Community discussions

aitsecurity
Frequent Visitor
Topic Author
Posts: 84
Joined: Thu Mar 16, 2006 12:28 am
Location: venezuela

connection-limit for home user, and free connection-limit

Tue Jun 06, 2006 11:11 pm

My scenario:

I have a little WISP, with normal users (home user, one PC), and SOHO, cyber cafe or office customers with 10 or more PCs.

Now, if I apply this rule

/ip firewall filter add action=drop connection-limit=5,32 protocol=tcp tcp-flags=syn chain=forward

this rule limits each user to 6 connections.


I will have a problem for my SOHO customers, but it works for home users.

Now I have two segments: the normal user segment is 192.168.150.x/24,
and for SOHO it is 192.168.200.x/24.


If I apply this rule

add chain=forward src-address=192.168.150.0/24 protocol=tcp tcp-flags=syn connection-limit=5,32 action=drop comment="limit one pc internet for home" disabled=no

does it work??? My question is because I put /24 in src-address, and in connection-limit the mask is 32 bits????


Or is the correct rule

add chain=forward src-address=192.168.150.0 protocol=tcp tcp-flags=syn connection-limit=5,24 action=drop comment="limit one pc internet for home" disabled=no

Look, I changed src-address to put only the segment without /24, and in connection-limit I put the 24-bit mask.

I want to control the normal user; I want the normal user to not be able to share the internet, but the SOHO customer can share the internet.


Best Regards
Daniel White
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Wed Jun 07, 2006 1:41 pm

If you want to limit connections for one host then you enter /32; if you want to limit the whole network then use /24, but remember that if you limit the whole network, one user of the network can use all available connections and other ppl on that network would not be able to use the network at all.

And no, you cannot detect if a home user is using a router with properly configured NAT (masquerade).
maxfava
Member Candidate
Posts: 222
Joined: Mon Oct 17, 2005 12:30 am

Wed Jun 07, 2006 4:28 pm

I have many doubts about limiting connections per user.
Does this rule limit new connections opened at the same time, or the total?
I tried to open a p2p client on a host and its statistics show 400 connections while on the MK the limit was set to 50.

The manual is not very clear.
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Wed Jun 07, 2006 4:52 pm

Connections to the router or through it?
maxfava
Member Candidate
Posts: 222
Joined: Mon Oct 17, 2005 12:30 am

Thu Jun 08, 2006 2:05 am

I have added a rule like this:
add chain=forward src-address=192.168.150.0 protocol=tcp tcp-flags=syn connection-limit=5,24 action=drop
samsoft08
Long time Member
Posts: 613
Joined: Sat Nov 26, 2005 10:52 pm

Thu Jun 08, 2006 2:06 am

Well, I always say we need a MANUAL to read the MT MANUAL.
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Thu Jun 08, 2006 8:26 am

As we can read in the manual:
To only allow not more than 5 simultaneous connections from each of the clients, do the following:

/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop
sergejs
MikroTik Support
Posts: 6689
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Thu Jun 08, 2006 8:58 am

Note, the limit is for TCP connections.
If you want to set a limit for each network client, use the command janisk provided.
maxfava
Member Candidate
Posts: 222
Joined: Mon Oct 17, 2005 12:30 am

Thu Jun 08, 2006 9:35 am

Thank you.

OK, but "simultaneous", what does it mean:
total connections opened?
connections opened per second?

In some cases the client router hangs because the number of connections opened is too high.

What do you suggest?
aitsecurity
Frequent Visitor
Topic Author
Posts: 84
Joined: Thu Mar 16, 2006 12:28 am
Location: venezuela

Fri Jun 09, 2006 4:46 am

If you want to limit connections for one host then you enter /32; if you want to limit the whole network then use /24, but remember that if you limit the whole network, one user of the network can use all available connections and other ppl on that network would not be able to use the network at all.

And no, you cannot detect if a home user is using a router with properly configured NAT (masquerade).

Thanks for your answer. What is "ppl" for you?
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Fri Jun 09, 2006 9:50 am

ppl is short for "people" :oops:
music
newbie
Posts: 26
Joined: Fri Oct 14, 2005 3:09 pm
Location: Serbia

Sat Jul 08, 2006 4:46 pm

As we can read in the manual:
To only allow not more than 5 simultaneous connections from each of the clients, do the following:

/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop

OK. Very good. But what if I want to limit the user IP 192.168.1.1/32 to 300 connections and all others to 5...

How to do that?
maxfava
Member Candidate
Posts: 222
Joined: Mon Oct 17, 2005 12:30 am

Sat Jul 08, 2006 5:15 pm


/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=300,32 action=drop src-address=192.168.1.1

But I do not know if it conflicts with the previous rule.
Differentiate the rules by src-address.
music
newbie
Posts: 26
Joined: Fri Oct 14, 2005 3:09 pm
Location: Serbia

Sat Jul 08, 2006 9:03 pm

Is it enough to add the first rule in the chain with the IP address and after that the rule for all others?

1. rule in the chain - for user 192.168.1.1, limit at 300 connections:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=300,32 action=drop src-address=192.168.1.1

2. rule in the chain - for all others, 6:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop
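Two points in this thread are easy to get wrong without seeing the packets counted: janisk's /32 versus /24 distinction (a /24 mask pools the whole segment into one budget, so one host can exhaust it for everyone), and the last post's question about stacking a per-host drop rule before a general drop rule. The following Python model is an added illustration written for this page; it is not RouterOS code and not from any poster. It assumes the matcher semantics described in the thread (count open TCP connections whose source falls in the same /mask block as the new SYN, match once that count reaches the limit, first matching rule decides), and the exact off-by-one threshold is a labelled assumption. The `host_exempted` variant with an explicit accept rule is an assumed fix, not something the thread itself proposes.

```python
"""Toy model of a firewall forward chain with a connection-limit matcher.

Added illustration for this thread, not RouterOS code. It mimics only the documented
shape connection-limit=<count>,<netmask>: count the open TCP connections whose source
falls in the same /netmask block as the new SYN, and let the rule match once that
count reaches the limit. Rules are walked in order; the first matching rule decides
(drop or accept); a SYN that matches nothing is accepted.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One forward-chain rule (hypothetical model of the rules shown in the thread)."""
    action: str = "drop"                 # "drop" or "accept"
    limit: Optional[int] = None          # connection-limit count; None = no connection-limit matcher
    mask: int = 32                       # connection-limit netmask: 32 = per host, 24 = per /24
    src_address: Optional[str] = None    # optional src-address matcher, e.g. "192.168.1.1" or "192.168.150.0/24"


class ForwardChain:
    def __init__(self, rules):
        self.rules = rules
        self.open_conns = []  # source IPs of currently open TCP connections (constructed state)

    def block_count(self, src, mask):
        """Open connections from the same /mask block as src."""
        block = ipaddress.ip_network(f"{src}/{mask}", strict=False)
        return sum(1 for a in self.open_conns if ipaddress.ip_address(a) in block)

    def new_syn(self, src):
        """Verdict for a new TCP SYN from src; accepted connections are recorded as open."""
        for rule in self.rules:
            if rule.src_address is not None and \
                    ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src_address, strict=False):
                continue
            if rule.limit is not None:
                # Assumed threshold: the matcher fires when the block already holds `limit`
                # connections, so the (limit+1)-th SYN is the first one affected. Whether the
                # real matcher counts the new connection itself is the off-by-one the thread argues over.
                if self.block_count(src, rule.mask) < rule.limit:
                    continue
            if rule.action == "drop":
                return "drop"
            self.open_conns.append(src)
            return "accept"
        self.open_conns.append(src)
        return "accept"


def run_scenario(rules, syns):
    """Feed a sequence of SYN source addresses through the chain and return the verdicts."""
    chain = ForwardChain(rules)
    return [chain.new_syn(src) for src in syns]


# Constructed traffic: two home hosts in the same /24, each opening four connections.
TWO_HOSTS = ["192.168.150.10"] * 4 + ["192.168.150.11"] * 4


def per_host_limit():
    """connection-limit=5,32: each host is counted on its own, so nobody is dropped."""
    return run_scenario([Rule(limit=5, mask=32)], TWO_HOSTS)


def per_network_limit():
    """connection-limit=5,24: the whole /24 shares one budget of 5; the second host starves."""
    return run_scenario([Rule(limit=5, mask=24)], TWO_HOSTS)


# Constructed traffic: the privileged host from the thread's last post opening eight connections.
BIG_HOST = ["192.168.1.1"] * 8


def two_drop_rules():
    """Thread's proposal: host rule (300) first, general rule (6) second, both action=drop.
    The host rule never matches below 300, so the general rule still drops the 7th SYN."""
    rules = [Rule(action="drop", limit=300, mask=32, src_address="192.168.1.1"),
             Rule(action="drop", limit=6, mask=32)]
    return run_scenario(rules, BIG_HOST)


def host_exempted():
    """Assumed fix (not from the thread): after the host's own limit rule, accept the host
    explicitly so the general rule never sees its traffic."""
    rules = [Rule(action="drop", limit=300, mask=32, src_address="192.168.1.1"),
             Rule(action="accept", src_address="192.168.1.1"),
             Rule(action="drop", limit=6, mask=32)]
    return run_scenario(rules, BIG_HOST)


if __name__ == "__main__":
    print("5,32 two hosts :", per_host_limit())
    print("5,24 two hosts :", per_network_limit())
    print("two drop rules :", two_drop_rules())
    print("host exempted  :", host_exempted())
```

Running the script shows the /24 budget being eaten by the first host before the second has opened its fourth connection, and the two-drop-rule layout still cutting the privileged host off at the general limit; only the explicit accept (or, equivalently, excluding the host from the general rule's src-address) keeps the 300 budget meaningful.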