limit connection per IP

Posted: Mon Nov 14, 2005 11:34 am
by conchalnet
Hi all,

I'm trying to limit the max connections per host on my network, but I don't know if I'm doing it right.

I got the rule below on the forum (http://forum.mikrotik.com/viewtopic.php ... tion+limit ):

/ip firewall filter add action=drop connection-limit=5,32 protocol=tcp tcp-flags=syn chain=forward

This rule has some packets and bytes in the statistics, but if I go to the connections tab in Winbox (IP-FIREWALL-CONNECTIONS TAB) I can count more than 5 TCP connections per host :(.

How can I limit the connections on my network??? I want each client connected to my MikroTik AP to be able to open 10 simultaneous connections.

Thanks in advance.

Fabrício Fadel Kammer

Posted: Mon Nov 14, 2005 12:31 pm
by sergejs
Then you have to change 5 to 11 for 10 connections (11,32).
Clear the information in the connection table.

Do not forget, the given rule limits new TCP connections.

Posted: Mon Nov 14, 2005 4:55 pm
by conchalnet
I think that isn't working, because I can see an IP with about 100 connections open in the connection table.

How can I prevent this??? I want the same IP to have a maximum of 10 connections open at the same time.

Thanks
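As an added illustration (not from this thread and not MikroTik's code), a small Python helper that does what the poster is trying to do by eye in the connections tab: count TCP connections per source, aggregated the same way the second argument of connection-limit works (32 = each host separately, 24 = a whole /24 counted as one source). The connection-table excerpt is constructed in a simplified line format and is not real RouterOS output.

```python
import ipaddress
from collections import Counter

# Constructed sample connection-table excerpt (NOT real RouterOS output; the
# real "/ip firewall connection print" layout is wider). One line per tracked
# connection: protocol, src-address:port, dst-address:port, optional tcp-state.
SAMPLE_CONNECTIONS = """\
tcp 192.168.1.10:51234 93.184.216.34:80 established
tcp 192.168.1.10:51235 93.184.216.34:80 established
tcp 192.168.1.10:51236 93.184.216.34:443 syn-sent
udp 192.168.1.10:5353 224.0.0.251:5353
tcp 192.168.1.11:40000 93.184.216.34:80 established
tcp 192.168.2.5:40001 93.184.216.34:80 established
"""

def parse_connections(text):
    """Turn the simplified dump into dicts with protocol, src, dst, state."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        conns.append({
            "protocol": fields[0],
            "src": fields[1].rsplit(":", 1)[0],
            "dst": fields[2].rsplit(":", 1)[0],
            "state": fields[3] if len(fields) > 3 else "",
        })
    return conns

def connections_per_source(conns, prefix_len=32, protocol="tcp"):
    """Count connections per source network, grouped the way
    connection-limit=N,<mask> groups them: 32 counts every host on its own,
    24 lumps a whole /24 together as one source."""
    counts = Counter()
    for c in conns:
        if c["protocol"] != protocol:
            continue
        net = ipaddress.ip_network(f"{c['src']}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return counts

def over_limit(counts, limit):
    """Return only the sources whose connection count exceeds the limit."""
    return {net: n for net, n in counts.items() if n > limit}

if __name__ == "__main__":
    per_host = connections_per_source(parse_connections(SAMPLE_CONNECTIONS))
    print(over_limit(per_host, 2))  # {'192.168.1.10/32': 3}
```

Note that the count includes stale established entries just as the connection table does, which is why a long tcp-established timeout makes the table look far worse than the actual number of live connections.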

SYN how to but...

Posted: Mon Jan 16, 2006 7:34 pm
by maxfava
Regarding the maximum number opened by a client, which can be called a SYN attack, I'm asking how our Internet service provider manages this issue or state?

Because I monitor the number of connections on my ADSL line and it supports up to 1700 connections/sec.
But on my internal net I must reduce it to 70-80 so as not to trigger SYN attack detection.

:roll:

Is there someone who knows?

Ciao

Posted: Mon Jan 16, 2006 8:27 pm
by Hugh Hartman
conchalnet
Are all the connections TCP, or is there some UDP mixed in?

Posted: Fri Jan 27, 2006 7:53 pm
by sroa
Hello, I was having the same problem, but if you check the user's manual, when you see CONNECTIONS in firewall it reports connections from hours ago (or days), and especially the TCP connections are kept for days even if the client has been disconnected. Why don't you try to monitor one client IP with Torch in Winbox? You will see that connlimit is working.

Posted: Fri Jan 27, 2006 8:00 pm
by djape
Just go to connection tracking and reduce Established TCP connections from 5 days to 1 hour. It works great for me...

Posted: Mon May 08, 2006 11:15 pm
by ns-c0de
But doesn't that just reduce the time the Tik tracks the connection? What happens to connections that ARE still established but are not currently active (for example somebody in a p2p queue)?

Re:

Posted: Sun Jan 31, 2021 1:08 am
by hendra
But doesn't that just reduce the time the Tik tracks the connection? What happens to connections that ARE still established but are not currently active (for example somebody in a p2p queue)?
Can someone answer this question? I have the same problem.