hello
in my network
for example a user make a big number of downloads in the same time
i want to limit his connections with the router
for example i want to limit for him 4 conections on the tcp protocol and all other connections will be dropped
so i could force him to limit his connections in the idm download program
thanks alot in advancd
Yes, it is possible,
To only allow not more than 5 simultaneous connections from each of the clients, do the following:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop
In my opinion limiting connections is not effective way to stop download managers, just regular bandwidth limit should do the job fine.
thanks sir i will try it
if that is right , it will help in my case
as i use some codes to limit the packets by its size like distinguishing between download and browsing to get the most benefit of the data rate
so all users affect each other by downloading and making a big number of connections
and the queue take some time to catch all these connections
so i want to limit the number of connections for ever user so it is distributed fairly
i will try that
why do u use net mask 32 ??
i imagine that we should use net mask 30
any other idea will help in my case ??? , i will be grateful
thanks a lot
unfortunately , this way doesnt achieve my target sir
i want when i open ip ---- firewall ---- connections not see more than 5 connections for every client and all other connection dropped by the firewall
why do u use net mask 32 ??
i imagine that we should use net mask 30
Because the network with netmask 32 has only one IP Device, while
the network with netmask 30 does have 2 of them.
So the rule would be applied to one device when you specify the netmask 32
instead of two when you specify netmask 30
thank u very much
any idea about the solution of my case??
is there any solution
i think it will be the end of my troubles in my network
please help in this subject
try
/ip firewall filter add chain=forward in-interface=LAN connection-state=new connection-limit=6,32 action=drop
in v5.7
i want when i open ip ---- firewall ---- connections not see more than 5 connections for every client and all other connection dropped by the firewall
The rule in question would not do that. It would drop only the tcp connections in syn state.
In firewall connection you would see all connections from one host (udp, established tcp, etc.)
So if you would want all tcp connections to be dropped you will need to remove for the rule
the tcp syn flag:
/ip firewall filter add chain=forward protocol=tcp connection-limit=6,32 action=drop
But I am afraid this would mess up your internet performance to the hosts.
ok thanks alot i tried this
but internet download manager is still able to do 16 download connection for one download link
and the client is still able to download from 2 or more links in the same time
i will explain my case again
1- i used the mangle to mark the packets that have a specified size and named it “downloads”
2- i made a queue that limit the download rate for downloads packets
the problem
clients are able to download from one link in the same time and this affect the others bad
another thing the queue take some time to limit the rate when there is alot of connections
what i want
for every user , the connections limit on the marked packet called “downloads” is only 5 connections so the user wont be able to download by 16 connection for one link
what i tried in this
chain= forward protocol = tcp packet mark = downloads
connections limit = 5 netmask = 32 action = drop
but unfortunatly there is no result
how could i achieve that
thaks alot in advance
I am starting to sound like an old record, because I keep recommending the following link
to every one who wants to do some QOS:
http://wiki.mikrotik.com/wiki/Connection_Rate
but I feel very comfortable with that.
Any way, I would like to see also the rule which marks the packets as “download”.
may be there are some connections which are generated by download manager, but
don’t match the rule which marks them as “download”.
ip firewall mangle
add action=mark-packet chain=postrouting comment=“” connection-bytes=
131072-4294967295 disabled=no new-packet-mark=downloads out-interface=lan
passthrough=no protocol=tcp
add action=mark-packet chain=forward comment=“” connection-bytes=
131072-4294967295 disabled=no in-interface=wan new-packet-mark=downloads
out-interface=lan passthrough=no protocol=tcp
/queue simple
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment=“”
direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=
1M/1M max-limit=2500k/2500k name=Download packet-marks=downloads parent=none
priority=8 queue=default-small/default-small total-queue=default-small
that is the code i use to manage my network and limit the download rat for all the network
but the problem is as i mentioned before
any idea about the solution?,please
guys , , , is it possible??
ip firewall mangle
add action=mark-packet chain=postrouting comment=“” connection-bytes=
131072-4294967295 disabled=no new-packet-mark=downloads out-interface=lan
passthrough=no protocol=tcp
add action=mark-packet chain=forward comment=“” connection-bytes=
131072-4294967295 disabled=no in-interface=wan new-packet-mark=downloads
out-interface=lan passthrough=no protocol=tcp
>
passthrough=no means packets are no longer processed in the mangle, so the next
rule that makes use of it is not actually capturing them. You need to let the packets
go through passthrough=yes.
Any way, look at the link i posted before about connection rate. I think it is a better approach.thaks alot ,
is there a way to limit the connection of download programs
iam suffering from alot of connection for only one file
please i want to understand
some rules that drop the connection depending on the type of the files you can add more types like pdf,wav …etc
/ip firewall filter
add action=drop chain=forward comment=“5 connection exe” connection-limit=
5,30 content=.exe disabled=no protocol=tcp
add action=drop chain=forward comment=“5 connection rar” connection-limit=
5,30 content=.rar disabled=no protocol=tcp
add action=drop chain=forward comment=“5 connection zip” connection-limit=
5,30 content=.zip disabled=no protocol=tcp
add action=drop chain=forward comment=“5 connection mp3” connection-limit=
5,30 content=.mp3 disabled=no protocol=tcp
add action=drop chain=forward comment=“5 connection mp4” connection-limit=
5,30 content=.mp4 disabled=no protocol=tcp
add action=drop chain=forward comment=“5 connection flv” connection-limit=
5,30 content=.flv disabled=no protocol=tcp
add action=drop chain=forward comment=“5 connection iso” connection-limit=
5,30 content=.iso disabled=no protocol=tcp
it is effective with download programs
thank u very much but i tried this before
and it is a very weak way
i want to limit depending on the downloads packets that i marked before in the mangle
any idea ???
is there any way ?
can it be applied depending on the layer 7 protocol depending on the extensions of files
as when i depend on content it is work to some extent
but i want to use the layer 7 as it is more accurate
thanks in advance
and sorry for disturbing you
/ip firewall layer7-protocol
add comment="" name=IDM-LIMIT regexp="^.*get.+\\.(exe|rar|zip|7z|cab|asf|mov|wmv\
|mpg|mpeg|mkv|avi|flv|pdf|wav|rm|mp3|mp4|ram|rmvb|dat|daa|iso|nrg|bin|vcd|\
mp2|3gp|mpe|qt|raw|wma|ogg|doc|deb|tar|bzip|gzip|gzip2|0[0-9][0-9]).*\$"
/ip firewall mangle
add action=mark-packet chain=forward comment=IDM-LIMIT disabled=yes \
layer7-protocol=IDM-LIMIT new-packet-mark=IDM-LIMIT-packet passthrough=no protocol=tcp
/queue type
add kind=pcq name=IDM pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=64k pcq-src-address6-mask=64
/queue tree
add max-limit=64k name=IDM-Limit packet-mark=IDM-LIMIT-packet parent=global queue=IDM
just change in-nterface wtih out-interface and it will work perfectly…