These rules apply filtering according to the state of the connection. The firewall has connection tracking, so it “remembers” each connection
and you can, for example, pass all traffic related to established connections. When you put that rule at the start, the router does not have to evaluate
all your rules for each packet passing by; it can pass packets belonging to established connections (which it has already validated) more quickly.
Limiting to 100 connections in this way makes you susceptible to a DoS attack. Any SIP device on the internet will get scanned multiple times a day by various bots, which could exhaust available connections and block genuine clients.
The doubt regarding why those lines are at the beginning is over!
Regarding the connection limit: what I want is just to limit the maximum number of connections at one time (not the total) that the PBX can handle, because it depends on the ISP bandwidth, the upstream connection, because those are for packets which are coming from the public network.
So what I want is to limit the number of signaling packets (SIP) that the router forwards.
Is the code wrong for what I want to do?
ip firewall filter add chain=forward dst-address=100.64.0.2 protocol=udp dst-port=5060 action=accept connection-limit=100,32
Due to the connection-tracking required, I think connection-limit only applies to TCP traffic, not UDP.
I may be wrong on this one, but I’m fairly sure that’s what your problem is. You also want to be on the forward chain, not the input chain (your three connection-tracking rules).
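For illustration, here is an added example (not posted by anyone in this thread) of a forward-chain rule set that follows the advice above: the established/related accept goes first, and the SIP signaling to the PBX is limited by packet rate per source with dst-limit instead of connection-limit. The PBX address 100.64.0.2 is taken from the question; the rate of 20 packets per second with a burst of 40 per source is a constructed value that should be tuned to the real registration and call load.

```routeros
# Added example, not from the thread. Assumes the PBX is 100.64.0.2 (from the question).
# 1. Fast path: packets of connections already validated are accepted without
#    evaluating the rest of the chain.
/ip firewall filter add chain=forward connection-state=established,related action=accept comment="accept established/related"
# 2. Packets that do not belong to any tracked connection are dropped.
/ip firewall filter add chain=forward connection-state=invalid action=drop comment="drop invalid"
# 3. New SIP signaling (UDP/5060) to the PBX: accept while a single source stays
#    under 20 packets/s (burst 40); the per-source counter expires after 1 minute.
#    Values are constructed and must be tuned to the real PBX load.
/ip firewall filter add chain=forward connection-state=new dst-address=100.64.0.2 protocol=udp dst-port=5060 dst-limit=20,40,src-address/1m action=accept comment="SIP signaling within per-source rate"
# 4. Anything above that rate from the same source is dropped, so one scanner
#    cannot exhaust the PBX while other clients keep registering.
/ip firewall filter add chain=forward dst-address=100.64.0.2 protocol=udp dst-port=5060 action=drop comment="SIP signaling over rate"
```

Because the limit is per source address rather than a global count of 100 connections, a scanning bot only throttles itself, not the genuine clients mentioned in the earlier reply.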