limit connections per one dst-address

Is there any way to limit connections per one dst-address for each user?

Example: each user can open a maximum of 10 connections to 1.2.3.4:80

Here ya go,

/ip firewall filter
add action=drop chain=forward comment="tcp connection limit" connection-limit=100,32 disabled=no protocol=tcp


This is set to drop the 101st TCP connection per IP address.


You can modify it by specifying the destination IP and port to get really specific if you want.

Yes, but I need to limit connections to 10 per ANY dest-address

Be as specific or as not specific as you like. A 10 connection limit to any address would look like this:

/ip firewall filter
add action=drop chain=forward comment="tcp connection limit" connection-limit=10,32 disabled=no protocol=tcp

I should warn you that web browsing would be very difficult with that setting. I'd suggest a minimum of 40 connections.

If you want to limit 10 connections to any IP on the following 192.168.3.0/24 destination network:


add action=drop chain=forward comment="tcp connection limit" connection-limit=10,32 disabled=no dst-address=192.168.3.0/24 protocol=tcp

Thanks for the answer.

In general, I need to limit total connections to 100 (from 1 user) and no more than 10 per any one dest-address

/ip firewall filter
add action=drop chain=forward src-address=192.168.1.0/24 comment="no more 100" connection-limit=10,32 disabled=no protocol=tcp
add action=drop chain=forward comment="no more 10 per anyone" connection-limit=10,32 disabled=no protocol=tcp

Is that right?

Looks good to me.