Firewall and limit parameter

Hi,
I’m using RouterOS 4.6 and I don’t understand the limit attribute in the filter table:

The configuration of limit has:

Rate 50/min
Burst 3

What does this mean?
I think:
The router logs at most 50 packets per minute (only packets that respond to the rule).
And what is the burst?

limit=50/min,3 means “match when on average you have seen 50 packets per minute, not counting 3 burst packets when calculating the rate”.

Sorry, but I don’t understand…

mmmm…

Can you explain with a practical example?

I have a rule that logs all incoming TCP traffic with dport 80.
At the interface I receive in total 15 packets in 25 seconds. I am under the limit, then I don’t have any entry in the log file, right?



Yes. When the rule matches, the action gets executed. In case of ‘limit’ it only matches when that traffic rate is exceeded, so when the average traffic rate is under the specified limit, the rule doesn’t match, and the action associated with the rule is not executed. If your action is to send an entry to the logs, the entry will not be sent.

OK, and the burst?
In any case, in which way is it possible to log user traffic on MikroTik?


The burst means that it will ignore x number of packets before it starts counting.

It depends on what you are trying to log for.

A rule like /ip firewall filter add chain=forward action=log will log each and every packet being forwarded through the MikroTik; this will be a TON of information, and will go by so quickly it will do you almost no good.

If however you would like to monitor how much is being downloaded on it and from what sources, netflows might be more what you are looking for, but finding a good netflows collector can be hard and very expensive. There are open source free ones out there I believe, but they do require a bit of work to set up and customize. It’s been a while since I set up a test with one, but I believe it will break down what local address went where, and how much traffic was downloaded and sent.