samsoft08
Long time Member
Topic Author
Posts: 617
Joined: Sat Nov 26, 2005 10:52 pm

AGAIN ..... Limiting connections !!!

Sun Aug 13, 2006 11:57 pm

Hello,

There were some topics about connection limits, and the manual explains that too. I'm using this line in the firewall:

chain=forward in-interface=localnet src-address=192.168.1.0/24
protocol=tcp tcp-flags=syn connection-limit=7,32 action=drop

It is supposed to limit each user's connections to 8 only. I just want to know: what is the meaning of 8? Is it 8 connections per second? Does it mean that the user can make 80 connections in 10 seconds?
The problem is that I have a LINKSTAR satellite modem and it has a limited number of connections, so if the users keep making connections as they want, the DNS ping starts timing out and the internet stops.

I put another line in the firewall filter. I thought it would help me, but I don't know exactly if it's correct:

chain=input in-interface=localnet src-address=192.168.1.0/24 protocol=tcp
tcp-flags=syn connection-limit=15,32 action=drop

so that I limited every input connection. Is it right to do so?

Please, I need help, because this problem makes me reboot my MT every 10 minutes!
Any help please?
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Re: AGAIN ..... Limiting connections !!!

Mon Aug 14, 2006 12:36 am

> It is supposed to limit each user's connections to 8 only. I just want to know: what is the meaning of 8? Is it 8 connections per second? Does it mean that the user can make 80 connections in 10 seconds?

No, it limits concurrent connections, not the creation rate of new connections.

> I put another line in the firewall filter. I thought it would help me, but I don't know exactly if it's correct:
>
> chain=input in-interface=localnet src-address=192.168.1.0/24 protocol=tcp
> tcp-flags=syn connection-limit=15,32 action=drop
>
> so that I limited every input connection. Is it right to do so?

The input chain is for traffic that is entering the MT router and destined for the router itself, not being forwarded through the router and beyond. Thus, the input chain is probably not what you want to use.

By the way, you probably should not drop when the maximum number of concurrent connections has been reached but rather reject with tcp-reset, or client TCP connections will hang while trying to be established rather than being immediately cut down.

--Tom
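To make the distinction in the answer above concrete, here is an added illustration (not MikroTik code, and not from anyone in this thread): a small Python model of a connection-limit matcher like `connection-limit=COUNT,NETMASK`. It counts tracked connections that are open at the same time from one address block, so a host that opens and closes 80 connections one after another is never matched, while a host holding many connections open at once is matched as soon as the count is exceeded. The `netmask` part decides whether the count is per host (32) or per whole subnet (24). The exact boundary (whether the new SYN itself is counted) follows the netfilter `connlimit` semantics and is an assumption to check against your RouterOS version; the addresses and ports are constructed sample values.

```python
"""Toy model of a per-address-block concurrent-connection limit.

Added illustration, not RouterOS code. Assumption: a new SYN matches when
it would make the number of concurrent connections from the same block
exceed the limit (netfilter connlimit style). Sample addresses are made up.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One tracked TCP connection (hashable so it can live in a set)."""
    src: str
    dst: str
    sport: int
    dport: int = 80


def block_key(addr: str, netmask: int) -> str:
    """Group source addresses by the prefix the netmask keeps.

    netmask=32 -> one group per host; netmask=24 -> one group per /24 subnet.
    """
    return str(ipaddress.ip_network(f"{addr}/{netmask}", strict=False))


def connection_limit_matches(tracked, syn: Conn, limit: int, netmask: int) -> bool:
    """True when this SYN, counted with existing connections from its block, exceeds limit."""
    key = block_key(syn.src, netmask)
    existing = sum(1 for c in tracked if block_key(c.src, netmask) == key)
    return existing + 1 > limit


class Tracker:
    """Minimal connection tracker applying a drop rule on matching SYNs."""

    def __init__(self, limit: int, netmask: int):
        self.limit = limit
        self.netmask = netmask
        self.open = set()      # currently established connections
        self.dropped = 0       # SYNs refused by the limit

    def syn(self, conn: Conn) -> bool:
        """Handle a new SYN; return True if it was allowed through."""
        if connection_limit_matches(self.open, conn, self.limit, self.netmask):
            self.dropped += 1
            return False
        self.open.add(conn)
        return True

    def close(self, conn: Conn) -> None:
        """Connection finished: it no longer counts against the limit."""
        self.open.discard(conn)


def sequential_connections(n: int, limit: int = 7, netmask: int = 32) -> int:
    """n connections opened and closed one after another: high rate, concurrency 1.

    Returns the number dropped (0: the rule is not a rate limit).
    """
    t = Tracker(limit, netmask)
    for i in range(n):
        c = Conn("192.168.1.10", "203.0.113.5", 40000 + i)  # constructed sample
        t.syn(c)
        t.close(c)
    return t.dropped


def concurrent_connections(n: int, limit: int = 7, netmask: int = 32):
    """n connections held open at once from one host; returns (open, dropped)."""
    t = Tracker(limit, netmask)
    for i in range(n):
        t.syn(Conn("192.168.1.10", "203.0.113.5", 40000 + i))
    return len(t.open), t.dropped


def subnet_aggregation(hosts: int, per_host: int, limit: int = 7, netmask: int = 24):
    """Several hosts in one /24, each holding per_host connections open.

    With netmask=24 the whole subnet shares one counter; with 32 each host has its own.
    Returns (open, dropped).
    """
    t = Tracker(limit, netmask)
    for h in range(hosts):
        for i in range(per_host):
            t.syn(Conn(f"192.168.1.{10 + h}", "203.0.113.5", 40000 + i))
    return len(t.open), t.dropped


if __name__ == "__main__":
    print("80 sequential, limit 7:", sequential_connections(80), "dropped")
    print("25 concurrent, limit 7:", concurrent_connections(25))
    print("5 hosts x 3 conns, /24:", subnet_aggregation(5, 3))
    print("5 hosts x 3 conns, /32:", subnet_aggregation(5, 3, netmask=32))
```

Running it shows why opening many sites in quick succession may never trigger a `connection-limit` rule (each browser connection is short-lived and the concurrent count stays low), while a download accelerator holding many streams open at once does. It also shows that `,32` limits each host separately, so the whole LAN can still open many times the per-host count toward the modem; limiting the modem's total would need the subnet mask (`,24`) on the rule instead.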
 
samsoft08
Long time Member
Topic Author
Posts: 617
Joined: Sat Nov 26, 2005 10:52 pm

Mon Aug 14, 2006 2:25 am

Thanks a lot,

My problem is I'm using a satellite modem which has limited connections. I need any rule that denies any number of connections more than what the modem accepts.
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Mon Aug 14, 2006 9:59 am

> My problem is I'm using a satellite modem which has limited connections. I need any rule that denies any number of connections more than what the modem accepts.

How, exactly, does this modem define a "connection"? Does it really examine the TCP layer? Is this really just a modem, or does this box try to do other things on layer 3, such as masquerading, and run into limits at that point?

--Tom
 
samsoft08
Long time Member
Topic Author
Posts: 617
Joined: Sat Nov 26, 2005 10:52 pm

Mon Aug 14, 2006 2:15 pm

Yes, it examines the TCP layer, and it has a REAL or public IP given by my provider, as the MT has a second public IP; its IP is defined as the gateway IP in MT.
 
samsoft08
Long time Member
Topic Author
Posts: 617
Joined: Sat Nov 26, 2005 10:52 pm

Mon Aug 14, 2006 4:09 pm

Really, I don't know when the connection limiting rule begins to limit the connections. I set 4,32, I opened a group of 25 sites at the same time and no limiting happened??
Also I downloaded 3 files at the same time using a download accelerator which splits each file into 5 parts; nothing happened!!! No limiting at all. I can see the limitation in another rule with action=log, but no limiting at all!!!!
 
sergejs
MikroTik Support
Posts: 6625
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Tue Aug 15, 2006 9:29 am

Post the rule which you have used for limiting TCP connections.

ip add chain=forward protocol=tcp tcp-flags=syn connection-limit=4,32 action=drop

The rule should work fine for traffic (users) that passes through the router.
 
samsoft08
Long time Member
Topic Author
Posts: 617
Joined: Sat Nov 26, 2005 10:52 pm

Tue Aug 15, 2006 9:52 pm

chain=forward in-interface=localnet src-address=192.168.1.0/24
protocol=tcp tcp-flags=syn connection-limit=7,32 action=drop

This is the rule which doesn't affect the situation described above.
