RouterOS version 2.9 will make it possible to limit the number of connections from a single IP, protocol or other match parameter. Version 2.8 does make it possible to limit the impact from a customer or protocol by limiting the number of packets coming from that customer or protocol.

To accomplish this, we must add two rules. The first has an action of accept; the second drops the traffic that "overflows" the first.

For this example, we will place the rules in the forward chain. This will limit traffic flowing THROUGH the router.

/ip firewall rule forward
add src-address=10.10.10.1/32 limit-count=75 limit-burst=1 limit-time=1s action=accept
add src-address=10.10.10.1/32 action=drop


The first rule above (the accept rule) limits traffic to 75 packets per second. On the 76th packet within a single second, the rule no longer matches and the packet passes down to the second rule (the drop rule), which drops all traffic coming from 10.10.10.1/32. Note that the "limit-burst" parameter must NOT be "0" for this to work.

You can limit peer to peer traffic in a similar manner. Consider the following rules:

/ip firewall rule forward
add p2p=all-p2p limit-count=75 limit-burst=1 limit-time=1s action=accept
add p2p=all-p2p action=drop



The above rules match on the p2p protocol instead of on source IP as in the first example. The mechanism works exactly the same way, however: the accept rule matches up to the limit, and everything beyond it falls through to the drop rule.
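The following is an added simulation of both rule pairs above (the source-address pair and the p2p pair); it is illustration code written for this page, not RouterOS code. It models the limit as a simple fixed-window counter (at most limit_count matches per limit_time window), which is how the text describes the behaviour; RouterOS's real limit implementation is assumed to be more elaborate. The packet sets, addresses and the Packet/Rule names are all constructed for the example.

```python
"""Simplified model of the accept-then-drop rate-limit pair described above.

Added illustration, not RouterOS code.  The limiter is modelled as a fixed
window counter (at most limit_count matches per limit_time window), which is
how the text explains it; RouterOS's actual limit implementation may differ.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Packet:
    time: float          # seconds since start of the simulation
    src: str             # source address, e.g. "10.10.10.1"
    p2p: bool = False    # True if classified as peer-to-peer traffic


@dataclass
class Rule:
    match: Callable[[Packet], bool]    # address / protocol matcher
    action: str                        # "accept" or "drop"
    limit_count: Optional[int] = None  # matches allowed per window; None = no limit
    limit_burst: int = 0               # must be > 0 for the limit to ever match
    limit_time: float = 1.0            # window length in seconds
    seen: Dict[int, int] = field(default_factory=dict)  # window index -> matches so far

    def matches(self, pkt: Packet) -> bool:
        if not self.match(pkt):
            return False
        if self.limit_count is None:
            return True                   # plain matcher, no rate limit
        if self.limit_burst <= 0:
            return False                  # page caveat: limit-burst=0 never matches
        window = int(pkt.time // self.limit_time)
        used = self.seen.get(window, 0)
        if used >= self.limit_count:
            return False                  # over the limit: fall through to the next rule
        self.seen[window] = used + 1
        return True


def run_chain(rules: List[Rule], packets: List[Packet], default: str = "accept") -> List[str]:
    """First matching rule decides each packet; unmatched packets get the chain default."""
    verdicts = []
    for pkt in packets:
        verdict = default
        for rule in rules:
            if rule.matches(pkt):
                verdict = rule.action
                break
        verdicts.append(verdict)
    return verdicts


def limit_pair(match: Callable[[Packet], bool]) -> List[Rule]:
    """The two rules from the text: limited accept first, unconditional drop second."""
    return [
        Rule(match, "accept", limit_count=75, limit_burst=1, limit_time=1.0),
        Rule(match, "drop"),
    ]


def by_src(addr: str) -> Callable[[Packet], bool]:
    """Matcher equivalent to src-address=<addr>/32."""
    return lambda p: p.src == addr


def is_p2p(p: Packet) -> bool:
    """Matcher equivalent to p2p=all-p2p."""
    return p.p2p


def tally(verdicts: List[str]) -> Dict[str, int]:
    """Count how many packets were accepted and dropped."""
    return dict(Counter(verdicts))


def flood(src: str, n: int, start: float = 0.0, p2p: bool = False) -> List[Packet]:
    """Constructed sample traffic: n packets 5 ms apart, so 100 packets fit in one 1 s window."""
    return [Packet(time=start + i * 0.005, src=src, p2p=p2p) for i in range(n)]


if __name__ == "__main__":
    rules = limit_pair(by_src("10.10.10.1"))
    print(tally(run_chain(rules, flood("10.10.10.1", 100))))  # {'accept': 75, 'drop': 25}
    print(tally(run_chain(limit_pair(is_p2p), flood("10.10.10.9", 80, p2p=True))))
```

Running it shows the fall-through: of 100 packets in one second from 10.10.10.1, 75 hit the accept rule and 25 fall to the drop rule, while traffic from any other address is untouched by either rule. The same harness also shows two mistakes worth checking for in a real rule set: setting limit-burst to 0 makes the accept rule never match, so everything is dropped, and putting the drop rule before the accept rule drops the host outright.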



