Slashdot Mirror


Ask Slashdot: Managing Device-Upgrade Bandwidth Use?

First time accepted submitter wallydallas writes "I'm close to a solution, but I wonder how other people block their many devices and operating systems from updating in working hours. For example: I'm the IT guy who blocks iPads from updating when school is in session because we are in a rural location. 3mbps is the best WAN we can buy. Devices can update after hours just fine. We do this with our router (DDWRT) by blocking MESU.APPLE.COM. Many guests bring in Windows 7 laptops, and I want to welcome them, but not their updates. How can I block updates on Android Phones and Linux Laptops? I have a 4G device at home, and I'd like to apply the same tricks 24 hours a day so that I don't use up the bandwidth from my vendor. And my many home visitors should have their updates blocked."
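The submitter's approach (a DNS block on the router that is lifted after hours) generalised into a script, as an added example that is not part of the original post or of DD-WRT itself. Assumptions, none of them from the thread: dnsmasq on the router is started with a `conf-file=` line pointing at the generated file, the LAN bridge is `br0`, the router is `192.168.1.1`, DD-WRT's `stopservice`/`startservice` control dnsmasq, and cron entries are dropped into `/tmp/cron.d`. Only `mesu.apple.com` comes from the post; the other hostnames are well-known Apple and Microsoft update hosts given as examples and should be verified against your own traffic logs (and, for Windows, the KB article discussed in the first comment) before use.

```shell
#!/bin/sh
# Added example, not code from the original post. Blackhole update hostnames in dnsmasq
# during school hours and release them after hours. Assumptions (not from the thread):
# dnsmasq reads "conf-file=$BLOCKLIST", LAN bridge br0, router 192.168.1.1, DD-WRT's
# stopservice/startservice manage dnsmasq, cron entries live in /tmp/cron.d. Hosts other
# than mesu.apple.com are illustrative; verify them against your own logs.
# With DRY_RUN=1 (the default) privileged commands are printed instead of executed.

BLOCKLIST="${BLOCKLIST:-/tmp/dnsmasq-block-updates.conf}"
CRONFILE="${CRONFILE:-/tmp/cron.d/block-updates}"
LAN_IF="${LAN_IF:-br0}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
DRY_RUN="${DRY_RUN:-1}"
UPDATE_HOSTS="mesu.apple.com appldnld.apple.com windowsupdate.com update.microsoft.com"

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One address= line per name. dnsmasq treats address=/example.com/ as a wildcard, so every
# subdomain of a listed name (download.windowsupdate.com, ...) also resolves to 0.0.0.0.
gen_block_conf() {
  for h in $UPDATE_HOSTS; do
    printf 'address=/%s/0.0.0.0\n' "$h"
  done
}

# address= lines are read at startup only: SIGHUP makes dnsmasq re-read hosts files, not
# its config, so the service is restarted after the file changes.
restart_dnsmasq() {
  run stopservice dnsmasq
  run startservice dnsmasq
}

block_updates() {
  gen_block_conf > "$BLOCKLIST"
  restart_dnsmasq
}

unblock_updates() {
  : > "$BLOCKLIST"   # keep the (empty) file so the conf-file= reference stays valid
  restart_dnsmasq
}

# The block only applies to clients that actually resolve through the router. A laptop
# with a hard-coded 8.8.8.8 walks straight past it, so redirect all LAN port-53 traffic
# to the local resolver.
force_local_dns() {
  for proto in udp tcp; do
    run iptables -t nat -I PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
      ! -d "$ROUTER_IP" -j DNAT --to-destination "$ROUTER_IP"
  done
}

# Weekday schedule in DD-WRT's /tmp/cron.d format (minute hour dom month dow user command):
# block at 07:30, release at 16:00. SELF is the installed path of this script (assumed).
gen_cron() {
  printf '30 7 * * 1-5 root %s block\n' "${SELF:-/jffs/block-updates.sh}"
  printf '0 16 * * 1-5 root %s unblock\n' "${SELF:-/jffs/block-updates.sh}"
}

case "${1:-}" in
  block)   block_updates ;;
  unblock) unblock_updates ;;
  install) force_local_dns; gen_cron > "$CRONFILE" ;;
esac
```

Run it once with `install` (and `DRY_RUN=0`) to add the DNS redirect and the cron lines; cron then calls it with `block` and `unblock`. The thread reports below that blocking the Microsoft hosts has broken Windows Update on some machines, so test the Microsoft entries on one laptop before rolling them out.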

100 of 159 comments

  1. For Windows by jones_supa · · Score: 5, Informative

    For Windows, you could try blocking the addresses listed in the Microsoft Knowledge Base article 818018.

    1. Re:For Windows by Anonymous Coward · · Score: 2, Informative

      That is not a complete list. We set up our DNS to return 127.0.0.1 for all of those hostnames, and Microsoft still found a way to do a forced update to MSIE10 that broke all of the Dell desktops running Windows in our office. We had to reimage all of the Dells to get them running again. We found the IP addr Microsoft was using for their abuse and blocked it, but then about four months later Microsoft found another way to do yet another forced update, again breaking our desktops. Again, we had to reimage to get the systems to boot.

      Again, that list is not complete. If you block just those, Microsoft will still find a way to break your systems.

    2. Re:For Windows by byornski · · Score: 1

      Broke, or fixed?

    3. Re: For Windows by wallydallas · · Score: 1

      Blocking the domains in that KB article is known to break Windows Update for us and others on this posting. Then we must rebuild our master image. Blocking Apple iOS has no side effects.

    4. Re: For Windows by wallydallas · · Score: 1

      gpedit.msc works halfway. Only on our Win 7 Pro desktops. Not on guest computers.

  2. It depends on your environment. by Anonymous Coward · · Score: 2, Informative

    If there are a lot of people that want to do the updates, AND you have the space, a caching service can ease the pain. The first time an update is done, the cache (proxy) saves the reply, then when someone else asks for the update, it is supplied locally rather than downloading it again.

    1. Re:It depends on your environment. by CohibaVancouver · · Score: 2

      So if a solution is not 100% perfect, it has to be thrown into trash can?

      Of course. This is Slashdot - Where the edge use case wins, every time - Where perfect is the enemy of good.

    2. Re:It depends on your environment. by weilawei · · Score: 1

      What planet do you live on? Plenty of corporations and schools mandate that you allow them to MITM you. Accept this certificate or don't use our network.

    3. Re:It depends on your environment. by fuzzyfuzzyfungus · · Score: 1

      you cannot proxy https and about anything that uses authentication

      You can't (easily) MiTM clients that you don't manage; but many, perhaps most, update mechanisms don't use SSL or authentication. It's assumed that ineligible users either have absolutely no interest, or (as in the case of pirates) are probably sophisticated enough that trying to keep them from scoring a copy somehow isn't worth the effort.

      As for SSL, that's extra overhead, and the server is shovelling out the same set of patches to everyone and (on all remotely recent and non-insane update systems) the update client is verifying the package signature before installation, so protecting the package on-the-fly isn't a high priority.

      There are likely to be exceptions, which you'll have to block or suck up; but SSL is not a priority in basic patching scenarios (though the fact that some of the big guys, like Windows update, use BITS rather than HTTP will be modestly inconvenient, since HTTP proxies are incredibly common compared to other flavors).

    4. Re:It depends on your environment. by Architect_sasyr · · Score: 1

      There are two options available to you - 1. Apple's caching server works perfectly (so long as your external IP doesn't change and everyone is on iOS 7 and Mountain Lion or Mavericks) - you download once (on demand rather than syncing the whole repo "WSUS" style) and distribute to many. This saves heaps of space without screwing with the end user, and it doesn't need to be managed via GP or anything like that. 2. SCCM on demand packages. Not an SCCM guy, but if you can replicate the caching server from Apple in SCCM, you're on the way.

      Neither of these options gives a flying crap about HTTPS or Authentication.

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
  3. 3Mbps?!?? by Anonymous Coward · · Score: 1

    Wasn't there billions of dollars spent by the government like 10 years ago to get every school connected with high speed internet?

    1. Re:3Mbps?!?? by The_Wilschon · · Score: 5, Funny

      Wasn't 3 Mbps "high-speed" ten years ago?

      --
      SIGSEGV caught, terminating

      wait... not that kind of sig.
    2. Re:3Mbps?!?? by lactose99 · · Score: 2

      Hell, I still think the FCC counts it as high-speed even now in their broadband reports.

      --
      Fully licensed blockchain psychiatrist
    3. Re:3Mbps?!?? by queazocotal · · Score: 1

      If you happen to be in range of an existing tower.

    4. Re:3Mbps?!?? by Grishnakh · · Score: 1

      3Mbps isn't blazing fast, but it's not completely horrible (though I don't think it's quite fast enough for Netflix).

      The problem is if you're trying to run an entire school on it, rather than a single person's apartment.

    5. Re:3Mbps?!?? by Albanach · · Score: 1

      3mb isn't a lot for a school, especially where there might be a need for streaming video. It would be pretty straightforward to add another connection or two and do some load balancing. Combining that with the QoS suggestion others have made might make the whole network a lot nicer to use.
       

    6. Re:3Mbps?!?? by queazocotal · · Score: 3, Interesting

      They are good for 30 miles - if there is a clear path.
      This is not just line of sight - but slightly more than this - the path cannot go just past obstacles.
      http://www.proxim.com/products/knowledge-center/calculations/calculations-fresnel-clearance-zone

      For a 30 mile link, the Fresnel zone reaches 100 feet in the middle of the link - if anything is in this zone, then the signal will be severely affected.
      Add to this the limitation of sight due to a non-flat horizon - 150-foot towers are needed just to get minimum line of sight.
      For flat land with trees up to 30 feet in places in the middle, for example, that adds up to a total of (100/2)+30+150 = 230-foot towers.

      If one end is at altitude - you still may need a significant tower in order to clear the fresnel zone.

    7. Re:3Mbps?!?? by dugancent · · Score: 1

      I watch Netflix on a 3Mbit connection with no problem. That said, I have a standard-def TV.

      --
      SJWs are the new boogeyman. -Me
    8. Re:3Mbps?!?? by aaronb1138 · · Score: 1

      Too bad so many of those providers have insufficient backhaul. For every small town with reportedly good line of sight wireless, there are 5 with ISDN like peak daytime speeds due to congestion and crap equipment.

    9. Re:3Mbps?!?? by Cramer · · Score: 1

      Reading the post, I immediately said, "not the best you can buy, just the best you're willing to pay for."

    10. Re:3Mbps?!?? by i.r.id10t · · Score: 1

      I have 1.5mb down DSL - it's all I can get. Well, I can "get" 3 but I'm so far out at the end of the run it randomly disconnects 5 or 10 times a day and refuses to reconnect, requiring a power cycle of the "modem" (ISP provided) or router (and I've tried quite a few).

      --
      Don't blame me, I voted for Kodos
    11. Re:3Mbps?!?? by mysidia · · Score: 1

      Wasn't there billions of dollars spent by the government like 10 years ago to get every school connected with high speed internet?

      Discounted telecommunication services available to schools under E-Rate.

      For every 1000 students; there should be 100 Megabits.

      This is like saying.... for our school lunch program; the budget we have allocated, only allows us to buy 10 pounds of meat. All 10000 of you will just have to share it.

      By the way; if any of you are hungry because you skipped breakfast: we're going to have to take measures to block you from accessing the serving dish, since we find that such users are likely to eat a lot more food.

    12. Re:3Mbps?!?? by mysidia · · Score: 1

      Hell, I still think the FCC counts it as high-speed even now in their broadband reports.

      It is high speed, for a typical household of 3 people.

      Hell; 1 Megabit per 10 students is high-speed.

      1 Megabit per 20 students is NOT.

      3 Megabits per 100 students is insanely crappy.

      3 Megabits per 1000 students is a friggin joke.

    13. Re:3Mbps?!?? by mysidia · · Score: 1

      Reading the post, I immediately said, "not the best you can buy, just the best you're willing to pay for."

      Yeah.... use of freebie or low-end consumer-grade broadband services in a large scale instruction environment.

      If your school spends more in a month on toilet paper; or getting the grounds mowed or floors cleaned, in costs, than on your internet connection, then you are doing it wrong.

    14. Re:3Mbps?!?? by Bert64 · · Score: 1

      Of course any company will always focus on their profit above all else, that's the sole reason they exist.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    15. Re:3Mbps?!?? by datapharmer · · Score: 1

      Here at home we can't get any better without shelling out 10k for a fiber run and 400/month or more for the link after, so we are stuck with crappy AT&T 3Mbps DSL. Netflix actually works fine, surprisingly. Initial start on a video will be a bit blocky but it clears up quickly. Quality on other video sources varies wildly, so the service provider's technology clearly makes a big difference. YouTube is decent but has a long buffer time; videos from AOL's news or Fox News will hardly even play and take 10 minutes or more to buffer a 1 minute clip.

      --
      Get a web developer
    16. Re:3Mbps?!?? by chipperdog · · Score: 1

      Your school should qualify for e-rate service...I know the e-rate bid winner for schools around here (which wasn't the monopoly phone company or cable company, but a CLEC) built out their own fiber to each school, so I'm guessing they can get any speed they want...

    17. Re:3Mbps?!?? by snobody · · Score: 1

      That's nothing. Back in 2004, I was working for a school district in Michigan and almost all of the K-12 buildings were on token ring. We were always just one lightning strike away from having a building offline for the rest of the school year. We used to surf ebay looking for old replacement parts to buy and keep, just in case. Of course, now I'm sure they've probably upgraded to 10 megabit ethernet hubs. :)

    18. Re:3Mbps?!?? by Bengie · · Score: 1

      FCC considers broadband in general as "high speed" and has a speed requirement to be considered "broadband". In this case, "high speed" just means faster than dial-up.

    19. Re:3Mbps?!?? by toddestan · · Score: 1

      Should is the key word, I've seen some unbelievably crappy modems.

    20. Re: 3Mbps?!?? by wallydallas · · Score: 1

      We don't qualify for E-Rate as we are private. Non-profit for the disabled. We shopped, but the best deal in a rural spot is a T1 at $600 a month. Netflix tests OK now when no guest devices are on our LAN. I can't ban Win laptops nor ban Android phones of staff and students.

    21. Re: 3Mbps?!?? by wallydallas · · Score: 1

      We are not incompetent. Even when we load balance with a Cisco dual wan router the updates from devices slam us. Read the many more details I have added.

    22. Re:3Mbps?!?? by nobuddy · · Score: 1, Troll

      Wall Street loves to forgo $10 tomorrow to make $1 today. We see companies trashed constantly by short sighted profit gains. HP went from a blue chip tech stock standard to a common stock overnight when Carly took over and reined in all their long-term profit goals in favor of short term gains at a fraction of the profit. (I was inside watching this one happen. It made me ragequit, eventually.)

    23. Re:3Mbps?!?? by nobuddy · · Score: 1, Troll

      I quit unpacking updates to prevent aneurysm by rage when I started seeing this. "Hmm.. 128Mb patch, lots of useless crap attached, duplication of DLLs with the same size/signature.. about 600k of new data. Now I want to break something."

  4. Pfsense by bhenson · · Score: 5, Informative

    Use pfSense and the squidGuard (or DansGuardian) package, and use the software downloads list.

  5. pfSense by Anonymous Coward · · Score: 4, Informative

    http://www.pfsense.org/

    Install pfSense plus Squid and block the update sites.

    pfSense WAN goes to the modem.
    pfSense LAN goes to the access point.

  6. Don't block it, QoS it. by phizi0n · · Score: 5, Interesting

    There's no reason to avoid using your bandwidth when you can use QoS to deprioritize it so that they can still update any time the bandwidth is available. Most any Linux router can do this with tc and iptables, or sometimes with less configurability through their GUIs.

    At home you have control over the devices and can just disable them from automatically updating.

    1. Re:Don't block it, QoS it. by fisted · · Score: 1

      Then why is he fine with people updating after hours?

    2. Re:Don't block it, QoS it. by lesincompetent · · Score: 1

      He/she only talked about bandwidth, not traffic limitations.
      BTW, how effective can QoS really be? I'm a little bit skeptical.

    3. Re:Don't block it, QoS it. by tlhIngan · · Score: 1

      He's paying per MB downloaded . . . it costs him money for them to download their patches using his bandwidth, even if nothing else is going on.

      Except he's fine with them updating after hours, when the demand on the connection is far lower.

      Basically, he doesn't want updates to bog down the internet link during school hours and making everyone's experience slow and annoying (especially Apple updates - want a good speed test? Apple seems to push the bits out). But after hours when the link is idle, update away because no one else is likely to notice.

    4. Re:Don't block it, QoS it. by msobkow · · Score: 1

      He's dealing with two locations: his home, where he pays for bandwidth, and his work, where the concern is peak hour traffic.

      --
      I do not fail; I succeed at finding out what does not work.
    5. Re:Don't block it, QoS it. by jones_supa · · Score: 1

      He's paying per MB downloaded

      You made that up. He didn't say that.

    6. Re:Don't block it, QoS it. by Zocalo · · Score: 1

      The article doesn't actually mention costs at all, so I don't think that's an issue so much as people soaking up the scarce bandwidth when others are trying to use the connection for its primary intended purpose: schoolwork. If it were a problem, then I'd have expected the question to have included asking for advice on caching proxies and suchlike to save bandwidth. If there's no cap, then QoS would be a good part of a solution for this as it lets you make maximum use of your circuit, while avoiding degrading the experience for people just surfing the web.

      --
      UNIX? They're not even circumcised! Savages!
    7. Re:Don't block it, QoS it. by ewieling · · Score: 1
      BTW, how effective can QoS really be? I'm a little bit skeptical.


      You can only QoS the transmits. To do it correctly, you must do QoS on both ends of the circuit. You can do some "poorman's QoS" by putting it on the transmit side of your router, but that only helps with TCP, not UDP and relies on TCP's throttling.
      --
      I really shouldn't have used someone else's email address for this account.
    8. Re:Don't block it, QoS it. by Desler · · Score: 1

      No, you're actually confusing what they said.

      I'm the IT guy who blocks iPads from updating when school is in session because we are in a rural location. 3mbps is the best WAN we can buy. Devices can update after hours just fine.

      The person you responded to was correct in saying that his post said they were allowed to update devices after hours. The part about his own devices at home was a completely separate part of the post.

    9. Re:Don't block it, QoS it. by Cramer · · Score: 1

      Actually, the router does transmit... to the inside interface. With a bit of buffering, or dropping traffic -- but as it's already crossed the link, you don't want to have to receive it again -- it is entirely possible to rate limit traffic in both directions. Knowing *what* to rate limit is the issue. If he knew what sites were "update" sites, he'd just block them entirely.

    10. Re:Don't block it, QoS it. by girlintraining · · Score: 1

      There's no reason to avoid using your bandwidth when you can use QoS

      You seem to forget that many ISPs sport bandwidth caps, which is a misnomer; they're actually limiting the amount of data transferred during a given timeframe. QoS doesn't stop a fat bill from showing up the next month showing you used up 1.5TB on an account purchased at a 200GB level.

      --
      #fuckbeta #iamslashdot #dicemustdie
    11. Re:Don't block it, QoS it. by AmiMoJo · · Score: 1

      QoS can only do so much when a number of clients are trying to use a slow connection at the same time because it can only control outgoing packets. Incoming packets are queued at the ISP and sent to the modem at its maximum speed in the order they arrived. Worse still, many servers cheat and ignore TCP/IP rate limiting.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    12. Re:Don't block it, QoS it. by Port-0 · · Score: 3, Informative

      I did IT work for a private university for 14 years. I managed bandwidth by blocking certain protocols to various networks and hosts until Napster and the following peer to peer protocols; after a couple of years trying to manage bandwidth by blocking protocols, sites, advertising, etc., I gave up on that. Ultimately all of that damages the user's experience, and increased my work load. It puts the IT guy in the position of chasing the users' behaviors, always responding to the latest fire, and worse, it put the IT guy in the position of determining what is important to the users, which it turns out is different to each class of user.

      So next I tried using one of the many products that allow the IT guy to create classes of users, classify traffic, apply rules by class, and build QoS rules based on all classes. Turns out this is the same nightmare with a prettier UI.

      I ultimately found the Net Equalizer (netequalizer.com); it is an elegant solution at a fraction of the cost. If you want to be the network nazi and control who uses what protocol, this isn't for you. But if you want to forget about bandwidth problems, this is it. It took about an hour to read the manual, play with options and plug it in, then I only touched it when we increased our bandwidth beyond its capacity a few years later. I don't work for the company or anything like that. It is just one device I bought that performed way beyond my expectations. Their web site has all the info about what it does and how. I would encourage everyone to check this out if you have less bandwidth than you feel you need.

    13. Re:Don't block it, QoS it. by Anonymous Coward · · Score: 2, Insightful

      I don't work for the company or anything like that.

      Really? Because in your entire post, while you praised the device (Service? Software?) plenty, you never actually said what it does.

    14. Re:Don't block it, QoS it. by Agripa · · Score: 1

      While it is true that receiving the data again across a slow link is inefficient, dropping packets is the only universal way to signal IP congestion. Explicit Congestion Notification (ECN) can signal congestion at the IP level without dropping packets, but of course few devices implement it or perhaps even go out of their way to ignore it in the quest for individual performance at the cost of degrading the network for all other devices.

      http://en.wikipedia.org/wiki/Explicit_Congestion_Notification

      Traffic shaping does indeed work for outgoing *and* incoming data. Obviously on the incoming side the packets get dropped after the expense of sending them over the slow link but using it does have the advantage of minimizing queue depth and lowering latency.

    15. Re:Don't block it, QoS it. by Agripa · · Score: 1

      Traffic shaping on the incoming side is still effective though even given that it has to drop packets that have already been sent over the most expensive part of the link. Dropping packets is the one sure fire way to signal to the transmitter that it should stop sending so quickly and while the server can ignore ECN, it cannot ignore dropped packets.

      If the incoming aggregate flow rate is kept below the level of the slowest link which is almost always the customer's link, then the intervening buffers will tend to be depleted minimizing latency. At the very least, the transmit buffer immediately on the other side of the customer's link can be kept at a minimum level.
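The tc/iptables approach phizi0n suggests, done on the LAN-facing interface as Cramer and Agripa describe so that it shapes downloads rather than only uploads, as an added example that is not code from any poster. Assumptions, none from the thread: a Linux router (DD-WRT or similar) with LAN interface `br0`, a 3000 kbit/s link, kernel support for `sch_htb`, `sch_sfq` and the `xt_connbytes` match. Instead of a hostname list, it classifies by behaviour: any connection that has already moved 2 MB is treated as bulk, which catches updates and cloud sync from whatever CDN address they come from.

```shell
#!/bin/sh
# Added example, not code from any poster. HTB shaping on the LAN side of a Linux router:
# the router is the sender toward the clients, so queueing or dropping here makes remote
# TCP senders slow down, which is what makes download shaping possible on one box.
# Assumptions (not from the thread): LAN interface br0, 3000 kbit/s link, sch_htb/sch_sfq
# and xt_connbytes available. DRY_RUN=1 (default) prints the commands instead of running them.

LAN_IF="${LAN_IF:-br0}"
LINK_KBIT="${LINK_KBIT:-3000}"
BULK_MARK=2
BULK_BYTES=2000000     # a flow that has moved 2 MB is treated as bulk from then on
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Shape slightly below the real link speed so the queue builds here, in the router, where
# we control it, rather than in the ISP-side buffer we cannot see.
shaped_rate() {
  echo $(( $1 * 93 / 100 ))
}

setup_shaping() {
  RATE=$(shaped_rate "$LINK_KBIT")
  HI=$(( RATE * 8 / 10 ))   # guaranteed for interactive/default traffic
  LO=$(( RATE * 2 / 10 ))   # guaranteed for bulk; ceil lets it take the whole link when idle

  run tc qdisc del dev "$LAN_IF" root 2>/dev/null || true
  run tc qdisc add dev "$LAN_IF" root handle 1: htb default 10
  run tc class add dev "$LAN_IF" parent 1: classid 1:1 htb rate "${RATE}kbit" ceil "${RATE}kbit"
  run tc class add dev "$LAN_IF" parent 1:1 classid 1:10 htb rate "${HI}kbit" ceil "${RATE}kbit" prio 1
  run tc class add dev "$LAN_IF" parent 1:1 classid 1:20 htb rate "${LO}kbit" ceil "${RATE}kbit" prio 2
  # SFQ inside each class so one fat flow cannot starve the others in the same class
  run tc qdisc add dev "$LAN_IF" parent 1:10 handle 10: sfq perturb 10
  run tc qdisc add dev "$LAN_IF" parent 1:20 handle 20: sfq perturb 10
  # packets carrying the firewall mark go to the bulk class
  run tc filter add dev "$LAN_IF" parent 1: protocol ip prio 1 handle "$BULK_MARK" fw flowid 1:20
}

# Classify by behaviour rather than hostname: a connection that has moved BULK_BYTES in
# either direction is marked bulk. The first 2 MB of every flow still run at full speed;
# that is the price of not maintaining a host list.
setup_marking() {
  run iptables -t mangle -A FORWARD -o "$LAN_IF" \
    -m connbytes --connbytes "${BULK_BYTES}:" --connbytes-dir both --connbytes-mode bytes \
    -j MARK --set-mark "$BULK_MARK"
}

case "${1:-}" in
  apply) setup_shaping; setup_marking ;;
esac
```

After hours the bulk class's ceil equals the link rate, so updates run at full speed when nothing else is going on, which is the behaviour the question asks for without a schedule. The limit ewieling raises still applies: a UDP sender does not back off when its packets are dropped at the router, so such a flow keeps consuming the WAN side even though the other class is protected from it.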

    16. Re:Don't block it, QoS it. by Agripa · · Score: 1

      You could have found articles discussing their product in a modicum of time that are prominently linked on the first page of their web site and gotten your answer undiluted.

      Summary:

      It implements stream based flow control while evaluating the behavior of each stream and penalizing the misbehaving ones.

    17. Re: Don't block it, QoS it. by wallydallas · · Score: 1

      Thanks Port-0. I will look into that. Great reflections. I agree.

  7. Consider caching instead by nemesisrocks · · Score: 5, Informative

    Since you're in such a remote area, your visitors very likely also have slow connections at home too. Why not cache the updates instead? You'll be contributing towards a safer, more secure internet.

    The first person who downloads them would cause a drain on the network, but at least all future attempts would be served up from your cache. You could even have a spare machine downloading the updates overnight, pre-populating the cache for your visitors, to reduce the burden updates cause during the day.

    I've used the instructions here with great success on Squid: http://wiki.squid-cache.org/SquidFaq/WindowsUpdate

    Apparently Apple iOS updates can be cached too, e.g.: http://lkrms.org/caching-ios-updates-on-a-squid-proxy-server/
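The Squid side of the caching suggestion above, as an added example that is neither the linked FAQ's text nor any poster's configuration: a squid.conf fragment that makes Squid keep Windows Update payloads, plus a small helper that checks a URL against the same regexes so the patterns can be tested before deployment. Assumptions, none from the thread: Squid 3.x, a 20 GB cache under `/var/spool/squid`, and clients that reach Squid either through explicit proxy settings or transparent redirection of port 80 (HTTPS objects are not cached this way). The retention values are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid FAQ. Generates a squid.conf fragment for
# caching Windows Update payloads and checks URLs against the same patterns.
# Assumptions: Squid 3.x, 20 GB cache dir, port-80 traffic reaches the proxy.

MS_PATTERN='(download|update)\.microsoft\.com/.*\.(cab|exe|msi|msu|psf|dat|zip)$'
WU_PATTERN='windowsupdate\.com/.*\.(cab|exe|msi|msu|psf|dat|zip)$'

gen_squid_update_conf() {
  cat <<EOF
# Windows Update (BITS) fetches big files with HTTP Range requests. By default Squid passes
# a ranged request straight through and caches nothing, so every client re-downloads the
# file over the WAN. -1 makes Squid fetch the whole object on the first ranged request.
range_offset_limit -1
# Finish the download even if the client that triggered it goes away.
quick_abort_min -1 KB
# maximum_object_size must precede cache_dir: cache_dir takes its max-size from the value
# in effect when it is parsed.
maximum_object_size 500 MB
cache_dir ufs /var/spool/squid 20000 16 256

# Keep update payloads for 30 days (min) to 90 days (max) regardless of origin headers;
# reload-into-ims turns a client-forced reload into an If-Modified-Since check.
refresh_pattern -i $MS_PATTERN 43200 80% 129600 reload-into-ims
refresh_pattern -i $WU_PATTERN 43200 80% 129600 reload-into-ims
EOF
}

# Exit 0 when the URL would hit one of the refresh_pattern lines above. refresh_pattern uses
# POSIX extended regexes (case-insensitive with -i), the same dialect grep -Ei understands.
is_update_payload() {
  printf '%s\n' "$1" | grep -Eiq -e "$MS_PATTERN" -e "$WU_PATTERN"
}

case "${1:-}" in
  conf)  gen_squid_update_conf ;;
  check) shift; is_update_payload "$1" && echo cacheable || echo passthrough ;;
esac
```

`./squid-updates.sh conf >> /etc/squid/squid.conf` installs the fragment; `./squid-updates.sh check URL` tells you whether a URL from the access log would have been retained. Watch the cache hit ratio in `access.log` (TCP_HIT versus TCP_MISS on the update hosts) for a day before trusting the patterns.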

    1. Re:Consider caching instead by Enry · · Score: 1

      Between this and QoS it should take care of the problem.

    2. Re:Consider caching instead by Sez+Zero · · Score: 1

      Caching helped me a bunch. We have a little Mac mini and I turned on Caching service on OS X server. Works great for software updates, App Store purchases, for local Mac and iOS devices. It works much better since iOS 7, keeping those iPhones in check.

    3. Re:Consider caching instead by mysidia · · Score: 2

      Since you're in such a remote area, your visitors very likely also have slow connections at home too. Why not cache the updates instead? You'll be contributing towards a safer, more secure internet.

      Not only that.... but malware can suck up your bandwidth just as fast, or faster than updates; the consequences of failing to update can over time be adverse to your own network's performance.

    4. Re:Consider caching instead by Larry_Dillon · · Score: 1

      I used to use Squid for caching Windows Updates and it sped things up about 1000%.

      I would recommend using something like Ntop to figure out where your bandwidth is actually being consumed and target that for caching.

      Much like freeing up space on disks, you can waste time trying to figure out every little thing, or you can target the biggest files and get the most results.

      The only down-side of Squid caching is that it can't work with HTTPS.

      --
      Competition Good, Monopoly Bad.
  8. DPI. deep packet inspection by sgt+scrub · · Score: 1

    You can put snort on DDWRT. There are signatures that can be added and removed via script and cron. The signatures are able to block Microsoft Updates, normal and BITS, as well as specific services on iTunes.

    --
    Having to work for a living is the root of all evil.
    1. Re: DPI. deep packet inspection by wallydallas · · Score: 1

      Nice. Thanks. Will try.

  9. Why just device updates? by ChaseTec · · Score: 3, Informative

    Any particular reason you've singled out device updates? Seems like you'd want to block or QoS all large or multi-range binary transfers. You should have a transparent caching proxy server in place (which is where you'll be able to inspect and block large transfers).

    --
    My Hello World is 512 bytes. But it's also a valid Fat12 boot sector, Fat12 file reader, and Pmode routine.
    1. Re:Why just device updates? by forkazoo · · Score: 1

      Well, if he has identified it as taking up a large amount of the available bandwidth, then it certainly makes sense to consider it a target for reductions. Perhaps more importantly, users tend not to care about updates like that. A user actively downloading a file from some source is probably more important than some automated process the user doesn't care about, and can be deferred until the user gets home without them noticing anything.

      That said, I've been saying for a while that there needs to be some sort of bandwidth discovery protocol. My original thought process was driven by apps on mobile phones, but this seems like it would benefit for the same reasons. Wireless operators are always concerned about using scarce bandwidth resources so we get plans with low data caps and such. Imagine if there was a completely standardised way for an application (say an email app on a phone) to "ping" bandwidthdiscovery://mail.foo.com with some sort of priority metric. If nothing responded back, it would act normally, so the system would be completely backwards compatible. If something did respond back along the route (for example, the wireless ISP you are connected to, but it could theoretically be something local or distant. The school's DDWRT router in the OP example.) it could reject the session, or encourage a delay. That way an email app set to check every 5 minutes could occasionally get a polite rejection from the ISP asking the app to hold off since circuits are overloaded. The phone would then wait a few minutes before trying again. Eventually the phone would download new email, but at high traffic times, it might wind up going 15 minutes instead of 5, saving the network some trouble. Software updates might defer a download for days or weeks if there is a continual rejection.

      My Android phone lets me set software updates and podcast downloads to only happen over wifi, under the assumption that cellular data is expensive, but wifi data is unlimited. But, if I connect to a Mifi access point connected to a cellular connection, my phone currently has no way to discover that it is actually using (limited) cellular data. With a bandwidth discovery protocol, it would get the same rejections from the ISP that it would get if it had directly connected to the cellular data itself. And, local admins could easily set up rejection rules like the OP would be interested in, while still allowing the possibility of user overrides in cases where the school IT guy really wants to manually update the school's computer systems and whatnot. Think of it as a sort of queryable QoS.

      And because any intermediate system on the route can let apps know to reduce bandwidth usage, a server being slashdotted can have some queries be rejected, rather than everything being on the link local side near the user. Obviously, none of this helps the admin in the immediate term. But, it would seem like that's how it ought to work.

  10. It's not the updates, it's the cloud sync by whoever57 · · Score: 2

    On our network, we have seen one Apple machine running at 20Mbps to the Internet for hours on end. I believe this is a cloud sync. Looking at QoS to throttle this, but the external IP addresses appear to be a disparate and unknown set, so will have to throttle the firewall -> LAN IP connection.

    --
    The real "Libtards" are the Libertarians!
    1. Re:It's not the updates, it's the cloud sync by chromas · · Score: 1

      It's not just any cloud; p2p is cumulonimbus. Huge swarms of nodes all over the world and you don't have to care where they are to get what you want. Also, some of its usage may be legally cloudy. Cloud cloud cloud!

  11. Unintended consequences by Kardos · · Score: 1

    If you block updates, windows particularly, then you'll have higher chances of infected systems that may be used for DDoS etc.

    1. Re:Unintended consequences by jones_supa · · Score: 1

      Eh. You're stretching it a bit. I think those machines will soon enough find some other time or other network to get the updates in. The update check interval for Windows is 20 hours anyway.

    2. Re:Unintended consequences by mysidia · · Score: 1

      There's a chance they might not connect to any other network; or might not connect when updates are "allowed" --- especially machines on site.

      There may be machines regularly used only on that network, and not connected to a network at other times.

      So there is some level of increase in risk, regardless.

  12. Why do you let them on your home network? by Anonymous Coward · · Score: 1

    Blocking these types of downloads at a school I can understand, not a lot of schools have funding for high bandwidth connections.

    At home that's another story: if you don't trust them, don't let them on. Why would you let them on your home network if you don't trust them? I consider letting them use my home network for phone and app updates part of being a good host. Overall my initial reaction to reading the question posed was the thought that you are very much on the verge of being a control freak.

  13. what? by Anonymous Coward · · Score: 1

    I'm in Juneau Alaska. The only way in and out of town is via plane or boat ... we are WORSE than rural. ... As of noon today, we just got 100Mb ..... something is wrong there.

    1. Re:what? by PopeRatzo · · Score: 1

      I'm in Juneau Alaska. The only way in and out of town is via plane or boat ... we are WORSE than rural. ... As of noon today, we just got 100Mb ..... something is wrong there.

      100Mb? But we're talking about network connections, not the size of your flash drives.

      --
      You are welcome on my lawn.
  14. Wide scale blocking. by Lumpy · · Score: 3, Interesting

    I strongly suggest you also block all the common advert servers such as doubleclick as they consume far more bandwidth than the updates do.

    --
    Do not look at laser with remaining good eye.
    1. Re: Wide scale blocking. by wallydallas · · Score: 1

      Good idea.

  15. Local update server by LMariachi · · Score: 2

    Mavericks Server has Caching Server 2, which I haven't personally used but their blurb for it sounds like exactly what you want, at least as far as Apple devices.

    1. Re:Local update server by Anonymous Coward · · Score: 1

      Caching Server 2 works great for OTA updates and apps to iOS, so long as you have 1 pipe out to the internet.

      It won't help you 6->7 because 6 doesn't know it exists.

      If you disable "local networks only" anything inside your private LAN (as opposed to just the subnet the caching server is on) will use it, including iTunes on desktops.

      It's pretty neat all in all - pretty much any Mac capable of running Mavericks sitting in a wiring closet or machine room somewhere can do this readily.

  16. Ditch the WRT by kroby · · Score: 4, Informative

    WRT is great for tinkering and home users, but good god, please don't put it in a production network. Get something like a SonicWALL or a FortiGate, learn to use it, and thank me later. QoS will get you nothing; there is no such thing as QoS on the internet. However, bandwidth management and throttling could help a lot. Before you can prioritize traffic you need to be able to identify it, and this is where life becomes much easier with a UTM appliance. You can prioritize by device type (MAC address), source, destination, protocol, or application. With application awareness you can easily see what is sucking up the most bandwidth, and it classifies all the traffic for you automagically based on signatures run against deep packet inspection. A caching proxy, as mentioned in other posts, would help speed up the internet and reduce bandwidth consumption. Something like Squid would work here, or you could go the appliance route. Bonus: with a UTM device you also get IDS/IPS, botnet filtering, gateway antivirus, spam filtering, RBL filter, content filtering, application control, SSL VPN, wireless controller, and more. They cost money, but you will not find these features for free, and if you do it is going to be a nightmare to manage.

    1. Re:Ditch the WRT by Bengie · · Score: 1

      $100 must be for one of their low end ones. Looking at their current new stuff, the $27,000 model would be required to handle 100mb/s, which I hope to get soon. Nice to know for people with really slow connections.

  17. Linux by jones_supa · · Score: 1

    For Linux you will have to make rules for each distro. Ubuntu can be blocked with *.archive.ubuntu.com. Get the most popular distros covered, and you should be off pretty good.

    1. Re:Linux by DarwinSurvivor · · Score: 1

      Only if they update from the default mirror. There are thousands of mirrors for each distro, ranging from universities to ISPs and non-profit organizations. Good luck blocking those.

      What you *may* have luck with is providing a local mirror for the major distros (say Ubuntu, Fedora and Mint), then advertising it to the students with the incentive that, being a local mirror, it will be WAY faster. Blocking people only makes them more determined; give them a better solution and they may just solve the problem for you.

  18. Caching Servers by jtara · · Score: 1

    Somebody else posted this suggestion, and it got promptly shot down (in typical Slashdot fashion) by people who know nothing about the subject...

    For at least Apple and Microsoft products, you can install a caching server that will cache the first download of any given update and then deliver from the cache on subsequent updates.

    This is not the same as a caching HTTP server. (That's what was shot down...) These are specific servers made available by Apple and Microsoft, and meant specifically for caching software updates.

    In fact, I have the Apple server installed on my Mac Mini. (It comes bundled with Mavericks Server, which is now just an optional package that installs on top of OSX.) It caches both iOS and OSX updates. I did an Xcode update (>1GB) on my Macbook in 2 minutes flat.

    This would improve performance for your own updates, and would also permit you to offer updates to guests with little overhead, if you so choose.

    Linux is more difficult, as there are quite a number of distributions with different update schemes. But I have to assume that a similar solution is available in most to all cases.

    1. Re:Caching Servers by L4t3r4lu5 · · Score: 1

      For Windows it's WSUS. It's a component of any Server OS, but I wouldn't like to run it on anything that ordinarily has any kind of workload. It's quite resource intensive.

      If this guy has EES licensing I can't see why they wouldn't use it.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    2. Re: Caching Servers by wallydallas · · Score: 1

      We don't want to set up an MS server with WUS service. May be our only hope. Leaves us no other choice.

  19. Re:why give them wifi? by Cramer · · Score: 1

    a) "school" now includes "internet" (unlike when I was a child and we learned from books)
    b) devices do this shit entirely on their own with zero user interaction.

  20. slow down partner by Anonymous Coward · · Score: 1

    you're making a lot of assumptions about the fresnel zone without knowing the frequency the equipment is operating on.

    1. Re:slow down partner by queazocotal · · Score: 1

      Quite - I arbitrarily assumed 2.4GHz.

  21. In Soviet Russia, Windows phases out YOU! by Thor+Ablestar · · Score: 1

    My own personal solution to this problem is to phase out each and every program, OS and anything else that downloads upgrades without the owner's intervention, and there would have to be a really serious need in order to leave such a program, with specific traffic shaping crafted specifically for it. You understand what I mean.

    Also, when I was a sysadmin I just installed a very complicated firewall (ipfw on FreeBSD) that limited the speed of every separate group of users so that a bandwidth hog would affect only his own group. And a sniffer was installed so that I could see the update sources and limit them accordingly.

  22. Girlfriend ? by Anonymous Coward · · Score: 1

    Seriously, I know this is /., but if you get a girlfriend, this letting your visitors use your internet is a moot point.

  23. Re:it may not be available by mysidia · · Score: 2

    I just checked, and there are towns in my province (Canadian prairies) that only have 1.5 Mbps connectivity, and most of the smaller places max out at 5 Mbps.

    Virtually in any town, small or not, there is plenty of fiber and other telecommunications infrastructure. The telephone company essentially needs large digital trunks just to deliver basic phone service.

    If there are providers delivering 1.5 and 5 megabit connections to residents, then they do have high-speed links in the area --- the provider has to have access to some high-speed links in the first place in order to be able to offer 5 megabit connections....

    If significant bandwidth is available over wireless 4G, then again there must be nearby 4G towers in range of the area that also must have access to high-speed links.

    I'm not buying the "the infrastructure is not there" argument for those areas.

    Now: it may be unavailable for political reasons, or the school not willing to spend more than a few $100 a month for a 100 megabit private circuit to an IP transit provider.

  24. Apple Caching Service by PhunkySchtuff · · Score: 1

    On any Mac in your office, running 10.8 (Mountain Lion) or 10.9 (Mavericks) purchase (for $20 or so), download and install the OS X Server app.
    Turn on the Caching service. Problem solved for Apple devices.

    The server then registers itself with Apple, they see the registration coming from your IP, so when further devices from that IP address request a software update, these machines are pointed to your internal Caching server. Then, when a device (or a Mac) tries to download an update or purchase something from the App store, it will come from the persistent cache in preference to the WAN.

  25. the BOFH way by higuita · · Score: 1

    Use iptables rules in the router to allow/disallow traffic at some hours of the day, see this. You can totally block the traffic, or QoS it to oblivion in hot hours and increase its traffic later (join the iptables rules by hours to set the classid and then apply different QoS to them).

    Finally, a caching transparent proxy might help, especially if everyone uses the same sites... it helps the normal browsing (by caching images, css, js, etc) and the updates (local copy if already downloaded). You just need an old computer with some HD and you are done.

    For harder-to-filter services, you can usually block DNS for them... but if you allow it for some time, it might be cached by the clients in peak hours and still work.

    Of course, if you control the clients, you can also configure most of them to only download off hours.

    Finally, you can be a BOFH, permit only allowed traffic and block the rest... or redirect it to some backdoor installer and enjoy the chaos generated

    --
    Higuita
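As an added example (not code from the thread, from DD-WRT, or from the commenter), here is one way to implement the "join the iptables rules by hours to set the classid" idea above on a Linux router: an HTB class for update traffic that only bites during school hours, with a dry-run switch so the generated commands can be inspected before touching a live router. It assumes the LAN bridge is br0, a 3 Mbit/s link as in the question, an ipset named update_hosts that a cron job keeps populated with the resolved addresses of the update servers (hostnames such as mesu.apple.com resolve to changing addresses, so the set, not the rule, carries them), and an iptables build with the time, set and CLASSIFY extensions.

```shell
#!/bin/sh
# Added example, not from the thread: throttle known update servers to a
# trickle during school hours on a Linux/DD-WRT style router.
# Assumptions: clients sit behind br0, the WAN is ~3 Mbit/s, and a cron
# job keeps the ipset "update_hosts" filled with resolved server addresses.
LAN_IF="${LAN_IF:-br0}"            # interface facing the clients (assumed)
LINK_RATE="${LINK_RATE:-3mbit}"    # WAN rate from the question
SLOW_RATE="${SLOW_RATE:-64kbit}"   # what updates get during school hours
HOURS="--timestart 08:00 --timestop 16:00 --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz"
DRY_RUN="${DRY_RUN:-0}"            # DRY_RUN=1 prints commands instead of running

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# HTB tree on the LAN side shapes what clients receive: 1:10 is the default
# class with the full link, 1:20 is the "update" class capped at SLOW_RATE.
# The mangle rule steers packets *from* update servers into 1:20, but only
# inside the time window, so after hours they fall back to 1:10 untouched.
install_rules() {
  run tc qdisc add dev "$LAN_IF" root handle 1: htb default 10
  run tc class add dev "$LAN_IF" parent 1: classid 1:1 htb rate "$LINK_RATE"
  run tc class add dev "$LAN_IF" parent 1:1 classid 1:10 htb rate "$LINK_RATE" ceil "$LINK_RATE"
  run tc class add dev "$LAN_IF" parent 1:1 classid 1:20 htb rate "$SLOW_RATE" ceil "$SLOW_RATE"
  run ipset create update_hosts hash:ip -exist
  # $HOURS is unquoted on purpose so it splits into separate arguments;
  # --kerneltz makes the window follow the router's local time, not UTC.
  run iptables -t mangle -A POSTROUTING -o "$LAN_IF" \
      -m set --match-set update_hosts src -m time $HOURS \
      -j CLASSIFY --set-class 1:20
}

# Add one resolved update-server address to the set (idempotent).
add_update_host() {
  run ipset add update_hosts "$1" -exist
}

# Tear everything down again (e.g. before re-running after a config change).
remove_rules() {
  run iptables -t mangle -D POSTROUTING -o "$LAN_IF" \
      -m set --match-set update_hosts src -m time $HOURS \
      -j CLASSIFY --set-class 1:20
  run tc qdisc del dev "$LAN_IF" root
}

# Without --install on the command line, only print what would be done.
[ "${1:-}" = "--install" ] || DRY_RUN=1
install_rules
add_update_host 203.0.113.10   # constructed documentation-range address
```

Run it as root with `--install` on the router to apply the rules; anything else just prints them. Note that the rules only slow traffic from addresses already in the set, so a server that moves to a new address is unthrottled until the cron job refreshes the set.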
  26. Re:Up to 3Mbps by coolsnowmen · · Score: 1

    I totally understand that they say "up to 5Mbs" on my consumer plan. But I use internet at all hours of the day, and can tell you I average above that at all times. So, while I have no legal retribution if they don't fulfill that (other than to just leave), I haven't had a problem with shared lines in the suburbs since Road Runner.

  27. I've seen QoS work well in a few situations... by Larry_Dillon · · Score: 1

    The feature of Net Equalizer that lets you limit the number of active connections per client works well in limiting P2P traffic. But in other situations, just getting more bandwidth ends up making people happier and costs about the same as trying to limit it, if you include manpower. In an educational situation, Net Equalizer worked well for us. In a business setting, you should be able to mandate that users not do certain things, if management will back you up.

    Another way to do this is to have more than one Internet connection and route some protocols, users or servers over different connections. For example, it can work well to route port 80 and 443 traffic over one connection and everything else over a second connection.

    --
    Competition Good, Monopoly Bad.
  28. Do you... by WillyWanker · · Score: 1

    Also only serve your guests tap water so as not to use up your bottled water supply? Feed them only leftovers so as not to tap into your personal food storage? Only let them watch TV on the small TV in the bedroom so you don't eat up electricity from the big screen??? Make them sit in the cold and dark by refusing to turn on the lights and heat, y'know, cause that shit costs money?

    Geez, remind me never to be an invited guest over to your house. You sound like a real winner.

  29. Re: why give them wifi? by wallydallas · · Score: 1

    Our students are all disabled. 50 of them. Many use speech and text assist iOS apps.

  30. Re: Public network etiquette? by wallydallas · · Score: 1

    Amen. Think of airplane mode. Guest device limiting its own LAN consumption on all apps with one switch the user can find.

  31. And what for private schools? by tepples · · Score: 1

    Apparently, private schools don't qualify for e-rate. Or should the private school relocate next door to a public school?

  32. Re:why give them wifi? by tepples · · Score: 1

    Some students finish their assignments before the bell or finish eating before the end of lunch hour. Some students even live in school-associated dormitories; this is most common for university undergraduates, but some K-12 schools are boarding schools.

  33. Marking an SSID as metered on Android by tepples · · Score: 1

    My Android phone lets me set software updates and podcast downloads to only happen over wifi, under the assumption that cellular data is expensive but wifi data is unlimited. But if I connect to a MiFi access point connected to a cellular connection, my phone currently has no way to discover that it is actually using (limited) cellular data.

    If the version of Android on your phone is anything like the version of Android on my Nexus 7 tablet, you can manually mark a specific SSID as metered. Try Settings > Data usage > Overflow menu (the three dot colon) > Mobile hotspots.

  34. OS distinguishes metered and unmetered SSIDs by tepples · · Score: 1

    the os manufacturers need to have a network etiquette setting which disables updating at specific locations

    Android makes a distinction between metered and unmetered SSIDs. Go to Settings > Data Usage > Overflow menu > Mobile hotspots. Windows 8 does something similar, but only for Windows Store apps as far as I know.

  35. Re:it may not be available by nobuddy · · Score: 1

    And their backhaul is 5Mbps, from which they have sold 1.5Mb links to 1500 people....