Limiting active connections per client using rate limiting and conntrack

I have a strange issue on my network where wireless clients will periodically flood my router with DHCP renew requests (thousands per minute) until OpenWrt hits its connection limit and drops all of its current connections. I tried to rate limit Allow-DHCP-Renew and Allow-DHCPv6 requests to 10 requests per second and I raised my net.nf_conntrack_max to 64,000 to try and mitigate the issue, but the router still gets overwhelmed when the devices flood it with DHCP requests and raising the limit effectively made the problem worse by making the router take longer to drop all connections and return to normal.

Is there a way for me to enforce a connection limit on a per-client basis and drop the problematic client when it hits that number of connections? Or does anyone have any other ideas how I can mitigate this problem?

set static IPs on the problematic clients ... ?

I'll statically assign everything currently connected and see if it fixes the problem, but I'd still like to be able to implement some kind of rule in case people connect a device to the WiFi and I don't immediately notice it and assign it a static IP address.

I also don't know the underlying cause of the devices spamming the router, so it'd be preferable to have a solution that is applicable to more than one form of traffic (in case they're also flooding the router with some kind of traffic besides DHCP renewals).
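As an added example (mine, not code from this thread or from OpenWrt) that matches the wish for something not tied to DHCP alone, here is a small Python script that reads the router's conntrack table and reports which LAN client is holding the entries. It assumes /proc/net/nf_conntrack is readable on the router, that a per-client cap of 20 is a value you pick (it only suits the constructed sample), and that the `conntrack` command-line tool from conntrack-tools is installed for flushing an offender's entries.

```python
#!/usr/bin/env python3
"""Report LAN clients holding more conntrack entries than a per-client cap.
Parses /proc/net/nf_conntrack (the table bounded by net.nf_conntrack_max).
Hypothetical helper written for this thread, not an OpenWrt tool."""
from collections import Counter
import os

CONNTRACK_PATH = "/proc/net/nf_conntrack"

def parse_conntrack(text):
    """Yield (proto, src, dport) for each entry's original direction: the first
    src=/dport= tokens on a line are original, the later ones the reply."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        src = next((f[4:] for f in fields if f.startswith("src=")), None)
        dport = next((int(f[6:]) for f in fields if f.startswith("dport=")), None)
        if src is not None:
            yield fields[2], src, dport

def count_per_client(entries, proto=None, dport=None):
    """Tracked flows per source address; proto="udp", dport=67 isolates DHCP."""
    counts = Counter()
    for p, src, dp in entries:
        if (proto is None or p == proto) and (dport is None or dp == dport):
            counts[src] += 1
    return counts

def offenders(counts, limit):
    """Clients holding more entries than the per-client cap, worst first."""
    return sorted(((ip, n) for ip, n in counts.items() if n > limit),
                  key=lambda item: -item[1])

# Constructed sample table: one client with a burst of DHCP renewals, one
# ordinary TCP flow, and a broadcast DHCP discover (source 0.0.0.0).
SAMPLE = "\n".join(
    [f"ipv4     2 udp      17 {i} src=192.168.1.50 dst=192.168.1.1 sport={40000 + i} "
     f"dport=67 [UNREPLIED] src=192.168.1.1 dst=192.168.1.50 sport=67 dport={40000 + i} "
     "mark=0 zone=0 use=2" for i in range(25)]
    + ["ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=198.51.100.9 "
       "sport=51000 dport=443 src=198.51.100.9 dst=203.0.113.7 sport=443 dport=51000 "
       "[ASSURED] mark=0 zone=0 use=2",
       "ipv4     2 udp      17 29 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67 "
       "[UNREPLIED] src=255.255.255.255 dst=0.0.0.0 sport=67 dport=68 mark=0 zone=0 use=2"])

if __name__ == "__main__":
    text = open(CONNTRACK_PATH).read() if os.path.exists(CONNTRACK_PATH) else SAMPLE
    for ip, n in offenders(count_per_client(parse_conntrack(text)), limit=20):
        print(f"{ip}: {n} tracked flows; flush them with: conntrack -D -s {ip}")
```

For enforcement inside the kernel rather than from a script, the iptables `connlimit` match (`-m connlimit --connlimit-above N --connlimit-mask 32`) drops new flows once a single source address already holds more than N tracked connections.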

Wouldn't this just be local traffic so you can't limit it using iptables?
You could maybe deploy ebtables instead.

My mistake. Post deleted.

Is DHCP traffic being monitored by conntrack?

Do the offending devices continue to send so much traffic, after you hit them with a hammer, repeatedly?

I assume it is, but I'm relatively inexperienced in OpenWrt/Linux networking, so I'm not in a good position to give you a definitive answer.

I'm guessing they wouldn't, but they're other people's devices. In this case, the consequences for physically modifying their behavior would probably be more severe than being DoS'd by devices on my own LAN :sweat_smile: