limit connection per IP

conchalnet · November 14, 2005, 9:34am

Hi all,

I’m trying to limmit the max connections py host on my network but I don’t know if I’m doing right.

I got the rule below on the forum (http://forum.mikrotik.com/t/limit-connection-count-on-a-per-ip-basis/3607/1 ):

/ip firewall filter add action=drop connection-limit=5,32 protocol=tcp tcp-flags=syn, chain=forward

This rule has some packets and bytes on the statistcs but if I go to the connections tab on the winbox (IP-FIREWALL-CONNECTIONS TAB) I can count more than 5 TCP connections by host .

How can I limit the connections on my network??? I want that each client connected on my mikrotik AP can open 10 connection simultaneos.

Thanks in advance.

Fabrício Fadel Kammer

sergejs · November 14, 2005, 10:31am

Than you have change 5 to 11 for 10 connections (11,32).
Clear information in connection table.

Do not forget, given rule limits new TCP connections.

conchalnet · November 14, 2005, 2:55pm

I think that isn’t work, because I can see an IP with about 100 connections open on the connection table.

How can I prevent this??? I want tha a same IP has a maximum of 10 connection opened at same time.

Thanks

maxfava · January 16, 2006, 5:34pm

Regarding the maximum number opened by a Client, that can be called syn attack, I’m asking but our Internet service provider how manage this issue or state?

Because I monitoring the number of connection on my ADSL line and it support until 1700 connection /sec.
But on my internal net I must reduce it to 70-80 to have not syn attack detection.

Is there someone that know?

Ciao

Hugh_Hartman · January 16, 2006, 6:27pm

conchalnet
Are all the connections TCP or is there some UDP mixed in?

sroa · January 27, 2006, 5:53pm

Hello, I was having the same problem, but If you check the user´s manual, when you see CONNECTIONS in firewall it reports connections from hours ago (or days) and specially the TCP connections are kept for days even if the client has been disconnected. Why dont you try to monitor one client ip with torch in the winbox, you will see that connlimit is working.

djape · January 27, 2006, 6:00pm

Just go to connection tracking and reduce Established TCP connections from 5 days to 1 hour. It works great for me…

ns-c0de · May 8, 2006, 8:15pm

But doesn’t that just reduce the time Tik tracks the connection? What happends to connections that ARE still established, but are not currently active (for example somebody on p2p queue)?

hendra · January 30, 2021, 11:08pm

can some one answer this question, i have same problem