My earlier instructions were not quite accurate. The menu location is under "Advanced" - "Conntrack/netfilter", and the correct name of the button to click is "Drop Idle" (not "expire early").
The excessive connections you are seeing are actually terminated connections that are still waiting to time out. The Drop Idle button will terminate them immediately so you will momentarily see only the accurate number of active connections in the QOS Details screen, but the time-wait connections will re-accumulate. The settings in the conntrack/netfilter screen determine how long a terminated connection will wait until dropped from memory. This is the normal way of operation and does not indicate a malfunction.
With p2p service running through the router you need to watch the amount of free memory. As long as you maintain 15% or more you should be fine.
If you notice that the majority of the p2p connections are in the port range above #1024 then you can use this firewall rule to drop only an excess of connections in that range. This will allow the regular internet (or any service using port numbers below 1025) to still function on that computer even when the p2p ports are maxed out and are being dropped:

iptables -I FORWARD -p tcp --dport 1025:65535 -m connlimit --connlimit-above 10 -j DROP
If you want to also limit the total number of UDP connections you can use this:

iptables -I FORWARD -m iprange --src-range 192.168.22.10-192.168.22.250 -p ! tcp -m connlimit --connlimit-above 10 -j DROP
From the GUI, some Tomato firmware can limit the number of new UDP connections allowed per second, but you need to use the above rule to limit the total UDP connections.
Edit - The firewall scripts are from a few years back. If they do not seem to work on your version of Tomato then post the exact release you are using and what router it is on. I may be able to help refine them. Remember, you MUST reboot the router for firewall rules to take effect.
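As an added example (not part of the post above), this shell script shows how to read the conntrack table the way the post describes it: it separates TIME_WAIT entries that are only waiting to expire from ESTABLISHED ones, and it counts, per LAN host, the connections in the 1025-65535 port range that the connlimit rule watches. The sample lines are constructed in the old /proc/net/ip_conntrack layout; on a real router you would feed that file in instead, and the awk syntax used is assumed to work on BusyBox awk.

```shell
#!/bin/sh
# Constructed sample of /proc/net/ip_conntrack lines (not real router output).
# Field 4 of a tcp line is the TCP state; the first src=/dport= pair is the
# original direction (LAN host -> remote port).
SAMPLE=$(cat <<'EOF'
tcp 6 431999 ESTABLISHED src=192.168.22.15 dst=203.0.113.7 sport=51001 dport=6881 src=203.0.113.7 dst=198.51.100.2 sport=6881 dport=51001 [ASSURED] use=1
tcp 6 110 TIME_WAIT src=192.168.22.15 dst=203.0.113.8 sport=51002 dport=6882 src=203.0.113.8 dst=198.51.100.2 sport=6882 dport=51002 [ASSURED] use=1
tcp 6 95 TIME_WAIT src=192.168.22.15 dst=203.0.113.9 sport=51003 dport=6883 src=203.0.113.9 dst=198.51.100.2 sport=6883 dport=51003 [ASSURED] use=1
tcp 6 60 TIME_WAIT src=192.168.22.15 dst=203.0.113.10 sport=51004 dport=443 src=203.0.113.10 dst=198.51.100.2 sport=443 dport=51004 [ASSURED] use=1
tcp 6 431999 ESTABLISHED src=192.168.22.20 dst=203.0.113.11 sport=51005 dport=80 src=203.0.113.11 dst=198.51.100.2 sport=80 dport=51005 [ASSURED] use=1
udp 17 29 src=192.168.22.20 dst=203.0.113.12 sport=51006 dport=53 src=203.0.113.12 dst=198.51.100.2 sport=53 dport=51006 [UNREPLIED] use=1
EOF
)

# Count TCP entries per state.  TIME_WAIT entries are the "terminated
# connections still waiting to time out" that inflate the QOS Details count.
state_counts() {
  printf '%s\n' "$1" | awk '$1 == "tcp" { n[$4]++ }
    END { for (s in n) print s, n[s] }' | sort
}

# For each LAN host, count connections whose original-direction dport is in
# 1025-65535 (the range the connlimit rule matches) and print the hosts with
# more than $2 such connections, i.e. the ones the DROP rule would be hitting.
over_limit_hosts() {
  printf '%s\n' "$1" | awk -v lim="$2" '
    $1 == "tcp" || $1 == "udp" {
      src = ""; dport = ""
      for (i = 1; i <= NF; i++) {
        if (src == "" && $i ~ /^src=/)     src = substr($i, 5)
        if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7) + 0
      }
      if (dport >= 1025) c[src]++
    }
    END { for (h in c) if (c[h] > lim) print h, c[h] }' | sort
}

# Stand-alone run: real use would be state_counts "$(cat /proc/net/ip_conntrack)".
state_counts "$SAMPLE"
over_limit_hosts "$SAMPLE" 2
```

Low ports such as 443 and 80 are left out of the per-host count on purpose, which is exactly why the post's rule keeps ordinary browsing working while excess p2p connections are dropped.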