connlimit - UDP protocol

LINUX - IPTABLES:

"Conntrack: the netfilter component that provides connection tracking and stateful classification of packets by the connection they belong to, which allows netfilter to perform full stateful filtering of traffic … The notion of connection state is artificially introduced for protocols in which it was originally absent (UDP, ICMP)."

How in MikroTik - limit the number of “conventional” UDP connections from one IP address?

Connection-limit will help you solve this.
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

connlimit? This is only for TCP.
How about UDP?

So?

The Manual does not say it will not work with UDP and I can see UDP ‘connections’ in firewall connection tracker, which suggests that MT could track UDP connections, however I agree that by definition, UDP is connection-less, so I can understand why it may not work. I also see that if you try to create a firewall rule with a match for udp protocol, connection-limit is then in turn, greyed out. Therefore unless MT finds a way to match such traffic patterns, it is currently not an available option.

My apologies if I misled you.

In this way, I cannot limit the number of UDP "flows" from one IP address with MikroTik (for active BitTorrent p2p clients).

Why do you need this? What difference does it make if there are 100 UDP packets to 100 different destinations or 100 UDP packets to just 1 destination?
UDP is stateless, so the only difference is the number of conntrack entries. But the problem is that conntrack comes well before your firewall filters in the packet flow diagram, so whether you drop it or not, all UDP "connections" will be in conntrack anyway.

In short, from a RouterOS performance point of view this feature is useless.

There are lots of legitimate UDP connections out there; what if they fall outside your given number of connections?

I suggest going for queues: if UDP is such a problem, mark all of it and put a nice SFQ queue on it.

Ok, thank you very much.

There is a difference. 100 UDP packets to just 1 destination may be Skype, VoIP, or others.
100 UDP packets to 100 different destinations with connbytes > 5MB means p2p (e.g. new uTorrent). I'm looking for a UDP connlimit solution for recognizing p2p traffic.

If my eyes don't lie to me, it looks like connection-limit starting from v5.7 is protocol independent. So you can start your UDP limitation.

Sounds like that, but you cannot edit this with WinBox; it's grayed out for everything except tcp %)

After a bit of testing, it looks like you can apply connection-limit to UDP streams in 5.7, you just need to do it by the terminal window. Hopefully they will fix this in winbox soon.

Hello,

How interesting, I'd like to know more.

How is it used? Like conn-limit with tcp? Is there anything to find in the wiki? Is a flag needed?

Regards

Uli

Yes, it's like with 'protocol=tcp', but without it =)
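As an added example (not from the thread or from MikroTik's documentation), the terminal form of such a rule: a per-source cap on concurrent UDP flows, first in a measure-only variant and then as a drop. Assumed: LAN clients arrive on ether2 and 200 flows per /32 is a constructed threshold.

```routeros
# Added example, not from the original thread. RouterOS 5.7 terminal syntax,
# since WinBox greys out connection-limit when protocol=udp is selected.
# Assumptions: clients sit behind ether2; 200 concurrent UDP flows per source
# address is a constructed threshold, measure your own traffic before choosing.
/ip firewall filter
# 1. Measure first: record hosts that exceed the limit instead of dropping them,
#    so legitimate UDP-heavy hosts (VoIP, DNS resolvers) can be spotted.
add chain=forward in-interface=ether2 protocol=udp connection-state=new \
    connection-limit=200,32 action=add-src-to-address-list \
    address-list=udp-heavy address-list-timeout=1h \
    comment="record sources with more than 200 concurrent UDP flows"
# 2. Once the threshold is confirmed, drop only NEW flows above it; entries
#    already in conntrack are unaffected, as noted earlier in the thread.
add chain=forward in-interface=ether2 protocol=udp connection-state=new \
    connection-limit=200,32 action=drop \
    comment="cap concurrent UDP flows per source /32"
```

Check the result with `/ip firewall connection print where protocol=udp` and `/ip firewall address-list print where list=udp-heavy` before enabling the drop rule.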

By the way, what does it count now? Earlier, when you used 'connection-limit', it counted ALL TCP connections, even if you set some restrictions like 'dst-port=25'. So, if you now set 'protocol=tcp connection-limit=…', what will it count: only TCP connections, or all connections from that IP?

I'm personally interested in limiting SMTP connections. Is it (or will it be) possible to do that?

It looks like they fixed this in 5.8. WinBox lets you select connection-limit with UDP now.

MT Staff?..

BSD Staff :slight_smile:

${ipfw} add allow tcp from "table(1)" to any setup limit src-addr 200
${ipfw} add allow udp from "table(1)" to any limit src-addr 200

####################---------Table 1 limited networks #200 tcp / 200 udp
${ipfw} table 1 add ...0/22
${ipfw} table 1 add ...128/25
####################-------------------------------------------

supout.rif → support@mikrotik.com

We have not noticed such behaviour.

After a bit of testing I see that at least version 5.8 is working well with that; false alarm :slight_smile: