Using a mikrotik router and need to figure out how one would go about making a global per user tcp limit. basically i want to limit every host behind the mikrotik to 60 max tcp connections.

Anyone know what im supposed to be setting in the ip-firewall area for a rule? ive found what im looking for i think, but since i could not find anything about this in the manual i figure i should ask first.

v2.9 router os btw.

Not sure if there is a difference with 2.9 and 3.20 but here is what I've used.
This example will limit each user on the 10.0.102.0 network to 70 connections.

What does the limit mask (connection-limit=71,32) of 32 mean in this case? You allow 71 connections per individual source IP to a /32 range (individual IP)? So you allow 71 connections from any source to any destination? Shouldn't this be connection-limit=71,0 ? So you limit the global total connections going anywhere from an individual IP?

I guess I don't really know if this limit mask aplies to the source or the destination range ... the documentation says nothing about this.

Geza

It limits based on source address connections. /32 is per ip address of network in src-address.
70 connections permitted. 71st connection is dropped.
Change the numbers to suit your needs.

will give that a try, think i figured out how to do that in the gui. testing on the workbench later today. thanks guys.

ran a bitt torrent download a well seeded one, it appears to be working. doesnt go over the connection limit. forgot to set the tcp flag to syn. wasnt working till i did that.

i have a problem, that rule seems to have limited the entire 10.10.1.0 ip range to 60 connections. not 60 connections per ip address.

this is what i have set when i display the firewall rule in console:

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; tcp connection for 10.10.0.0
chain=forward action=drop tcp-flags=syn protocol=tcp src-address=10.10.1.0/24
connection-limit=61,32


if i fire up bit torrent off one computer in the same ip range the other computer looses connection.


any ideas?

tried to set the source address to a single IP address, so a rule for 1 ip.

speedtesting on one computer while another is downloading a torrent, i see major performance issues one the one that is not bit-torrenting.

on a RB433 board, running router OS 3.22.

is this kind of thing just not supported or something?

Is there any solution, i have the same problem! I have created two filter rules in chain:

chain=forward action=add-src-to-address-list tcp-flags=syn
address-list=80 konekcija address-list-timeout=10m protocol=tcp
connection-limit=80,32

chain=forward action=drop src-address=192.168.1.0/24
src-address-list=80 konekcija protocol=tcp connection-limit=80,32

pppoe-users are attached to 192.168.1.0/24, after a while looks like the following rule is applied to all ip range, then to single ip user!

Any suggestions?

Just tried the same rule on 3.23 version,

ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=drop tcp-flags=syn protocol=tcp
src-address=192.168.66.0/24 connection-limit=5,32

One user's connections are not borrowed from other, in other words 5 connections are not shared between users in 192.168.66.0/24 network.
You specify 5,32 in connection-limit, 32 means for every client in the particular network, 5,24 is for the entire network.

Please, make sure that user 1 does not use 60 connections, while user 2 has 60 connections as well. Torrent programs are extremely "heavy" about created connection number.

You can check /ip firewall connection print (I suggest to use Winbox) to review all connections, which are created by users. There you should see all picture.

Firstly, thank you sergejs for your post!

Second,

Are you recommending me to upgrade to OS 3.23 ? I have 3.13 on x86 platform.

So according to my chain rules above your reply, everything is ok? Since i am using 32bit netmask it applies to
single IP user not the whole IP range for pppoe-users?! But still after i while, since one user fills the 80 connections it starts to apply to the whole ip range! Your quote "Please, make sure that user 1 does not use 60 connections, while user 2 has 60 connections as well. - Is this refers to 80,24 ?? I didn`t understand quite well! But if i put 150 connections it behaves the same! Since P2P traffic is quite heavy and opens a lot connections!

I am also using winbox , tracking connection in Firewall to see all the connections

It was a typo, I was thinking about 80 connection (not 60).
Yes, rules are correct and these rules are working fine for me at 3.23/3.24.
Make sure router has connection tracking enabled, /ip firewall connection

i will try upgradint to the latest software and try again and see if i have any luck.

have upgraded to 3.25 and am having issues still. I am using pppoe, so first i make sure the bridge is using the ip firewall for pppoe.

set the rules like you have it, and when i fire up bit torrent on one computer, the other computer's performance suffers. like it has limited 60 connections for everyone as opposed to 1 person.

serjejs: what do you mean by not allowing 60 connections for one user then 60 connections for another? i thought that was the whole point? i need to limit every ip to 60 tcp connections.

anyone who has successfully implimented this willing to have a look at my test unit? i can pm ip details and user/pass. I am completely out of rope. Im going to have to add a neteq to every tower site now if this doesnt work.

