Hi guys,
We originally started out with a different platform other than Mikrotik in the early days. This platform was unable to firewall the amount of open connections per ip. This caused us great problems in the early days with p2p file sharing when one customer would take over an entire AP.
So we had to introduce to the netowork a Netequalizer unit to control the connection per customer.
Now that we have moved over to Mikrotik some time ago and are about to out grow the Netequalizer licence, I was thinking of bypassing the Netequalizer all together and just create connection limiting rules on all the PPPoE concentrators on our network.
Before I do this though I need to know if the connection limiting firewall built into the Mikrotik Os is as effective as the Netequalizer for connection limiting?
It is as effective as you make it. To build exactly what you want could take you a little bit. I am sure with netequalizer there is a nice point and click GUI for your QoS options. You are going to have to learn a little bit setting this up on RouterOS. What exactly are you wanting to setup besides limiting the amount of connections per user?
Thanks for the reply. I am very familar with MT as I have been using it for some years now. I have come accross a lot of tutorials online on how to implament the connection limiting script, and they all seem to be the same method.
This is all I am looking to do, is connection limiting as we shape the customers traffic on the radius server.
The short answer is, Yes, you can limit the number of connections per IP for several years already:
For example:
/ip firewall filter add chain=forward protocol=tcp connection-limit=100,32 action=dropthe above would limit one IP (indicated by the netmask 32 in the above rule) to 99 connections, the 100th connection will be dropped.
this is total. the subnet of /32 indicates “per IP”. use “/24” and it will be “per /24 network”. to not affect certain IP addresses, use more specific rules, like specify certain “src-address” and enter your LAN network.
I have implamented this tonight on one of my busiest pppoe servers. There is over 120 clients on ether 2 and 3.
Looking at the graphs for the past few months, My traffic is down 10Mb than normal. I also see some regular pppoe disconnections in the logs.
Should I be concerned?
I myself have a ping of 28ms to local servers with a download of 6Mb and upload of 1Mb. so the speeds seem to be fine for me anyway.
Ok now I am seeing problems myself. I am doing nothing at the moment, just browsing the Mikrotik Forums and the pages are just hanging and expiring. Refreshing brings it back up but then a few mins later, it just hangs again.
Disabling the rule, brings my connection back instantly.
I may have the firewall configured wrong.
3 X chain=forward action=drop protocol=tcp src-address=10.12.16.0/24
connection-limit=100,24
This is not good way, if somebody makes more connections…has p2p or many sites open about ten connections…so you open 5 pages and sixth none…
narrow that spectrum for mark: p2p-all
This is not good way, if somebody makes more connections…has p2p or many sites open about ten connections…so you open 5 pages and sixth none…
narrow that spectrum for mark: p2p-all
Agh I see now, I assumed that the fact that I wanted to filter an entire subnet that I had to use /24. I have that changed now and re-enabled, so will see how it goes for the day.
On an other ether port of the same router, I have 10.12.18.0/24. There is an ap sitting on 10.12.18.254 in bridge mode on this interface.
Unusully on this ap the clients are also assigned an address in the 10.12.18.0/24 range.
Now If I implament this filter to cover the 10.12.18.0/24 range, will the ap get throttled to 100 connections as it is on the same subnet?
I still seem to be having problems with this. Some users are reporting no connection. When I try to log into their cpe which is an airgrid in router mode I can not even get in. Torching their connection I can only see about 10 open connections just passing a couple of bps.
As soon as I disable the conn limit rule I am able to get into their airgrid and traffic rises.
torrent opens 200 connections…you just allows 100, so 100 for torrent, you open page, want to surf…no WAY BECAUSE YOU ALLOWED JUST 100 CONNECTIONS THAT ARE USED BY TORRENT…
Do you understand? this is not the way…limit p2p:
chain=forward action=drop p2p=all-p2p protocol=tcp connection-limit=10,32
Thanks Rado3105. I belive I understand you. This was the problem I had with the Netequalizer. If a customer had two pc’s in the home, one file sharing, well then the other pc would suffer.
Does your rule not contradict itself some what? You are asking it do drop all p2p, then you are limiting it to 10 connections?
The fact that you have also selected tcp, will this effect regular tcp connections, or just tcp being used by p2p?
There is something still very wrong here. I have customers, whom I have not heard of for years ringing in with issues such as having to wait 2-3 minutes for a web page to load, having to press the refresh button several times, constant disconnections, etc, etc.
As soon as I disable the firewall rules, everything is flying it again.
Here is the rules I am using. anyone see anything wrong with them?
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; connection limit
chain=forward action=drop protocol=tcp src-address=10.11.16.0/24 connection-limit=100,32
1 ;;; p2p drop
chain=forward action=drop p2p=all-p2p protocol=tcp connection-limit=10,32