We have LAN2 on our MT set up for guest access. We want to limit the total number of connections for all the clients on LAN2. It’s not clear to me whether this rule limits “per client” or globally on the LAN2 interface:
/ip firewall filter
add chain=forward in-interface=LAN2 connection-state=invalid action=drop comment="Drop invalid connections"
add chain=forward in-interface=LAN2 connection-state=established action=accept comment="Allow established connections"
add chain=forward in-interface=LAN2 protocol=tcp connection-state=new connection-limit=40,24 action=reject comment="Allow only 40 connections"
Can someone let me know if this will do what we want; specifically to limit total connections on LAN2 to 40?
/ip firewall filter
add chain=forward in-interface=LAN2 connection-state=invalid action=drop comment="Drop invalid connections"
add chain=forward in-interface=LAN2 protocol=tcp tcp-flags=syn connection-limit=40,24 action=reject reject-with=tcp-reset comment="Allow only 40 connections"
add chain=forward in-interface=LAN2 connection-state=established action=accept comment="Allow established connections"
Why put the reject before allowing established connections? Would it not work essentially the same way if it came after that rule? Or did I misunderstand what you were saying?
If you put the "Allow established connections" rule first, all the packets or connections that match it (good connections) will exit the filter section and will not continue to the next rule, which limits to 40.
You could try changing to 3 or 4 connections instead of 40 and then watch the counters in Winbox to see whether it limits to the number of connections you want.
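The per-client-or-global question in the original post turns on what the second field of connection-limit=count,netmask does: RouterOS groups the source addresses of tracked connections by that netmask and compares the group's connection count against count, so 40,24 counts every host in the same /24 together, while 40,32 counts each source host on its own. The Python below is an added emulation written for this thread, not RouterOS code and not posted by anyone in the discussion; it builds a constructed connection table for a few LAN2 clients and shows which new connections the rule would match under each netmask. It assumes, as the Linux connlimit match does, that the new connection itself is included in the count, so a group already holding count connections matches on the next one.

```python
import ipaddress
from collections import Counter

# Constructed sample of tracked connections as the connection tracker might hold
# them for guest clients behind LAN2: (source IP, destination) pairs.
SAMPLE_CONNECTIONS = (
    [("192.168.2.10", "203.0.113.5:443")] * 30   # one busy client
    + [("192.168.2.11", "203.0.113.5:443")] * 15  # a second client, same /24
    + [("192.168.3.20", "198.51.100.9:80")] * 5   # a client in a different /24
)


def group_key(src_ip, netmask):
    """Network a source address is counted under for connection-limit=count,netmask.
    /32 keys count per host; /24 keys count the whole /24 together."""
    return ipaddress.ip_network(f"{src_ip}/{netmask}", strict=False)


def connections_per_group(connections, netmask):
    """Count tracked connections per source group for the given netmask."""
    counts = Counter()
    for src, _dst in connections:
        counts[group_key(src, netmask)] += 1
    return counts


def group_count(connections, src_ip, netmask):
    """Existing tracked connections in the group that src_ip would fall into."""
    return connections_per_group(connections, netmask)[group_key(src_ip, netmask)]


def connection_limit_matches(connections, src_ip, count, netmask):
    """Emulate connection-limit=count,netmask for a new connection from src_ip.
    Assumption (labelled, not from the thread): the new connection is included
    in the total, so the rule matches once existing connections reach count."""
    return group_count(connections, src_ip, netmask) + 1 > count


def apply_rule(connections, src_ip, count, netmask):
    """Outcome of the reject rule from the thread for a new TCP SYN from src_ip."""
    return "reject" if connection_limit_matches(connections, src_ip, count, netmask) else "continue"


if __name__ == "__main__":
    # A host that has no connections yet, but sits in the busy /24.
    for netmask in (24, 32):
        print(f"connection-limit=40,{netmask} for new SYN from 192.168.2.12:",
              apply_rule(SAMPLE_CONNECTIONS, "192.168.2.12", 40, netmask),
              f"(group already holds {group_count(SAMPLE_CONNECTIONS, '192.168.2.12', netmask)})")
```

With the /24 netmask the idle host 192.168.2.12 is rejected because its subnet already holds 45 connections; with /32 it is allowed because its own count is 0. For a guest LAN that is a single /24, 40,24 therefore behaves as a LAN-wide cap, and 40,32 is what a per-client cap looks like.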