tcp connection limit.

Using a MikroTik router and I need to figure out how one would go about making a global per-user TCP limit. Basically I want to limit every host behind the MikroTik to 60 max TCP connections.

Anyone know what I'm supposed to be setting in the ip-firewall area for a rule? I've found what I'm looking for, I think, but since I could not find anything about this in the manual I figure I should ask first.

v2.9 RouterOS btw.

Not sure if there is a difference with 2.9 and 3.20 but here is what I’ve used.
This example will limit each user on the 10.0.102.0 network to 70 connections.

add action=drop chain=forward comment="TCP Connection Limits" \
    connection-limit=71,32 disabled=no protocol=tcp src-address=10.0.102.0/24 \
    tcp-flags=syn

What does the limit mask (connection-limit=71,32) of 32 mean in this case? You allow 71 connections per individual source IP to a /32 range (individual IP)? So you allow 71 connections from any source to any destination? Shouldn’t this be connection-limit=71,0 ? So you limit the global total connections going anywhere from an individual IP?

I guess I don’t really know if this limit mask applies to the source or the destination range … the documentation says nothing about this.

Geza

It limits based on source address connections. /32 is per ip address of network in src-address.
70 connections permitted. 71st connection is dropped.
Change the numbers to suit your needs.

Will give that a try, think I figured out how to do that in the GUI. Testing on the workbench later today. Thanks guys.

Ran a BitTorrent download, a well-seeded one, and it appears to be working. Doesn't go over the connection limit. Forgot to set the TCP flag to syn. Wasn't working till I did that.

I have a problem, that rule seems to have limited the entire 10.10.1.0 IP range to 60 connections, not 60 connections per IP address.

This is what I have set when I display the firewall rule in the console:

Flags: X - disabled, I - invalid, D - dynamic
0 ;;; tcp connection for 10.10.0.0
chain=forward action=drop tcp-flags=syn protocol=tcp src-address=10.10.1.0/24
connection-limit=61,32

If I fire up BitTorrent off one computer in the same IP range the other computer loses connection.

Any ideas?

Tried to set the source address to a single IP address, so a rule for 1 IP.

Speedtesting on one computer while another is downloading a torrent, I see major performance issues on the one that is not bit-torrenting.

On an RB433 board, running RouterOS 3.22.

Is this kind of thing just not supported or something?

Is there any solution? I have the same problem! I have created two filter rules in the chain:

chain=forward action=add-src-to-address-list tcp-flags=syn
address-list="80 konekcija" address-list-timeout=10m protocol=tcp
connection-limit=80,32

chain=forward action=drop src-address=192.168.1.0/24
src-address-list="80 konekcija" protocol=tcp connection-limit=80,32

PPPoE users are attached to 192.168.1.0/24; after a while it looks like the following rule is applied to the whole IP range rather than to a single IP user!

Any suggestions?

Just tried the same rule on 3.23 version,

ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=drop tcp-flags=syn protocol=tcp
src-address=192.168.66.0/24 connection-limit=5,32

One user’s connections are not borrowed from another; in other words, 5 connections are not shared between users in the 192.168.66.0/24 network.
You specify 5,32 in connection-limit; 32 means for every client in the particular network, 5,24 is for the entire network.

Please make sure that user 1 does not use 60 connections while user 2 has 60 connections as well. Torrent programs are extremely “heavy” in the number of connections they create.

You can check /ip firewall connection print (I suggest using Winbox) to review all connections which are created by users. There you should see the whole picture.
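As an added illustration (not from any poster in this thread) of what the second number in connection-limit=N,mask counts over, the Python model below assumes the semantics sergejs describes: the counter is kept per source prefix of the given length, and the drop rule matches once a new SYN would become the N-th tracked connection from that prefix. The two-host sample traffic is constructed, and connections never close in the model, which is the torrent worst case.

```python
import ipaddress
from collections import defaultdict


def group_key(src_ip, mask):
    """Collapse a source address to the /mask prefix the counter is kept for.
    mask=32 gives one counter per host, mask=24 one counter per /24 network."""
    return str(ipaddress.ip_network(f"{src_ip}/{mask}", strict=False))


def simulate(syns, limit, mask):
    """Return an accept/drop verdict for each new TCP SYN, in order.
    Models a drop rule with connection-limit=limit,mask as read in the thread:
    the SYN that would become the limit-th tracked connection from its /mask
    group is dropped, so 71,32 allows 70 connections per host.
    Connections never close in this model (assumption: worst case)."""
    active = defaultdict(int)
    verdicts = []
    for src in syns:
        key = group_key(src, mask)
        if active[key] + 1 >= limit:
            verdicts.append("drop")
        else:
            active[key] += 1
            verdicts.append("accept")
    return verdicts


def two_hosts(mask, limit=71):
    """Constructed sample: two hosts on 10.0.102.0/24 open 70 connections each.
    Returns (accepted, dropped) so the effect of the mask is visible."""
    syns = ["10.0.102.5"] * 70 + ["10.0.102.6"] * 70
    verdicts = simulate(syns, limit, mask)
    return verdicts.count("accept"), verdicts.count("drop")


if __name__ == "__main__":
    print("per host (71,32):", two_hosts(32))  # (140, 0): each host keeps its own 70
    print("per /24  (71,24):", two_hosts(24))  # (70, 70): the whole subnet shares 70
```

If a /32 rule behaves like the second line, the counter is not being kept per host, which is the symptom several posters in this thread describe.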

Firstly, thank you sergejs for your post!

Second,

Are you recommending that I upgrade to OS 3.23? I have 3.13 on the x86 platform.

So according to my chain rules above your reply, everything is ok? Since I am using a 32-bit netmask it applies to a single IP user, not the whole IP range for PPPoE users?! But still, after a while, once one user fills the 80 connections it starts to apply to the whole IP range! Your quote "Please, make sure that user 1 does not use 60 connections, while user 2 has 60 connections as well." - does this refer to 80,24?? I didn't understand it quite well! But if I put 150 connections it behaves the same! Since P2P traffic is quite heavy and opens a lot of connections!

I am also using Winbox, tracking connections in Firewall to see all the connections :wink:

It was a typo, I was thinking about 80 connections (not 60).
Yes, the rules are correct and these rules are working fine for me at 3.23/3.24.
Make sure the router has connection tracking enabled: /ip firewall connection

I will try upgrading to the latest software and try again and see if I have any luck.

Have upgraded to 3.25 and am having issues still. I am using PPPoE, so first I make sure the bridge is using the IP firewall for PPPoE.

Set the rules like you have it, and when I fire up BitTorrent on one computer, the other computer’s performance suffers. Like it has limited 60 connections for everyone as opposed to 1 person.

sergejs: what do you mean by not allowing 60 connections for one user then 60 connections for another? I thought that was the whole point? I need to limit every IP to 60 TCP connections.

Anyone who has successfully implemented this willing to have a look at my test unit? I can PM IP details and user/pass. I am completely out of rope. I'm going to have to add a NetEq to every tower site now if this doesn't work.

I am still having the same problems. I thought that the problem was because of OS 3.13! But since derr12 has upgraded and still has issues, I am without a clue. After a while people are calling me complaining that they can ping google, but when they open a browser, it won't load a page!
As soon as I change the action to “accept” instead of “drop” in the Firewall filter settings it starts working normally. I explained my settings above, and everything is ok!

Milos, yes, everything that you wrote is correct.

Users can ping google, but they are not able to browse google.
Your limit rule is working only for TCP traffic; pings are ICMP and are not blocked.
I still have the idea that the user is not able to open a web page because the actual connection limit is reached (by torrent or any other connection-hungry program); check /ip firewall connection for the active connections which are opened by the particular IP address.

Thanks again for your reply Sergejs.

Unfortunately I am having the same problems. I have tried everything. After a phone call from one client complaining that he cannot open any page, I checked connection tracking and he had only 5 connections! :frowning: Again my rules are correct - I suppose that something is wrong and that somehow the rules are applied to the whole IP range, 80,24, instead of 80,32.

I saw something very interesting!! In the “address list” section where it tracks and shows all the clients that have reached “80 connections”, instead of only 192.168.1.0/24 (the IP range given to track as source address) there are also a lot of other addresses, addresses like x.x.x.x/24 or x.x.x.x/32 ??? How is that happening??