mstead
Member Candidate
Topic Author
Posts: 113
Joined: Sat Mar 04, 2006 2:41 am

IPTables Quota Module / Patch Please

Sun Oct 21, 2007 6:02 am

Hi,

I was wondering if there was a way to add a client ip to an address list once their bytes passed had exceeded a set limit.

The nearest I could see in MT is the dst-limit feature which uses packets passed - sadly I cannot see this being a very accurate method.

I notice that IPtables has a quota module available these days - maybe Mikrotik would consider adding this feature in?? I think it would be useful to a lot of us.

Malcolm
 
Equis
Forum Veteran
Posts: 888
Joined: Mon Jun 06, 2005 6:48 am

Re: IPTables Quota Module / Patch Please

Sun Oct 21, 2007 8:49 am

Would the hotspot package have what you need?
Perhaps even some scripts that check usage.
 
mstead
Member Candidate
Topic Author
Posts: 113
Joined: Sat Mar 04, 2006 2:41 am

Re: IPTables Quota Module / Patch Please

Tue Oct 23, 2007 5:29 am

> Would the hotspot package have what you need?
> Perhaps even some scripts that check usage.

Not being a hotspot user I installed the package for a look. I cannot see anything that would suit. TBH the quota module would be much easier for me as I could just add any overlimit IP to an address list and then flush that list at midnight. Am I the only one that would benefit from this or are there other lurkers here??

Any suggestions on how to achieve this with the existing routeros would be appreciated.

Regards,

Malcolm
 
jorj
Member
Posts: 398
Joined: Mon Mar 12, 2007 4:34 pm
Location: /dev/null

Re: IPTables Quota Module / Patch Please

Tue Oct 23, 2007 10:51 am

Read carefully before posing questions.
See this:

http://wiki.mikrotik.com/wiki/Limiting_ ... of_traffic
http://wiki.mikrotik.com/wiki/Limiting_ ... traffic_II

It's good work. Instead of limiting, you can put limit at 1 kb/ 1 kb. And you're done. Or you can put the ip of it in firewall address list. Or whatever. Especially on 2nd example, is very easy to do it.
 
mstead
Member Candidate
Topic Author
Posts: 113
Joined: Sat Mar 04, 2006 2:41 am

Re: IPTables Quota Module / Patch Please

Sat Oct 27, 2007 11:51 pm

Hi,

I did plenty of searching jorj (thanks for asking :roll: ) but did not find that wiki entry about scripts. It is interesting alright but frankly the quota module would be a damn sight easier to deal with.

However, beggars cannot be choosy so I'll have to enter 508 dumb forwarding rules and get my box to trawl through them every 5 minutes.

Any way of doing this with a couple of rules would be great - make the whole thing more scalable.

Thanks

Malcolm

P.S. Am I the only one who finds this site impossible to search properly these days?
 
jorj
Member
Posts: 398
Joined: Mon Mar 12, 2007 4:34 pm
Location: /dev/null

Re: IPTables Quota Module / Patch Please

Sun Oct 28, 2007 8:27 pm

Can't see what exactly you don't get.
Take the second example. Put whatever addresses you have, and whatever limit you choose, and you're done.
    set [find target-addresses=("192.168.1." . $i)] max-limit=32000/64000
in the example should be for you:
    add list=your_list_name address=("192.168.1." . $i) comment="" disabled=no
If you can't really find that article, take a click here -->> http://wiki.mikrotik.com/wiki/Limiting_ ... traffic_II <<-- and you're there.
Or maybe change your browser...... :mrgreen:
If you really can't see the light...... seek help......
 
mstead
Member Candidate
Topic Author
Posts: 113
Joined: Sat Mar 04, 2006 2:41 am

Re: IPTables Quota Module / Patch Please

Tue Oct 30, 2007 10:26 pm

Hi Jorj,

With regards to searching I meant that I did look for discussion on limiting traffic per user and did not find the wiki article - I felt you were under the impression I was one of those lazy bums that breeze in and ask stuff without bothering to look. I clicked the links in your post and had a good read and it got me a working solution - thank you for getting me this far!!

What I find awkward is putting in 508 forwarding rules so I can count all the users' bytes received. The CPU goes to 50% on a P4 poweredge trawling all the rules looking for overlimit bytes. The quota module should allow for one rule to create new address list entries I would have thought. Kind of like connection limiting people with a single forwarding rule.

I have a simple queue using PCQ to deal with the abusers once identified.

Regards,

Malcolm
 
jorj
Member
Posts: 398
Joined: Mon Mar 12, 2007 4:34 pm
Location: /dev/null

Re: IPTables Quota Module / Patch Please

Wed Oct 31, 2007 9:06 am

Sorry.
Didn't mean to make you lazy.
Currently I don't think you can make what you want without using simple queues.
Or by other means, using nothing else but the mt.
You can use traffic counter, and external tools, but not with only mt. You must have a separate machine to do it.
You can use a script to make simple queues, for whatever addresses you have. It's the simplest way.
And I have ~790 queues on a p2 machine, it's 15-30% cpu. Look closer at your setup...... maybe something else is eating cpu. But, in total, 50% busy, really means 50% free :) . So, you're up and running just fine.
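
Added example (not written by anyone in this thread, and not MikroTik code): the "traffic counter plus external tool" approach discussed above, in Python. It turns periodically polled per-client byte counters into address-list commands and handles counter resets between polls. The list name over_quota, the quota value and the input format (address mapped to a cumulative byte count starting from zero) are assumptions.

```python
import ipaddress

LIST_NAME = "over_quota"   # hypothetical address-list name (assumption)


class QuotaTracker:
    """Accumulates per-client bytes from cumulative counters polled periodically."""

    def __init__(self, quota_bytes):
        self.quota = quota_bytes
        self.last = {}        # address -> last raw counter value seen
        self.used = {}        # address -> bytes counted since the last reset
        self.listed = set()   # addresses already reported as over the limit

    def poll(self, counters):
        """counters maps address -> cumulative bytes; returns newly over-limit addresses."""
        newly = []
        for addr, raw in counters.items():
            prev = self.last.get(addr, 0)
            # A counter lower than last time was reset (reboot, rule re-created):
            # count it from zero instead of producing a negative delta.
            delta = raw - prev if raw >= prev else raw
            self.last[addr] = raw
            self.used[addr] = self.used.get(addr, 0) + delta
            if self.used[addr] > self.quota and addr not in self.listed:
                self.listed.add(addr)
                newly.append(addr)
        return sorted(newly, key=ipaddress.ip_address)

    def midnight_reset(self):
        """Start a new day; keep raw counters so old traffic is not re-counted."""
        self.used.clear()
        self.listed.clear()


def address_list_commands(addresses, list_name=LIST_NAME):
    """Build RouterOS commands; ip_address() rejects anything that is not an IP."""
    return [f"/ip firewall address-list add list={list_name} "
            f"address={ipaddress.ip_address(a)}" for a in addresses]


def flush_command(list_name=LIST_NAME):
    return f"/ip firewall address-list remove [find list={list_name}]"


if __name__ == "__main__":
    # Constructed sample polls (address -> cumulative bytes), quota of 1000 bytes.
    tracker = QuotaTracker(quota_bytes=1000)
    for sample in ({"192.168.1.10": 400, "192.168.1.11": 900},
                   {"192.168.1.10": 700, "192.168.1.11": 1200}):
        for line in address_list_commands(tracker.poll(sample)):
            print(line)
```

Each address is reported once per day, so the tool issues one add per offender and a single flush at midnight.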
