heleopless
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

limit number of connection

Thu Sep 22, 2011 6:33 am

Hello,
in my network,
for example, a user makes a big number of downloads at the same time.
I want to limit his connections with the router.
For example, I want to limit him to 4 connections on the TCP protocol, and all other connections will be dropped,
so I could force him to limit his connections in the IDM download program.
Thanks a lot in advance.
 
sergejs
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: limit number of connection

Thu Sep 22, 2011 12:05 pm

Yes, it is possible,

To only allow not more than 5 simultaneous connections from each of the clients, do the following:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop

In my opinion, limiting connections is not an effective way to stop download managers; just a regular bandwidth limit should do the job fine.
 
heleopless
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: limit number of connection

Thu Sep 22, 2011 1:31 pm

Yes, it is possible,

To only allow not more than 5 simultaneous connections from each of the clients, do the following:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop

In my opinion, limiting connections is not an effective way to stop download managers; just a regular bandwidth limit should do the job fine.




Thanks sir, I will try it.
If that is right, it will help in my case,
as I use some code to limit the packets by size, like distinguishing between download and browsing, to get the most benefit of the data rate.
So all users affect each other by downloading and making a big number of connections,
and the queue takes some time to catch all these connections.
So I want to limit the number of connections for every user so it is distributed fairly.
I will try that.

why do u use net mask 32 ??
i imagine that we should use net mask 30

Any other idea that would help in my case? I will be grateful.
Thanks a lot.
 
heleopless
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: limit number of connection

Thu Sep 22, 2011 1:53 pm

Yes, it is possible,

To only allow not more than 5 simultaneous connections from each of the clients, do the following:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop

In my opinion, limiting connections is not an effective way to stop download managers; just a regular bandwidth limit should do the job fine.


Unfortunately, this way doesn't achieve my target, sir.
When I open ip ---- firewall ---- connections, I want to see not more than 5 connections for every client, with all other connections dropped by the firewall.
 
Caci99
Forum Guru
Posts: 1072
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: limit number of connection

Thu Sep 22, 2011 4:24 pm

why do u use net mask 32 ??
i imagine that we should use net mask 30
Because the network with netmask 32 has only one IP Device, while
the network with netmask 30 does have 2 of them.
So the rule would be applied to one device when you specify the netmask 32
instead of two when you specify netmask 30
-Toni-
Don't crash the ambulance, whatever you do
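The grouping that the netmask part of connection-limit produces, as discussed in the posts above, shown as an added example (not part of any forum post and not RouterOS code). It is a simplified Python model: the `ConnectionLimit` class, its method names and the sample addresses are made up for illustration, and the threshold follows the statement in the thread that `connection-limit=6,32` leaves at most 5 connections per client.

```python
import ipaddress
from collections import defaultdict


class ConnectionLimit:
    """Toy model of a drop rule with connection-limit=LIMIT,NETMASK.

    Assumption taken from the thread: the rule matches (and drops the new
    connection) once the address block would hold LIMIT connections, so
    LIMIT=6 leaves at most 5 open. This is not RouterOS code.
    """

    def __init__(self, limit, netmask):
        self.limit = limit
        self.netmask = netmask
        self.open = defaultdict(set)  # address block -> {(src_ip, src_port)}

    def block_of(self, src_ip):
        # /32 -> the host itself; /30 -> the 4-address block containing it
        return ipaddress.ip_network(f"{src_ip}/{self.netmask}", strict=False)

    def new_connection(self, src_ip, src_port):
        """Return True if the connection is allowed, False if dropped."""
        conns = self.open[self.block_of(src_ip)]
        if len(conns) + 1 >= self.limit:
            return False
        conns.add((src_ip, src_port))
        return True

    def close(self, src_ip, src_port):
        self.open[self.block_of(src_ip)].discard((src_ip, src_port))


def allowed_per_host(limit, netmask, attempts):
    """Replay (src_ip, src_port) attempts; count accepted ones per host."""
    rule = ConnectionLimit(limit, netmask)
    accepted = defaultdict(int)
    for ip, port in attempts:
        if rule.new_connection(ip, port):
            accepted[ip] += 1
    return dict(accepted)


# Constructed sample: two LAN hosts each try 16 parallel connections,
# as a download manager would; host .1 starts first.
ATTEMPTS = [(ip, 40000 + n) for ip in ("192.168.1.1", "192.168.1.2")
            for n in range(16)]

if __name__ == "__main__":
    print("6,32:", allowed_per_host(6, 32, ATTEMPTS))
    print("6,30:", allowed_per_host(6, 30, ATTEMPTS))
```

With netmask 30 the two neighbouring hosts share one counter, so the first host to open connections can starve the second.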
 
heleopless
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: limit number of connection

Thu Sep 22, 2011 8:10 pm

why do u use net mask 32 ??
i imagine that we should use net mask 30
Because the network with netmask 32 has only one IP Device, while
the network with netmask 30 does have 2 of them.
So the rule would be applied to one device when you specify the netmask 32
instead of two when you specify netmask 30


Thank you very much.

Any idea about the solution of my case?
 
heleopless
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: limit number of connection

Fri Sep 23, 2011 5:49 am

Is there any solution?
I think it will be the end of my troubles in my network.
Please help in this subject.
 
Chupaka
Forum Guru
Posts: 8464
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: limit number of connection

Fri Sep 23, 2011 12:47 pm

try
/ip firewall filter add chain=forward in-interface=LAN connection-state=new connection-limit=6,32 action=drop
in v5.7
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
Caci99
Forum Guru
Posts: 1072
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: limit number of connection

Fri Sep 23, 2011 1:00 pm

When I open ip ---- firewall ---- connections, I want to see not more than 5 connections for every client, with all other connections dropped by the firewall.
The rule in question would not do that. It would drop only the tcp connections in syn state.
In firewall connection you would see all connections from one host (udp, established tcp, etc.)
So if you would want all tcp connections to be dropped you will need to remove from the rule
the tcp syn flag:
/ip firewall filter add chain=forward protocol=tcp connection-limit=6,32 action=drop
But I am afraid this would mess up your internet performance to the hosts.
-Toni-
Don't crash the ambulance, whatever you do
 
heleopless
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: limit number of connection

Sat Sep 24, 2011 5:35 am

When I open ip ---- firewall ---- connections, I want to see not more than 5 connections for every client, with all other connections dropped by the firewall.
The rule in question would not do that. It would drop only the tcp connections in syn state.
In firewall connection you would see all connections from one host (udp, established tcp, etc.)
So if you would want all tcp connections to be dropped you will need to remove from the rule
the tcp syn flag:
/ip firewall filter add chain=forward protocol=tcp connection-limit=6,32 action=drop
But I am afraid this would mess up your internet performance to the hosts.



OK, thanks a lot, I tried this,
but Internet Download Manager is still able to make 16 download connections for one download link,
and the client is still able to download from 2 or more links at the same time.

I will explain my case again.

1- I used the mangle to mark the packets that have a specified size and named it "downloads"
2- I made a queue that limits the download rate for "downloads" packets

The problem:
clients are able to download from one link at the same time and this affects the others badly.
Another thing: the queue takes some time to limit the rate when there are a lot of connections.

What I want:
for every user, the connection limit on the marked packets called "downloads" is only 5 connections, so the user won't be able to download with 16 connections for one link.

What I tried for this:
chain= forward protocol = tcp packet mark = downloads
connections limit = 5 netmask = 32 action = drop


But unfortunately there is no result.

How could I achieve that?
Thanks a lot in advance.
 
Caci99
Forum Guru
Posts: 1072
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: limit number of connection

Sat Sep 24, 2011 8:38 pm

I am starting to sound like an old record, because I keep recommending the following link
to everyone who wants to do some QoS:

http://wiki.mikrotik.com/wiki/Connection_Rate

but I feel very comfortable with that.
Anyway, I would also like to see the rule which marks the packets as "download".
Maybe there are some connections which are generated by the download manager but
don't match the rule which marks them as "download".
-Toni-
Don't crash the ambulance, whatever you do
 
heleopless
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: limit number of connection

Sat Sep 24, 2011 9:52 pm

I am starting to sound like an old record, because I keep recommending the following link
to everyone who wants to do some QoS:

http://wiki.mikrotik.com/wiki/Connection_Rate

but I feel very comfortable with that.
Anyway, I would also like to see the rule which marks the packets as "download".
Maybe there are some connections which are generated by the download manager but
don't match the rule which marks them as "download".



/ip firewall mangle
add action=mark-packet chain=postrouting comment="" connection-bytes=\
131072-4294967295 disabled=no new-packet-mark=downloads out-interface=lan \
passthrough=no protocol=tcp
add action=mark-packet chain=forward comment="" connection-bytes=\
131072-4294967295 disabled=no in-interface=wan new-packet-mark=downloads \
out-interface=lan passthrough=no protocol=tcp



/queue simple
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="" \
direction=both disabled=no dst-address=0.0.0.0/0 interface=all limit-at=\
1M/1M max-limit=2500k/2500k name=Download packet-marks=downloads parent=none \
priority=8 queue=default-small/default-small total-queue=default-small


That is the code I use to manage my network and limit the download rate for all the network,
but the problem is as I mentioned before.
Any idea about the solution, please?
 
heleopless
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: limit number of connection

Sun Sep 25, 2011 6:28 pm

Guys, is it possible?
 
Caci99
Forum Guru
Posts: 1072
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: limit number of connection

Sun Sep 25, 2011 10:21 pm

/ip firewall mangle
add action=mark-packet chain=postrouting comment="" connection-bytes=\
131072-4294967295 disabled=no new-packet-mark=downloads out-interface=lan \
passthrough=no protocol=tcp
add action=mark-packet chain=forward comment="" connection-bytes=\
131072-4294967295 disabled=no in-interface=wan new-packet-mark=downloads \
out-interface=lan passthrough=no protocol=tcp
passthrough=no means packets are no longer processed in the mangle, so the next
rule that makes use of it is not actually capturing them. You need to let the packets
go through passthrough=yes.

Anyway, look at the link I posted before about connection rate. I think it is a better approach.
-Toni-
Don't crash the ambulance, whatever you do
 
heleopless
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: limit number of connection

Wed Sep 28, 2011 2:31 am

Thanks a lot.
Is there a way to limit the connections of download programs?
I am suffering from a lot of connections for only one file.
Please, I want to understand.
 
MRMISSY
newbie
Posts: 45
Joined: Sun Mar 07, 2010 3:26 pm

Re: limit number of connection

Wed Sep 28, 2011 3:14 am

Thanks a lot.
Is there a way to limit the connections of download programs?
I am suffering from a lot of connections for only one file.
Please, I want to understand.
Some rules that drop the connection depending on the type of the files; you can add more types like pdf, wav, etc.

/ip firewall filter
add action=drop chain=forward comment="5 connection exe" connection-limit=\
5,30 content=.exe disabled=no protocol=tcp
add action=drop chain=forward comment="5 connection rar" connection-limit=\
5,30 content=.rar disabled=no protocol=tcp
add action=drop chain=forward comment="5 connection zip" connection-limit=\
5,30 content=.zip disabled=no protocol=tcp
add action=drop chain=forward comment="5 connection mp3" connection-limit=\
5,30 content=.mp3 disabled=no protocol=tcp
add action=drop chain=forward comment="5 connection mp4" connection-limit=\
5,30 content=.mp4 disabled=no protocol=tcp
add action=drop chain=forward comment="5 connection flv" connection-limit=\
5,30 content=.flv disabled=no protocol=tcp
add action=drop chain=forward comment="5 connection iso" connection-limit=\
5,30 content=.iso disabled=no protocol=tcp

it is effective with download programs
 
heleopless
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: limit number of connection

Wed Sep 28, 2011 8:17 am

Thanks a lot.
Is there a way to limit the connections of download programs?
I am suffering from a lot of connections for only one file.
Please, I want to understand.
Some rules that drop the connection depending on the type of the files; you can add more types like pdf, wav, etc.

/ip firewall filter
add action=drop chain=forward comment="5 connection exe" connection-limit=\
5,30 content=.exe disabled=no protocol=tcp
add action=drop chain=forward comment="5 connection rar" connection-limit=\
5,30 content=.rar disabled=no protocol=tcp
add action=drop chain=forward comment="5 connection zip" connection-limit=\
5,30 content=.zip disabled=no protocol=tcp
add action=drop chain=forward comment="5 connection mp3" connection-limit=\
5,30 content=.mp3 disabled=no protocol=tcp
add action=drop chain=forward comment="5 connection mp4" connection-limit=\
5,30 content=.mp4 disabled=no protocol=tcp
add action=drop chain=forward comment="5 connection flv" connection-limit=\
5,30 content=.flv disabled=no protocol=tcp
add action=drop chain=forward comment="5 connection iso" connection-limit=\
5,30 content=.iso disabled=no protocol=tcp

it is effective with download programs



Thank you very much, but I tried this before,
and it is a very weak way.
I want to limit depending on the "downloads" packets that I marked before in the mangle.
Any idea?
 
heleopless
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: limit number of connection

Sat Oct 01, 2011 5:26 pm

Is there any way?

Can it be applied depending on the layer 7 protocol, depending on the extensions of files?
As when I depend on content, it works to some extent,
but I want to use layer 7 as it is more accurate.
Thanks in advance,
and sorry for disturbing you.
 
MICPROF
Member Candidate
Posts: 106
Joined: Thu Jan 27, 2011 7:22 pm

Re: limit number of connection

Sun Oct 18, 2015 11:23 pm

/ip firewall layer7-protocol
add comment="" name=IDM-LIMIT regexp="^.*get.+\\.(exe|rar|zip|7z|cab|asf|mov|wmv\
    |mpg|mpeg|mkv|avi|flv|pdf|wav|rm|mp3|mp4|ram|rmvb|dat|daa|iso|nrg|bin|vcd|\
    mp2|3gp|mpe|qt|raw|wma|ogg|doc|deb|tar|bzip|gzip|gzip2|0[0-9][0-9]).*\$"
/ip firewall mangle
add action=mark-packet chain=forward comment=IDM-LIMIT disabled=yes \
    layer7-protocol=IDM-LIMIT new-packet-mark=IDM-LIMIT-packet passthrough=no protocol=tcp
/queue type
add kind=pcq name=IDM pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=64k pcq-src-address6-mask=64
/queue tree
add max-limit=64k name=IDM-Limit packet-mark=IDM-LIMIT-packet parent=global queue=IDM
Thanks!

Best Regards.


--------------------
If my answer helped you and my question good too, please give me karma
 
kukithanki
just joined
Posts: 2
Joined: Tue May 17, 2016 9:51 am

Re: limit number of connection

Wed May 25, 2016 10:58 am

try
/ip firewall filter add chain=forward in-interface=LAN connection-state=new connection-limit=6,32 action=drop
in v5.7

Just change in-interface with out-interface and it will work perfectly...
