t3rm
Member Candidate
Topic Author
Posts: 143
Joined: Sat Aug 04, 2007 1:57 pm
Location: Bandung - WJ - Indonesia

Connection Limit on One Way Connection.

Sun Nov 09, 2008 1:13 pm

Hello all,

I would like to apply a connection limit to the traffic over the DVB I have.
It seemed it didn't work.
Is there any solution using conn-limit for a one-way route?

Thanks
 
normis
MikroTik Support
Posts: 26387
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Connection Limit on One Way Connection.

Wed Nov 12, 2008 4:13 pm

You want to limit the number of connections going out a specific interface?
/ip firewall filter add chain=forward out-interface=wan protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop
This would allow only 5 connections out of the WAN interface (the rule says to drop the 6th packet per one IP (subnet mask /32)).
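
The counting behaviour described in the reply above, as an added Python model (not part of the original post and not RouterOS code). The names `ConnLimitRule`, `syn`, `close` and `replay` are hypothetical, the addresses are constructed, and the model assumes a dropped SYN is not counted as an open connection:

```python
import ipaddress
from collections import Counter


class ConnLimitRule:
    """Hypothetical model of: tcp-flags=syn connection-limit=LIMIT,MASK action=drop."""

    def __init__(self, limit, mask):
        self.limit = limit        # first value of connection-limit (6 in the post)
        self.mask = mask          # second value: prefix length used to group sources
        self.open = Counter()     # tracked connections per source block

    def _block(self, src):
        # Group the source address by the rule's netmask (/32 = one host).
        return ipaddress.ip_network(f"{src}/{self.mask}", strict=False)

    def syn(self, src):
        """Decide the fate of a new TCP SYN from src: 'accept' or 'drop'."""
        block = self._block(src)
        # Assumption: the SYN would become connection number open+1, and the
        # rule drops it once that number reaches the limit (the "6th" in the post).
        if self.open[block] + 1 >= self.limit:
            return "drop"
        self.open[block] += 1
        return "accept"

    def close(self, src):
        """A tracked connection from src ended, freeing one slot."""
        block = self._block(src)
        if self.open[block] > 0:
            self.open[block] -= 1


def replay(rule, sources):
    """Feed a sequence of SYN source addresses through the rule."""
    return [rule.syn(src) for src in sources]


if __name__ == "__main__":
    # Constructed sample traffic (addresses are made up for the example).
    per_host = ConnLimitRule(6, 32)
    print(replay(per_host, ["10.0.0.5"] * 7 + ["10.0.0.9"]))
    per_subnet = ConnLimitRule(6, 24)
    print(replay(per_subnet, ["10.0.0.5"] * 3 + ["10.0.0.9"] * 3))
```

With the mask set to 24 instead of 32, every host in the same /24 shares one pool of 5 connections, so the second host is cut off after the first has used its share.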
 
radocicala
Member Candidate
Posts: 136
Joined: Fri Aug 10, 2007 6:56 pm

Re: Connection Limit on One Way Connection.

Fri Dec 05, 2008 1:34 pm

I used this rule both ways, in and out, in the firewall and it doesn't work; one IP has more than 6 connections.
Image

Here are my rules:
 0   chain=forward action=drop tcp-flags=syn protocol=tcp out-interface=WAN 
     connection-limit=6,32 

 1   chain=forward action=drop tcp-flags=syn protocol=tcp in-interface=WAN 
     connection-limit=6,32
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Connection Limit on One Way Connection.

Fri Dec 05, 2008 2:08 pm

No, it doesn't - I see only 2 connections there.

The rest are only packets received on the interface - the firewall most probably drops them a little bit later inside the router - I'm sure that if you take a look at the other side (opposite interface) you will see only 2 connections.
 
radocicala
Member Candidate
Posts: 136
Joined: Fri Aug 10, 2007 6:56 pm

Re: Connection Limit on One Way Connection.

Fri Dec 05, 2008 2:41 pm

OK, thanks. And what will happen if somebody is using p2p (many connections), but this rule allows just 5? What if he then wants to open a website, will he be able to open the website?

Also, I had loaded a p2p program and it opened a lot of connections (they are still in connections), and the p2p program is now closed. Is there a way to remove them from there, and is that a good idea?

Could it work for p2p if, instead of TCP (syn), I put all-p2p and the same limit for IP? Or how do I limit to e.g. 20 connections for all p2p?
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Connection Limit on One Way Connection.

Fri Dec 05, 2008 3:53 pm

It will allow only the first 5 connections; it doesn't matter what connections those are. It is possible to have some filters, but that will not solve the problem - connection limiting for customer traffic on a permanent basis is a bad thing. You can use it to stop some kind of flood for some time if a user is infected, but in all other cases it will cause much more problems.

Why do you need to restrict P2P?

Here we just inform the customer that he has 1 Mbps of traffic and that if he uses it for other things such as p2p he will have a browsing problem. So the only thing I care about is how to provide the customer with a strict limit, and then apply priorities to the global stream of all summarized customer traffic.
 
radocicala
Member Candidate
Posts: 136
Joined: Fri Aug 10, 2007 6:56 pm

Re: Connection Limit on One Way Connection.

Fri Dec 05, 2008 5:17 pm

Thanks. I decided to limit just the number of p2p connections. What is ideal per IP for download (I was thinking 30 per IP) and upload (20 per IP)?
Also, I read somewhere that to prioritize p2p one can use limit (it is under connection limit), like this; please can you explain what that limit is doing and what rate is ideal to put there.
For example:
 3   ;;; CN-limit-p2p1
     chain=forward action=drop protocol=tcp packet-mark=p2p1-in 
     connection-limit=50,32 

 4   chain=forward action=drop protocol=tcp packet-mark=p2p1-out 
     connection-limit=30,32 

 5   ;;; PR-limit-p2p1
     chain=forward action=accept packet-mark=p2p1-in limit=150,30 

 6   chain=forward action=drop packet-mark=p2p1-in 

 7   chain=forward action=accept packet-mark=p2p1-out limit=150,50 

 8   chain=forward action=drop packet-mark=p2p1-out 
