rzirzi
Member
Topic Author
Posts: 387
Joined: Mon Oct 09, 2006 2:33 pm

Limiting pps

Thu Aug 16, 2007 2:50 pm

I have to limit one destination LAN IP address to a maximum number of packets per second. But everything has to be limited except ports 80, 443 and 53. How do I write that rule for the firewall? Could you help me, please?
 
sergejs
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Limiting pps

Thu Aug 16, 2007 3:40 pm

dst-limit is used to limit pps; more information is in the documentation.
You need to add accept rules for 80, 443, 53, then add a rule with dst-limit to limit pps.
 
rzirzi
Member
Topic Author
Posts: 387
Joined: Mon Oct 09, 2006 2:33 pm

Re: Limiting pps

Thu Aug 16, 2007 3:56 pm

dst-limit is used to limit pps, more information at the documentation.
You need to add accept rules for 80, 443, 53, then add rule with dst-limit to limit pps.
OK, thank you. But should I use accept or drop with dst-limit? I have read the documentation, but I don't understand how to use dst-limit at all.
Could you write an example of that rule, please?
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Limiting pps

Thu Aug 16, 2007 4:02 pm

If all expressions of a firewall rule return true, then it performs the action it is told to do. If it is told pps=10 action=accept, then 10 packets per second will be accepted and all the rest will be dropped.
 
changeip
Forum Guru
Posts: 3819
Joined: Fri May 28, 2004 5:22 pm

Re: Limiting pps

Thu Aug 16, 2007 5:37 pm

then 10 packets per second will be accepted and all the rest will be dropped
You don't mean dropped, you mean allowed to go to the next rule in the firewall chain. You have to make sure that you disallow the remaining packets in another rule.
 
rzirzi
Member
Topic Author
Posts: 387
Joined: Mon Oct 09, 2006 2:33 pm

Re: Limiting pps

Wed Aug 22, 2007 1:55 am

OK, I have accept rules for ports 80, 53 and others that I don't want to limit, but the last two rules are:

chain=forward dst-limit=100,5,dst-address/1m40s action=accept
chain=forward action=drop

But it does not seem to work; it is not limiting pps to 100 for other ports. Why?
Why is it a problem to give me an example?
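
An added example, not from any poster or from MikroTik: a simplified Python model of the rule order discussed above (accept rules for ports 80, 443 and 53, then a dst-limit=100,5 accept rule, then a final drop), showing that packets over the limit only fall through to the next rule. The token-bucket arithmetic, the address 192.168.1.10 and the default accept at the end of the chain are assumptions of the model, not RouterOS internals.

```python
# Simplified model of first-match rule evaluation with a dst-limit style
# token bucket. The bucket arithmetic is an assumption of this example,
# not RouterOS's actual implementation.

EXEMPT_PORTS = {80, 443, 53}   # ports named in the thread
TARGET = "192.168.1.10"        # constructed LAN address

class DstLimit:
    """Per-destination token bucket; time in ms, tokens in 1/1000 packet."""
    def __init__(self, pps, burst):
        self.pps, self.cap, self.state = pps, burst * 1000, {}

    def matches(self, dst, t_ms):
        tokens, last = self.state.get(dst, (self.cap, t_ms))
        tokens = min(self.cap, tokens + (t_ms - last) * self.pps)
        ok = tokens >= 1000                       # one whole packet available?
        self.state[dst] = (tokens - 1000 if ok else tokens, t_ms)
        return ok

def build_chain(with_final_drop):
    limiter = DstLimit(pps=100, burst=5)          # dst-limit=100,5,dst-address
    chain = [
        (lambda p: p["dport"] in EXEMPT_PORTS, "accept"),
        (lambda p: limiter.matches(p["dst"], p["t"]), "accept"),
    ]
    if with_final_drop:
        chain.append((lambda p: True, "drop"))    # chain=forward action=drop
    return chain

def evaluate(chain, pkt):
    for match, action in chain:
        if match(pkt):
            return action                          # first matching rule wins
    return "accept"  # assumed: a packet that matches no rule is accepted

def run(with_final_drop, dport, count=1000):
    """Send `count` packets 1 ms apart (1000 pps); return (accepted, dropped)."""
    chain = build_chain(with_final_drop)
    verdicts = [evaluate(chain, {"dst": TARGET, "dport": dport, "t": t})
                for t in range(count)]
    return verdicts.count("accept"), verdicts.count("drop")

if __name__ == "__main__":
    print("limited port, with drop rule:   ", run(True, 5000))
    print("limited port, without drop rule:", run(False, 5000))
    print("exempt port 443, with drop rule:", run(True, 443))
```

Without the final drop rule the limiter has no effect, because every packet it declines to match is accepted at the end of the chain.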
 
rzirzi
Member
Topic Author
Posts: 387
Joined: Mon Oct 09, 2006 2:33 pm

Re: Limiting pps

Wed Aug 22, 2007 12:10 pm

Any idea?
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Limiting pps

Wed Aug 22, 2007 2:28 pm

Currently do not use pps for anything other than ICMP and limiting packets to a max value of 10 pps.

This is a bug: values greater than that will not be accurate.

if you set 33,0 pps then you will get 24 as a result
34 to 49 pps will give you 33 pps
50 to 99 = 50
100 to 10000 = 100
10001 to .. = no limits

This is the result of a minor settings bug, which is known and is being fixed. After that you will be able to use specific settings.
 
rzirzi
Member
Topic Author
Posts: 387
Joined: Mon Oct 09, 2006 2:33 pm

Re: Limiting pps

Wed Aug 22, 2007 2:41 pm

currently do not use pps for anything other but icmp and limiting packets to max value of 10 pps
So, you mean that it will not work for protocols and ports other than ICMP? Or will it work, but with buggy settings, for instance "if you set ...100 to 10000 = 100"?
 
normis
MikroTik Support
Posts: 24608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Limiting pps

Wed Aug 22, 2007 2:44 pm

currently do not use pps for anything other but icmp and limiting packets to max value of 10 pps
So, you mean that it will not work for protocols and ports other than ICMP? Or will it work, but with buggy settings, for instance "if you set ...100 to 10000 = 100"?
No, it will work fine, but you will have to use that conversion table janisk pasted below. If you want to limit it to 24pps, you have to use the number 33 instead. Also, this means that you can't set it to anything higher than 100, as it will treat it as 'unlimited'.

We are fixing it already.
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Limiting pps

Wed Aug 22, 2007 2:57 pm

To clear things up: it will work with any protocol.

But mainly this feature was intended for the ICMP protocol, because using this on TCP is close to nonsense. Why? IMO because TCP will retransmit the packet and your infrastructure will be loaded anyway.
 
rzirzi
Member
Topic Author
Posts: 387
Joined: Mon Oct 09, 2006 2:33 pm

Re: Limiting pps

Thu Aug 23, 2007 12:42 pm

to clear things up - it will work with any protocol

but mainly this feature was intended for ICMP protocol, because using this on tcp is close to nonsense, why - IMO because tcp will retransmit the packet and your infrastructure will be loaded anyway
But it should work with UDP; useful with some p2p applications, for instance.
 
normis
MikroTik Support
Posts: 24608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Limiting pps

Thu Aug 23, 2007 2:28 pm

You can't limit it to anything more than 100pps, which is useless for UDP or anything other than ICMP. Please wait until this is fixed, then you will be able to use it.
 
skot
Long time Member
Posts: 586
Joined: Wed Nov 30, 2011 3:05 am

Re: Limiting pps

Fri May 04, 2012 2:38 am

currently do not use pps for anything other but icmp and limiting packets to max value of 10 pps

this is a bug, that values greater than that will not be accurate

if you set 33,0 pps then you will get 24 as a result
34 to 49 pps will give you 33 pps
50 to 99 = 50
100 to 10000 = 100
10001 to .. = no limits

this is a result of a minor settings bug, which is known, and is being fixed. after that you will be able to use specific settings
I have been trying to understand "limit" and "dst-limit", and they were not working normally. After I found this post, now I understand. But I'm using 5.15 and apparently they are not yet fixed? Results below:
 
rzirzi
Member
Topic Author
Posts: 387
Joined: Mon Oct 09, 2006 2:33 pm

Re: Limiting pps

Wed May 09, 2012 10:29 am

you can't limit it to anything more than 100pps, which is useless for UDP or anything other than ICMP. Please wait until this is fixed, then you will be able to use it
When will it be fixed? We are waiting, because we need this feature.
 
Dmitriy34
just joined
Posts: 7
Joined: Wed Sep 09, 2015 7:03 am

Re: Limiting pps

Wed Feb 13, 2019 6:41 am

In version 6.43.12 this is still not resolved.

This would be a good function to be able to control the device under DDoS attacks on the conntrack table.
(I need to control 900kpps on CCR1036)
 
mstead
Member Candidate
Posts: 113
Joined: Sat Mar 04, 2006 2:41 am

Re: Limiting pps

Mon Oct 07, 2019 4:05 am

In version 6.43.12 still not resolve.

This would be a good function to able to control the device under DDOS attacks on conntrack table.
(I need to control 900kpps on CCR1036)

I have raised a ticket for this - it's Ticket#2019100422002897 in case @janisk is reading this
