I have a P2P machine on my network that I am trying to limit the number of active TCP connections for. I put in the IP address and set the TCP limit to 1000, yet when I go into the "View Details" section of QoS and only view the number of TCP connections for that one machine it will be 3000+.
Am I doing something wrong or is this broken? From my understanding there should only be ~1000 listed.
Go to the "advanced" - "conntrack" menu and click "Expire Early" Then review the connections list again. You might want to test with a 25 connection limit instead of 1,000 until you see it working. Reboot router after config changes to be sure they are effected.
Thanks for the quick reply, I did this, set the TCP limit to only 10 for that machine and rebooted. Still not working as I am seeing many more than 10 in the "View Details" section of QoS. Btw I am using "Version 1.28 by shibby"
You clicked the "Expire Early" button and then you still see an excess of connections ? If yes, then put this in your firewall script and test after reboot ;
iptables -I FORWARD -p tcp —syn -m iprange —src-range 192.168.22.10-192.168.22.250 -m connlimit —connlimit-above 10 -j DROP
or this alternate syntax ;
iptables -I FORWARD -p tcp -m iprange —src-range 192.168.22.10-192.168.22.250 -m connlimit —connlimit-above 10 -j DROP
Adjust IP range to match the computes(s) on your LAN that you wish to control.
Hey bud,
I tried both those iptables commands, modified the ip to set it as my machines, pasted them in the firewall script section, rebooted the machine, & rebooted the router. I monitored after and am still seeing way more than 10 tcp connections start up within the first minute in the "View Details" section of QoS.
I don't know what is going wrong, I have double and triple checked that I am using the right IP for this machine yet as soon as I start the p2p application TCP connection numbers fly up way past the threshold I have set in Tomato
Lastly if it helps any, 90%+ of these connections are in the "Time Wait" section when I look on the "Conntrack" page.
My earlier instructions were not quite accurate. The menu location is under "Advanced" - "Conntrack/netfilter" the correct name of the button to click is "Drop Idle" ( not expire early ).
The excessive connections you are seeing are actually terminated connections that are still waiting to time out. The Drop Idle button will terminate them immediately so you will momentarily see only the accurate number of active connections in the QOS Details screen, but the time-wait connections will re-accumulate. The settings in the conntrack/netfilter screen determine how long a terminated connection will wait until dropped from memory. This is the normal way of operation and does not indicate a malfunction.
With p2p service running through the router you need to watch the amount of free memory. As long as you maintian 15% or more you should be fine.
If you notice that the majority of the p2p connections are in the port range above #1024 then you can use this firewall rule to drop only an excess of connections in that range. This will allow the regular internet ( or any service using port numbers below 1025 ) to still function on that computer even when the p2p ports are maxed out and are being dropped ;
iptables -I FORWARD -p tcp —dport 1025:65535 -m connlimit —connlimit-above 10 -j DROP
If you want to also limit the total number of UDP connections you can use this ;
iptables -I FORWARD -m iprange —src-range 192.168.22.10-192.168.22.250 -p ! tcp -m connlimit —connlimit-above 10 -j DROP
From the GUI, some Tomato firmware can limit the number of new UDP connections allowed per second, but you need to use the above rule to limit the total UDP connections.
Edit - The firewall scripts are from a few years back. If they do not seem to work on your version of Tomato them post the exact release you are using and what router it is on. I may be able to help refine them. Remember, you MUST reboot the router for firewall rules to take effect.
I tried the scripts and they still did not work. My firmware is "build5x-105-EN" for the linksys E3200
I was playing with the bandwidth limiter today and set the speed to 10kbps just to test and that DID work on that machine when I tested it, however when I try to limit the TCP connections it does not.
Does QoS need to be enabled for the Bandwidth Limiter or your scripts to work? I assumed not since the Bandwidth Limiter and QoS settings are on two separate pages in the router's setup.
The only other thing I put before the scripts was a "sleep 180" just in case the script failed so I have 3 minutes to get into the router and remove it. i made sure though to wait 5 minutes after the router rebooted to test your scripts with my machine.
I sent you images of my routers settings (minus personal info) that I modified, everything else I left alone other than wireless security settings. This particular machine is wired though and has a static IP (set on the machine) of 192.168.1.148. I made sure the router's auto DHCP range ends at 192.168.1.146 so it does not try to give the IP to another machine.
To test I set the bandwidth limiter to 10 TCP 1/s UDP though after 5 seconds of the machine booting I took a screen shot showing just how many connections were opened past the limit. I set the speed to 999… because I am aiming to limit connections, not speed for this machine. The speed I have set already in the torrent client.
Let me know if you see anything wrong.
I got the screen shots you sent. I'll flash up that version of firmware and see what I can do. Might be tomorrow morning before I get back to you.
I have flashed and tested a lot of firmware and configs. My firewall scripts definitely do not work. I spent a lot of time messing with them and finally gave up.
I was able to replicate the limit problem once. It seemed to happen after upgrading from 101 to 105 and not performing an NVram clear. I had the limiter set for 20 and was able to open several web pages simultanously with over 500 connections, and there was no limiting. After an NVram clear I was not able to break the limiting. It worked fine. It even includes connections to the router in the limiting, so I kept locking myself out of the router and had to wait two minutes for some connections to time out before continuing.
Version 108 did seem to allow about double the count that I had configured, and 101 seemed to regulate more accurately. It is all starting to run together now in my mind so I might have imagined it.
If you reset to defaults and re-configure it should work for you. If not I will flash back to 101 and do a dirty upgrade to verify that this was the cause.
Wow thanks for taking the time to do all this! So you suggest staying on my current firmware, resetting everything and re-configuring the router again? To reset do you suggest the 30/30/30 method?
