spire2z
Long time Member
Topic Author
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

connection-limit question

Thu Mar 17, 2005 2:02 am

Hi,
I have searched the forum and docs but been unable to answer this:

The connection-limit function limits each local IP to the specified TCP connection limit, I do know. But is it possible to do it so the connections are limited to an amount of connections per server on the internet and an overall limit per local IP also?

Also, can anybody from MikroTik say if the UDP connlimit that is a patch available to netfilter/iptables will be added to MikroTik?

I'm using 2.8 right now.
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Thu Mar 17, 2005 9:18 am

You can specify a rule to match any criteria given in the available fields.

Just specify the network that you want to limit the connections on, or the host, and set the connection-limit and choose an action (drop/accept/....)

Just define the rule to match the traffic you want to limit...
 
spire2z
Long time Member
Topic Author
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

Thu Mar 17, 2005 2:13 pm

Would it work if I specified:

0.0.0.0/32 as the src address and limit to 2 connections

would that limit each client to 2 connections per server on the internet

and if I added another rule:

0.0.0.0/24 as the dst address limit to say 10

would that give each client 2 connections per webserver and a max total of 10 all together with the subnet addressing a single machine and the next rule addressing the whole subnet?

Thanks for any replies and also for the previous reply :)
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Thu Mar 17, 2005 5:41 pm

Would it work if I specified:

0.0.0.0/32 as the src address and limit to 2 connections

would that limit each client to 2 connections per server on the internet

and if I added another rule:

0.0.0.0/24 as the dst address limit to say 10

would that give each client 2 connections per webserver and a max total of 10 all together with the subnet addressing a single machine and the next rule addressing the whole subnet?

Thanks for any replies and also for the previous reply :)

/32 is going to mean a full 32 bit IP address (10.200.4.14/32)

so like...
/ip firewall rule forward add src-address=10.10.10.5/32 limit-count=2
that would limit all packets from 10.10.10.5 to 2 connections.

to do a full /24 network it would look something like this...
/ip firewall rule forward add src-address=10.10.10.0/24 limit-count=10
That would limit the whole network 10.10.10.0/24 to 10 connections...

Now if you flipped the script and specified the dst-address, that would only allow "x" amount of connections to that specific host/network.
 
spire2z
Long time Member
Topic Author
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

Thu Mar 17, 2005 9:05 pm

So could the syntax:

0.0.0.0/32 to apply a connection limit to any individual dst address on the internet?

thanks.
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Fri Mar 18, 2005 8:35 pm

So could the syntax:

0.0.0.0/32 to apply a connection limit to any individual dst address on the internet?

thanks.

0.0.0.0/0 is used for default routes and wildcard (to mean all traffic).. if you specified a /32 it would only match packets with the src/dst of 0.0.0.0. Since that's not a valid IP address I don't think it's going to match any traffic at all?
 
spire2z
Long time Member
Topic Author
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

Sat Mar 19, 2005 3:07 pm

I have successfully used the syntax:

0.0.0.0/24 dst address to limit connections to ALL hosts by x per local IP.

So it kinda makes sense that:

0.0.0.0/32 dst address would limit connections to EACH host by x per local IP

I will have to try it and let you know?

Also, anybody know if the UDP connlimit patch for Netfilter would make its way to MT?
 
lastguru
Member
Posts: 432
Joined: Fri May 28, 2004 9:04 pm
Location: Certified Trainer/Consultant in Riga, Latvia
Contact:

Mon Mar 21, 2005 1:08 pm

0.0.0.0/32 dst address would limit connections to EACH host by x per local IP

I do not follow, what makes you think so? The 0.0.0.0/32 source address is for connections that the router makes itself, and for which no source address has been determined yet. I have no idea how the destination of 0.0.0.0/32 would be useful. Please enlighten us...
 
spire2z
Long time Member
Topic Author
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

Tue Mar 22, 2005 1:02 pm

Well I don't know for sure if it will work but it does make sense to me anyway!

It would theoretically apply to all individual connections but set a limit per each server IP rather than per all server IPs.

As above you will see the 0.0.0.0/24 applies the rule to a connection limit per LAN IP of x connections total max connections to the internet. I know that works OK.

But this has a problem with IE that some web pages with lots of adverts make many connections, so limiting below, say, 50 causes browsing problems.

To address this issue I looked into limiting connections per server IP rather than an overall connlimit, and nobody could really help, so that was my best theory. I figured that the 0.0.0.0 would apply to all connections and the subnet 32 would indicate each remote IP rather than all!

The general idea was to get some feedback and maybe the correct syntax to do what I want to do?? Maybe nobody does this kind of stuff. I only have to, to get a satellite connection to be reliable, and not many people use satellite broadband with its limitations.
 
Eugene
Forum Veteran
Posts: 986
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Tue Mar 22, 2005 5:57 pm

add proto=tcp tcp-options=syn connection-limit=5 action=drop
Every computer can make no more than 4 TCP connections through the router.
 
spire2z
Long time Member
Topic Author
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

Tue Mar 22, 2005 7:30 pm

Code:
add proto=tcp tcp-options=syn connection-limit=5 action=drop


Every computer can make no more than 4 TCP connections through the router.

I know that,
but I need to limit connections per internet IP address rather than a limit overall for all because that way will cause browsing problems and you would need to allow like 70 connections which would defeat the whole object of the task in the first place.
 
yogi
Frequent Visitor
Posts: 63
Joined: Fri May 28, 2004 4:23 pm

Thu Mar 24, 2005 10:45 am

wildbill showed how to limit connections from a single client
/ip firewall rule forward add src-address=10.10.10.5/32 limit-count=2
you could use this next snippet for a specific server outside your network which you know the IP of:
/ip firewall rule forward add dst-address=165.165.165.165/32 limit-count=20
so all of your clients would be limited to 20 connections to that server

This, I believe, you know and is not the question. Are you trying to limit each client to a specific amount of outgoing connections? Or limit your entire network to a set amount of connections to every possible IP in the world?
 
Eugene
Forum Veteran
Posts: 986
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

2 spire2z

Thu Mar 24, 2005 11:44 am

Connection-limit in v2.9 limits connections per address block.
 
spire2z
Long time Member
Topic Author
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

Thu Mar 24, 2005 2:57 pm

I know how to limit max connections outgoing and that works fine.

What I want to do is limit the number of connections per any server on the internet but not limit on total connections. I know that if I knew the IP of a server I can do that but I want to put a rule that will apply to any webserver address so a user can only open say one connection per web server but still be able to connect to multiple servers at the same time.

You will see an explanation of why this is necessary above.
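
The distinction the thread keeps circling, as an added example that is not part of any post: the prefix length used for counting decides which connections share one counter, while the prefix in a src/dst match only decides which packets the rule sees. The sketch assumes every connection stays open during the replay; apart from 10.10.10.5 the addresses are constructed, and `block`, `admit` and `summary` are hypothetical names.

```python
import ipaddress
from collections import Counter


def block(addr, prefix):
    """Network containing addr at the given prefix length (0 = everything)."""
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def admit(syns, limit, src_prefix=32, dst_prefix=0):
    """Replay (src, dst) connection attempts against one counting rule.

    Connections are counted per (src block, dst block). An attempt is dropped
    when its group already holds `limit` accepted connections.
    Assumption: no connection closes during the replay.
    """
    counts = Counter()
    accepted, dropped = [], []
    for src, dst in syns:
        key = (block(src, src_prefix), block(dst, dst_prefix))
        if counts[key] < limit:
            counts[key] += 1
            accepted.append((src, dst))
        else:
            dropped.append((src, dst))
    return accepted, dropped


def summary(syns, **rule):
    """(accepted, dropped) counts for one rule."""
    acc, drop = admit(syns, **rule)
    return len(acc), len(drop)


# Constructed traffic (documentation address ranges, not from the thread).
# Ad-heavy page: 6 web servers, 2 connections each = 12 connections.
WEB = [("10.10.10.5", f"192.0.2.{i}") for i in range(1, 7) for _ in range(2)]
# P2P-style fan-out: 1 connection to each of 40 peers.
P2P = [("10.10.10.6", f"198.51.100.{i}") for i in range(1, 41)]

if __name__ == "__main__":
    print("web, 10 total per client:", summary(WEB, limit=10))
    print("web, 2 per client+server:", summary(WEB, limit=2, dst_prefix=32))
    print("p2p, 2 per client+server:", summary(P2P, limit=2, dst_prefix=32))
    print("p2p, 10 total per client:", summary(P2P, limit=10))
    print("all, 10 per /24 block:   ", summary(WEB + P2P, limit=10, src_prefix=24))
```

A per-client total of 10 cuts 2 connections from the 12-connection page load, while a limit of 2 per client and server admits the whole page. The same per-pair limit also admits all 40 P2P connections, so it does not replace an overall cap on a link with a fixed connection budget.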
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Thu Mar 24, 2005 5:51 pm

why not do aggressive firewalling and bandwidth shaping if your backhaul is getting maxed out?
 
spire2z
Long time Member
Topic Author
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

Thu Mar 24, 2005 6:09 pm

I do that also. You will only realise if I tell you we have to use a satellite link of 2mbps down and 512kbps up. The satellite link is very good bandwidth wise and we pretty much get 2mbps all the time, but the sat link is limited to 100 tcp connections. I have PCQ the overall link to 2mbps/512kbps and each user is limited to 1mbps/256kbps. The problem is the connection limit on the link. I have about 100 computers on this network and when a user gets on p2p the connection limit is always reached. I have limited the connections on ports below 80 to 10, port 80 to 60 and above port 80 to 5 connections to stop this sat link clogging up. This works pretty well, but really I would like to do less connections on port 80 too, but this will cause browsing problems on advert-heavy sites because each web server can open several connections and before you know it you're getting timeouts. There needs to be a way to limit also the max connections to each and every web server without entering all the IPs.

The trade-off is keeping the customers happy. You see, if my firewalling is too aggressive I will have complaints to deal with, but if I do it this way they do not realise; it just stops their applications getting out of control and maybe they suffer some performance, but who cares for p2p and aggressive stuff. It's just unfortunately the big selling point for a broadband connection, so to block is bad.
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Thu Mar 24, 2005 6:22 pm

There needs to be a way to limit also the max connections to each and every web server without entering all the ip's.
There is, just make a rule with the dst and src 0.0.0.0/0 and set your connection limit to <100 that will limit all connections to sub 100 connections.. or whatever value you specify.

I use a rule similar to this to block SYN_flood attacks on my network.

This will limit all connections, ingoing/outgoing and for any protocol.

::EDIT::

You could even get more specific and create rules for ingress and egress traffic.. limit the incoming connections to something real low and allow more outgoing connections. Just specify your entire network in either the src/dst field.
Last edited by wildbill442 on Thu Mar 24, 2005 6:27 pm, edited 1 time in total.
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Thu Mar 24, 2005 6:24 pm

You might also want to create a conn-limit for peer2peer applications specifically.. and limit that to like 5-10.. because those applications are going to make a lot of connections.

I know what you're saying, but if it's affecting your overall network performance and other users, I'd just assume block it until you can get a decent backhaul.
 
spire2z
Long time Member
Topic Author
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

Fri Mar 25, 2005 8:00 pm

Thanks. It's not long until new types of connections are available in our area.
 
Art
Member Candidate
Posts: 123
Joined: Thu Jan 27, 2005 10:14 pm

Fri Apr 01, 2005 1:43 pm

hmm what rule action i must set to limit connections?
accept, drop ?

src-address=192.168.1.0/24 flow=p2p-src-local limit-count=500
action=accept??
 
sten
Forum Veteran
Posts: 919
Joined: Tue Jun 01, 2004 12:10 pm

Fri Apr 01, 2005 3:25 pm

Eugene mentioned "drop" in a previous post.
Which to me seems to make sense :D
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Fri Apr 01, 2005 8:54 pm

Code:
0   in-interface=WAN protocol=tcp tcp-options=syn-only limit-count=100
     limit-burst=10 limit-time=1s action=return

1   in-interface=WAN protocol=tcp tcp-options=syn-only action=drop

I have a jump rule from the forward chain to this chain.

it returns "good" traffic and drops excessive syn attempts.
 
waylockwisp
just joined
Posts: 15
Joined: Tue Nov 09, 2004 3:00 am
Location: Midwest USA

excessive syn attempts

Fri Apr 01, 2005 10:08 pm

I use a rule similar to this to block SYN_flood attacks on my network.
Code:
0 in-interface=WAN protocol=tcp tcp-options=syn-only limit-count=100
limit-burst=10 limit-time=1s action=return

1 in-interface=WAN protocol=tcp tcp-options=syn-only action=drop



I have a jump rule from the forward chain to this chain.

it returns "good" traffic and drops excessive syn attempts.

wildbill442, would you be willing to elaborate a bit more on these syn_flood attacks with respect to any negatives to implementing this rule? How can I determine if 100 is the right amount for a given system? I'm trying to get up to speed on the various attacks, how to identify an attack on my system while it is occurring (or afterwards) and how to mitigate any potential damage through aggressive firewalling.

Thanks,

-CW
 
sten
Forum Veteran
Posts: 919
Joined: Tue Jun 01, 2004 12:10 pm

Fri Apr 01, 2005 11:07 pm

A SYN attack is when people send TCP packets with the SYN flag (from almost always spoofed source addresses) at such a rate that the victim computer gets its resources exhausted (unable to make new connections that are valid, or runs out of memory/CPU time). Most stateful firewalls will roll over and crash or will be unable to forward/service valid requests because their state table is full/memory exhausted.
SYN packets make a request to open a socket, and traditionally computers will allocate all the necessary resources for that socket when they receive the SYN packet.
SYN floods are less useful to the attacker when the recipient does not have any TCP ports open.
SYN floods are more lethal on a wireless LAN due to the amount of packets generated, but then so is any other flood due to the low maximum of packets per second the 802.11 protocol will permit.
This is the most common attack as there is really no way to differentiate between a good or a bad SYN packet, so you kind of have to keep an eye out.

There are no ways to stop spoofed addresses unless everyone performs ingress filtering (not allowing invalid addresses to be forwarded/leave their network). If I was the proud owner of say 123.0.0.0/8 I would make sure that no packet could leave my network unless it had a valid 123.0.0.0/8 address. This should be enforced as early as possible in a network so that spoofing cannot occur internally in a network.

Google about the different floods, you will find it interesting, and DoS does occur often, not because they know who you are or what services you have, but most often customers mess with the wrong types of people in chat rooms.
Don't let your network be a haven for DDoS zombies, don't let spoofed packets run on your network.
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Fri Apr 01, 2005 11:30 pm

what he said ^^

http://cio.cisco.com/warp/public/707/4.html

I chose 100 because the filter is applied to residential users who are not allowed to run servers on my network, therefore should not need an excessive amount of inbound syn requests.
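
One way to check a candidate limit before deploying it, as an added example that is not part of any post: replay SYN arrival times through a token bucket and count what the return/drop pair would do. The bucket semantics are an assumption modelled on the netfilter-style limit match (up to `burst` tokens, refilled at `count` per `time_ms`); the arrival times are constructed, and `replay` and `smallest_safe_count` are hypothetical names.

```python
def replay(timestamps_ms, count=100, time_ms=1000, burst=10):
    """Replay sorted SYN arrival times (ms) through a token bucket.

    Assumed semantics: a SYN that finds a token matches the first rule and is
    returned to the calling chain; a SYN that finds none falls through to the
    drop rule. Integer credit units avoid floating-point drift.
    Returns (returned, dropped).
    """
    cost = time_ms          # credit consumed by one SYN
    cap = burst * cost      # full bucket
    credit, last = cap, None
    returned = dropped = 0
    for t in timestamps_ms:
        if last is not None:
            credit = min(cap, credit + (t - last) * count)
        last = t
        if credit >= cost:
            credit -= cost
            returned += 1
        else:
            dropped += 1
    return returned, dropped


def smallest_safe_count(baseline_ms, candidates, **kw):
    """Lowest candidate limit-count that drops nothing from a legitimate baseline."""
    for c in sorted(candidates):
        if replay(baseline_ms, count=c, **kw)[1] == 0:
            return c
    return None


# Constructed arrival times, not captures from the thread.
STEADY = list(range(0, 5000, 50))   # 20 SYN/s for 5 s
FLOOD = list(range(0, 2000))        # 1000 SYN/s for 2 s
# 25 SYNs within 50 ms, once a second for 3 s (several page loads at once).
BURSTY = [s * 1000 + 2 * i for s in range(3) for i in range(25)]

if __name__ == "__main__":
    print("steady:", replay(STEADY))
    print("flood: ", replay(FLOOD))
    print("bursty:", replay(BURSTY))
    print("safe count, burst=10:", smallest_safe_count(BURSTY, [50, 100, 200, 400]))
    print("safe count, burst=25:", smallest_safe_count(BURSTY, [50, 100, 200, 400], burst=25))
```

On the constructed bursty baseline, the default bucket drops legitimate SYNs even though the average rate is only 25 per second. Raising the burst allowance to cover the largest legitimate burst removes the drops without raising the sustained rate a flood is allowed.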
 
waylockwisp
just joined
Posts: 15
Joined: Tue Nov 09, 2004 3:00 am
Location: Midwest USA

Thank you!

Fri Apr 01, 2005 11:49 pm

I must say, that is probably the best response I've had thus far in this forum. Thank you very much. I appreciate the responses.

-CW :D
 
Art
Member Candidate
Posts: 123
Joined: Thu Jan 27, 2005 10:14 pm

Wed Apr 06, 2005 6:59 pm

I have a problem with p2p connection limit:

rules
/ ip firewall rule forward
add src-address=192.168.1.0/24 flow=p2p-src-local p2p=all-p2p limit-count=100 limit-time=1s action=drop comment="" \
    disabled=no
add dst-address=192.168.1.0/24 flow=p2p-dst-local p2p=all-p2p limit-count=100 limit-time=1s action=drop comment="" \
    disabled=no

[...]

/ ip firewall mangle
add src-address=192.168.1.0/24 p2p=all-p2p action=passthrough mark-flow=p2p-src-local comment="" disabled=no
add dst-address=192.168.1.0/24 p2p=all-p2p action=passthrough mark-flow=p2p-dst-local comment="" disabled=no
P2P does not work, cannot connect to the server and download anything.
I just want to limit connections to 100 per 1 s for p2p.

Is something wrong with the rules above?

thx for answer.
