Connection Limit question?

When we are setting up a connection limit and we say 10 connections are allowed for a netmask of 32, what address is that based on? Does it limit it to 10 connections for the source address, the destination address, or both addresses combined?

Thanks

32 has to set connection restriction to each router user.

I know 32 is for each user. But does it limit them to only ten from their address and 10 to their address, or does it limit them to 10 to and from their address? I was messing around with this last night and it seems that it was only limiting them to 10 connections to their address, as I watched more than 10 connections being made from the customer.

Here is my rule

chain=P2P - Trojans protocol=tcp p2p=all-p2p connection-limit=10,32 action=drop

and after 1 night of running I still have more than 10 connections from users.


I deleted p2p connections out of the connection list last night after I put the rules into place. Is there something messed up with my rule, or does it only limit it in the other direction?

Thanks

For some reason my rules don't seem to be working either way with P2P traffic. In the connections I am seeing that the MikroTik is determining that the connection is for a p2p program, but then as I watch, the number of connections that are established just keeps climbing. After implementing these two rules the connections just keep climbing.

0 chain=Connection Limit protocol=tcp tcp-flags=syn p2p=all-p2p connection-limit=5,32 action=drop

1 chain=Connection Limit protocol=tcp p2p=all-p2p connection-limit=5,32 action=drop

After I put both of the rules into place I cleared the connections for BitTorrent and then I watched as more than five connections were made from an IP and also more than 5 connections were made to an IP. Why is it not limiting the number of connections like it is supposed to?

Do I need to reboot the router before these rules will take effect and actually limit all connections? I see that one of the rules has caught some traffic, but it surely didn't stop the user from making more than 5 connections.

New Connections

Thanks


Thanks for any help you can give me with this.
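As an added diagnostic for the two posts above (not code from the thread or from RouterOS), this script parses connection-table output in the layout of `/ip firewall connection print` and tallies established connections per address block on the source side and on the destination side separately, for the netmask given in the rule, so a dump can be checked against either reading of connection-limit=<count>,<netmask>. The sample dump, the documentation-range addresses and the "flag when above the limit" threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout of `/ip firewall connection print`
# (not taken from the thread; addresses are from documentation ranges).
SAMPLE_DUMP = """\
 #    PR.. SRC-ADDRESS         DST-ADDRESS          TCP-STATE   TIMEOUT
 0 SA tcp 192.0.2.10:3207   198.51.100.5:6881    established 33m52s
 1 SA tcp 192.0.2.10:4342   198.51.100.6:7957    established 2m34s
 2 SA tcp 192.0.2.10:4381   198.51.100.7:10233   established 4m40s
 3 SA tcp 192.0.2.11:1047   198.51.100.5:6881    established 9m13s
 4 S  tcp 203.0.113.9:4107  192.0.2.10:6881      close 9s
 5 SA tcp 203.0.113.10:4159 192.0.2.10:6881      established 5h59m50s
 6 SA tcp 203.0.113.11:1797 192.0.2.10:6881      established 5h59m58s
"""

# One connection line: id, flags, protocol, src:port, dst:port, state, timeout.
LINE_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<flags>[A-Z]+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<timeout>\S+)"
)

def parse_connections(text):
    """Return one dict per connection line; the header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            conns.append(d)
    return conns

def count_by_block(conns, side, prefix_len, established_only=True):
    """Count connections per address block. side is 'src' or 'dst';
    prefix_len is the netmask part of connection-limit=<count>,<netmask>."""
    tally = Counter()
    for c in conns:
        if established_only and c["state"] != "established":
            continue
        net = ipaddress.ip_network(f"{c[side]}/{prefix_len}", strict=False)
        tally[str(net)] += 1
    return tally

def over_limit(conns, limit, prefix_len):
    """Blocks whose established count is above `limit` (assumed threshold),
    tallied on each side separately so both readings of the rule can be compared."""
    return {side: {net: n for net, n in count_by_block(conns, side, prefix_len).items() if n > limit}
            for side in ("src", "dst")}

if __name__ == "__main__":
    conns = parse_connections(SAMPLE_DUMP)
    for side, blocks in over_limit(conns, 2, 32).items():
        print(side, blocks)
```

Paste real output from the router in place of the sample, and run with the rule's own count and netmask to see which side, if either, is actually above the limit.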

I think it's because you are applying the limit to syn only. The syn is not the true connection. Syn connections are opened to request an open TCP connection, I think. Limiting syns helps in DDoS prevention because they flood syn requests to generate open connections. To limit all connections, choose the all parameter, not syn only. I think that will work. Somebody correct me if I'm wrong!! Also you can lower the TCP connection timeout. I had to do that to get an effective p2p management setup.

Just to clear things up…
What is the purpose of limiting connections?

limit sessions for each user / subnet

Regards,

Yes, I understand that, but I am interested in purpose of that.
Why would I want to limit my customer's p2p connection limit to, let's say, 10 connections? What do I gain by that?

Save bandwidth… reduce congestion… etc., etc.

Regards

I have tried both: a setting with syn only and one with all packets. The rule does seem to catch more when I have it set to all packets instead of syn only. But the limit is still not working. I do have the connection timeout set to a lower number than the default. I also have manually gone in and cleared out all the connections that were for p2p, and they just keep coming back with more than what I have the limit set to.

Anyone else have any ideas???

Thanks