I am still having the same problems. I thought that problem was because of OS 3.13! But since derr12 has upgraded and still has issues, i am without a clue. After a while people are calling me complaining that they can ping google, but when they open browser, it won`t load a page!
As soon as i change action to "accept" instead of "drop" in Firewall filter settings it starts working normally. I explained my settings above, and everything is ok!

Milos, yes, everything that you wrote is correct.

Users can ping google, but they are not able to browse google.
Your limit rule is working only for TCP traffic, ping are ICMP and are not blocked.
I'm still have the idea, that user is not able to open web-page, because actual connection limit is reached (by torrent or any other connection hungry program), check /ip firewall connection for the active connection, which are opened by the particular IP address.

Thans again for your reply Sergejs.

Unfortunetely i am having the same problems. I had tried everything. I`ve checked connection tracking after a phone call from one client complaining that he cannot open any page, i have checked connection tracking he had only 5 connections! again my rules are correct - i suppose that something is wrong and that somehow rules are applied to the whole IP range 80,24 instead of 80,32.

I saw something very interesting!! In the "address list" section where it tracks and shows all the clients that had reached "80 connections" instead of only 192.168.1.0/24 (ip range given to track as source address) there are also a lot of other addresses, addresses like x.x.x.x/24 or x.x.x.x/32 ??? How is that happening ??

post your exact rule here

based on the above topic. I have d same issue whihc i want to aachieve. assuming I have 3 NIC in the MT. ether2 is for my lan users, while ether3 is for my hotspot users/wireless users.

how do i run the command to affect both the lan users and and hotsppt users. My lan users ip range are 192.168.0.1/24 running static while my hotspot users ip range are 193.168.20.1/24 (dhcp) assigned.

Well it looks like limiting tcp connections on a pppoe session is not doable. I cant even use a neteq to do that because the pppoe connection hides the local ip from the neteq.

looks like there are a couple possibility's

1. abandon pppoe and authenticate/set speeds from the access point or SM instead of using radius. most people have had no issues limiting tcp connections this way.
2. mikrotik adds an extended radius attribute for use with aradial radius server software so that the pppoe sessions peramaters recieved from the radius server can include connection limits.
3. mikrotik releases a firmware that makes tcp connection limits work per pppoe session.

wouldnt mind if the developers had a poke at this issue to see if these units were ever intended to have this functionality with pppoe.

Ok my rules are,

chain=forward action=add-src-to-address-list tcp-flags=syn
address-list=80 konekcija address-list-timeout=10m protocol=tcp
connection-limit=80,32

chain=forward action=drop src-address=62.x.x.x/24
src-address-list=80 konekcija protocol=tcp connection-limit=80,32

In the address list section, i have some ip addresses that are not the same as given in the source like 172.x.x.x and they should be 62.x.x.x
Are my rules correct ?

remove first rule, and unset 'src-address-list' in second rule and post the results...

i use the INPUT chain to limit tcp connection per user.

ADD chain=input in-interface=Local protocol=tcp connection-limit=20,32 action=drop

best regards

'input' is router's connections. for users, use 'forward'

but every tcp connection come to router from clients is to INPUT chain. and i put it on forward but nothing happen.

well, if you use proxy - then yes, you should use both 'input' and 'forward'

do u mean if i put the rule in INPUT chain only i will limit the conection to webproxy? and if i put it in forward i will limit the direct connection to the internet as messenger and voip etc,,,?

and this rule is right ? or i miss something in it?
add chain=input in-interface=Local protocol=tcp connection-limit=20,32 action=drop
NB: i want to put it in forward and Input chain.

Well, i did as you said Chupaka, but since i have removed src-address i can`t see which IP/user is making given amount
of connections ? Based on removed things for almost 1 day i had no problems, except i can`t see who is making them

Well, i did as you said Chupaka, but since i have removed src-address i can`t see which IP/user is making given amount
of connections ? Based on removed things for almost 1 day i had no problems, except i can`t see who is making them

you may add a rule before you dropping rule to first add src-address to address list =) then you will see, who was blocked at least once =)

based on the above topic. I have d same issue whihc i want to aachieve. assuming I have 3 NIC in the MT. ether2 is for my lan users, while ether3 is for my hotspot users/wireless users.

how do i run the command to affect both the lan users and and hotsppt users. My lan users ip range are 192.168.0.1/24 running static while my hotspot users ip range are 193.168.20.1/24 (dhcp) assigned.

No one has responded to my question above. How can the rule be applied to a system with 3 network cards. Will I have 2 rules for each src address or is there a way t write a script that will take care of them all.

