Session/Connection limits


MaximumISP
01-13-2009, 01:11 PM
Hi all, I have a number of Tomato routers that I use here and there as gateways to do some basic traffic shaping.
One of the greatest things it can do is create connection limits for any users using a very basic script in the firewall area, as shown below:

iptables -I FORWARD -p tcp --syn -m iprange --src-range 10.212.1.100-10.212.3.200 -m connlimit --connlimit-above 60 -j DROP
iptables -I FORWARD -p tcp --syn -m iprange --src-range 10.212.3.1-10.212.3.254 -m connlimit --connlimit-above 60 -j DROP
iptables -I FORWARD -m iprange --src-range 10.212.1.100-10.212.3.200 -p ! tcp -m connlimit --connlimit-above 60 -j DROP
iptables -I FORWARD -m iprange --src-range 10.212.3.1-10.212.3.254 -p ! tcp -m connlimit --connlimit-above 60 -j DROP

This limits all users in those IP ranges to no more than 60 sessions and I find it very effective.

Does any Linux guru out there know of a way to do a similar thing on the UBNT gear?


Thanx Much

netmaster
01-13-2009, 02:43 PM
This limits all users in those IP ranges to no more than 60 sessions and I find it very effective.

In theory, you can do this with AirOS, but if I remember correctly, some modules for that are missing in the standard firmware. If you have one customer per device, then similar results can be achieved very easily, and without any extra modules, by changing the conntrack_max value in /proc/...

This limits all users in those IP ranges to no more than 60 sessions and I find it very effective.

Yeah, for you, sure. Think like a customer who can't understand why the connection just sucks without any visible reason (connections get dropped randomly). I have problems there with customers who literally kill their own router by flooding thousands of connections, but 60 is far too few in my opinion.

For my free WiFi hotspot project, I wrote a small script to parse the kernel conntrack table and count connections every 10 minutes or so. If the limit is reached, then traffic is locked (with a simple iptables rule) until the connection count is lower again. At the same time (with another iptables rule), all attempts to use HTTP are forwarded to another instance of the internal web server to show a message about the reasons. Everybody is happy, and again, no extra modules needed. This should be possible with standard AirOS also, at least the locking part.

I must admit, if they can tolerate this and can't choose a new provider, then connection count limiting is an easy way to harass your own customers and prevent them from using p2p networks.

MaximumISP
01-13-2009, 07:35 PM
Hi Netmaster,
and without any extra modules, by changing the conntrack_max value in /proc/...

Could you elaborate more on how to do this please? These are not values
I recognise from a simple config file and I am not a Linux guru.

Yeah, for you, sure. Think like a customer who can't understand why the connection just sucks without any visible reason (connections get dropped randomly).

OK, fair enough, but the issue I have is that network usage has gone from a basic information
and communications medium to an entertainment resource.

The vast majority of my users are using p2p, Torrentz, YouTube or some form of streaming media
almost exclusively. This creates real problems on a half duplex wireless network,
especially for the poor old man who wants to get his email between 4:00-11:00 pm.
Not exactly fair for that guy at all.

I have seen first hand many times that a torrent program running,
even with no data moving (no peers available),
still causes issues due to the massive amount of simultaneous connections it's trying to make.

So a balance mechanism of some kind must be used,
and the options seem to be limited.
I don't want to block any type of usage as this goes against
the fundamental ideal behind net neutrality,
which in principle I do agree with.

1) Port filtering, which is ineffective for many of the p2p programs anyway;
most use dynamic ports or encryption techniques now.
2) Layer seven filtering is rather expensive and has a lot of overhead.
3) Queuing or token bucket approaches: many of these offenders get throttled, sure,
but they aren't very happy about it either.

Session limits to me are an effective and fair method; they can all
still do whatever they want with their connection,
but no one is getting 1000+ sessions anymore.

The way I have it they are permitted up to 60 TCP and 60 UDP sessions simultaneously,
for a possible total of up to 120 sessions
(I know another WISP that only allows 20 total),
so I thought I was being pretty generous.

I have problems there with customers who literally kill their own router by flooding thousands of connections, but 60 is far too few in my opinion.

Obviously you have some experience with this, but using your project script example:
If the limit is reached, then traffic is locked (with a simple iptables rule) until the connection count is lower again. At the same time (with another iptables rule), all attempts to use HTTP are forwarded to another instance of the internal web server to show a message about the reasons.

So any further connections are blocked until the session count goes down.
Now if I understand it correctly then that doesn't seem like a fair solution either.
Assuming you have implemented that on the AP or hotspot gateway,
it means some continuous p2p users could essentially lock
new users from having any access at all.
Is this an accurate assessment of your method?

It's easy enough for me to change my limits,
so what would you recommend for a more appropriate limit if 120 isn't enough?
I am open to any suggestions on finding a fair method
to deal with these issues.

Thanx

netmaster
01-14-2009, 04:35 AM
Could you elaborate more on how to do this please? These are not values I recognise from a simple config file and I am not a Linux guru.

Do some testing first.
Go to http://192.168.1.20/admin.cgi, paste 'cat /proc/sys/net/ipv4/ip_conntrack_max' into the "Command Line" and this will tell you how long the conntrack table is by default (usually 4096 in AirOS). Then do 'echo 100 > /proc/sys/net/ipv4/ip_conntrack_max' and check again whether it is now 100. To make this change permanent, some startup script is needed, but this is another story. Please notice that limiting connections that way works only if the device is in "router" mode.

Assuming you have implemented that on the AP or hotspot gateway,
it means some continuous p2p users could essentially lock
new users from having any access at all.
Is this an accurate assessment of your method?

No. First, the script gets a list of active IPs, then gets the current connection count for every IP (from /proc/net/ip_conntrack), and if the limit is reached, checks whether this IP is already blocked, and if not, then blocks that single IP. Because there is no easy way to remove connections from that table, clients simply must wait until enough of their connections have expired. Generally, an IP gets banned if more than 200 connections are found, and unbanned again if fewer than 50 connections remain.

I am open to any suggestions on finding a fair method
to deal with these issues.

As I wrote, I do this only in free WiFi hotspots to prevent abusing them, and in a more civilized way. If a customer is blocked, then appropriate information will be displayed in the browser, no matter what URL it is using. For example, instead of the www.google.com page, it will get my page, which says that this MAC and IP is banned for one or another reason.
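As an added example, not netmaster's own script (he did not post it): a small POSIX/busybox shell version of what he describes, counting connections per client IP from the conntrack table and banning with his 200/50 thresholds. The sample conntrack lines, the FORWARD DROP rule and the state file are my assumptions; the HTTP notice-page redirect is left out.

```shell
#!/bin/sh
# Added example, not netmaster's script (he did not post it): count conntrack entries
# per client IP and apply the ban/unban hysteresis he describes (ban above 200
# connections, unban once fewer than 50 remain). Assumptions: classic
# /proc/net/ip_conntrack layout where the first "src=" on a line is the client's
# original direction; IPTABLES defaults to a dry run that only prints the rules.
BAN_ABOVE=200
UNBAN_BELOW=50
CONNTRACK_FILE="${CONNTRACK_FILE:-/proc/net/ip_conntrack}"
BANNED_FILE="${BANNED_FILE:-/tmp/banned_ips}"   # state: one banned IP per line
IPTABLES="${IPTABLES:-echo iptables}"           # set IPTABLES=iptables to enforce
# Constructed sample of a conntrack dump (two flows from .100, one from .7).
SAMPLE_CONNTRACK='tcp 6 431999 ESTABLISHED src=10.212.1.100 dst=203.0.113.9 sport=33001 dport=80 src=203.0.113.9 dst=10.212.1.100 sport=80 dport=33001 [ASSURED] use=1
udp 17 29 src=10.212.1.100 dst=203.0.113.53 sport=5353 dport=53 src=203.0.113.53 dst=10.212.1.100 sport=53 dport=5353 use=1
tcp 6 100 TIME_WAIT src=10.212.3.7 dst=203.0.113.9 sport=40000 dport=443 src=203.0.113.9 dst=10.212.3.7 sport=443 dport=40000 [ASSURED] use=1'
# count_connections: conntrack dump on stdin -> one "<count> <ip>" line per client IP.
count_connections() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++; break } }
         END { for (ip in n) print n[ip], ip }'
}
# count_for_ip <ip> <dump-text>: connections originated by one IP (0 if none).
count_for_ip() {
    printf '%s\n' "$2" | count_connections |
        awk -v ip="$1" '$2 == ip { print $1; f = 1 } END { if (!f) print 0 }'
}

# decide <count> <banned 0|1> -> ban | unban | keep. The gap between the two
# thresholds keeps a client from flapping in and out of the ban on every run.
decide() {
    if [ "$2" -eq 0 ] && [ "$1" -gt "$BAN_ABOVE" ]; then echo ban
    elif [ "$2" -eq 1 ] && [ "$1" -lt "$UNBAN_BELOW" ]; then echo unban
    else echo keep; fi
}
is_banned() { grep -qx "$1" "$BANNED_FILE" 2>/dev/null && echo 1 || echo 0; }

# run_once: meant to be called from cron every few minutes, as the post suggests.
run_once() {
    table=$(cat "$CONNTRACK_FILE")
    for ip in $({ printf '%s\n' "$table" | count_connections | cut -d' ' -f2
                  cat "$BANNED_FILE" 2>/dev/null; } | sort -u); do
        case "$(decide "$(count_for_ip "$ip" "$table")" "$(is_banned "$ip")")" in
            ban)   $IPTABLES -I FORWARD -s "$ip" -j DROP; echo "$ip" >> "$BANNED_FILE" ;;
            unban) $IPTABLES -D FORWARD -s "$ip" -j DROP
                   grep -vx "$ip" "$BANNED_FILE" > "$BANNED_FILE.new" || true
                   mv "$BANNED_FILE.new" "$BANNED_FILE" ;;
        esac
    done
}
case "${1:-}" in run) run_once ;; esac   # usage: sh limiter.sh run
```

Run it with IPTABLES=iptables only on a device in router mode with NAT on, since that is where the conntrack table is populated.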

MaximumISP
01-14-2009, 04:59 AM
Paste 'cat /proc/sys/net/ipv4/ip_conntrack_max' into the "Command Line" and this will tell you how long the conntrack table is by default (usually 4096 in AirOS). Then do 'echo 100 > /proc/sys/net/ipv4/ip_conntrack_max' and check again whether it is now 100.

Yes, it shows exactly as you said;
this means it's now set to 100, right.... Nice.

To make this change permanent, some startup script is needed, but this is another story. Please notice that limiting connections that way works only if the device is in "router" mode.

It would be fantastic to know how to be able to script this
to stay after reboot.
Too bad it can't be used in bridge mode, as most of the problem clients
have indoor wireless routers installed and for them we run our radio in bridge mode.

No. First, the script gets a list of active IPs, then gets the current connection count for every IP, and if the limit is reached, checks whether this IP is already blocked, and if not, then blocks that single IP.

Now that is a nice solution, netmaster. Could your script be adapted to, say,
any UBNT unit running as an AP in router mode then?
Would you be willing to share this script?
I bet there are a number of people who would be interested in this.
What do you recommend for an appropriate connection limit (100)?

Thanx Much, this is great info.

netmaster
01-14-2009, 05:47 AM
It would be fantastic to know how to be able to script this
to stay after reboot.

The magic "command line" for that would be (in one line):

echo 100 > /proc/sys/net/ipv4/ip_conntrack_max && echo "echo 100 > /proc/sys/net/ipv4/ip_conntrack_max" > /etc/persistent/rc.poststart && cfgmtd -p /etc -w && cat /etc/persistent/rc.poststart

If everything is okay, then it will output "echo 100 > /proc/sys/net/ipv4/ip_conntrack_max" and after that, it should be permanent.

PS: I also discovered that NAT must be turned on to use this. In router mode it usually is on.

Now that is a nice solution, netmaster. Could your script be adapted to, say, any UBNT unit running as an AP in router mode then? Would you be willing to share this script?

If UBNT some day releases one relatively bug-free version of AirOS and the SDK, then I have plans to port all these fancy things into some custom version of AirOS. Maybe then ...

MaximumISP
01-14-2009, 05:52 AM
Thanx NetMaster,
that is very helpful.
I wonder if there is some method to do the same in bridge mode;
that would be a great fix for me until you find that stable version.

Hope to see it soon :)

netmaster
01-14-2009, 06:28 AM
I wonder if there is some method to do the same in bridge mode

No. You see, a bridge does not care about IP connections at all. A bridge does not track layer 3 traffic and for that reason connection counts can not be limited or even counted. A bridge deals with layer 2, or with MAC addresses.

I think that in theory some type of IP connection limiter can be built on top of the bridge, but this is more complicated and for sure can not be achieved with the default firmware.

Edit:
Actually, because UBNT uses a "fake" bridge in non-WDS modes, connections can be counted with 'cat /proc/net/arpnat_cache', but I do not know a way to limit them. With WDS mode, it is a true bridge, arpnat is not used anymore, and IP connections are not tracked at all.

raytaylor
01-15-2009, 01:39 AM
I have only just recently started and am using Kerio WinRoute as our main routing server software. I plan to move to a Linux based system once I have learned enough about Linux that I can support it.

Basically we have a limit of 300 connections per customer. Kerio has a nice shaping feature where you can define specific services / ports and if a single connection downloads / uploads more than x kilobytes without being idle for more than y seconds then it throttles all connections from that IP address to z speed.

It also has a p2p blocker that blocks p2p traffic and allows specific services / ports to run. So between 5 and 11pm, we have p2p blocked but other stuff like HTTP and email or MSN Messenger will still run if p2p is detected.
Between 5-11pm we also use the shaping feature to limit HTTP, so once a single connection uses more than 60MB without being idle for more than 30 seconds, it limits their connection to 256k. They can get around this with a download manager that downloads files in parts, but not many know about this and we have the p2p blocker to stop LimeWire and BitTorrent downloading in parts. They can pay extra for a 'premium' connection that has a flat limit of 512k but they don't get p2p blocked like the normal 2mbit users do.

The 300 connection limit works well for stopping torrent software from overloading the servers and creating useless traffic for failed connections, and I educate the customers on how to customise uTorrent or Vuze to set its options to only use 250 connections max.
A how-to with popular software is included with our sign up / new user pack.

We use SoftPerfect Bandwidth Manager to limit premium users to the 512k speed. It can also do many of the things that Kerio does but I find Kerio is easier to manage.

WHT
03-27-2011, 07:09 AM
We use softperfect bandwidth manager to limit premium users to the 512k speed.
SoftPerfect has a neat monitor also - NetWorx. http://www.softperfect.com/products/networx/
