connection limit (ok, I'm boring a little bit)
Posted: Tue Dec 19, 2006 12:21 am
by titius
Well, this is my setup:
7 ;;; limit konekcija
chain=forward protocol=tcp connection-limit=5,32 action=drop
8 ;;; marko
chain=forward src-address=192.168.8.10 action=accept
9 ;;; topic
chain=forward src-address=192.168.8.38 action=accept
10 ;;; milekic
chain=forward src-address-list=milekic action=accept
11 ;;; blade
chain=forward src-address=192.168.8.40 action=accept
12 ;;; nebo
chain=forward src-address=192.168.8.36 action=accept
13 ;;; cucic
chain=forward src-address=192.168.8.37 action=accept
My question is: rule no. 7 is for limiting the number of connections to the internet. Does this rule apply a 5-connection limit to all IP addresses together, or a 5-connection limit to each IP address??
Posted: Tue Dec 19, 2006 1:28 am
by tneumann
As you have given 32 for the netmask, the limit will apply to each individual IP address. This is in the manual, by the way...
And you should use tcp-flags=syn with that rule, so that it only applies to TCP session setup.
--Tom
Posted: Tue Dec 19, 2006 2:15 am
by titius
Ok, so to conclude this: my setup will limit connections to, for example, 5 connections for each IP, so everyone will have 5 connections??
And thanks, I will add tcp syn.
Posted: Tue Dec 19, 2006 8:48 am
by sergejs
Yes, each IP address will not be able to open more than 5 simultaneous TCP connections. E.g. if a user has reached the limit and tries to open another web page, the page will not be loaded.
Posted: Wed Dec 20, 2006 7:14 pm
by titius
Thanks.
You can place this in a wiki page, because I can't register.
Posted: Thu Dec 21, 2006 11:02 am
by sergejs
The same configuration example is placed at the top of the firewall documentation:
http://www.mikrotik.com/testdocs/ros/2. ... 6174599693
Posted: Thu Dec 21, 2006 5:35 pm
by titius
?? bonding ??
Posted: Fri Dec 22, 2006 7:52 am
by sergejs
Posted: Fri Dec 22, 2006 7:21 pm
by titius
Thanks. Mmm, I've added just one thing: a dst-address list. I put in a list of local addresses, because I have a local web and Direct Connect server.
So does this rule work with the dst-address-list option enabled?
chain=forward protocol=tcp tcp-flags=syn connection-limit=10,32
dst-address-list=!bgwnsw action=drop
Posted: Mon Dec 25, 2006 3:57 am
by titius
Well, it seems that connection limiting does not work properly; some users still flood the internet link with P2P and surfing the net is not possible. The only thing that helps to drop P2P is to forward only ports 1-1024 to the internet, but then I have a problem using Skype and IM software.
It seems that when I make a rule to drop connections it affects all of the users and not just one IP address.
;;; limit konekcija
chain=forward src-address=192.168.8.10 protocol=tcp tcp-flags=syn
connection-limit=15,32 dst-address-list=!bgwnsw action=drop
This is not working; where am I going wrong??
Posted: Wed Dec 27, 2006 1:29 am
by titius
Is it possible that no one can answer, or am I a spammer? I mean, is it possible that MT cannot detect encrypted P2P connections at all???!!!
Because the connection limit is not limiting some P2P software.
Posted: Wed Dec 27, 2006 7:43 am
by mneumark
Are you only wanting to limit TCP connections and not UDP packets?
Posted: Wed Dec 27, 2006 9:43 am
by janisk
Is your connection tracking enabled? And yes, why only TCP connections?
Posted: Wed Dec 27, 2006 6:47 pm
by titius
Yes, my connection tracking is on, and I don't need (want) to limit UDP connections.
Posted: Thu Dec 28, 2006 12:49 am
by mneumark
Try chain=forward src-address=192.168.8.10 protocol=tcp tcp-flags=syn connection-limit=15,32 action=drop
It should work as long as you have Connection Tracking on and configured.
Posted: Thu Dec 28, 2006 1:42 am
by titius
Well, I don't want to limit connections in the local area network, just the internet...
Posted: Thu Dec 28, 2006 6:45 pm
by titius
So does limiting connections work for encrypted traffic? I mean, I know encrypted traffic also makes a connection, but I can't manage to limit users with torrent crap to 15 connections; it doesn't work.
Posted: Fri Dec 29, 2006 1:37 pm
by janisk
It has to work, even if encrypted - you see the connection.
Posted: Fri Dec 29, 2006 10:55 pm
by datawlan
Try chain=forward src-address=192.168.8.10 protocol=tcp tcp-flags=syn connection-limit=15,32 action=drop
It should work as long as you have Connection Tracking on and configured.
Only limiting the internet:
chain=forward src-address=192.168.8.10 dst-address=!192.168.8.0/24 protocol=tcp tcp-flags=syn connection-limit=15,32 action=drop
Posted: Sat Dec 30, 2006 3:53 am
by titius
And this rule should limit everyone's connections to 15??
So torrent users will only have 15 connections and won't choke web surfers??
Posted: Sat Dec 30, 2006 5:03 am
by mneumark
If you want to do that, use the following:
chain=forward src-address=192.168.8.10 dst-address=!192.168.8.0/24 protocol=tcp tcp-flags=syn p2p=all-p2p connection-limit=15,32 action=drop
Otherwise, if you don't specify p2p, it will do it on all TCP connections.
Posted: Sat Dec 30, 2006 9:33 am
by datawlan
Yes, it is correct.
Unfortunately, I have had a bad experience limiting P2P connections (some programs simply pass my rules).
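To pull the connection-limit discussion above together (the per-/32 semantics tneumann and sergejs explain, the tcp-flags=syn advice, the dst-address-list exclusion titius added and datawlan's internet-only variant), here is an added, importable rule set. It is an editor's example, not a configuration any of the posters published. The list names local-nets and unlimited-hosts, the exempt host 192.168.8.10 and the cap of 15 are assumptions; the syntax is RouterOS v6 CLI, though every matcher used already exists in the 2.9/3.x versions the thread runs.

```routeros
# Added example, not a configuration posted in this thread.
# Per-source-IP cap on TCP connections towards the internet, RouterOS v6 CLI.
# Assumed: list names local-nets / unlimited-hosts, LAN 192.168.8.0/24,
# 192.168.8.10 as an exempt host, 15 as the cap.

# connection-limit only counts tracked connections, so tracking must be on
/ip firewall connection tracking
set enabled=yes

/ip firewall address-list
add list=local-nets address=192.168.8.0/24 comment="LAN incl. local web and DC server"
add list=unlimited-hosts address=192.168.8.10 comment="not subject to the limit"

/ip firewall filter
# Rules are evaluated top to bottom and accept ends the chain, so exemptions
# go BEFORE the drop; placed after it (opening post, rules 7-13) they exempt
# nobody.
add chain=forward src-address-list=unlimited-hosts action=accept \
    comment="exempt hosts"

# Test only the opening packet of a new session: connection-state=new plus
# syn,!ack pins the rule to the client's SYN (tcp-flags=syn alone would also
# match a SYN-ACK). The count is per /32 (",32"): each LAN address may hold
# 15 tracked TCP connections; its 16th SYN towards the internet is dropped.
# UDP is not counted or limited. Use action=reject reject-with=tcp-reset
# instead of drop if clients should fail fast rather than retransmit the SYN
# until they time out.
add chain=forward protocol=tcp tcp-flags=syn,!ack connection-state=new \
    src-address-list=local-nets dst-address-list=!local-nets \
    connection-limit=15,32 action=drop \
    comment="max 15 TCP connections per LAN IP to the internet"

# Check what the limiter is actually counting for one host
/ip firewall connection print count-only where protocol=tcp src-address~"^192.168.8.10:"
```

Note what the match counts: existing tracked TCP connections from the same /32, whatever their destination, so LAN-to-LAN sessions (and closed sessions still sitting in the tracking table) consume part of the 15 even though only internet-bound SYNs are dropped. The p2p=all-p2p matcher mneumark adds narrows the rule to P2P the router can recognise and therefore does nothing for encrypted clients, which is exactly what the thread goes on to discover.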
Posted: Sat Dec 30, 2006 6:06 pm
by titius
Ok mneumark, but encrypted P2P is not possible to detect.
And I don't need to detect; I want to limit the user to 15 TCP connections. Thanks all, but it still doesn't work. I will system-reset MT ROS and try from the beginning.
Posted: Sun Dec 31, 2006 7:37 pm
by titius
Nope, it does not work; Azureus still kills web surfing, or the firewall rule affects all IP addresses...
Posted: Mon Jan 01, 2007 6:18 am
by mneumark
Titus,
Not sure what you might be doing, but I used the same rule I supplied you and it works. You might want to do a supout.rif and send it to
support@mikrotik.com; they will be able to see if it's a bug or not.
Posted: Fri Jan 05, 2007 3:51 pm
by maxfava
Hi friends,
Why do you want to limit connections and not limit bandwidth using PCQ?
I have set up both a TCP connection limit of 10 and a bandwidth limit on my setup, and it works.
Posted: Fri Jan 05, 2007 4:39 pm
by titius
Encrypted P2P cannot be throttled.
And with a connection limit you can accomplish that only, for example, 15 connections are established per IP address, and I don't have to worry about slow or impossible surfing...
Posted: Fri Jan 05, 2007 6:02 pm
by maxfava
titius,
I use the following method,
firewall mangle forward with no passthrough:
a) mark HTTP packets
b) mark DNS
.... all other protocols that you want to prioritize, such as VoIP.
c) mark the rest of the packets
Queue:
http, dns, voip ... rest of the packets.
In this way I'm sure that all P2P traffic will be blocked by the rest-of-packets queue.
If a customer asks for such a protocol, I will create the rule in the mangle.
It is not perfect, honestly, but it works.
The only issue I have is to shape the P2P traffic and not limit it, and I'm working to understand how, since my customers are connected via PPTP.
best regards
Max
Posted: Sat Jan 06, 2007 10:01 am
by mneumark
Max,
With firewall mangle forward you can't shape encrypted P2P. It's just not possible, nor will mangle catch encrypted P2P.
Posted: Sat Jan 06, 2007 11:50 am
by gpienaar
Hi All!
I had the same problem in the past! Encrypted P2P is very difficult to limit!
I also tried to limit P2P, but it just took over the network. Yes, you can limit connections as explained before!
The best result I had is to mark all new packets (=2000000), and after this they will turn into old packets with a lower priority (8). Set up your global-in and global-out queues (PCQ), new packets priority 1 and old packets priority 8, and there you go. No P2P can kill your network.
There is an example somewhere in the forum (slow downloads or so)!
Posted: Sat Jan 06, 2007 12:24 pm
by titius
Please, can you paste your setup from MT??
Posted: Sat Jan 06, 2007 3:08 pm
by gpienaar
Please, can you paste your setup from MT??
Please note that all my clients come in on PPPoE on previous MTs, limited at 128k, and their connection limits are already set at 100!
The main MT configuration is as follows!
Here it is!
First, mangle:
;;; mark all new connections
chain=prerouting protocol=tcp action=mark-connection new-connection-mark=new_conn passthrough=yes
;;; mark packets
chain=prerouting protocol=tcp connection-mark=new_conn connection-bytes=0-1000000 action=mark-packet new-packet-mark=new_packet passthrough=no
;;; marking old packets
chain=prerouting protocol=tcp connection-mark=new_conn action=mark-packet new-packet-mark=old_packets passthrough=no
Then the queue tree:
name="Main_Upload" parent=global-out packet-mark="" limit-at=0 queue=default priority=8 max-limit=384000 burst-limit=0 burst-threshold=0 burst-time=0s
name="Up First 192kbit" parent=Main_Upload packet-mark=new_packet limit-at=192000 queue=PCQ_Upload priority=1 max-limit=384000 burst-limit=0 burst-threshold=0 burst-time=0s
name="Up Rest kbits" parent=Main_Upload packet-mark=old_packets limit-at=64000 queue=PCQ_Upload priority=8 max-limit=384000 burst-limit=0 burst-threshold=0 burst-time=0s
name="Main_Download" parent=global-in packet-mark="" limit-at=0 queue=default priority=8 max-limit=1000000 burst-limit=0 burst-threshold=0 burst-time=0s
name="Down First 1Mbit of data" parent=Main_Download packet-mark=new_packet limit-at=800000 queue=PCQ_Download priority=1 max-limit=1000000 burst-limit=0 burst-threshold=0 burst-time=0s
name="Down Rest kbits" parent=Main_Download packet-mark=old_packets limit-at=200000 queue=PCQ_Download priority=8 max-limit=1000000 burst-limit=0 burst-threshold=0 burst-time=0s
My upload is 384 kbps and download is 1 Mbit/s.
Theory:
A new P2P (or any other) connection will come in and will download at priority 1; the moment it reaches 1 MB of data it will move down to priority 8. Same with upload!
Advantage: all P2P is always larger than 1 MB, so it will always move down to priority 8.
Disadvantage: you can never reach speeds faster than global-in and global-out, for example a mail server that is connected just after the MT!
Hope this helps!
Mr G
P.S. I hope other more advanced users will also share their mangle and queue tree secrets!!
Posted: Sat Jan 06, 2007 6:54 pm
by maxfava
Max,
With firewall mangle forward you can't shape encrypted P2P. It's just not possible, nor will mangle catch encrypted P2P.
Hi, thanks for the advice,
but from my logical point of view,
I put into the rest-of-packets queue what I think will be all packets, inclusive of P2P and encrypted P2P; why is this not correct for you?
Thanks
Massimo
Posted: Sat Jan 06, 2007 8:46 pm
by samsoft08
gpienaar, you said that you have a max of 1Mb download and you are marking packets = 1Mb ..??
You have 2 types of packets, 1M max packets and >1M packets!!!!
So, if one packet is 1M it will be marked as new_packet and it will get a priority of 1 .. and it will stay as new_packet?? Eating all your 1M bandwidth!!!
Posted: Sat Jan 06, 2007 10:22 pm
by gpienaar
To samsoft08!
Clearly you don't understand!
1 Mb/s download speed, yes. The mangle rule will mark all packets as new connections until the total download data reaches 1 MB (8 megabits in 1 megabyte); then the packets match the rule to mark them as old packets, hence the priority is shifted down to 8!
I hope this is clear!
By the way, I am not the only one that uses this technique; ask Janisk! It is also known as the manual burst technique!
To maxfava: you can mark the packets any way you like! Try to play with new connection = 0-2000000 (2 MB new packets) and bigger than 2 MB old packets. This really works for me. Fast browsing even for P2P users while downloading.
Isn't this what you want?
Regards
Mr G
Posted: Sat Jan 06, 2007 11:52 pm
by samsoft08
Ok, I don't understand the relation between the speed and the total amount of bytes downloaded ..
You mean that we must wait for a connection to reach 1 Mbyte of total download to lower its priority??
It seems that is all MT can do about speeding up browsing vs. big downloading.
Posted: Sun Jan 07, 2007 5:39 am
by titius
Thanks
gpienaar, I will try this tomorrow and write the results.
Posted: Sun Jan 07, 2007 9:51 am
by gpienaar
samsoft08: "ok I don't understand the relation between the speed and the total amount of bytes downloaded .."
Please note that the main download and upload make use of PCQ; therefore you need to specify a max data rate, otherwise PCQ will not work (MT basic training). Sorry, I forgot to add this in the previous post! Here is the PCQ setup that is being used in the queue tree:
name="PCQ_Upload" kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=src-address pcq-total-limit=2000
name="PCQ_Download" kind=pcq pcq-rate=0 pcq-limit=50 pcq-classifier=dst-address pcq-total-limit=2000
samsoft08: "you mean that we must wait for a connection to reach 1 Mbyte of total download to lower its priority??"
Yes! You got it!
Regards
Mr G
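The same technique as one importable script, tying together gpienaar's mangle and queue tree above and the PCQ types he adds here. This is an added example, not his own export: the values are his, while connection-state=new on the first mangle rule and the comments are mine. The syntax is the RouterOS 2.9/3.x form the thread uses (global-in/global-out parents); from v6 onwards the queue tree has a single global parent instead, so those two parent lines would change there.

```routeros
# Added example, not gpienaar's own export: his "manual burst" setup as one
# importable script. Values are his (384k up / 1M down, 1 MB threshold, PCQ
# limits); connection-state=new on the first mangle rule is my addition.
# RouterOS 2.9/3.x syntax (global-in/global-out); v6+ uses parent=global.

/queue type
# pcq-rate=0: the owning queue's max-limit is shared equally among the
# active addresses; a non-zero pcq-rate would cap each address instead.
add name=PCQ_Upload kind=pcq pcq-rate=0 pcq-limit=50 \
    pcq-classifier=src-address pcq-total-limit=2000
add name=PCQ_Download kind=pcq pcq-rate=0 pcq-limit=50 \
    pcq-classifier=dst-address pcq-total-limit=2000

/ip firewall mangle
# Mark each TCP connection once, on its opening packet. The posted rule
# marks on every packet (no connection-state); same marks, one rule
# evaluation per packet more.
add chain=prerouting protocol=tcp connection-state=new \
    action=mark-connection new-connection-mark=new_conn passthrough=yes
# connection-bytes is the running total of BOTH directions of the
# connection: packets while it is under 1 000 000 bytes are "new",
# everything after that is "old". passthrough=no so each packet gets
# exactly one of the two packet marks.
add chain=prerouting protocol=tcp connection-mark=new_conn \
    connection-bytes=0-1000000 action=mark-packet \
    new-packet-mark=new_packet passthrough=no
add chain=prerouting protocol=tcp connection-mark=new_conn \
    action=mark-packet new-packet-mark=old_packets passthrough=no

/queue tree
# priority is only compared between children of the same parent, and the
# parent must carry a max-limit (the link speed) for it to have any effect.
add name=Main_Upload parent=global-out max-limit=384000
add name="Up First" parent=Main_Upload packet-mark=new_packet \
    priority=1 limit-at=192000 max-limit=384000 queue=PCQ_Upload
add name="Up Rest" parent=Main_Upload packet-mark=old_packets \
    priority=8 limit-at=64000 max-limit=384000 queue=PCQ_Upload
add name=Main_Download parent=global-in max-limit=1000000
add name="Down First" parent=Main_Download packet-mark=new_packet \
    priority=1 limit-at=800000 max-limit=1000000 queue=PCQ_Download
add name="Down Rest" parent=Main_Download packet-mark=old_packets \
    priority=8 limit-at=200000 max-limit=1000000 queue=PCQ_Download
```

The numbers answer samsoft08's question about speed versus bytes: the threshold is a byte count on the connection, not a rate. On this 1 Mbit/s link a connection running at full speed is demoted after about 8 s (1,000,000 bytes is 8,000,000 bits); at 512 kbit/s it takes about 16 s, so connection-bytes should be scaled to the link, a few seconds' worth of bytes at full rate. Setting pcq-rate to cap each address is the route to the per-IP question titius raises later, with the catch that the two children each enforce it separately, so one host can reach up to twice pcq-rate across its new and old traffic combined.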
Posted: Sun Jan 07, 2007 1:21 pm
by samsoft08
Yes, I got it, thank God ..
But as I said, is that all MT can do? Waiting for a connection to reach a specific limit and only then lowering its priority?
What if I have 512 kbit/s only?? All the clients must wait for some client's connection to reach 1 Mbyte = 8 Mbit, then they must wait for another client to eat the bandwidth for a specific time, and so on .. What if there are 40 users online?
You must be kidding ...
Posted: Sun Jan 07, 2007 2:01 pm
by titius
What do I need to change so I can limit each user's bandwidth, not PCQ??
Posted: Sun Jan 07, 2007 2:53 pm
by gpienaar
To samsoft08!
That was only an example!
Play with the idea and modify accordingly (speeds and total data)!
512 kbps is about 52-55 KBytes per second download in real life!
Try to implement it and run it for 48 hours and see if it works for you!
samsoft08: "but as I said, is that all MT can do? waiting for a connection to reach a specific limit and only then lowering its priority?"
That will be the only way to drop encrypted P2P to a lower priority, unless you know the exact ports that it is running on! Every day there is new encrypted P2P software coming out! Some is even using port 80; how will you stop that or limit that? According to me this is the only way, better than nothing!
It is very easy to complain and think of 10 000 reasons why it won't work!
TRY IT, RUN IT AND LET ME KNOW!
To titius, did you try it?
Try PPPoE connections for your customers! Or Hotspot!
To Normis or Janisk - please jump in!!
Regards
Mr G
Thanks for your help
Posted: Sat Jan 13, 2007 9:27 am
by leb23m
Hello guys,
I want to ask, please: do I need to disable my simple queues, or shall I leave them?? My simple queues are 16k/56k for each one.
So shall I remove all my simple queues to have the speed of 1 meg, or not??
Please reply.
Posted: Sat Jan 13, 2007 12:42 pm
by titius
If you remove the simple queues everyone will have 1 Mbps, so you will not have control over your bandwidth.
BTW, this is for a new thread.
Thanks for your reply
Posted: Sat Jan 13, 2007 2:53 pm
by leb23m
Dear gpienaar,
shall I remove all the simple queues or not, because you wrote that each file downloaded, at 8 megabits of size, will be downloaded at a speed of 1 meg and after the 8 meg it will be at low speed, right?
Re: Thanks for your reply
Posted: Sat Jan 13, 2007 5:07 pm
by gpienaar
Dear gpienaar,
shall I remove all the simple queues or not, because you wrote that each file downloaded, at 8 megabits of size, will be downloaded at a speed of 1 meg and after the 8 meg it will be at low speed, right?
Yes, remove the simple queues!
Let's try again!
1. A customer will start a download!
2. For the first 1000000 bytes of data he will download at a speed of 1 Mbit/s at a priority of 1.
3. The moment his file download reaches 1000000 bytes of data his priority will shift down to 8, and he will still download at a speed of 1 Mbit/s, provided that there is no other traffic!
4. The moment a new download is started, that new connection has a priority of 1; it will download at 800 kbit/s for the first 1000000 bytes of data! (GUARANTEED LIMIT IS SET AT 800 KBPS IN THE QUEUE), also depending on PCQ!
5. The old download will go down to 200 kbit/s (guaranteed in the queue), priority 8!
6. The moment both downloads are on old packets (> 1000000 bytes of data) both downloads will be balanced at 500 kbit/s (provided that there are no new packets!)
This is very simple! I need all of you to understand the theory behind it! Then you will be amazed at how many clients you can hook on to your network at, say, 128 kbps on PPPoE and almost no one will complain!
Regards
Mr G
P.S. This is the main purpose for which MikroTik developed ROS! I was told by Arnis Rijkstein!
Posted: Sun Jan 14, 2007 3:25 am
by titius
Yes, it is great!!
But can we somehow achieve, for the same client, when he reaches 1000000 bytes the priority goes to 8 and he makes a new connection (web surfing), that this new connection opens the web page quickly, or will it be choked by his active download?
Posted: Sun Jan 14, 2007 12:44 pm
by gpienaar
Yes, it is great!!
But can we somehow achieve, for the same client, when he reaches 1000000 bytes the priority goes to 8 and he makes a new connection (web surfing), that this new connection opens the web page quickly, or will it be choked by his active download?
This is why it is beautiful: this is for each connection and not per IP!
So yes, the new connection will open the web page quickly, provided that his download has already reached that 1000000 bytes of data (you can change this value), which will move it down to priority 8!
Regards
Mr G
Posted: Sun Jan 14, 2007 2:48 pm
by titius
Thanks man, sincerely.
Just one more thing: can we still make it so that every IP has, for example, 128 kbps together with your queue rules, so he downloads with a speed of 128 kbps; when he reaches 1000000 his old connections go to prio 8 and new ones to prio 1, and he downloads with 128 kbps, but when he asks for a web page it opens with prio 1 within his 128 kbps queue limit?
Posted: Sun Jan 14, 2007 3:24 pm
by gpienaar
Create a PPPoE server, create a PPPoE profile with a limit of 64k up and 128k down! This should work!
Regards
Mr G
Posted: Sun Jan 14, 2007 6:32 pm
by titius
Create a PPPoE server, create a PPPoE profile with a limit of 64k up and 128k down! This should work!
Regards
Mr G
Along with your queue tree setup?
Posted: Sun Jan 14, 2007 7:26 pm
by gpienaar
On my systems I have the queue tree set up on the main gateway MT and all other clients connect via tower MTs (PPPoE links). The whole network is running OSPF!
Regards
Mr G
Posted: Sun Jan 14, 2007 10:28 pm
by gpienaar
Try it, did it work?
Like I said before, I do not currently run PPPoE and the queue tree on the same unit!
But I am sure that you can play with the mangle rules to specify your outgoing interface! Therefore your PPPoE (an interface on its own) should work fine!
Try it and let me know!
Regards
Mr G
Posted: Mon Jan 15, 2007 12:38 am
by titius
I will try without PPPoE...
I'm not an ISP; it is for a local wireless community.
Thanks
Posted: Mon Jan 15, 2007 1:24 pm
by janisk
http://forum.mikrotik.com/viewtopic.php?t=12870
is an example where a download is slowed down once it gets old...
It can be easily adjusted to your needs.
If not, you have to read the QoS manual.
Posted: Mon Jan 15, 2007 6:58 pm
by titius
QoS manual, ok; a link??
Posted: Tue Jan 16, 2007 10:44 am
by janisk
Posted: Tue Jan 16, 2007 2:13 pm
by sidney
Hi to all,
I am busy trying out gpienaar's setup and also janisk's.
I see one is using forward and the other prerouting, but does that depend on each setup, or what?
Ok, can one do the same as your setup using TCP and then do another setup using UDP, but both marked the same, e.g.:
ip firewall mangle
add chain=forward protocol=tcp action=mark-connection \
new-connection-mark=new_conn passthrough=yes comment="mark all new \
connections" disabled=no
add chain=forward protocol=tcp connection-mark=new_conn \
connection-bytes=0-2000000 action=mark-packet new-packet-mark=new_packet \
passthrough=no comment="mark packets" disabled=no
add chain=forward protocol=tcp connection-mark=new_conn action=mark-packet \
new-packet-mark=old_packets passthrough=no comment="marking old packets" \
disabled=no
add chain=forward protocol=udp action=mark-connection \
new-connection-mark=new_conn passthrough=yes comment="mark all new \
connections" disabled=no
add chain=forward protocol=udp connection-mark=new_conn \
connection-bytes=0-2000000 action=mark-packet new-packet-mark=new_packet \
passthrough=no comment="mark packets" disabled=no
add chain=forward protocol=udp connection-mark=new_conn action=mark-packet \
new-packet-mark=old_packets passthrough=no comment="marking old packets" \
disabled=no
Then I am doing the same with queue trees. If I keep the simple queues as I had them before, would it matter? When I tested it last night at home, running as a client, my old simple queues still locked me at a limited speed of +- 500 kbps, which is about 55 KB/s; as I was downloading an SBLive driver CD it kept me at +- 55 KB/s. For wireless clients that is more than enough. Although the download queue worked, the upload queue stayed on zero.
My setup is an RB500 with the internet going in on ether2 and bridged with 3 wlans to clients.
Sidney
Posted: Tue Jan 16, 2007 7:52 pm
by samsoft08
Does this example mark proxy packets also??
Posted: Sun Feb 04, 2007 10:47 pm
by samsoft08
It doesn't mark the web-proxy packets....
Single user traffic?
Posted: Sun Feb 18, 2007 2:17 pm
by PrSliCa
Hm... it looks like applying these rules to my MT limits total traffic, not per-user traffic...
I have limited users using simple queues to 350/350 kbps. Setting up the queue tree like above, my users' speed drops.
What am I doing wrong?
I have a few old 2.8.26 MTs; is there a way to do good QoS on them?
Re: connection limit (ok, I'm boring a little bit)
Posted: Fri Sep 21, 2007 8:47 am
by 0ldman
[quoting gpienaar's mangle and queue tree configuration posted above]
When I try to add this via Winbox it won't let me set the "limit at" higher than the "max limit".
Is this in the Wiki? I haven't been able to find it.