connection-limit question

Hi,
I have searched the forum and docs but have been unable to answer this:

The connection-limit function limits each local IP to the specified TCP connection limit, I do know. But is it possible to do it so the connections are limited to an amount of connections per server on the internet and an overall limit per local IP also?

Also, can anybody from MikroTik say if the UDP connlimit that is available as a patch for netfilter/iptables will be added to MikroTik?

I’m using 2.8 right now.

You can specify a rule to match any criteria given in the available fields.

Just specify the network that you want to limit the connections on, or the host, and set the connection-limit and choose an action (drop/accept/…).

Just define the rule to match the traffic you want to limit…

Would it work if I specified:

0.0.0.0/32 as the src address and limit to 2 connections

would that limit each client to 2 connections per server on the internet

and if I added another rule:

0.0.0.0/24 as the dst address limit to say 10

would that give each client 2 connections per webserver and a max total of 10 all together with the subnet addressing a single machine and the next rule addressing the whole subnet?

Thanks for any replies, and also for the previous reply.

/32 is going to mean a full 32-bit IP address (10.200.4.14/32)

so like…

/ip firewall rule forward add src-address=10.10.10.5/32 limit-count=2

that would limit all packets from 10.10.10.5 to 2 connections.

to do a full /24 network it would look something like this…

/ip firewall rule forward add src-address=10.10.10.0/24 limit-count=10

That would limit the whole network 10.10.10.0/24 to 10 connections…

Now if you flipped the script and specified the dst-address, that would only allow “x” amount of connections to that specific host/network.

So could the syntax:

0.0.0.0/32 apply a connection limit to any individual dst address on the internet?

thanks.

0.0.0.0/0 is used for default routes and as a wildcard (to mean all traffic). If you specified a /32 it would only match packets with the src/dst of 0.0.0.0. Since that’s not a valid IP address I don't think it's going to match any traffic at all?

I have successfully used the syntax:

0.0.0.0/24 dst address to limit connections to ALL hosts by x per local IP.

So it kinda makes sense that:

0.0.0.0/32 dst address would limit connections to EACH host by x per local IP

I will have to try it and let you know?

Also, does anybody know whether the UDP connlimit patch for Netfilter will make its way to MT?

I do not follow, what makes you think so? The 0.0.0.0/32 source address is for connections that the router makes itself, and for which no source address has been determined yet. I have no idea how the destination of 0.0.0.0/32 would be useful. Please enlighten us…

Well I don’t know for sure if it will work but it does make sense to me anyway!

It would theoretically apply to all individual connections but set a limit per each server IP rather than per all server IPs.

As above you will see the 0.0.0.0/24 applies the rule as a connection limit per LAN IP of x connections total max connections to the internet. I know that works OK.

But this has a problem with IE: some web pages with lots of adverts make many connections, so limiting below say 50 causes browsing problems.

To address this issue I looked into limiting connections per server IP rather than an overall connlimit, and nobody could really help, so that was my best theory: I figured that the 0.0.0.0 would apply to all connections and the /32 subnet would indicate each remote IP rather than all!

The general idea was to get some feedback and maybe the correct syntax to do what I want to do? Maybe nobody does this kind of stuff. I only have to do it to get a satellite connection to be reliable, and not many people use satellite broadband with its limitations.

add proto=tcp tcp-options=syn connection-limit=5 action=drop

Every computer can make no more than 4 TCP connections through the router.

I know that,
but I need to limit connections per internet IP address rather than a limit overall for all, because that way will cause browsing problems and you would need to allow like 70 connections, which would defeat the whole object of the task in the first place.

wildbill showed how to limit connections from a single client

/ip firewall rule forward add src-address=10.10.10.5/32 limit-count=2

you could use this next snippet for a specific server outside your network which you know the IP of:

/ip firewall rule forward add dst-address=165.165.165.165/32 limit-count=20

so all of your clients would be limited to 20 connections to that server

This I believe you know and is not the question. Are you trying to limit each client to a specific amount of outgoing connections? Or limit your entire network to a set amount of connections to every possible IP in the world?

Connection-limit in v2.9 limits connections per address block.
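To make the “per address block” idea concrete, here is a small Python model of the two counting policies the thread is weighing (an overall limit per local IP versus a limit per local IP per remote server), plus the plain prefix matcher behind src-address/dst-address. This is an added illustration, not RouterOS code and not from any poster; it models connlimit-style counting in the abstract rather than the router's real implementation, and the addresses are constructed.

```python
import ipaddress
from collections import defaultdict


def matches(addr, prefix):
    """The src-/dst-address matcher: is addr inside the CIDR prefix?"""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def block(addr, mask_bits):
    """Collapse an address to its /mask_bits block (the 'address block' a count is kept for)."""
    return str(ipaddress.ip_network(f"{addr}/{mask_bits}", strict=False))


def apply_limit(syns, limit, src_mask=32, per_server=False):
    """Walk new connections in arrival order and return one accept/drop decision each.

    Counts are kept per source block of src_mask bits; with per_server=True the
    count is kept per (source block, destination host) instead, which is the
    'x connections per web server' policy the thread is asking about."""
    counts = defaultdict(int)
    decisions = []
    for src, dst in syns:
        key = (block(src, src_mask), dst if per_server else None)
        if counts[key] >= limit:
            decisions.append("drop")
        else:
            counts[key] += 1
            decisions.append("accept")
    return decisions


# Constructed sample (not captured traffic): two LAN hosts, two web servers.
SYNS = [
    ("192.168.1.10", "203.0.113.5"),
    ("192.168.1.10", "203.0.113.5"),
    ("192.168.1.10", "198.51.100.7"),
    ("192.168.1.10", "203.0.113.5"),
    ("192.168.1.10", "198.51.100.7"),
    ("192.168.1.20", "203.0.113.5"),
]

if __name__ == "__main__":
    print("per local IP, limit 2:      ", apply_limit(SYNS, 2))
    print("per local IP per server, 2: ", apply_limit(SYNS, 2, per_server=True))
    print("per /24 of local IPs, 3:    ", apply_limit(SYNS, 3, src_mask=24))
    for p in ("0.0.0.0/0", "0.0.0.0/24", "0.0.0.0/32"):
        print(f"dst 203.0.113.5 matches {p}: {matches('203.0.113.5', p)}")
```

The third SYN shows the difference: an overall per-host limit of 2 drops it even though it goes to a different server, while the per-server policy accepts it and only drops the third connection to the same server.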

I know how to limit max connections outgoing and that works fine.

What I want to do is limit the number of connections per any server on the internet but not limit on total connections. I know that if I knew the IP of a server I can do that but I want to put a rule that will apply to any webserver address so a user can only open say one connection per web server but still be able to connect to multiple servers at the same time.

You will see an explanation of why this is necessary above.

why not do aggressive firewalling and bandwidth shaping if your backhaul is getting maxed out?

I do that also. You will only realise if I tell you we have to use a satellite link of 2 Mbps down and 512 kbps up. The satellite link is very good bandwidth wise and we pretty much get 2 Mbps all the time, but the sat link is limited to 100 TCP connections. I have PCQ on the overall link to 2 Mbps/512 kbps and each user is limited to 1 Mbps/256 kbps. The problem is the connection limit on the link. I have about 100 computers on this network and when a user gets on p2p the connection limit is always reached. I have limited the connections on ports below 80 to 10, port 80 to 60 and above port 80 to 5 connections to stop this sat link clogging up. This works pretty well, but really I would like to do fewer connections on port 80 too, but this will cause browsing problems on heavily adverted sites because each web server can open several connections and before you know it you're getting timeouts. There needs to be a way to limit also the max connections to each and every web server without entering all the IPs.

The trade-off is keeping the customers happy. You see, if my firewalling is too aggressive I will have complaints to deal with, but if I do it this way they do not realise; it just stops their applications getting out of control and maybe they suffer some performance, but who cares for p2p and aggressive stuff. It's just unfortunately the big selling point for a broadband connection, so to block it is bad.

There needs to be a way to limit also the max connections to each and every web server without entering all the IPs.

There is: just make a rule with the dst and src 0.0.0.0/0 and set your connection limit to <100. That will limit all connections to sub-100 connections, or whatever value you specify.

I use a rule similar to this to block SYN flood attacks on my network.

This will limit all connections, ingoing/outgoing and for any protocol.

::EDIT::

You could even get more specific and create rules for ingress and egress traffic: limit the incoming connections to something real low and allow more outgoing connections. Just specify your entire network in either the src/dst field.

You might also want to create a conn-limit for peer2peer applications specifically, and limit that to like 5-10, because those applications are going to make a lot of connections.

I know what you’re saying, but if it’s affecting your overall network performance and other users, I’d just as soon block it until you can get a decent backhaul.

Thanks. It’s not long until new types of connections are available in our area.

Hmm, what rule action must I set to limit connections?
accept, drop?

src-address=192.168.1.0/24 flow=p2p-src-local limit-count=500
action=accept??