winet
Member Candidate
Topic Author
Posts: 272
Joined: Fri Mar 16, 2007 4:49 pm
Location: Indonesia

how to limit every src client to have only 2 connections?

Wed Feb 11, 2009 4:14 am

I have src nat, from local to internet. I want to limit every client of the src nat so that it can only open 2 connections. How do I set this up?

thanks before :)
 
normis
MikroTik Support
Posts: 24276
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: how to limit every src client to have only 2 connections?

Wed Feb 11, 2009 1:04 pm

2 connections is too little, they won't have any connectivity at all. Example of how to limit to 5:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop
(6th connection per /32 subnet (each IP) will be dropped)
 
gmsmstr
Trainer
Posts: 940
Joined: Fri Jun 04, 2004 2:22 am
Location: St. Louis, MO
Contact:

Re: how to limit every src client to have only 2 connections?

Wed Feb 11, 2009 9:44 pm

Figure 15-20 for residential customer, and 50-80 for business, depending on the number of computers etc.

Firefox and IE will create between 8-15 by default for every page.
Dennis Burgess, MCTCE, MTCNA, MCTCTE, MTCWE, MTCNIE, A+, N+, MCP, MTCSE Mikrotik Certified Consultant / Trainer
Need Mikrotik Support: http://www.linktechs.net -- Link Technologies, Inc.
-- Author of "Learn RouterOS: Second Edition"
 
winet
Member Candidate
Topic Author
Posts: 272
Joined: Fri Mar 16, 2007 4:49 pm
Location: Indonesia

Re: how to limit every src client to have only 2 connections?

Thu Feb 12, 2009 12:42 pm

I see.
So I could add src-address-list to that script, with the src-address-list being my client IPs?
Also, if I may ask, what does TCP-flags=syn do? I'm sorry if I ask such newbie questions, I'm trying to figure out everything I will do.

thanks before
 
JJCinAZ
Member
Posts: 473
Joined: Fri Oct 22, 2004 8:03 am
Location: Tucson, AZ
Contact:

Re: how to limit every src client to have only 2 connections?

Thu Feb 12, 2009 6:10 pm

Yes you can add src-address-list to the rule -- it just adds another "and if" to the logic.

My 2-cents on the idea of limiting connections is that you'll just drive up support costs as you break various applications and have to take a support call on it. I rather like the method of bandwidth-jail whereby if a customer uses more than X bytes per 24 hour period, the router automatically adds a queue putting them in bandwidth jail for the next 24 hour period, severely limiting their speeds during the jail period. This seems to quickly teach the users to be more "fair" in their use of the connection and doesn't break applications.
 
ahmedsaffar76
Member
Posts: 307
Joined: Sun Feb 17, 2008 2:56 pm
Location: Iraq

Re: how to limit every src client to have only 2 connections?

Fri Feb 13, 2009 1:49 am

Hi,
You do not have to limit the connections, because if you did this they will not work fine.
Opening Yahoo Messenger will open a connection to port 443 and then to port 443 and then open the telnet port and also open port 80.
So if he opens a web page and Yahoo Messenger he will become crazy of the internet.
You could limit the upload and this will kill the internet; he will not be able to request too many as the upload for him had been totally swallowed by previous connections.
I have 2 Mbit and when the upload is slow the internet is like dial-up speed.

Also, could you explain how to implement the jail policy? I have many hungry users and I am now using a queue tree.
With best regards.
 
winet
Member Candidate
Topic Author
Posts: 272
Joined: Fri Mar 16, 2007 4:49 pm
Location: Indonesia

Re: how to limit every src client to have only 2 connections?

Fri Feb 13, 2009 4:48 am

My internet isn't so nice when there are so many connections being opened. There is a kind of maximum for connections allowed to be opened, so if it reaches the maximum, some already opened will be closed. That's why I need this script, because one of my clients, whenever he connects, his computer will open about 50 connections at a time. Those connections are small (about 20kbps each). And yes, I queued him already.
 
NetworkPro
Forum Guru
Posts: 1369
Joined: Mon Jan 05, 2009 6:23 pm
Location: Worldwide
Contact:

Re: how to limit every src client to have only 2 connections?

Fri Feb 13, 2009 7:49 pm

I disagree with the "jail policy" and the connection limiting. All you need is good QoS, and maybe move this-and-that around the QoS queue tree to lower priority of hog users.
wiki.mikrotik.com/wiki/NetworkPro_on_Quality_of_Service
 
winet
Member Candidate
Topic Author
Posts: 272
Joined: Fri Mar 16, 2007 4:49 pm
Location: Indonesia

Re: how to limit every src client to have only 2 connections?

Sat Feb 14, 2009 1:25 pm

> I disagree with the "jail policy" and the connection limiting. All you need is good QoS, and maybe move this-and-that around the QoS queue tree to lower priority of hog users.

I wish I knew what you're saying :)
 
InoX
Forum Guru
Posts: 1963
Joined: Tue Jan 09, 2007 6:44 pm

Re: how to limit every src client to have only 2 connections?

Sun Feb 15, 2009 1:33 am

i have a 200 connections limit for my clients.
QoS will not help if clients have viruses or something...
 
NetworkPro
Forum Guru
Posts: 1369
Joined: Mon Jan 05, 2009 6:23 pm
Location: Worldwide
Contact:

Re: how to limit every src client to have only 2 connections?

Sun Feb 15, 2009 9:23 am

Recently I saw that viruses got nastier. They disabled some Antivir soft and evaded some admin tools, etc.etc. This is very very bad. I was thinking that we must develop a way to detect virus activity @ routers. We now have L7 on our side. As well as scripting, e-mail notification, etc. Let's start a discussion topic...
wiki.mikrotik.com/wiki/NetworkPro_on_Quality_of_Service
 
dunga
Member Candidate
Posts: 254
Joined: Fri Jan 23, 2009 9:51 am
Location: Nigeria

Re: how to limit every src client to have only 2 connections?

Wed Aug 05, 2009 12:23 pm

> 2 connections is too little, they won't have any connectivity at all. example how to limit to 5:
> /ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop
> (6th connection per /32 subnet (each IP) will be dropped)

Please Normis, I do not get this very clearly.
Assuming my clients are in the DHCP network range from 192.168.0.10 -254, how do I write this script using winbox?

Thanks
 
Chupaka
Forum Guru
Posts: 8319
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: how to limit every src client to have only 2 connections?

Wed Aug 05, 2009 4:34 pm

add firewall filter rule:

chain=forward
src-address=192.168.0.10-192.168.0.254
protocol=tcp
tcp-flags=syn
connection-limit=6,32
action=drop
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
dunga
Member Candidate
Posts: 254
Joined: Fri Jan 23, 2009 9:51 am
Location: Nigeria

Re: how to limit every src client to have only 2 connections?

Wed Aug 05, 2009 6:09 pm

> add firewall filter rule:
>
> chain=forward
> src-address=192.168.0.10-192.168.0.254
> protocol=tcp
> tcp-flags=syn
> connection-limit=6,32
> action=drop

Thanks Chupaka, I will try it when I get home, but what is the meaning of the 32? I thought it is the subnet of the network in question.
 
Chupaka
Forum Guru
Posts: 8319
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: how to limit every src client to have only 2 connections?

Wed Aug 05, 2009 9:56 pm

32 is subnet, in which connections are counted. /32 - is per user. /24 - per your network
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
dunga
Member Candidate
Posts: 254
Joined: Fri Jan 23, 2009 9:51 am
Location: Nigeria

Re: how to limit every src client to have only 2 connections?

Wed Aug 05, 2009 10:27 pm

> 32 is subnet, in which connections are counted. /32 - is per user. /24 - per your network

I am getting more confused. Do you advise I use /32 instead of /24, which is my network subnet? Moreover, I want to effect the limit per user in the subnet of /24.

This is my lan ip settings: 192.168.0.10 - 254
subnet is 255.255.255.0
and gateway: 192.168.0.1

thanks
 
Chupaka
Forum Guru
Posts: 8319
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: how to limit every src client to have only 2 connections?

Wed Aug 05, 2009 11:05 pm

"src-address=192.168.0.10-192.168.0.254" - these users are affected

"connection-limit=6,32" - each of these users is limited to 6 connections

"connection-limit=6,24" - all these users are limited to 6 connections (if first user uses 4 connections, second user - 2 connections, then third user cannot establish a connection)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
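
How the netmask in connection-limit changes the counting, as an added Python model that is not part of the original posts and is not RouterOS code. It follows the description in the post above (once a block already holds the limit, the next new connection is dropped); the `simulate` function and the sample SYN sequence are constructed for illustration, and the exact boundary on a real router is an assumption to verify.

```python
import ipaddress
from collections import Counter


def simulate(syns, limit, prefix):
    """Replay new-connection attempts (source IPs, in arrival order) through a
    model of connection-limit=<limit>,<prefix>.

    Assumptions: a SYN is dropped once the source's /prefix block already holds
    `limit` tracked connections, and no connection closes during the replay.
    Returns (accepted, dropped) as dicts keyed by source IP.
    """
    tracked = Counter()   # address block -> connections currently tracked
    accepted = Counter()  # source IP -> connections let through
    dropped = Counter()   # source IP -> SYNs dropped by the rule
    for src in syns:
        # The netmask decides which addresses share one counter:
        # /32 gives every client its own, /24 gives the whole LAN a single one.
        block = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        if tracked[block] >= limit:
            dropped[src] += 1
        else:
            tracked[block] += 1
            accepted[src] += 1
    return dict(accepted), dict(dropped)


# Constructed sample: three clients from the 192.168.0.10-254 range in the thread.
SYNS = (
    ["192.168.0.10"] * 4    # first user opens 4 connections
    + ["192.168.0.11"] * 2  # second user opens 2
    + ["192.168.0.12"] * 3  # third user tries 3
    + ["192.168.0.10"] * 4  # first user tries 4 more
)

if __name__ == "__main__":
    for prefix in (32, 24):
        ok, refused = simulate(SYNS, limit=6, prefix=prefix)
        print(f"connection-limit=6,{prefix}")
        print("  accepted:", ok)
        print("  dropped: ", refused)
```

With /32 only the first user's connections beyond 6 are refused; with /24 the first two users fill the shared counter and the third user gets nothing.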
 
dunga
Member Candidate
Posts: 254
Joined: Fri Jan 23, 2009 9:51 am
Location: Nigeria

Re: how to limit every src client to have only 2 connections?

Thu Aug 06, 2009 5:28 pm

Thanks,
Will try it before the end of today.

What if I have some people who are using it for cyber cafe? How do I split them and make some get a maximum of, say, 60 connections while personal users make use of 6? This is because some people in the hotspot are using it for cyber cafe.

Again, will setting up web proxy cache affect my hotspot? Can both work together? If yes, how do I go about the configuration and the firewall?
