Sun Nov 27, 2022 8:28 pm
Yes. Look at limit and dst-limit matchers. It is not clear from your OP whether you have in mind a single source address or whether you want to apply the limits to each of many source addresses individually; if the latter, you need dst-limit, which maintains separate counters per each "target" (and occupies a corresponding amount of memory).
The rules have to be placed to an appropriate position in the firewall in order to do what you want; it is also important whether you want to limit the number of new connections or indeed the number of packets per unit of time even within already established connections. If the latter, you can place the rules before connection tracking, i.e. to table raw:
/ip firewall raw
chain=prerouting dst-address=d.d.d.d dst-limit=1,1,src-address action=accept
chain=prerouting dst-address=d.d.d.d action=drop
chain=prerouting dst-limit=1/1m,1,src-address action=accept
chain=prerouting action=drop
BEWARE - this is a simplified example, so if you use it verbatim, it will filter also access to the router itself, and 1 packet per minute will definitely lock you out!
If you actually want to limit the number of new connections established per unit of time, you have to place the rules to the filter table, where the connection-state labels assigned by the connection tracking module are already available, and use them to handle the initial packets of connections.