How to limit number of concurrent connections in Mikrotik

maximo401 · August 8, 2012, 11:42am

Good day to all!

We would like to provide free 1 hr Internet access to customers but we would like to limit concurrent connections on Mikrotik to say 100 (active connections) only. Then after 1 hour use, if active connections is less than 100, he should be able to use the Internet again say after 5 minutes. Is there a way to control or do this in Mikrotik? I am thinking of using the Free Trial feature but how can we control concurrent connections?

Please help. Thanks

Ivoshiee · August 8, 2012, 12:06pm

I haven’t seen that kind of functionality within ROS. It should be there, but I am afraid it is not.
Maybe it will get implemented under connection tracking?
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Connection_tracking

maximo401 · August 8, 2012, 12:34pm

Hi Ivoshiee, thank you for your prompt input.

I tried to look at the Connection Tracking feature but couldn’t see a possible way to count and control concurrent connections. A single user can have multiple connections depends on his activity.

Looking around, it came to my mind of using the DHCP scope. Say limit the IP available to 100 and expiration is 1 hour only. But the concern that I am thinking that would come up is that, since it will be a /25, there will be some spare IP from the scope (since we only need 100) that users may guess and set statically? How should or how can we address it?

Ivoshiee · August 8, 2012, 1:02pm

I am afraid the DHCP is not the right place to make it. Hopefully some ROS guru will step in and enlighten us hot to properly implement that.

maximo401 · August 8, 2012, 1:21pm

Thank you again, Ivoshiee

Let us see what the Forum Gurus would recommend.

greencomputing · August 8, 2012, 2:09pm

Hi sir
To limit the number of concurrent sessions, you can do it using the property connection-limit under /ip firewall filter. Using an example found on this forum (and on the wiki) :

max 100 connection for every host ip (32 bit of netmask) :

/ip firewall 
add chain=forward protocol=tcp tcp-flags=syn connection-limit=100,32 action=drop comment="connection limit" disabled=no

in this case , max 100 connection for every host ip (32 bit of netmask).

Historically , for UDP case, it was a suffering pain but after RoS 5.7-5.8 you can finally use this useful property connection-limit to limit both udp and tcp case.

Hoping this will drive you in the right direction to implement your control.
have a nice day

maximo401 · August 8, 2012, 4:38pm

Dear Mr. greencomputing,

Thank you very much for your input. I will test this on a workbench starting with a 2 users maximum and will an update here. Thanks again.