Thanks

something like

add chain=forward out-interface=ether1 protocol=tcp connection-limit=N,32 action=drop

unless u write all these things and rules, why not some expert write the necessary rules to limit TCP connection with and without webproxy and end this large dicusions?

because you have to understsand what is what in routeros. And you have to exactly know what means what in these diagrams:
http://wiki.mikrotik.com/wiki/Packet_Flow

so then you understand where is the difference between prerouting postrouting chains, what is the difference between forward, input and output chains.

when it is better to use interface and when ip address etc.

actually i read it alot but didn't understand anything i think MT is more simple. INPUT where all connections get in router, forward when routing operations happen and output when connection leave the MT.

Reviving an old thread...

I have had the tcp connection limit working for quite some time, but i want to make an exception for a commercial client. this should work yes?

[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

1 X chain=forward action=log protocol=tcp connection-limit=60,32
log-prefix="I reset this session"

2 ;;; commerical exception
chain=forward action=drop protocol=tcp src-address=10.0.0.57
connection-limit=200,32

3 ;;; tcp connection limit
chain=forward action=drop protocol=tcp connection-limit=80,32

yes, that is the ip of the person i want to have 200 connections instead of the 80 connections everyone else gets.

Oh i see what you mean, there is anexception tag i needed to add. perfect, thanks.

so if i was to add another exception would i just add a comma and then another address, and then the other limiting rule?

for several addresses, use Address List

got it, thanks!

should look like this right?

0 X ;;; tcp connection limit
chain=forward action=drop protocol=tcp src-address-list=!exclude
dst-address-list=!exlcude connection-limit=80,32

that would not apply the rule if it was coming from or going to the IP's in the list "exclude"

Ok how about this then, lets say i wanted to limit a list of ip ranges to 80 tcp connections but leave everyone else alone without having to add an ip address to the exclude list everytime i commision a server or add a commercial client.

would i do this? does this limit connections either to OR from or too AND from only?

0 X ;;; tcp connection limit
chain=forward action=drop protocol=tcp src-address-list=include
dst-address-list=include connection-limit=80,32


or would i have to do two rules to limit 40 up and 40 down?

0 X ;;; tcp connection limit
chain=forward action=drop protocol=tcp src-address-list=include
connection-limit=40,32

1 X ;;; tcp connection limit
chain=forward action=drop protocol=tcp
dst-address-list=include connection-limit=40,32

TCP connection is bi-directional

hey ,

its easy man to do it in ip firewall filter
all you need that you should have a pool for your profile for example 112.113.3.0/24 for 265KB profile then in the filter add this rule by changing the limit to the number you want.

/ip firewall filter
add action=drop chain=forward comment="256 KB Limit Session" connection-limit=41,32 disabled=no protocol=tcp src-address=112.113.3.0/24 tcp-flags=syn

Try it

TCP connection is bi-directional

So the first rule would work then yeah?

Oh wait, i dont need the dst address. in the first rule. durp.

Hi, sorry I know this an old post but I didn't understand this rule:

Code: Select all

/ip firewall filter set 3 src-address=!10.0.0.57

An how would be the example with the address list?

Thanks.

I DONT KNOW WHY
i tried all of these rules and there is no result

please i need an obvious rule
thanks in advance

Hi, sorry I know this an old post but I didn't understand this rule:

Code: Select all

/ip firewall filter set 3 src-address=!10.0.0.57

An how would be the example with the address list?

Thanks.

this changes one rule (specifically rule #3) in firewall to not match traffic from certain address since all arguments in rule are processed with logical AND.

better write what you want to achieve, and what rule you have to do that (what you have tried)

Hi, thanks for your reply. I need a rule to bypass the ips in an address list from this rule:

add action=drop chain=forward connection-limit=101,32 disabled=no protocol=tcp src-address=172.165.15.0/24 tcp-flags=syn

Thanks.

Hi, thanks for your reply. I need a rule to bypass the ips in an address list from this rule:

add action=drop chain=forward connection-limit=101,32 disabled=no protocol=tcp src-address=172.165.15.0/24 tcp-flags=syn

Thanks.

so, just replace "action=drop" with "action=add-src-to-address-list address-list=YOUR_LIST_NAME" in that rule

Thanks Chupaka, but what I don't know how to do is make a rule to bypass the limitation rule not to add to the adress list, could you please help me with that?

Best regards.

if you don't want to add to address-list - just disable/remove that rule %)
I don't understand the problem...

What I need to do is to bypass some clients from the limit rule

oh, now it's cleas. just add 'src-address-list=!your_allowed_list' to the rule

Hi...

Just wonder know, how we can count on the tcp session?
it based on ???

thanks...

it's based on the info from Connection Tracking