draguzet
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri Jul 01, 2011 10:28 am

Firewall settings on base station to limit connections?

Thu Mar 01, 2012 11:25 pm

Hi!

I have a problem on a base station similar to this thread: http://forum.mikrotik.com/viewtopic.php?f=7&t=46374 ; it seems that my problem is also torrent users :(
First I put this rule (10.52.152.0/24 = wireless users network):
/ip firewall filter
# match once a single source host (/32) has reached 100 TCP connections, then drop
add action=drop chain=forward connection-limit=100,32 disabled=no protocol=tcp \
    src-address=10.52.152.0/24
But after a day or two the problems are back; 11000 connections are active on a base station that holds 40 clients, that is too much in my opinion?

Now I have put these firewall rules:
/ip firewall connection tracking
# short timeouts so idle entries leave the connection table quickly
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=12h \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=\
    5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
    udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
# accept the listed services and traffic to 10.52.152.2 before the limit rules
add action=accept chain=forward disabled=no dst-port=25 protocol=tcp \
    src-address=10.52.152.0/24
add action=accept chain=forward disabled=no dst-port=21 protocol=tcp \
    src-address=10.52.152.0/24
add action=accept chain=forward disabled=no dst-port=80 protocol=tcp \
    src-address=10.52.152.0/24
add action=accept chain=forward disabled=no dst-port=443 protocol=tcp \
    src-address=10.52.152.0/24
add action=accept chain=forward disabled=no dst-port=53 protocol=udp \
    src-address=10.52.152.0/24
add action=accept chain=forward disabled=no dst-port=110 protocol=tcp \
    src-address=10.52.152.0/24
add action=accept chain=forward disabled=no dst-address=10.52.152.2 \
    src-address=10.52.152.0/24
# log, then drop, in both directions once a single host (/32) has reached 100 connections
add action=log chain=forward connection-limit=100,32 disabled=no log-prefix="" \
    src-address=10.52.152.0/24
add action=log chain=forward connection-limit=100,32 disabled=no dst-address=\
    10.52.152.0/24 log-prefix=""
add action=drop chain=forward connection-limit=100,32 disabled=no dst-address=\
    10.52.152.0/24
add action=drop chain=forward connection-limit=100,32 disabled=no src-address=\
    10.52.152.0/24
Any recommendation? Is this OK? Because I see that many connections are UDP, and now I block all traffic below the limit "100" per IP, and see that it is blocking a lot of UDP traffic!
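To see what `connection-limit=100,32` actually groups on, here is an added example (not MikroTik's code or the poster's) that models the matcher over a constructed connection table in Python: with mask 32 only the host holding 120 flows is matched, while with mask 24 the whole wireless subnet becomes one bucket and every client in it would match. Function names and the sample addresses are my own.

```python
"""Offline model of the RouterOS 'connection-limit=LIMIT,MASK' matcher.
Added example, not MikroTik code; the sample table below is constructed."""
import ipaddress
from collections import Counter


def constructed_connection_table():
    """Fake connection table: one (protocol, src, dst) tuple per tracked flow."""
    table = []
    # one wireless client behaving like a torrent peer: 120 UDP flows
    table += [("udp", "10.52.152.17", f"198.51.100.{i % 250 + 1}") for i in range(120)]
    # two ordinary clients with a few TCP flows each
    table += [("tcp", "10.52.152.23", "203.0.113.10")] * 30
    table += [("tcp", "10.52.152.40", "203.0.113.20")] * 5
    return table


def prefix_for(addr, mask_bits):
    """Address block the matcher counts against (/32 = per host, /24 = per subnet)."""
    return ipaddress.ip_network(f"{addr}/{mask_bits}", strict=False)


def connections_per_prefix(table, mask_bits, side="src"):
    """Count tracked connections per address block on the chosen side."""
    idx = 1 if side == "src" else 2
    return Counter(str(prefix_for(row[idx], mask_bits)) for row in table)


def blocks_at_limit(table, limit, mask_bits, side="src"):
    """Blocks the rule would match: RouterOS matches once the limit is reached."""
    counts = connections_per_prefix(table, mask_bits, side)
    return {block: n for block, n in counts.items() if n >= limit}


def protocol_breakdown(table, block):
    """Protocol mix inside one matched block (the poster saw mostly UDP)."""
    net = ipaddress.ip_network(block)
    return Counter(proto for proto, src, _ in table
                   if ipaddress.ip_address(src) in net)


if __name__ == "__main__":
    conns = constructed_connection_table()
    print(blocks_at_limit(conns, 100, 32))  # per host: only the heavy client
    print(blocks_at_limit(conns, 100, 24))  # per /24: the whole subnet matches
    print(protocol_breakdown(conns, "10.52.152.17/32"))
```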
