jasenger
just joined
Topic Author
Posts: 4
Joined: Wed Oct 05, 2005 1:28 am
Location: Ponta Grossa, PR, Brasil

Connection limit

Sat Sep 01, 2007 3:12 am

Hi folks,

P2P connections are causing big problems on my network.
When the P2P traffic is more intense my clients' latency grows too, and all other services are affected.
I tried to solve this problem by limiting my clients' connections with the following rules:

# rule 1
chain=forward protocol=tcp
connection-limit=25,32 connection-state=new action=drop

# rule 2
chain=forward protocol=udp dst-port=!53 limit=1,1 action=drop

My intention is to limit the connections of each client to 25, and also the UDP !53 traffic to 1/second.
With those rules my problem is solved for some days. But, suddenly, my clients cannot access any site until my router reboots. I think those rules may be affecting other kinds of traffic too.
What rules are you guys using to limit connections?

Thanks a lot
 
gabriellauter
newbie
Posts: 25
Joined: Mon Aug 27, 2007 11:02 pm

Re: Connection limit

Tue Sep 04, 2007 11:04 pm

Hi,

I had the same problem here and solved it using the MANGLE table to mark TCP and UDP packets which are using ports higher than 1024 with a specific flag. Then, I created a queue with limited speed and selected the packets with the same flag used before to fall into it. On the MANGLE table I also created rules for exceptions (services using high ports that should not be limited by the queue).

With these rules our clients can keep using P2P applications, but the speed available for them does not affect the performance of the access point.

Another important tip is to create rules on the FILTER table to block NETBIOS packets, broadcasts, packets to invalid networks and that kind of stuff.

You can also specify in your MANGLE rules that they should be applied only at specific times, so your clients can keep using P2P applications at night while the traffic is not so intense.

I hope it helps you... Please give us feedback about your situation.

Gabriel Lauter
Brazil
 
jasenger
just joined
Topic Author
Posts: 4
Joined: Wed Oct 05, 2005 1:28 am
Location: Ponta Grossa, PR, Brasil

Re: Connection limit

Tue Sep 11, 2007 12:16 am

Hi Gabriel,
Thanks for your reply.
I'm testing these rules today and they're working fine for me.

Thanks again
Jorge
 
nick52
just joined
Posts: 15
Joined: Mon Mar 19, 2007 3:30 pm
Location: Avezzano - Italy

Re: Connection limit

Wed Sep 12, 2007 7:35 pm

Hi gabriellauter,
could you give more detail on the rules that you applied, please?

thanks,
nick52
 
gabriellauter
newbie
Posts: 25
Joined: Mon Aug 27, 2007 11:02 pm

Re: Connection limit

Mon Nov 19, 2007 2:08 pm

sorry about the time between posts... here goes my current setup...
[admin@MikroTik] > /ip firewall mangle print

 0   ;;; teste de ping
     chain=input action=mark-packet new-packet-mark=icmp passthrough=no dst-address=200.200.200.9
 1   chain=output action=mark-packet new-packet-mark=icmp passthrough=no src-address=200.200.200.9
 2   chain=prerouting action=mark-packet new-packet-mark=icmp passthrough=no dst-address=200.200.200.202
 3   chain=prerouting action=mark-packet new-packet-mark=icmp passthrough=no src-address=200.200.200.202
 4   ;;; voip
     chain=prerouting action=mark-packet new-packet-mark=voip passthrough=no src-address=200.200.200.0/24 dst-port=5060 protocol=udp
 5   chain=prerouting action=mark-packet new-packet-mark=voip passthrough=no src-address=200.200.200.0/24 dst-port=10000-12000 protocol=udp
 6   chain=prerouting action=mark-packet new-packet-mark=voip passthrough=no dst-address=200.200.200.0/24 src-port=5060 protocol=udp
 7   chain=prerouting action=mark-packet new-packet-mark=voip passthrough=no dst-address=200.200.200.0/24 src-port=10000-12000 protocol=udp
 8   ;;; msn
     chain=prerouting action=accept dst-port=1863 protocol=tcp
 9   chain=prerouting action=accept src-port=1863 protocol=tcp
10   ;;; veneza, webcam da dani
     chain=prerouting action=accept src-address=200.200.200.66
11   chain=prerouting action=accept dst-address=200.200.200.66
12   ;;; jogo diablo cliente marselha
     chain=prerouting action=accept src-address=200.200.200.55 dst-port=6112-6119 protocol=tcp
13   chain=prerouting action=accept src-address=200.200.200.55 dst-port=6112-6119 protocol=udp
14   chain=prerouting action=accept dst-address=200.200.200.55 src-port=6112-6119 protocol=tcp
15   chain=prerouting action=accept dst-address=200.200.200.55 src-port=6112-6119 protocol=udp
16   chain=prerouting action=accept src-address=200.200.200.55 dst-port=4000 protocol=tcp
17   chain=prerouting action=accept src-address=200.200.200.55 dst-port=4000 protocol=udp
18   chain=prerouting action=accept dst-address=200.200.200.55 src-port=4000 protocol=tcp
19   chain=prerouting action=accept dst-address=200.200.200.55 src-port=4000 protocol=udp
20   ;;; p2p_up
     chain=prerouting action=mark-packet new-packet-mark=p2p_up passthrough=no src-address=200.200.200.0/24 dst-port=1025-65535 protocol=tcp
     time=8h-23h,sat,fri,thu,wed,tue,mon,sun
21   chain=prerouting action=mark-packet new-packet-mark=p2p_up passthrough=no src-address=200.200.200.0/24 dst-port=1025-65535 protocol=udp
     time=8h-23h,sat,fri,thu,wed,tue,mon,sun
22   ;;; p2p_down
     chain=prerouting action=mark-packet new-packet-mark=p2p_down passthrough=no dst-address=200.200.200.0/24 src-port=1025-65535 protocol=tcp
     time=8h-23h,sat,fri,thu,wed,tue,mon,sun
23   chain=prerouting action=mark-packet new-packet-mark=p2p_down passthrough=no dst-address=200.200.200.0/24 src-port=1025-65535 protocol=udp
     time=8h-23h,sat,fri,thu,wed,tue,mon,sun

[admin@MikroTik] > /ip firewall filter print

 0   ;;; bloqueios virus e worms
     chain=forward action=drop dst-address=192.168.0.0/16
 1   chain=forward action=drop dst-address=172.16.0.0/16
 2   chain=forward action=drop dst-address=10.0.0.0/8
 3   chain=forward action=drop dst-address=255.0.0.0/8
 4   chain=forward action=drop dst-port=135-139 protocol=tcp
 5   chain=forward action=drop dst-port=445 protocol=tcp
 6   chain=forward action=drop dst-port=135-139 protocol=udp
 7   chain=forward action=drop dst-port=445 protocol=udp

[admin@MikroTik] > /queue simple print

 0    name="Compusat" dst-address=0.0.0.0/0 interface=all parent=none packet-marks=icmp direction=both priority=1 queue=default-small/default-small
      limit-at=0/0 max-limit=0/0 total-queue=default-small
 1    name="VoIP" dst-address=0.0.0.0/0 interface=all parent=none packet-marks=voip direction=both priority=1 queue=default-small/default-small limit-at=0/0
      max-limit=0/0 total-queue=default-small
 2    name="p2p_up" dst-address=0.0.0.0/0 interface=all parent=none packet-marks=p2p_up direction=both priority=8 queue=wireless-default/wireless-default
      limit-at=1000/1000 max-limit=150000/150000 total-queue=default-small
 3    name="p2p_down" dst-address=0.0.0.0/0 interface=all parent=none packet-marks=p2p_down direction=both priority=8 queue=wireless-default/wireless-default
      limit-at=1000/1000 max-limit=300000/300000 total-queue=default-small
 4    name="itapema" target-addresses=200.200.200.91/32 dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=5
      queue=wireless-default/wireless-default limit-at=250000/500000 max-limit=250000/500000 total-queue=default-small
 5    name="paraty" target-addresses=200.200.200.123/32 dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=5
      queue=wireless-default/wireless-default limit-at=128000/256000 max-limit=128000/256000 total-queue=default-small

...   [suppressed lines...]

26    name="inconfidente" target-addresses=200.200.200.40/32 dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=5
      queue=wireless-default/wireless-default limit-at=128000/256000 max-limit=128000/256000 total-queue=default-small
good luck,

gabriel lauter
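The mangle chain printed above is evaluated top-down and stops at the first `accept` or at a `mark-packet` with `passthrough=no`, so the order of the exception rules decides what ends up in the p2p queues. The following is an added example, not code from the thread or from RouterOS: a small first-match walk over the prerouting rules from the post (the ICMP test rules are left out), with constructed packets, using the addresses and ports gabriellauter listed. The `time=8h-23h` match is approximated as whole hours (8 <= hour < 23), which is an assumption here.

```python
# Added example (not from the forum post): first-match simulation of the
# prerouting mangle rules gabriellauter printed. Shows why the MSN and Diablo
# 'accept' exceptions must sit above the catch-all p2p_up/p2p_down marks, and
# how the time window leaves overnight traffic unmarked.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN = ip_network("200.200.200.0/24")       # client range from the post
DIABLO_HOST = ip_address("200.200.200.55")  # ;;; jogo diablo cliente marselha
P2P_PORTS = range(1025, 65536)              # dst-port=1025-65535 / src-port=1025-65535
RTP_PORTS = range(10000, 12001)             # dst-port=10000-12000 (VoIP media)
DIABLO_PORTS = range(6112, 6120)            # dst-port=6112-6119

@dataclass
class Pkt:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int
    hour: int    # local hour 0-23, stands in for the time=8h-23h match

def _daytime(p: Pkt) -> bool:          # assumption: 8h-23h means 08:00 <= t < 23:00
    return 8 <= p.hour < 23

def _from_lan(p: Pkt) -> bool:
    return ip_address(p.src) in LAN

def _to_lan(p: Pkt) -> bool:
    return ip_address(p.dst) in LAN

# (match, action, mark) in the order of the post. 'accept' in mangle ends the
# chain without a mark; 'mark' with passthrough=no ends it with the mark.
RULES = [
    (lambda p: p.proto == "udp" and _from_lan(p) and (p.dport == 5060 or p.dport in RTP_PORTS), "mark", "voip"),
    (lambda p: p.proto == "udp" and _to_lan(p) and (p.sport == 5060 or p.sport in RTP_PORTS), "mark", "voip"),
    (lambda p: p.proto == "tcp" and 1863 in (p.sport, p.dport), "accept", None),                  # ;;; msn
    (lambda p: ip_address(p.src) == DIABLO_HOST and (p.dport in DIABLO_PORTS or p.dport == 4000), "accept", None),
    (lambda p: ip_address(p.dst) == DIABLO_HOST and (p.sport in DIABLO_PORTS or p.sport == 4000), "accept", None),
    (lambda p: p.proto in ("tcp", "udp") and _from_lan(p) and p.dport in P2P_PORTS and _daytime(p), "mark", "p2p_up"),
    (lambda p: p.proto in ("tcp", "udp") and _to_lan(p) and p.sport in P2P_PORTS and _daytime(p), "mark", "p2p_down"),
]

def mark_packet(p: Pkt) -> Optional[str]:
    """Return the packet mark the chain assigns, or None if the packet leaves it unmarked."""
    for match, action, mark in RULES:
        if match(p):
            return mark if action == "mark" else None
    return None

if __name__ == "__main__":
    web = Pkt("200.200.200.91", "203.0.113.10", "tcp", 40000, 80, 12)      # constructed
    torrent = Pkt("200.200.200.91", "203.0.113.10", "tcp", 40000, 6881, 12)  # constructed
    print(mark_packet(web), mark_packet(torrent))  # None p2p_up
```

Swapping the MSN or Diablo rules below the p2p_up rule would make those flows return "p2p_up" instead of None, which is the ordering mistake the exceptions guard against.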
 
DavidNol
just joined
Posts: 5
Joined: Sun Feb 22, 2009 11:02 pm
Location: Lebanon

Re: Connection limit

Wed Mar 14, 2012 2:41 am

chain=forward action=drop tcp-flags=syn protocol=tcp src-address=9.9.8.0/24
connection-limit=25,32


This will do for UDP and TCP; you can change the values.
David.G.Nol