aitsecurity
Frequent Visitor
Topic Author
Posts: 84
Joined: Thu Mar 16, 2006 12:28 am
Location: venezuela

connection-limit for home user, and free connection-limit

Tue Jun 06, 2006 11:11 pm

My scenario:


I have a little WISP, with normal users (home user, one PC), and SOHO, cyber or office customers with 10 or more PCs.

now, if apply this rule

/ip firewall filter add action=drop connection-limit=5,32 protocol=tcp tcp-flags=syn chain=forward
this rule limits each user to 6 connections


I will have a problem for my SOHO customers, but it works for home users.

Now I have two segments: the normal user segment is 192.168.150.x/24,
and for SOHO it is 192.168.200.x/24


if apply this rule

add chain=forward src-address=192.168.150.0/24 protocol=tcp tcp-flags=syn \
connection-limit=5,32 action=drop comment="limit one pc \
internet for home" disabled=no

Does it work??? My question is because I put /24 in src-address, and in connection-limit the mask is 32 bits ????


Or is the correct rule:

add chain=forward src-address=192.168.150.0 protocol=tcp tcp-flags=syn \
connection-limit=5,24 action=drop comment="limit one pc \
internet for home" disabled=no

Look, I changed src-address to put only the segment without /24, and in connection-limit I put the 24-bit mask.

I want to control the normal users: I want the normal user to not be able to share the internet, but the SOHO customer can share the internet.


Best Regards
Daniel White
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Wed Jun 07, 2006 1:41 pm

If you want to limit connections for one host then you enter /32; if you want to limit a whole network then use /24. But remember, if you limit a whole network, one user of the network can use all available connections and other ppl on that network would not be able to use the network at all.

And no, you cannot detect if a home user is using a router with properly configured NAT (masquerade).
 
maxfava
Member Candidate
Posts: 225
Joined: Mon Oct 17, 2005 12:30 am

Wed Jun 07, 2006 4:28 pm

I have many doubts on limiting connections per user.
Does this rule limit new connections opened at the same time? Or total?
I tried to open a p2p on a client and his statistics show 400 connections while on the MK the limit was set to 50.

The manual is not very clear.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Wed Jun 07, 2006 4:52 pm

connections to router or through?
 
maxfava
Member Candidate
Posts: 225
Joined: Mon Oct 17, 2005 12:30 am

Thu Jun 08, 2006 2:05 am

I have added a rule like this:
add chain=forward src-address=192.168.150.0 protocol=tcp tcp-flags=syn connection-limit=5,24 action=drop
 
samsoft08
Long time Member
Posts: 613
Joined: Sat Nov 26, 2005 10:52 pm

Thu Jun 08, 2006 2:06 am

Well, I always say we need a MANUAL to read the MT MANUAL.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Thu Jun 08, 2006 8:26 am

As we can read in the manual:
To only allow not more than 5 simultaneous connections from each of the clients, do the following:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Thu Jun 08, 2006 8:58 am

Note, limit is for TCP connections.
And if you want to set a limit for each network client, use the command janisk provided.
 
maxfava
Member Candidate
Posts: 225
Joined: Mon Oct 17, 2005 12:30 am

Thu Jun 08, 2006 9:35 am

Thank you.

OK, but "simultaneous", what does it mean:
total connections opened?
connections opened per sec?

In some cases the client router hangs up because the number of connections opened is too high.

What do you suggest?
 
aitsecurity
Frequent Visitor
Topic Author
Posts: 84
Joined: Thu Mar 16, 2006 12:28 am
Location: venezuela

Fri Jun 09, 2006 4:46 am

If you want to limit connections for one host then you enter /32; if you want to limit a whole network then use /24. But remember, if you limit a whole network, one user of the network can use all available connections and other ppl on that network would not be able to use the network at all.

And no, you cannot detect if a home user is using a router with properly configured NAT (masquerade).
Thanks for your answer. What is "ppl" for you?
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Fri Jun 09, 2006 9:50 am

ppl is short for "people" :oops:
 
music
newbie
Posts: 26
Joined: Fri Oct 14, 2005 3:09 pm
Location: Serbia

Sat Jul 08, 2006 4:46 pm

as we can read in manual
To only allow not more than 5 simultaneous connections from each of the clients, do the following:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop
OK, very good. But if I want to limit the user with IP 192.168.1.1/32 to 300 connections and all others to 5...

How to do that?
 
maxfava
Member Candidate
Posts: 225
Joined: Mon Oct 17, 2005 12:30 am

Sat Jul 08, 2006 5:15 pm

/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=300,32 action=drop src-address=192.168.1.1
But I do not know if it conflicts with the previous rule.
Differentiate the rules by src-address.
 
music
newbie
Posts: 26
Joined: Fri Oct 14, 2005 3:09 pm
Location: Serbia

Sat Jul 08, 2006 9:03 pm

Is it enough to add first rule in the chain with IP address and after that rule for all others?

1. rule in the chain - for user 192.168.1.1 limit at 300 connections:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=300,32 action=drop src-address=192.168.1.1

2. rule in the chain - for all others 6:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop
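A small model of how the two netmask choices janisk describes (/32 per host versus /24 per network) and the two-rule ordering asked about in the last post behave, written here as an added example; it is not MikroTik's code or anything posted in this thread. It assumes RouterOS semantics as implied by the quoted manual example (limit 6 admits 5 connections; the first matching drop rule ends processing; a rule that does not match is skipped) and feeds it constructed traffic.

```python
import ipaddress
from collections import Counter

# A rule is (src-address or None for any, negate src?, limit, netmask bits); action=drop.

def block_of(host: str, mask: int) -> str:
    """Address block the host is counted in for a connection-limit netmask."""
    return str(ipaddress.ip_network(f"{host}/{mask}", strict=False))

def src_matches(rule: tuple, host: str) -> bool:
    src, negate, _, _ = rule
    if src is None:
        return True
    inside = ipaddress.ip_address(host) in ipaddress.ip_network(src, strict=False)
    return inside != negate

def simulate(rules: list, syns: list) -> dict:
    """Push TCP SYNs (source IPs, in order) through the rule list.
    Returns {"accepted": {ip: n}, "dropped": {ip: n}}. Assumed semantics: the
    first matching drop rule wins, and a rule matches once its block already
    holds limit-1 connections (limit 6 allows 5, as in the quoted manual).
    """
    established = Counter()                # open connections per source host
    accepted, dropped = Counter(), Counter()
    for host in syns:
        drop = False
        for rule in rules:
            if not src_matches(rule, host):
                continue
            _, _, limit, mask = rule
            blk = block_of(host, mask)
            in_block = sum(n for h, n in established.items() if block_of(h, mask) == blk)
            if in_block >= limit - 1:
                drop = True
                break
        if drop:
            dropped[host] += 1
        else:
            accepted[host] += 1
            established[host] += 1
    return {"accepted": dict(accepted), "dropped": dict(dropped)}

# Constructed traffic: two home hosts in 192.168.150.0/24 send 10 SYNs each.
HOME = ["192.168.150.10"] * 10 + ["192.168.150.11"] * 10
PER_HOST = [(None, False, 6, 32)]       # connection-limit=6,32
PER_NET = [(None, False, 6, 24)]        # connection-limit=6,24 (janisk's warning)
# music's two rules: 192.168.1.1 at 300, everyone else at 6, relying on order alone
ORDER_ONLY = [("192.168.1.1", False, 300, 32), (None, False, 6, 32)]
# same, but the catch-all excludes the privileged host (src-address=!192.168.1.1)
EXCLUDED = [("192.168.1.1", False, 300, 32), ("192.168.1.1", True, 6, 32)]
```

Under these assumed semantics PER_NET lets the first host consume the whole /24 budget, and with ORDER_ONLY the catch-all rule still matches 192.168.1.1 once it has 5 connections, so the second rule needs src-address=!192.168.1.1 (or an accept rule ahead of it) rather than ordering alone.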
