Community discussions

MikroTik App
  4. RouterOS
  5. General

Firewall: Limit PPS on per IP basis

Post Reply
 
webix
newbie
Topic Author
Posts: 33
Joined: Fri May 04, 2018 3:34 pm

Firewall: Limit PPS on per IP basis

Mon Nov 04, 2019 11:57 am

Hello Folks.

I would like to limit the packets per second from a source IP to a destination IP.
I know that this has already been approached, but the solutions given are old and don't work very well.

So, i would like to add a source IP to a address list if that IP passes the limit of 100K PPS to a destination IP.
I have checked this thread (viewtopic.php?t=106044), but it dates from 2016. I guess there were some improvement since then to limit this out. no?

Regards
Top
 
User avatar
xvo
Forum Guru
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Firewall: Limit PPS on per IP basis

Mon Nov 04, 2019 12:39 pm

You can use Dst-limit matcher.
But as it performs desired action when under the limit, then applies passthrough, and that behaviour is not reversible (like with Limit matcher), you will need a custom chain for it.
Top
 
pe1chl
Forum Guru
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: Firewall: Limit PPS on per IP basis

Mon Nov 04, 2019 12:43 pm

You can also use a queue tree and the appropriate packet marking rules in mangle.
This provides a smoother approach (the packets exceeding limit are not immediately dropped, but they are first kept in a queue and delayed).
Top
 
webix
newbie
Topic Author
Posts: 33
Joined: Fri May 04, 2018 3:34 pm

Re: Firewall: Limit PPS on per IP basis

Mon Nov 04, 2019 12:50 pm

You can use Dst-limit matcher.
But as it performs desired action when under the limit, then applies passthrough, and that behaviour is not reversible (like with Limit matcher), you will need a custom chain for it.
Can you please provide an example?
I am using custom chains ;)
This is what i have in this moment:
Code: Select all
/ip firewall filter
add action=jump chain=forward comment="=> Block Specific UDP" dst-address-list=OwnIPs in-interface=ETH1 jump-target=UDPConnections \
limit=5k,20k:packet protocol=udp src-address-list=!secured
add action=add-src-to-address-list address-list=Infractor address-list-timeout=15m chain=UDPConnections protocol=udp src-port=123,11211,3702,389
add action=add-src-to-address-list address-list=Infractor address-list-timeout=15m chain=UDPConnections dst-port=1900,80 protocol=udp
add action=return chain=UDPConnections dst-limit=5000,20000,dst-address/1m40s
add action=add-src-to-address-list address-list=Infractor address-list-timeout=15m chain=UDPConnections
Top
 
User avatar
xvo
Forum Guru
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Firewall: Limit PPS on per IP basis

Mon Nov 04, 2019 1:07 pm

Can you please provide an example?
I am using custom chains ;)
This is what i have in this moment:
Code: Select all
/ip firewall filter
add action=jump chain=forward comment="=> Block Specific UDP" dst-address-list=OwnIPs in-interface=ETH1 jump-target=UDPConnections \
limit=5k,20k:packet protocol=udp src-address-list=!secured
add action=add-src-to-address-list address-list=Infractor address-list-timeout=15m chain=UDPConnections protocol=udp src-port=123,11211,3702,389
add action=add-src-to-address-list address-list=Infractor address-list-timeout=15m chain=UDPConnections dst-port=1900,80 protocol=udp
add action=return chain=UDPConnections dst-limit=5000,20000,dst-address/1m40s
add action=add-src-to-address-list address-list=Infractor address-list-timeout=15m chain=UDPConnections
Yes, that's exactly what I was talking about.
But I don't think you need limit matcher on the first jump rule.
The logic is like that:
1) all packets non in your "secured" list enter the chain.
2) some of them a filtered by port numbers and added to "infractor" list.
3) all others under the dst-limit are returned to normal processing.
4) everything over the dst-limit is added to "infractor" list.
Top
 
webix
newbie
Topic Author
Posts: 33
Joined: Fri May 04, 2018 3:34 pm

Re: Firewall: Limit PPS on per IP basis

Mon Nov 04, 2019 2:43 pm

Yes, that's exactly what I was talking about.
But I don't think you need limit matcher on the first jump rule.
The logic is like that:
1) all packets non in your "secured" list enter the chain.
2) some of them a filtered by port numbers and added to "infractor" list.
3) all others under the dst-limit are returned to normal processing.
4) everything over the dst-limit is added to "infractor" list.
Yes, i know. But that will split the total of the packets.
I mean... If IP x.x.x.x send 5000 packets to ip y.y.y.y, and 5000 packets to ip z.z.z.z, and 5000 packets to a.a.a.a, another 5001 packets to ip b.b.b.b, he will match the rule (wrongly)
Top
 
User avatar
xvo
Forum Guru
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Firewall: Limit PPS on per IP basis

Mon Nov 04, 2019 3:19 pm

You can change "Dst limit" "Limit by" to src-address.
Top
Post Reply

Who is online

Users browsing this forum: Techsystem, wispmikrotik and 26 guests
  4. RouterOS
  5. General