I have src-nat from local to the internet. I want to limit it so that every client behind the src-nat can only open 2 connections. How do I set that up?
Thanks in advance.
2 connections is too few; they won't have any connectivity at all. Example of how to limit to 5:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop
(the 6th connection per /32 subnet, i.e. per IP, will be dropped)
Figure 15-20 for a residential customer and 50-80 for a business, depending on the number of computers etc.
Firefox and IE will create between 8 and 15 connections by default for every page.
I see.
So I could add src-address-list to that rule, as the src-address-list holds my client IPs?
Also, if I may ask, what does tcp-flags=syn do? I'm sorry if I ask such noobie questions; I'm trying to figure out everything I will do.
Thanks in advance.
Yes you can add src-address-list to the rule – it just adds another “and if” to the logic.
My 2-cents on the idea of limiting connections is that you’ll just drive up support costs as you break various applications and have to take a support call on it. I rather like the method of bandwidth-jail whereby if a customer uses more than X bytes per 24 hour period, the router automatically adds a queue putting them in bandwidth jail for the next 24 hour period, severely limiting their speeds during the jail period. This seems to quickly teach the users to be more “fair” in their use of the connection and doesn’t break applications.
Hi;
You do not have to limit the connections, because if you do this they will not work fine.
Opening Yahoo Messenger will open a connection to port 443, then to port 443 again, then open the telnet port and also open port 80.
So if he opens a web page and Yahoo Messenger he will go crazy with the internet.
You could limit the upload, and this will kill the internet: he will not be able to request too much, as the upload for him has been totally swallowed by previous connections.
I have 2 Mbit, and when the upload is slow the internet is like dial-up speed.
Also, could you explain how to implement the jail policy? I have many hungry users and I am using a queue tree now.
With best regards.
My internet isn't so nice when there are so many connections being opened. There is a kind of maximum for connections allowed to be opened, so if it reaches the maximum, some already opened ones will be closed. That's why I need this script: one of my clients, whenever he connects, his computer opens about 50 connections at a time. Those connections are small (about 20 kbps each). And yes, I have queued him already.
I disagree with the “jail policy” and the connection limiting. All you need is good QoS, and maybe move this-and-that around the QoS queue tree to lower priority of hog users.
I wish I knew what you're saying.
I have a 200-connection limit for my clients.
QoS will not help if clients have viruses or something...
Recently I saw that viruses got nastier. They disabled some antivirus software and evaded some admin tools, etc. This is very, very bad. I was thinking that we must develop a way to detect virus activity at the routers. We now have L7 on our side, as well as scripting, e-mail notification, etc. Let's start a discussion topic...
Please, Normis, I do not get this very clearly.
Assuming my clients are in the DHCP network range 192.168.0.10-254, how do I write this script using WinBox?
Thanks
Add a firewall filter rule:
/ip firewall filter add chain=forward src-address=192.168.0.10-192.168.0.254 protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop
Thanks Chupaka, I will try it when I get home, but what is the meaning of the 32? I thought it is the subnet of the network in question.
32 is the subnet mask within which connections are counted: /32 is per user, /24 is per your whole network.
I am getting more confused. Do you advise I use /32 instead of /24, which is my network subnet? Moreover, I want to apply the limit per user within the /24 subnet.
These are my LAN IP settings: 192.168.0.10 - 254
subnet: 255.255.255.0
gateway: 192.168.0.1
Thanks
“src-address=192.168.0.10-192.168.0.254” - these users are affected
“connection-limit=6,32” - each of these users is limited to 6 connections
“connection-limit=6,24” - all of these users together are limited to 6 connections (if the first user uses 4 connections and the second user 2 connections, then a third user cannot establish a connection)
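To make the /32 versus /24 distinction above concrete, here is an added example configuration (not posted by anyone in this thread). It assumes the LAN range used in the thread, 192.168.0.10-192.168.0.254, and that clients reach the internet through chain=forward with src-nat. Because the rules match tcp-flags=syn, they only act on the packet that opens a new TCP connection, so connections that are already established are never cut; as written they also only count TCP, not UDP. The sample client address 192.168.0.25 in the last command is a placeholder.

```routeros
# Added example, not from the thread: per-user vs per-network connection limits.
# Assumed LAN range: 192.168.0.10-192.168.0.254 (from the thread).

# Per user: each /32 source may hold 5 TCP connections; its 6th SYN is dropped.
/ip firewall filter add chain=forward src-address=192.168.0.10-192.168.0.254 \
    protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop \
    comment="per-user limit: drop 6th TCP connection per IP"

# Per network: the whole /24 shares 5 TCP connections; the first user who takes
# them all starves everyone else. Added disabled so it does not run alongside
# the per-user rule above; it is here only to show the difference.
/ip firewall filter add chain=forward src-address=192.168.0.10-192.168.0.254 \
    protocol=tcp tcp-flags=syn connection-limit=6,24 action=drop disabled=yes \
    comment="per-network limit: all clients share 5 TCP connections"

# While tuning the number, log the SYNs that exceed the limit before they are
# dropped. place-before=0 puts this rule at the top of the chain so it sees
# the packet before the drop rule does.
/ip firewall filter add chain=forward src-address=192.168.0.10-192.168.0.254 \
    protocol=tcp tcp-flags=syn connection-limit=6,32 action=log \
    log-prefix="connlimit " place-before=0

# Check what one client (placeholder address 192.168.0.25) currently has open in
# connection tracking; src-address is shown as address:port, hence the ":".
/ip firewall connection print where src-address~"^192.168.0.25:"
```

Watch /log for the "connlimit" prefix for a day before lowering the number further; if legitimate browsers (8-15 connections per page, as Normis notes above) keep tripping it, the limit is too low for that customer, and the logging rule should be removed once the value is settled.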
Thanks,
Will try it before the end of today.
What if I have some people who are using it for a cyber cafe? How do I split them and make some get a maximum of, say, 60 connections while personal users make use of 6? This is because some people on the hotspot are using it for a cyber cafe.
Again, will setting up a web proxy cache affect my hotspot? Can both work together? If yes, how do I go about the configuration and the firewall?
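One way to give the cyber-cafe machines a higher limit than everyone else is to keep them in an address list and match on it, as the earlier replies suggest. The following is an added example, not configuration posted in this thread; the list name `cafe` and the two cafe addresses 192.168.0.100 and 192.168.0.101 are placeholders. Remember that connection-limit drops the Nth connection, so 60 allowed connections means connection-limit=61,32 and 6 allowed means 7,32.

```routeros
# Added example, not from the thread: two tiers of per-IP TCP connection limits.
# Assumed: cafe machines are 192.168.0.100 and 192.168.0.101 (placeholders);
# everyone else in 192.168.0.10-192.168.0.254 is a personal user.

/ip firewall address-list
add list=cafe address=192.168.0.100 comment="cyber cafe PC 1"
add list=cafe address=192.168.0.101 comment="cyber cafe PC 2"

/ip firewall filter
# Cafe machines: 60 TCP connections each; the 61st SYN from one of them is dropped.
add chain=forward src-address-list=cafe protocol=tcp tcp-flags=syn \
    connection-limit=61,32 action=drop comment="cafe: 60 TCP connections per IP"
# Everyone else in the LAN range: 6 TCP connections each; the 7th SYN is dropped.
# "!cafe" negates the list match so cafe machines are not also caught here.
add chain=forward src-address=192.168.0.10-192.168.0.254 src-address-list=!cafe \
    protocol=tcp tcp-flags=syn connection-limit=7,32 action=drop \
    comment="personal: 6 TCP connections per IP"
```

Since the two rules match disjoint sets of sources, their relative order does not matter. The approach only works if the cafe machines always get the same addresses, so on a hotspot give them static DHCP leases or hotspot IP bindings rather than relying on whatever the pool hands out that day.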