checking subnet of IP

Hello! I’m curious, is it possible to check just a specified subnet instead of the whole IP address? For example, I have a few incoming connections from various IPs, let’s say
192.168.1.23
192.168.2.24
192.168.5.1
192.168.7.2

I want to count how many new connections came from the subnet 192.168 and, if it reaches the limit, then trigger some action.

Check the connection limit parameter in the firewall…
Add the addresses to a list and then with scripts you can use those address lists as you want…

So yes, it seems possible…

Yes, I tried connection limit already but I’m not sure how it works. I set the limit to 10 and the netmask to 16, as I thought it meant 10 connections per second for the x.x.0.0 subnet, but it blocks everything, whether I set the limit to 1 or even 100000.

That’s why there is a manual…
connection-limit:
Matches connections per address or address block after given value is reached. Should be used together with connection-state=new and/or with tcp-flags=syn because matcher is very resource intensive.
Source: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

I saw that piece in the manual already, and I have such a rule for ‘new’ connections and with the ‘syn’ flag already. To give a better description: I have a rule that ‘accepts’ new TCP connections on port 80, and in that rule I put the Connection Limit. So I guess it accepts a few connections and, if the limit is reached, then goes to the next rule/action, which is ‘add src to address list’. But still, even a few connections trigger adding the IP to the list, even though the limit is high.

> Matches connections per address or address block after given value is reached.

If you have an accept rule, that means it starts accepting after you reach the limit.
Before that it works like a passthrough rule.

You should reverse the condition with “!”.

I have just extended my script this morning to do something like this with subnets.

http://forum.mikrotik.com/t/feature-request-blocking-a-special-kind-of-ddos/133917/15

Earlier in the thread I explain the other bits.

Update: using limit is much easier for you as long as you use that “!”.

Thank you very much, I had been asking myself for ages why it did not work for me. I had to turn my impression 180 degrees and now it is working as I thought it would.

As you can see, Artes, I was right that it can work using the connection limit parameter and address lists…

Msatter, the manual clearly states that the rule works after the matching value is reached…!

It clearly stated the opposite to me. I must have read the manual on those two a dozen times in the last two years.

You don’t expect to have to reverse it to make it work as expected.

I guess it was designed to be used mainly with a “drop” rule: “passthrough all connections until they reach the limit, then drop”.
Opposed to logic you needed: “accept all connections until they reach the limit, then passthrough”.
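The two rule orderings discussed above, written out as an added RouterOS example (this is not configuration posted in the thread, and the chain, address-list name “http-limit” and the one-hour timeout are assumed values for illustration). The commented-out first rule is the form the original poster had; the active rule below it carries the “!” so that accept applies while the /16 block is still under the limit and only the overflow falls through to the address-list rule:

```routeros
# Added example, not from the thread. Goal from the original post: count
# TCP/80 connections per /16 source block and react once 10 are open.
/ip firewall filter

# Drop anything already caught by the limit. Placed first so listed sources
# never reach the accept rule again while the list entry is alive.
add chain=input src-address-list=http-limit action=drop \
    comment="drop sources previously listed by the /16 connection limit"

# What the original poster had: connection-limit=10,16 only starts matching
# AFTER a /16 block reaches 10 connections, so below the limit this rule is a
# passthrough and every new connection falls into the add-src rule below.
# add chain=input protocol=tcp dst-port=80 connection-state=new tcp-flags=syn \
#     connection-limit=10,16 action=accept

# Corrected form: "!" inverts the matcher, so the rule accepts new TCP/80
# connections while the source /16 has FEWER than 10 tracked connections.
add chain=input protocol=tcp dst-port=80 connection-state=new tcp-flags=syn \
    connection-limit=!10,16 action=accept \
    comment="accept TCP/80 while under 10 connections per /16"

# Anything left is a new TCP/80 connection from a /16 that already has 10 or
# more: record the offending source (assumed list name and timeout).
add chain=input protocol=tcp dst-port=80 connection-state=new tcp-flags=syn \
    action=add-src-to-address-list address-list=http-limit \
    address-list-timeout=1h \
    comment="over the /16 limit: list source for one hour"
```

Two caveats worth keeping in mind: connection-limit counts connections currently tracked by connection tracking for the address block, not new connections per second (a per-second rate is what the limit/dst-limit matchers do, which is why the “10 per second” reading in the thread did not match the observed behaviour), and because the whole /16 is counted, one noisy host can get every address in that block listed, so the timeout should be short enough that the collateral is tolerable.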

Ah, that makes sense, thanks!

thanks

Hah wow, it seems I’m not the only one who had this problem.