Firewall Drop Question

Does anyone know how to block an IP address or limit connections for a user on a hotspot before they authenticate? I’ve tried the below

Limit connections on hotspot pre-authentication:
/ip firewall filter
add action=add-src-to-address-list address-list="Black List" \
    address-list-timeout=2m chain=pre-hs-input comment=\
    "Add User To Address List Blacklist" connection-limit=51,32 protocol=tcp \
    src-address=192.168.16.0/22 tcp-flags=syn
add action=log chain=forward comment="Log Blackllist Entry!" log-prefix=\
    "Blacklist Jared Test Router" protocol=tcp src-address-list="Black List"
add action=drop chain=forward comment="Drop Blacklist Users Packets!" \
    protocol=tcp src-address-list="Black List"

Block IP Address:
/ip firewall filter add chain=output dst-address=x.x.x.x action=drop

My problem is I have guests that are coming in with different applications that are trying to update and if they haven’t authenticated but have connected to the wireless network they continually push traffic and scan all ports until they find an open port to get out on. This causes the CPU to reach its threshold and slow down the performance for everybody behind the gateway. Below is a shot from the connection list. Please keep in mind this is a fraction of the connections.

Any help would be nice. This is a nagging problem that I need a solution for ASAP.

Thanks!

Do not waste time blacklisting IPs; reject the MAC address connection directly on the wifi…

Rextended,

Yes, I’ve been banning the guests regularly.

My only problem is I administrate about 250 properties throughout the states and this is a common problem.

I’d like to find a solution so I don’t have to pull myself away every day to ban a guest due to this issue.

And I do mean every day multiple times from different locations.

This is why I need to find a way to either limit connections or start banning these IP addresses.

I can ban addresses and limit connections post authentication. My first rule works well for limiting browsers and adding them to an address list and dropping their remaining packets. My problem is these 3rd party applications are getting by these rules…

Any ideas?

Thanks!

One idea: limit each user to only 10 concurrent connections to the same destination IP.

I use this rule to discover infected PCs trying to send many mails at the same time:

/ip firewall mangle
add action=add-src-to-address-list address-list=@SMTP_troppi_src chain=prerouting_smtp comment="Controllo SMTP troppe connessioni al minuto" connection-limit=5,32 protocol=tcp src-address-list=!@SMTP_troppi_src

If the user goes over 5 connections (mail sends) at the same time for a single IP (32), his IP is put on the @SMTP_troppi_src address list, if it is not already on that list.

[The connections that are mail sends are "jumped" to that chain before this point…]

SORRY FOR MY ENGLISH…
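The following rule set is an added example and is not from any post in this thread. It combines the two approaches above, Rextended's per-source connection-limit trigger and the OP's address-list drop, but scopes them to hotspot clients that have not logged in yet, and moves the drop to the raw table so that a listed client's packets are discarded before connection tracking and the hotspot redirect rules ever see them (that is what takes the load off the CPU). Assumptions: the hotspot clients sit on 192.168.16.0/22 (the OP's subnet); the hotspot bridge interface is called bridge-hotspot (a hypothetical name); the thresholds (30 concurrent TCP connections per source, 10 minute ban) are illustrative; hotspot=!auth is the RouterOS matcher for traffic from not-yet-authenticated HotSpot clients; and the log=yes property on a rule assumes RouterOS 6 or later.

```routeros
# Added example, not from any post in this thread.
# Assumptions: hotspot clients on 192.168.16.0/22 (the OP's subnet),
# hotspot bridge named "bridge-hotspot" (hypothetical), thresholds
# (30 concurrent TCP connections, 10 minute ban) are illustrative.

# Detection runs in mangle prerouting: it sees every packet from the client
# and connection tracking is already available there, which connection-limit
# needs. hotspot=!auth restricts it to clients that have not logged in, so
# authenticated guests keep whatever limits their hotspot profile gives them.
# The rule fires once per offender: after the address is listed,
# src-address-list=!hs-preauth-abuse no longer matches, so the log line
# appears once per ban rather than once per packet.
/ip firewall mangle
add chain=prerouting in-interface=bridge-hotspot src-address=192.168.16.0/22 \
    hotspot=!auth protocol=tcp tcp-flags=syn connection-limit=30,32 \
    src-address-list=!hs-preauth-abuse \
    action=add-src-to-address-list address-list=hs-preauth-abuse \
    address-list-timeout=10m log=yes log-prefix="hs-preauth-abuse" \
    comment="Unauthenticated hotspot client holds >30 TCP connections"

# Enforcement runs in the raw table, which is evaluated before connection
# tracking, NAT and the filter chains. A listed client's scanning traffic is
# therefore discarded at the cheapest point in the pipeline instead of being
# tracked, redirected to the login page and then rejected.
/ip firewall raw
add chain=prerouting in-interface=bridge-hotspot \
    src-address-list=hs-preauth-abuse action=drop \
    comment="Drop traffic from listed unauthenticated hotspot clients"
```

To see who has been listed, use `/ip firewall address-list print where list=hs-preauth-abuse`, and `/log print where message~"hs-preauth-abuse"` shows when each ban happened. A client that is only talking to the captive portal opens a handful of connections (DNS plus the login page), so 30 concurrent connections is well above normal behaviour; a port scanner blows through it within seconds. Because the ban has a timeout, a guest whose update client misbehaves once is released automatically, which avoids the daily manual MAC bans described above while still protecting the router.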

Thanks Rex.

Looks like a good idea.

I’ll give it a try and let you know how it goes.