I have to limit one of destination LAN IP address with maximum packets per second. But it have to be limited everything except port 80, 443 and 53. How to write that rule to firewall? Could you help me, please?

dst-limit is used to limit pps, more information at the documentation.
You need to add accept rules for 80, 443, 53, then add rule with dst-limit to limit pps.

dst-limit is used to limit pps, more information at the documentation.
You need to add accept rules for 80, 443, 53, then add rule with dst-limit to limit pps.

OK, thank you. But, should i use accept or drop with dst-limit? I have read documentation, but i don't understand how to use dst-limit at all.
Could you write any example of that rule, please?

if all expressions of firewall rule returns true, then it does action it is said to do, if it is said pps=10 action=accept then 10 packets per second will be accepted and all the rest will be dropped

then 10 packets per second will be accepted and all the rest will be dropped

You don't mean dropped, you mean allowed to go to the next rule in the firewall chain. You have to make sure that you disallow the remaining packets in another rule.

OK, i have accept rules for ports 80,53, and other that i don't want to limit, but last two rules are:

chain=forward dst-limit=100,5,dst-address/1m40s action=accept
chain=forward action=drop

But it seems not to work, not limiting pps to 100 for other ports. Why?
Why there is a problem to give any example for me?

Any idea?

currently do not use pps for anything other but icmp and limiting packets to max value of 10 pps

this is a bug, that values greater than that will not be accurate

if you set 33,0 pps then you will get 24 as a result
34 to 49 pps will give you 33 pps
50 to 99 = 50
100 to 10000 = 100
10001 to .. = no limits

this is a result of a minor settings bug, which is known, and is being fixed. after that you will be able to use specific settings

currently do not use pps for anything other but icmp and limiting packets to max value of 10 pps

So, you mean that it will not work for other protocols and ports than icmp? or will be working but with buggy setting, for instance "if you set ...100 to 10000 = 100" ?

currently do not use pps for anything other but icmp and limiting packets to max value of 10 pps

So, you mean that it will not work for other protocols and ports than icmp? or will be working but with buggy setting, for instance "if you set ...100 to 10000 = 100" ?

no, it will work fine, but you will have to use that conversion table janisk pasted below. if you want to limit it to 24pps, you have to use the number 33 instead. also this means that you can't set it to anything higher than 100, as it will treat it as 'unlimited'

we are fixing it already

to clear things up - it will work with any protocol

but mainly this feature was intended for ICMP protocol, because using this on tcp is close to nonsense, why - IMO because tcp will retransmit the packet and your infrastructure will be loaded anyway

to clear things up - it will work with any protocol

but mainly this feature was intended for ICMP protocol, because using this on tcp is close to nonsense, why - IMO because tcp will retransmit the packet and your infrastructure will be loaded anyway

But it should work with UDP, usefull with some p2p applications, for instance.

you can't limit it to anything more than 100pps, which is useless for UDP or anything other than ICMP. Please wait until this is fixed, then you will be able to use it

currently do not use pps for anything other but icmp and limiting packets to max value of 10 pps

this is a bug, that values greater than that will not be accurate

if you set 33,0 pps then you will get 24 as a result
34 to 49 pps will give you 33 pps
50 to 99 = 50
100 to 10000 = 100
10001 to .. = no limits

this is a result of a minor settings bug, which is known, and is being fixed. after that you will be able to use specific settings

I have been trying to understand "limit" and "dst-limit", and they were not working normally. After I found this post, now I understand. But I'm using 5.15 and apparently they are not yet fixed? Results below:

you can't limit it to anything more than 100pps, which is useless for UDP or anything other than ICMP. Please wait until this is fixed, then you will be able to use it

When it will be fixed? We are waiting, because we need this feature.

In version 6.43.12 still not resolve.

This would be a good function to able to control the device under DDOS attacks on conntrack table.
(I need to control 900kpps on CCR1036)

In version 6.43.12 still not resolve.

This would be a good function to able to control the device under DDOS attacks on conntrack table.
(I need to control 900kpps on CCR1036)

I have raised a ticket for this - it's Ticket#2019100422002897 in case @janisk is reading this

another ticket has been opened:
support #[SUP-35291]

may you fix it??!?!?!??!!??!?