College kids are making too many connections, crashing 5 GHz on access points and rebooting (crashing) the main router. How should I prevent this using my limited hardware?
Scenario
I am renting a few rooms to some college kids and lately I have been having the internet get knocked out.
I was able to see in real time once what was happening. The router's load went high and LuCI became sluggish, the memory usage was slowly rising and the connections graph had a sharp incline from 500 to 3000 and still rising… and then… silence, no response until the router had finished rebooting (I assume the watchdog kicked in). This seems to additionally take out the 5 GHz wifi on the access points that were used (this requires a manual reboot). The problem is this takes down the internet for everyone and it can happen at any time without warning.
Setup (initial that ran fine for years)
-Each renter gets their own wifi SSID/password and it's set up on every access point
-Router and access points are Archer C7 v2.
modem - router - AP0
               - AP1
               - AP2
               - AP3
Setup2 (current setup - trying to mitigate the problem)
-I have split the occupants in the house in half so some connect to router0 and others connect to router1
-But the responsible party is still taking down the router1 setup
-Router and access points are Archer C7 v2.
modem - router0 - AP0
                - AP1
      - router1 - AP0
                - AP1
Possible solutions
QoS - doesn't really solve my connection issues and is very CPU costly on old Archer C7's with gigabit internet
Keep separating users on access points until I find the culprit… but that still doesn't solve the underlying problem that connection counts can still take down the network.
Can I limit the connections to each LAN IP/MAC, and will this use minimal CPU/memory? i.e. each IP/MAC can have 300 connections and any more get dropped/rejected & logged? Could this be done easily on the access points to reduce CPU load on the routers? Maybe it can be done based on wifi SSID on the access points?
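The per-client cap the post asks about, written up as an added example (not code from anyone in this thread): an iptables connlimit rule for an OpenWrt router running the iptables-based fw3 firewall, plus a check of how full the conntrack table is. It assumes the LAN bridge is br-lan, a cap of 300 per source IP, and that the connlimit match is installed (on OpenWrt that is the iptables-mod-conntrack-extra package); the nftables-based fw4 needs an equivalent "ct count" rule, which is not shown.

```shell
#!/bin/sh
# Added example, not code from the thread. Caps the number of conntrack entries
# a single LAN client may hold on an OpenWrt router that uses the iptables-based
# fw3 firewall (the nftables-based fw4 needs an equivalent "ct count" rule, not
# shown). Assumptions: LAN bridge br-lan, a cap of 300 per source IP, and the
# connlimit match installed (OpenWrt package iptables-mod-conntrack-extra).
LAN_IF=${LAN_IF:-br-lan}
PER_IP_LIMIT=${PER_IP_LIMIT:-300}

# run: execute the command, or only print it when DRY_RUN is set, so the rules
# can be reviewed on a workstation before going into /etc/firewall.user.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

install_connlimit() {
    # Only NEW conntrack states are evaluated, so the per-packet cost stays low:
    # established flows never re-enter the connlimit match. Mask 32 counts per
    # individual IPv4 source address rather than per subnet. Both TCP and UDP
    # flows count, which matters because P2P traffic is largely UDP.
    # Insert at position 1 so the cap applies before fw3's own chains; the LOG
    # rule is inserted second so it ends up above DROP and fires first, and the
    # limit match keeps one runaway client from flooding syslog.
    run iptables -I FORWARD 1 -i "$LAN_IF" -m conntrack --ctstate NEW \
        -m connlimit --connlimit-above "$PER_IP_LIMIT" --connlimit-mask 32 \
        -j DROP
    run iptables -I FORWARD 1 -i "$LAN_IF" -m conntrack --ctstate NEW \
        -m connlimit --connlimit-above "$PER_IP_LIMIT" --connlimit-mask 32 \
        -m limit --limit 6/min --limit-burst 10 \
        -j LOG --log-prefix "connlimit-drop: "
}

# conntrack_usage: percentage of the kernel conntrack table in use. The per-IP
# cap only helps if nf_conntrack_max itself exceeds clients * PER_IP_LIMIT;
# on a 128 MB router the table is small and, once full, new flows are dropped.
# The two file paths can be overridden (used for offline testing).
conntrack_usage() {
    count=$(cat "${1:-/proc/sys/net/netfilter/nf_conntrack_count}")
    max=$(cat "${2:-/proc/sys/net/netfilter/nf_conntrack_max}")
    echo $((count * 100 / max))
}

# Usage: DRY_RUN=1 sh connlimit.sh install   # print the rules only
#        sh connlimit.sh install             # apply on the router
#        sh connlimit.sh usage               # show conntrack table fill (%)
case "${1:-}" in
    install) install_connlimit ;;
    usage)   echo "conntrack table $(conntrack_usage)% full" ;;
esac
```

Dropped excess flows show up in `logread` with the `connlimit-drop:` prefix, which also identifies the client that hit the cap.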
If I understand correctly, you use Archer C7's as simple wireless access points, and also use an additional Archer C7 as the main router? The Archer has pretty anemic specs at only 128 MB RAM. It's pretty dated.
My man, you need to upgrade so those college kids can keep on torrenting without crashing the system! LoL Maybe you can squeak by keeping the C7's as dumb APs, I don't know, but the main router probably needs better specs. Good news is there are loads of really cheap, really good x86 boxes on eBay. You might even have an older computer/laptop you are not using that could be easily converted into a router for cheap, maybe even free. The good news is that OpenWrt does support x86 CPUs. You can install OpenWrt on a computer or laptop with 2 NICs and use that as a router.
Someone with more experience in this than I have will probably come along to give you a hardware recommendation.
Also, wireless often has more priority over ethernet; it can make a wired network look down. QoS would solve this, but you may need a newer router like others suggested.
There is only one suggestion you can still test.
What do the logs say? Have you managed to get a log when it becomes locked down and unable to access?
What you might be looking for are errors which are out of place, like:
Port 2 sending packet with its own source address. When the 'loop' isn't from a switch but just an innocent device, this can be an indication that you need to disable hardware offloading and maybe even software offloading, because instead of offloading it is dropping packets and invalidating checksums, which causes STP to step in wrongly and block the full router. I noticed this on my own Flint 2 on a very congested network, with no way to restore as well until reboot; wireless kept accessible, so try to read the logs from wireless.
Then you may decide to turn this off before purchasing a newer router.
Also keep in mind that if this is disabled, your speed is likely halved, and you also need to check QoS again.
frollic
-Yes, everything is OpenWrt on Archer C7's
-I did not expect the 5 GHz wifi to be knocked out.
-Speed is 1gb/50mbit. *It might be 300/50mbit. Our ISPs in Canada keep playing games and it's just something I mentally can't keep track of anymore. Prices constantly keep going up and you keep calling back and the deal of the day is always a new speed at a new price, and then the whole thing starts over again. Sometimes faster speeds, sometimes slower speeds. Speedtest says ~250 Mbit/s but maybe that's the internet cap or maybe it's the wifi limit. I'm not going to spend 2 hrs on hold with the ISP to find out. (Sorry for the mini rant.)
MakeWiFiGreatAgain
-Yes, those darn Linux ISOs. My goal isn't to stop it (I don't want to go down that rabbit hole), just to stop the network from being taken down every time someone wants to install Linux as fast as they can.
-I guess my biggest concern is that the wifi on the access points is being taken out. Replacing 1 router isn't a big deal, but replacing 5-6 of them would be annoying. It's an old home with a lot of small rooms and a lot of walls, needing the access points spread out for coverage (I have them running on different 80 MHz channels for throughput).
-Re x86: I find laptops usually don't have a "power on after power failure" option, but I have been thinking of putting in an old Q6600 system. Just power hungry and it doesn't solve the wifi issue.
xize
-Clients only connect via wifi. Ethernet is only used to connect between the routers.
-On the acting router I can't see the logs (thinking of running a log server, but not sure if the error will get sent out before the watchdog).
-The acting access points don't really show anything that stands out to me.
-I will keep the STP loop issue in mind, but in this case I feel it's not so much a network throughput issue but rather a connection number issue. I think the throughput when the main router crashed was only peaking at about 35 Mbit/s. A speed test from wifi under normal circumstances gives 250 Mbit/s (probably 20 ft from the closest access point).
general
This is why I was thinking of a simple firewall rule that could limit connections by dropping new ones over a certain amount. I would be OK if it was based on wifi SSID, or IP or MAC or maybe something else. And yes, the 128 MB RAM thing is a concern of mine.
meantime
-I'm going to look into whether there is a method of inserting a rule between the wifi and LAN connection in OpenWrt. Maybe ebtables can do what I want?
-I will also look into (I think it's conntrack) on the router to do what I want. I have used it in the past, but it was usually to limit connections to a port. I never did it to limit connections for every known device on the network. (I worry about memory issues here if done on an acting router.)
-Also hoping someone with experience with this jumps in.
Worth digging further into what the 3000+ connections are. I assume it's some kind of P2P Linux ISO sharing app. Then, given your 1000/50 internet, the 50 Mbit uplink will get saturated fast.
A simple mitigation could be limiting the number of connections per IP address at the router's firewall. Say a limit of 5 connections per incoming IP might appreciably improve the situation and give a stable system.
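One way to do the "dig further" step above from the router's shell, as an added example that is not from anyone in this thread: read /proc/net/nf_conntrack and count flows per originating LAN address, split by protocol, so the client holding thousands of entries stands out. It assumes the LAN is 192.168.1.0/24 and the usual nf_conntrack text format (one flow per line, the first src= field being the originator); the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: finds which LAN client holds the
# most conntrack entries by reading /proc/net/nf_conntrack on an OpenWrt
# router. Assumptions: the LAN is 192.168.1.0/24 and the file has the usual
# nf_conntrack text format (one flow per line, first src= is the originator).

# top_sources PREFIX MIN: count flows per originating address that starts with
# PREFIX (the LAN prefix), split by protocol, and print those with at least
# MIN flows, busiest first. Reads the conntrack dump from stdin.
top_sources() {
    awk -v prefix="$1" -v min="$2" '
    {
        # $3 is the protocol name; the first "src=" field is the originator
        # (the second src= is the reply direction and would be the peer).
        proto = $3; ip = ""
        for (i = 1; i <= NF; i++)
            if (substr($i, 1, 4) == "src=") { ip = substr($i, 5); break }
        if (ip == "" || index(ip, prefix) != 1) next  # skip WAN-originated flows
        total[ip]++
        if (proto == "tcp") tcp[ip]++; else if (proto == "udp") udp[ip]++
    }
    END {
        for (ip in total)
            if (total[ip] >= min)
                printf "%s total=%d tcp=%d udp=%d\n", ip, total[ip], tcp[ip]+0, udp[ip]+0
    }' | sort -t= -k2,2nr
}

# Constructed sample of /proc/net/nf_conntrack lines (addresses are made up):
# .50 holds four flows (mostly UDP to port 6881), .51 two, and the last line is
# an inbound flow from the WAN that must not be attributed to any LAN client.
SAMPLE='ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.50 dst=198.51.100.7 sport=51234 dport=6881 src=198.51.100.7 dst=203.0.113.5 sport=6881 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.50 dst=198.51.100.8 sport=51413 dport=6881 src=198.51.100.8 dst=203.0.113.5 sport=6881 dport=51413 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.50 dst=198.51.100.9 sport=51413 dport=6881 src=198.51.100.9 dst=203.0.113.5 sport=6881 dport=51413 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.50 dst=198.51.100.10 sport=51413 dport=6881 src=198.51.100.10 dst=203.0.113.5 sport=6881 dport=51413 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.51 dst=93.184.216.34 sport=40001 dport=443 src=93.184.216.34 dst=203.0.113.5 sport=443 dport=40001 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.51 dst=192.168.1.1 sport=40002 dport=53 src=192.168.1.1 dst=192.168.1.51 sport=53 dport=40002 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.77 dst=203.0.113.5 sport=5555 dport=22 src=192.168.1.1 dst=203.0.113.77 sport=22 dport=5555 [ASSURED] mark=0 zone=0 use=2'

# Usage on the router: sh top_conntrack.sh 192.168.1. 100
# Without arguments, run against the constructed sample instead.
if [ $# -ge 2 ]; then
    top_sources "$1" "$2" < /proc/net/nf_conntrack
else
    printf '%s\n' "$SAMPLE" | top_sources 192.168.1. 1
fi
```

Run it a few times while the connection graph is climbing; a client whose udp count keeps growing is the one the per-IP cap should be sized against.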
As a router, the Archer C7 maxes out around 170-200 Mbit/s, less if you try smart rate limiting of any kind. Therefore it would make sense (as a first step) to offload the routing tasks to a more capable router (a purpose-built x86_64 box makes a lot of sense for this use case); as mere APs these C7s should be more forgiving (but even there you would see speedup potential; as-is, this kind of natural speed cap might be beneficial for you).
Once you have a more powerful router, I would highly recommend setting up SQM on it. This should help to distribute bandwidth between the different users.