I’m trying to limit the number of inbound TCP connections to each of my wireless users (grouped by IP). I’ve already figured out how to use the connection-limit/drop function to limit outbound connections (works perfectly). But inbound does not work as expected. Here is a rule I have tried:
Based on my observations it looks like inbound is limited based on src-address. Meaning that each IP outside my network gets 50 connections total to my LAN side, not the other way around.
Is there a way to have the MikroTik limit inbound connections?
50,32 indeed means “50 connections per /32 network”, and of course a /32 describes a single host. Try 50,0 for inbound limiting. That means “50 connections per /0 network”, which would cover all possible IPv4 addresses under the same umbrella.
On a side note, 50 is probably too little. I don’t do anything special at home - browse, email, xbox - no servers. Some torrents. I regularly have hundreds of TCP connections. Web servers without TCP reuse and a site with lots of CSS sheets, pictures, and JavaScript resources can temporarily cause dozens of connections by themselves. If you implement a very low limit, at least read up on optimizing the connection tracking settings. By default half open connections stay around for quite a while. Someone idly port scanning your users could deny them service within seconds.
Without specifying dst-address (for inbound) and src-address (for outbound), does the router pool inbound and outbound connections when calculating the total? I’m just wondering if I have to create 2 rules per user IP (this could mean 1000+). Ideally I’d like x number for out, and y for in, without sharing.
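To make the `50,32` versus `50,0` point from the answer concrete, and the follow-up question about whether inbound and outbound counts get pooled, here is a small Python model of how the netmask half of `connection-limit` groups tracked connections. This is an added illustration, not RouterOS code and not from anyone in this thread. It assumes the matcher groups by the masked initiator (src) address, as the answer describes, and it assumes that only connections passing the rule's own `src-address`/`dst-address` matchers are counted; that second point is exactly what the follow-up asks and should be verified on the device rather than taken from this model. The addresses and connection counts are constructed sample data.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One tracked TCP connection: who opened it (src) and who received it (dst)."""
    src: str
    dst: str


def masked(addr: str, prefix_len: int) -> str:
    """Collapse addr to its /prefix_len network. /32 keeps the single host,
    /0 folds every IPv4 address into 0.0.0.0/0 (the '32' and '0' in 50,32 and 50,0)."""
    return str(ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False))


def limit_hits(conns, limit, prefix_len, src_address=None, dst_address=None):
    """Toy model of connection-limit=limit,prefix_len on a rule that also carries
    src-address / dst-address matchers. Connections are bucketed by the masked
    src address; buckets whose count has reached `limit` are returned.
    Assumption (not confirmed for RouterOS): only connections that pass the
    rule's address matchers are counted toward the bucket."""
    per_bucket = Counter(
        masked(c.src, prefix_len)
        for c in conns
        if (src_address is None or c.src == src_address)
        and (dst_address is None or c.dst == dst_address)
    )
    return {net: n for net, n in per_bucket.items() if n >= limit}


# Constructed sample connection table: LAN user 10.0.0.5 holds 30 inbound
# connections from each of three Internet hosts (90 total) and has opened
# 60 outbound connections of its own.
USER = "10.0.0.5"
INBOUND = [Conn(src=f"203.0.113.{i}", dst=USER) for i in (1, 2, 3) for _ in range(30)]
OUTBOUND = [Conn(src=USER, dst=f"198.51.100.{i}") for i in range(60)]
TABLE = INBOUND + OUTBOUND


def inbound_per_remote_host():
    """connection-limit=50,32 with dst-address=USER: each remote /32 is its own
    bucket, 30 < 50, so nothing matches although the user already holds 90 inbound
    connections. This is the behaviour the original post observed."""
    return limit_hits(TABLE, 50, 32, dst_address=USER)


def inbound_pooled():
    """connection-limit=50,0 with dst-address=USER: every remote source folds into
    0.0.0.0/0, so all 90 inbound connections share one bucket and the limit is hit."""
    return limit_hits(TABLE, 50, 0, dst_address=USER)


def outbound_per_user():
    """connection-limit=50,32 with src-address=USER counts only connections the
    user opened (60 here), so under this model the two directions are not pooled."""
    return limit_hits(TABLE, 50, 32, src_address=USER)


if __name__ == "__main__":
    print("inbound  50,32 :", inbound_per_remote_host())
    print("inbound  50,0  :", inbound_pooled())
    print("outbound 50,32 :", outbound_per_user())
```

Under this model the inbound `50,32` rule never fires for a single user who is flooded from many sources, while `50,0` combined with a per-user `dst-address` match does; and because the outbound rule matches on `src-address` and the inbound rule on `dst-address`, each direction gets its own counter, which is the "x out, y in" split the follow-up asks for, at the cost of two rules per user address.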