hello,
I am using a bandwidth provider that gives us a 6 Mb/s symmetric internet connection. We use a routerboard to smartly share the connection among 60 users.
If I connect a laptop to the internet gateway directly (no users, no routerboard) I can have 3 ftp sessions at more than 200 KB/s each, which gives almost 5 Mb/s; this is good enough.
But then through the routerboard there is no way to have more traffic than 2.5 / 3 Mb/s. This is very strange, since the routerboard opens connections to lots of sites like webpages, emule, edonkey that users are using. I also tried to slow down network traffic and perform the same 3 ftp downloads, and it still stays below 3 Mb/s.
I don't understand it?
any idea?
did you monitor the routerboard's cpu usage?
If it is low, the issue should be related to some bad ethernet cards that use more interrupt time than they need.
P.S.
I hope I made myself understood. sorry, I thought you were from Italy.
ok, but i am using a routerboard with embedded eth cards
anyhow it seems my problems come from too many connections opened by the users (we are now at 8.000) from emule, edonkey, etc.
do you know any way to limit the connections opened by each ip?
thanks
Gianluca
check out the "connection-limit" property for the firewall rules. There is an example of using it in the manual.
I have done it, put the limit on the number of connections in the fw rule.
But if I put for instance 60, and then I check the ip firewall connections, I see a lot more connections; sometimes it seems to be double (120).
Then it seems it is also "limiting" a bit the other IPs. I mean, if 1 IP has the p2p, it would limit the amount of connections, and from the same IP there would be a logical slowdown on browsing, but the same slowdown appears on other IPs on the same network
???
i am still with the same problem
with limit-connection on the fw rule, it limits all my local IPs, and not each IP
what can i do?
Eugene
August 25, 2004, 2:30pm
Maybe post an export of your firewall configuration and network diagram?
/ ip firewall
set input name="input" policy=accept comment=""
set forward name="forward" policy=accept comment=""
set output name="output" policy=accept comment=""
add name="customer" policy=none comment=""
/ ip firewall rule customer
add protocol=tcp connection-state=established action=accept comment="allow established TCP connections" disabled=no
add protocol=udp connection-state=established action=accept comment="allow established UDP connections" disabled=no
add protocol=icmp action=accept comment="" disabled=no
/ ip firewall rule forward
add src-address=192.168.5.162/32 protocol=tcp tcp-options=syn-only action=drop log=yes connection-limit=180 comment="" disabled=yes
add protocol=tcp tcp-options=syn-only action=drop log=yes connection-limit=500 comment="" disabled=no
add out-interface=local action=jump jump-target=customer comment="" disabled=no
/ ip firewall rule input
add protocol=tcp connection-state=established action=accept comment="accept established TCP connections" disabled=no
add protocol=udp action=accept comment="accept established UDP connections" disabled=no
add protocol=icmp action=accept comment="allow ICMP commands" disabled=no
add src-address=192.168.5.252/32 action=accept log=yes comment="allow access to listen IP addresses" disabled=no
add action=reject log=yes comment="" disabled=yes
/ ip firewall mangle
add src-address=:53 protocol=udp action=accept mark-flow=dns comment="" disabled=no
add dst-address=:53 protocol=udp action=accept mark-flow=dns comment="" disabled=no
add connection=p2p_con172 action=accept mark-flow=p2p172 comment="" disabled=no
add src-address=192.168.5.162/32 p2p=all-p2p action=passthrough mark-connection=p2p_con162 comment="" disabled=no
add connection=p2p_con162 action=accept mark-flow=p2p162 comment="" disabled=no
add src-address=192.168.5.252/32 p2p=all-p2p action=passthrough mark-connection=p2p_con252 comment="" disabled=no
add connection=p2p_con252 action=accept mark-flow=p2p252 comment="" disabled=no
add src-address=192.168.5.40/32 p2p=all-p2p action=passthrough mark-connection=p2p_con40 comment="" disabled=no
add connection=p2p_con40 action=accept mark-flow=p2p40 comment="" disabled=no
add src-address=192.168.5.184/32 p2p=all-p2p action=passthrough mark-connection=p2p_con184 comment="" disabled=no
add connection=p2p_con184 action=accept mark-flow=p2p184 comment="" disabled=no
add src-address=192.168.5.23/32 p2p=all-p2p action=passthrough mark-connection=p2p_con23 comment="" disabled=no
add connection=p2p_con23 action=accept mark-flow=p2p23 comment="" disabled=no
add src-address=192.168.5.174/32 p2p=all-p2p action=passthrough mark-connection=p2p_con174 comment="" disabled=no
add connection=p2p_con174 action=accept mark-flow=p2p174 comment="" disabled=no
add src-address=192.168.5.166/32 p2p=all-p2p action=passthrough mark-connection=p2p_con166 comment="" disabled=no
add connection=p2p_con166 action=accept mark-flow=p2p166 comment="" disabled=no
add src-address=192.168.5.176/32 p2p=all-p2p action=passthrough mark-connection=p2p_con176 comment="" disabled=no
add connection=p2p_con176 action=accept mark-flow=p2p176 comment="" disabled=no
add src-address=192.168.5.172/32 p2p=all-p2p action=passthrough mark-connection=p2p_con172 comment="" disabled=no
add src-address=192.168.5.28/32 p2p=all-p2p action=passthrough mark-connection=p2p_con28 comment="" disabled=no
add connection=p2p_con28 action=accept mark-flow=p2p28 comment="" disabled=no
add src-address=192.168.5.11/32 p2p=all-p2p action=passthrough mark-connection=p2p_con11 comment="" disabled=no
add connection=p2p_con11 action=accept mark-flow=p2p11 comment="" disabled=no
add src-address=192.168.5.187/32 p2p=all-p2p action=passthrough mark-connection=p2p_con187 comment="" disabled=no
add connection=p2p_con187 action=accept mark-flow=p2p187 comment="" disabled=no
add src-address=192.168.5.58/32 p2p=all-p2p action=passthrough mark-connection=p2p_con58 comment="" disabled=no
add connection=p2p_con58 action=accept mark-flow=p2p58 comment="" disabled=no
add src-address=192.168.5.24/32 p2p=all-p2p action=passthrough mark-connection=p2p_con24 comment="" disabled=no
add connection=p2p_con24 action=accept mark-flow=p2p24 comment="" disabled=no
add src-address=192.168.5.151/32 p2p=all-p2p action=passthrough mark-connection=p2p_con151 comment="" disabled=no
add connection=p2p_con151 action=accept mark-flow=p2p151 comment="" disabled=no
add src-address=192.168.5.168/32 p2p=all-p2p action=passthrough mark-connection=p2p_con168 comment="" disabled=no
add connection=p2p_con168 action=accept mark-flow=p2p168 comment="" disabled=no
add src-address=192.168.5.0/24 p2p=all-p2p action=passthrough mark-connection=p2p_con comment="" disabled=no
add connection=p2p_con action=accept mark-flow=p2p comment="" disabled=no
add src-address=213.4.114.108/32 action=accept mark-flow=speed_test comment="telefonica" disabled=no
add src-address=213.4.130.91/32 action=accept mark-flow=speed_test comment="terra" disabled=no
add src-address=69.93.0.234/32 action=accept mark-flow=speed_test comment="www.upseros.net" disabled=no
add src-address=69.93.147.210/32 action=accept mark-flow=speed_test comment="www.adslayuda.com" disabled=no
add src-address=66.59.227.169/32 action=accept mark-flow=speed_test comment="www.dslreports.com" disabled=no
add src-address=195.5.65.181/32 action=accept mark-flow=speed_test comment="arrakis desde aui.com" disabled=no
add src-address=212.81.128.129/32 action=accept mark-flow=speed_test comment="www.velocimetro.org" disabled=no
add src-address=217.76.134.15/32 action=accept mark-flow=speed_test comment="arsys desde aui.com" disabled=no
add src-address=80.251.75.5/32 action=accept mark-flow=speed_test comment="albura desde aui.com" disabled=no
add src-address=217.116.2.136/32 action=accept mark-flow=speed_test comment="acens desde aui.com" disabled=no
add src-address=:80 protocol=tcp action=accept mark-flow=http comment="" disabled=no
add dst-address=:80 protocol=tcp action=accept mark-flow=http comment="" disabled=no
add dst-address=:443 protocol=tcp action=accept mark-flow=http comment="" disabled=no
add src-address=:443 protocol=tcp action=accept mark-flow=http comment="" disabled=no
add src-address=192.168.5.0/24 protocol=icmp action=accept mark-flow=system_commands comment="" disabled=no
add src-address=192.168.5.0/24:23 protocol=tcp action=accept mark-flow=system_commands comment="" disabled=no
add dst-address=207.226.195.112/32 action=accept mark-flow=messenger comment="" disabled=no
add dst-address=168.226.195.112/32 action=accept mark-flow=messenger comment="" disabled=no
add src-address=192.168.5.0/24:5004-65535 protocol=udp action=accept mark-flow=messenger comment="" disabled=no
add dst-address=:6901 protocol=tcp action=accept mark-flow=messenger comment="" disabled=no
add src-address=:6901 protocol=udp action=accept mark-flow=messenger comment="" disabled=no
add src-address=192.168.5.0/24 dst-address=:5004-65535 protocol=udp action=accept mark-flow=messenger comment="" disabled=no
add dst-address=:6901 protocol=udp action=accept mark-flow=messenger comment="" disabled=no
add src-address=:6901 protocol=tcp action=accept mark-flow=messenger comment="" disabled=no
add src-address=:1863 protocol=tcp action=accept mark-flow=messenger comment="" disabled=no
add src-address=:25 protocol=tcp action=accept mark-flow=mail comment="" disabled=no
add dst-address=:1863 protocol=tcp action=accept mark-flow=messenger comment="" disabled=no
add src-address=:26000 protocol=tcp action=accept mark-flow=game comment="" disabled=no
add dst-address=:26000 protocol=tcp action=accept mark-flow=game comment="" disabled=no
add src-address=:6667 protocol=tcp action=accept mark-flow=irc comment="" disabled=no
add dst-address=:6667 protocol=tcp action=accept mark-flow=irc comment="" disabled=no
add src-address=:21 protocol=tcp action=accept mark-flow=ftp comment="" disabled=no
add dst-address=:21 protocol=tcp action=accept mark-flow=ftp comment="" disabled=no
add dst-address=:2 protocol=tcp action=accept mark-flow=ftp comment="" disabled=no
add dst-address=:20 protocol=tcp action=accept mark-flow=ftp comment="" disabled=no
add src-address=:20 protocol=tcp action=accept mark-flow=ftp comment="" disabled=no
add src-address=:110 protocol=tcp action=accept mark-flow=mail comment="" disabled=no
add dst-address=:110 protocol=tcp action=accept mark-flow=mail comment="" disabled=no
add dst-address=:25 protocol=tcp action=accept mark-flow=mail comment="" disabled=no
add action=accept mark-flow=all_the_rest comment="" disabled=no
/ ip firewall service-port
set ftp ports=21 disabled=no
set pptp disabled=no
set gre disabled=no
set h323 disabled=no
set mms disabled=no
set irc ports=6667 disabled=no
set quake3 disabled=no
set tftp ports=69 disabled=no
/ ip firewall src-nat
add out-interface=public action=masquerade comment="" disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=1m tcp-syn-received-timeout=1m tcp-established-timeout=1d tcp-fin-wait-timeout=2m tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s tcp-time-wait-timeout=2m tcp-close-timeout=10s udp-timeout=30s udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m
can someone help me?
I have CPU usage at 50% and 50% of memory free as well (I am using 64 Mb of memory). I would like to use it on a 6 Mb/s trunk with 8.000 connections opened
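The thread's symptom (a limit of 60 showing up as 120 in the connection table, and every local IP slowing down) is what a connection-limit rule without a per-host scope produces: the count is taken over every source the rule matches, not per address. The script below is an added example, not code from the thread or from RouterOS; it parses a few constructed connection-tracking lines (the column layout is assumed, loosely modelled on "/ip firewall connection print") and counts TCP connections per source prefix, so a shared bucket (mask 0) can be compared with a per-host bucket (mask 32) against the same threshold.

```python
"""Per-source connection counting, modelled on a firewall connection-limit matcher.

Added example, not part of the forum thread. SAMPLE_CONNECTIONS is constructed
sample data; the column layout (proto src:port -> dst:port state) is assumed.
"""
import ipaddress
from collections import Counter

# Constructed sample: one p2p-heavy host (.162) and two light ones (.40, .23).
SAMPLE_CONNECTIONS = """\
tcp 192.168.5.162:4662 -> 85.12.3.4:4662 established
tcp 192.168.5.162:4663 -> 85.12.3.9:4662 established
tcp 192.168.5.162:4664 -> 62.1.2.3:4662 syn-sent
tcp 192.168.5.40:1234 -> 213.4.114.108:80 established
udp 192.168.5.40:53123 -> 192.168.5.1:53 established
tcp 192.168.5.23:1500 -> 66.59.227.169:80 established
"""


def parse_connections(text):
    """Return (protocol, src_ip, dst_ip) tuples from the assumed line format."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "->":
            continue  # skip headers, blank lines and anything malformed
        proto, src, dst = parts[0], parts[1], parts[3]
        rows.append((proto, src.rsplit(":", 1)[0], dst.rsplit(":", 1)[0]))
    return rows


def count_per_prefix(rows, netmask, protocol="tcp"):
    """Count connections per source prefix of the given mask length.

    netmask=32 counts each host separately (the per-IP limit the poster wanted);
    netmask=0 puts every source into one bucket, which is what a limit shared
    by all local hosts looks like: one busy p2p host exhausts it for everyone.
    """
    counts = Counter()
    for proto, src, _dst in rows:
        if proto != protocol:
            continue
        net = ipaddress.ip_network(f"{src}/{netmask}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


def over_limit(rows, limit, netmask, protocol="tcp"):
    """Return the source prefixes whose TCP connection count exceeds `limit`."""
    per_prefix = count_per_prefix(rows, netmask, protocol)
    return sorted(prefix for prefix, n in per_prefix.items() if n > limit)
```

With a limit of 2, the per-host view flags only 192.168.5.162/32, while the shared view flags the single 0.0.0.0/0 bucket, i.e. every host at once.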
You do realize that this thread is 12 years old …