I have to limit one destination LAN IP address to a maximum number of packets per second. But everything has to be limited except ports 80, 443 and 53. How do I write that rule in the firewall? Could you help me, please?
dst-limit is used to limit pps; more information is in the documentation.
You need to add accept rules for 80, 443 and 53, then add a rule with dst-limit to limit pps.
OK, thank you. But should I use accept or drop with dst-limit? I have read the documentation, but I don’t understand how to use dst-limit at all.
Could you write any example of that rule, please?
If all expressions of a firewall rule return true, then it does the action it is told to do; if it says pps=10 action=accept, then 10 packets per second will be accepted and all the rest will be dropped.
then 10 packets per second will be accepted and all the rest will be dropped
You don’t mean dropped, you mean allowed to go to the next rule in the firewall chain. You have to make sure that you disallow the remaining packets in another rule.
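Added example, not code from this thread and not MikroTik’s own implementation: a small Python model of the chain described above (accept rules for ports 80, 443 and 53, then a dst-limit accept rule, then a final drop), run once with the final drop and once without it. It assumes dst-limit behaves like a per-destination token bucket (capacity = burst, refilled at count packets per time seconds, entries forgotten after expire seconds of silence); the addresses, ports and packet timings are constructed sample traffic.

```python
from collections import Counter
from dataclasses import dataclass, field
from fractions import Fraction
from typing import Callable, List, Tuple

# Added example, not code from the original thread or from MikroTik.
# Models a RouterOS forward chain whose last two rules are
#   chain=forward dst-limit=100,5,dst-address/1m40s action=accept
#   chain=forward action=drop
# preceded by accept rules for the ports that must not be limited.
# dst-limit is modelled (assumption) as a token bucket per destination
# address: capacity = burst, refilled at `count` packets per `time` seconds,
# entries forgotten after `expire` seconds of silence. Real RouterOS
# behaviour, including the rounding bug discussed in the thread, may differ.


@dataclass
class Packet:
    t: Fraction      # arrival time in seconds (Fraction keeps the maths exact)
    proto: str       # "tcp" or "udp"
    dst: str         # destination address
    dport: int       # destination port


@dataclass
class DstLimit:
    count: int                # packets allowed per `time` seconds
    burst: int                # bucket capacity: packets matched at once
    time: int = 1             # seconds; dst-limit=100,5,... means 100 per 1 s
    expire: int = 100         # 1m40s: forget a destination idle this long
    buckets: dict = field(default_factory=dict)  # dst -> (tokens, last_seen)

    def match(self, pkt: Packet) -> bool:
        tokens, last = self.buckets.get(pkt.dst, (Fraction(self.burst), pkt.t))
        if pkt.t - last > self.expire:           # idle entry expired: start fresh
            tokens, last = Fraction(self.burst), pkt.t
        # Refill proportionally to elapsed time, never above the burst size.
        tokens = min(Fraction(self.burst),
                     tokens + (pkt.t - last) * self.count / self.time)
        if tokens >= 1:
            self.buckets[pkt.dst] = (tokens - 1, pkt.t)
            return True                           # rule matches -> its action runs
        self.buckets[pkt.dst] = (tokens, pkt.t)
        return False                              # no match -> next rule in chain


def build_chain(limit: DstLimit, final_drop: bool = True
                ) -> List[Tuple[str, Callable[[Packet], bool]]]:
    """Rules in evaluation order; the name doubles as the action label."""
    rules = [
        ("accept-web", lambda p: p.proto == "tcp" and p.dport in (80, 443)),
        ("accept-dns", lambda p: p.dport == 53),
        ("accept-dst-limit", limit.match),
    ]
    if final_drop:
        rules.append(("drop", lambda p: True))
    return rules


def run_chain(packets, rules) -> Counter:
    """Count which rule decided each packet. A packet that reaches the end of
    a built-in chain without matching is accepted by RouterOS; it is recorded
    here as 'end-of-chain'."""
    verdicts = Counter()
    for pkt in sorted(packets, key=lambda p: p.t):
        for name, matcher in rules:
            if matcher(pkt):
                verdicts[name] += 1
                break
        else:
            verdicts["end-of-chain"] += 1
    return verdicts


def sample_traffic() -> List[Packet]:
    """Constructed traffic (not captured data) to 10.0.0.5 and 10.0.0.6."""
    ms = Fraction(1, 1000)
    pkts = [Packet(i * ms, "udp", "10.0.0.5", 12345) for i in range(1000)]     # 1000 pps flood
    pkts += [Packet(i * 20 * ms, "tcp", "10.0.0.5", 443) for i in range(50)]   # HTTPS, never limited
    pkts += [Packet(i * 100 * ms, "udp", "10.0.0.5", 53) for i in range(10)]   # DNS, never limited
    pkts += [Packet(i * 10 * ms, "udp", "10.0.0.6", 5000) for i in range(200)] # exactly 100 pps
    return pkts


if __name__ == "__main__":
    limited = run_chain(sample_traffic(), build_chain(DstLimit(count=100, burst=5)))
    leaky = run_chain(sample_traffic(), build_chain(DstLimit(count=100, burst=5),
                                                   final_drop=False))
    print("with final drop   :", dict(limited))
    print("without final drop:", dict(leaky))
```

With the final drop in place the 1000 pps flood to 10.0.0.5 yields 104 accepts (the burst of 5 plus one packet every 10 ms) and 896 drops, while the 443 and 53 traffic and the 100 pps flow to 10.0.0.6 pass untouched; without the drop rule the same 896 excess packets simply reach the end of the chain and are accepted, which is the point made above.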
OK, I have accept rules for ports 80, 53, and others that I don’t want to limit, but the last two rules are:
chain=forward dst-limit=100,5,dst-address/1m40s action=accept
chain=forward action=drop
But it does not seem to work; it is not limiting pps to 100 for the other ports. Why?
Why is it a problem to give me any example?
Any idea?
Currently, do not use pps for anything other than ICMP, and limit packets to a max value of 10 pps.
This is a bug: values greater than that will not be accurate.
If you set 33,0 pps then you will get 24 as a result.
34 to 49 pps will give you 33 pps.
50 to 99 = 50
100 to 10000 = 100
10001 to .. = no limits
This is the result of a minor settings bug, which is known and is being fixed. After that you will be able to use specific settings.
So, you mean that it will not work for other protocols and ports than ICMP? Or will it work, but with buggy settings, for instance “if you set …100 to 10000 = 100”?
No, it will work fine, but you will have to use that conversion table janisk pasted below. If you want to limit it to 24 pps, you have to use the number 33 instead. Also, this means that you can’t set it to anything higher than 100, as it will treat it as ‘unlimited’.
We are fixing it already.
To clear things up: it will work with any protocol,
but mainly this feature was intended for the ICMP protocol, because using this on TCP is close to nonsense. Why? IMO because TCP will retransmit the packet and your infrastructure will be loaded anyway.
But it should work with UDP, useful with some p2p applications, for instance.
You can’t limit it to anything more than 100 pps, which is useless for UDP or anything other than ICMP. Please wait until this is fixed; then you will be able to use it.
I have been trying to understand “limit” and “dst-limit”, and they were not working normally. After I found this post, now I understand. But I’m using 5.15 and apparently they are not yet fixed? Results below:
When will it be fixed? We are waiting, because we need this feature.
In version 6.43.12 it is still not resolved.
This would be a good function to be able to control the device under DDoS attacks on the conntrack table.
(I need to control 900 kpps on a CCR1036.)
I have raised a ticket for this - it’s Ticket#2019100422002897 in case @janisk is reading this
Another ticket has been opened:
support #[SUP-35291]
Could you fix it??!?