timmartin
just joined
Topic Author
Posts: 12
Joined: Wed Sep 01, 2010 12:01 pm

Is it possible to detect encrypted BitTorrent?

Wed Sep 01, 2010 1:12 pm

I have a routerOS set up with NAT, and I've been able to do simple blocking by port. I was hoping to be able to detect and block (or ideally, throttle) P2P protocols, and I started with BitTorrent.

I've added a rule

/ip firewall filter
add chain=forward p2p=all-p2p action=drop

I tested this with a default install of Transmission BitTorrent client (running under Ubuntu) on a machine on the subnet, but it still seems to operate normally even with the firewall rule in place. I noticed that the docs said that p2p filtering doesn't work with encrypted BitTorrent, and that Transmission is set to prefer encryption, so I'm presuming this is the cause.

Is there any way around this, or are encrypted BitTorrent packets such that there's no reliable way of identifying them as BitTorrent? Should I be looking at the layer 7 filtering, or is that a waste of time for this?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Is it possible to detect encrypted BitTorrent?

Wed Sep 01, 2010 3:32 pm

In my opinion, trying to detect any P2P traffic is a waste of time. It's an arms race between you (and MikroTik, through the built-in filters) figuring out how to classify traffic and the users figuring out how to use new protocols to get around it. If you're selling bandwidth, you're selling bandwidth for whatever the hell they want to use it for. Figuring out how to mark P2P traffic is equivalent to blacklisting (figuring out what is bad), which is nearly always a bad idea.

The much better, cleaner and scalable approach is to whitelist traffic and mark everything you know to be good. HTTP, FTP, email, VoIP etc. all run on predictable ports and are easy to mark. Mark them. Then mark everything else. Then read the wiki on priority queueing and ensure that whitelisted traffic has priority over traffic that you didn't identify, which will include all P2P.

What are your reasons for wanting to drop P2P outright? Of course I'm aware that the vast majority of P2P traffic is used for pirating software and media, but there are very legitimate uses for it (downloading Linux distributions, apparently World of Warcraft uses it to distribute updates, and so on) and as a customer I'd be distinctly unhappy if my provider tried to block it unconditionally. Throttling during peak hours and particularly on my own traffic I'd be happy with.
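The whitelist-and-prioritise approach described in the post above, sketched as RouterOS configuration. This is an added example, not part of the original post; the interface names (`ether1-wan`, `ether2-lan`), the port list, the mark names and the rates are assumptions to adapt to the actual link.

```routeros
# Added example: interface names, ports, mark names and rates are assumptions.
/ip firewall mangle
# 1. Whitelist: new connections to well-known service ports become "known-good".
add chain=forward connection-state=new protocol=tcp \
    dst-port=21,25,80,110,143,443,993,995 \
    action=mark-connection new-connection-mark=known-good passthrough=yes \
    comment="whitelist: web, mail, FTP control"
add chain=forward connection-state=new protocol=udp dst-port=53,5060 \
    action=mark-connection new-connection-mark=known-good passthrough=yes \
    comment="whitelist: DNS, SIP"
# 2. Any connection still unmarked is "unclassified" (this is where P2P,
#    encrypted or not, ends up without having to be recognised).
add chain=forward connection-mark=no-mark \
    action=mark-connection new-connection-mark=unclassified passthrough=yes \
    comment="everything not whitelisted"
# 3. Turn connection marks into packet marks for the queues.
add chain=forward connection-mark=known-good \
    action=mark-packet new-packet-mark=known-good-pkt passthrough=no
add chain=forward connection-mark=unclassified \
    action=mark-packet new-packet-mark=unclassified-pkt passthrough=no

/queue tree
# Download: packets leaving towards the LAN. Parent max-limit sits just
# below the real link rate so that the queue forms on this router.
add name=down parent=ether2-lan max-limit=2M
add name=down-good parent=down packet-mark=known-good-pkt \
    priority=1 limit-at=1500k max-limit=2M
add name=down-rest parent=down packet-mark=unclassified-pkt \
    priority=8 limit-at=256k max-limit=2M
# Upload: packets leaving towards the WAN.
add name=up parent=ether1-wan max-limit=512k
add name=up-good parent=up packet-mark=known-good-pkt \
    priority=1 limit-at=384k max-limit=512k
add name=up-rest parent=up packet-mark=unclassified-pkt \
    priority=8 limit-at=64k max-limit=512k
```

Priorities only take effect between leaf queues under a parent whose `max-limit` is at or below the real link capacity; unclassified traffic can still use the full rate whenever the whitelisted classes are idle.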
 
timmartin
just joined
Topic Author
Posts: 12
Joined: Wed Sep 01, 2010 12:01 pm

Re: Is it possible to detect encrypted BitTorrent?

Wed Sep 01, 2010 3:59 pm

Thanks for the suggestion. I'd just got round to thinking that whitelisting will be a better approach for what I want to do; what you suggest sounds sensible.

Briefly, the reason I'm trying to block / limit / deprioritise P2P is that I work for an ISP for whom external bandwidth costs are substantial (since we're in the developing world and most of our external bandwidth is still by satellite). We're trying to make life easier for SME customers who purchase a connection with limited bandwidth and then get much lower performance than they expect because some of their employees are saturating their connection with P2P. This isn't something we're forcing upon our customers, but very often the person paying for the connection wants to filter P2P to keep their costs down, and since they own the connection we're happy to do so for them.
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: Is it possible to detect encrypted BitTorrent?

Wed Sep 01, 2010 7:41 pm

If you want to block it, have a look at this thread:
http://forum.mikrotik.com/viewtopic.php?t=21178
 
csickles
Forum Guru
Posts: 1255
Joined: Fri May 28, 2004 8:46 pm
Location: Phoenix, AZ

Re: Is it possible to detect encrypted BitTorrent?

Wed Sep 01, 2010 7:51 pm

Filtering / limiting would show MUCH better results at the CPE side of the link.

If the "bad" traffic is coming in at the client's end and clogging their pipe, then the limit should occur at the client side.
This has two effects: it frees up their connection for the "good" data, and it keeps more of the bad data off your perimeter network, allowing you to better use your available "core" bandwidth.

It is the same principle as getting information TO a user: the closer the resource is to the user, the better. The same can be said about limits. The closer to the user that "bad" can be limited or stopped, the better off everyone else is, as his/her garbage isn't in their way.

We use a solution from FaceTime (expensive) to limit users (along with MikroTik).. http://www.facetime.com/

There are other less expensive solutions IE Cymphonix http://www.cymphonix.com

These sit inside the client firewall and help manage and report on traffic by user, etc.

Along with CPE / core firewall / router rules, this should help maximise your core net bandwidth.

Just my two cents..
 
chapex
Member Candidate
Posts: 138
Joined: Wed May 30, 2007 1:23 am
Location: Patagónia Argentina

Re: Is it possible to detect encrypted BitTorrent?

Thu Sep 02, 2010 2:01 am

Search for "DPI".

Regards
 
timmartin
just joined
Topic Author
Posts: 12
Joined: Wed Sep 01, 2010 12:01 pm

Re: Is it possible to detect encrypted BitTorrent?

Thu Sep 02, 2010 9:48 am

FWIW, we are intending to do the filtering on the CPE side of the link. The aim is to have a box that we can install on the customer's network that will do the filtering, and is cheap enough that we can afford to provide this as part of the network connection bundle.

Thanks for all the other suggestions as well, I'll investigate further.