Asume you want to block torrent & p2p traffic on 192.168.1.0/24
replace ip according to your need



/ip firewall layer7-protocol>
use winbox to copy paste name=torrentsites
regexp:
^.*(get|GET).+(torrent|

thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|

torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|

entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|

flixflux|seedpeer|fenopy|gpirate|commonbits).*$


/ip firewall filter>
add chain=forward src-address=192.168.1.0/24 layer7-protocol=torrentsites action=drop comment=torrentsites
add chain=forward src-address=192.168.1.0/24 protocol=17 dst-port=53 layer7-protocol=torrentsites action=drop comment=dropDNS
add chain=forward src-address=192.168.1.0/24 content=torrent action=drop comment=keyword_drop
add chain=forward src-address=192.168.1.0/24 content=tracker action=drop comment=trackers_drop
add chain=forward src-address=192.168.1.0/24 content=getpeers action=drop comment=get_peers_drop
add chain=forward src-address=192.168.1.0/24 content=info_hash action=drop comment=info_hash_drop
add chain=forward src-address=192.168.1.0/24 content=announce_peers action=drop comment=announce_peers_drop

& also use default rule to drop p2p traffic which alone is not working for me

add chain=forward src-address=192.168.1.0/24 p2p=all-p2p action=drop comment=p2p_drop


Enjoy

Yup, works fine.. Cheers

/ip firewall filter
add action=drop chain=forward comment="P2P drop " disabled=no p2p=all-p2p
add action=drop chain=forward comment="more connection closed" disabled=no

Go tp IP > Firewall > Layer7 Protocols, add a new one and paste it there

Regards

Thank you for replay.


Can you please teach me How to add new one ?

Best Regards

Battumur

Copy and paste the regexp into IP -> Firewall -> Layer 7 protocols, or use this export:

thanks for this info...It worked perfectly....

Hello and thank you for the information.

I have a question:
If they use it without the source-addresses it will work for the hole board if there are 3 wireless-client-cards with addresses 192.168.1.0, 192.168.2.0 and 192.168.3.0?

Or have I to write all the rules particular for each address?

Saludos

Uli

ulikroessin, that will depend on how you setup your firewall rules that use the layer7 protocol filter. You can specific specific addresses, or not and have everything filtered...

Thank you Zebble, but...well, more exactly my question:

I have a RB 333. Eth --> modem --> www, wlan1=192.168.1.0, wlan2=192.168.2.0, wlan3=192.168.3.0
At the wlans I have clients (hotspot/usermanager).

I want that the block-rules for p2p are working at all the 3 wlans.

I write this

name=torrentsites
regexp:
^.*(get|GET).+(torrent|

thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|

torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|

entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|

flixflux|seedpeer|fenopy|gpirate|commonbits).*$

in "ip firewall layer7-protocols".

In "ip firewall filter" I have to wirte this:

add chain=forward src-address=192.168.1.0/24 layer7-protocol=torrentsites action=drop comment=torrentsites
add chain=forward src-address=192.168.1.0/24 protocol=17 dst-port=53 layer7-protocol=torrentsites action=drop comment=dropDNS
add chain=forward src-address=192.168.1.0/24 content=torrent action=drop comment=keyword_drop
add chain=forward src-address=192.168.1.0/24 content=tracker action=drop comment=trackers_drop
add chain=forward src-address=192.168.1.0/24 content=getpeers action=drop comment=get_peers_drop
add chain=forward src-address=192.168.1.0/24 content=info_hash action=drop comment=info_hash_drop
add chain=forward src-address=192.168.1.0/24 content=announce_peers action=drop comment=announce_peers_drop
...
add chain=forward src-address=192.168.1.0/24 p2p=all-p2p action=drop comment=p2p_drop

but 3 times (with the 3 src-addresses 192.168.1.0, 192.168.2.0 and 192.168.3.0)

or I can write it so (without the src-addresses) and it will work for all the 3 wlans:

add chain=forward layer7-protocol=torrentsites action=drop comment=torrentsites
add chain=forward protocol=17 dst-port=53 layer7-protocol=torrentsites action=drop comment=dropDNS
add chain=forward content=torrent action=drop comment=keyword_drop
add chain=forward content=tracker action=drop comment=trackers_drop
add chain=forward content=getpeers action=drop comment=get_peers_drop
add chain=forward content=info_hash action=drop comment=info_hash_drop
add chain=forward content=announce_peers action=drop comment=announce_peers_drop
...
add chain=forward p2p=all-p2p action=drop comment=p2p_drop


The last one (default rule) I´m using so since 1 year, without src-addresses, and hope it works. But I´m not sure...

Saludos

Uli

has someone tried it successfully

Hello again,

I try to test it and seems it works so, without addresses, but how I wrote - I´m not sure.
Here the config: And here the screenshot from the last hours:

ok, but if you want to *limit* p2p traffic?

I think that some one provide internet access can't "inspect" traffic that carry out but... bandwith cost lot of money so limit this type of traffic I'think is a good compromise!

So can you try to modify the solutions you have posted to a version that limit traffic instead of blocking?

Best regards!

Hello and thank you for the information.

I have a question:
If they use it without the source-addresses it will work for the hole board if there are 3 wireless-client-cards with addresses 192.168.1.0, 192.168.2.0 and 192.168.3.0?

Or have I to write all the rules particular for each address?

Saludos

Uli

I believe if you Layer 7 filter everything it will severely impact your routers CPU. So you want to make sure you have plenty of processing capacity before you do it. So with the smaller 400 series boards, I typically just filter selected users via IP address lists.

Eric

Yea this method is also working for me.

but in hotspot how can its possible for me to allow few clients to use torrent,p2p trafic. and block for remaining all others.

it is possible so?

This regxp in layer7 protocol works for me, but I set up round way through socks5 server for torrenting, and it's excluded from that rule, I cannot do it to myself to block torrents to my people Server used for socks5 is Dante

Please do not use this rule in bad manner

^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]

It seems that these rules don't work anymore.

/ip firewall filter
add action=drop chain=forward comment="P2P drop " disabled=no p2p=all-p2p
add action=drop chain=forward comment="more connection closed" disabled=no

this rule

add action=drop chain=forward comment="more connection closed" disabled=no


block all traffic my network ( rb433ah , bridge mode)

is correct?

the others works properly

/ip firewall filter
add action=drop chain=forward comment="P2P drop " disabled=no p2p=all-p2p
add action=drop chain=forward comment="more connection closed" disabled=no

this rule : add action=drop chain=forward comment="more connection closed" disabled=no

block all traffic my network (rb433ah, bridge wlan1-eth1)

is correct?

all others rules works perfect

Hey guys! I have done this, and it works pretty great for what I needed, but I have one question. Is there a way to make it redirect to a website instead of just dropping? I want to tell all customers that it is against ToS to use torrents through a web page. Thanks

The only problem I really see with this, is that it blocks things for keywords. Like me making this post, since it has the keywords in it, I have to use a different gateway to post.. Any idea for a way around that?

Hey guys! I have done this, and it works pretty great for what I needed, but I have one question. Is there a way to make it redirect to a website instead of just dropping? I want to tell all customers that it is against ToS to use torrents through a web page. Thanks

great! This would be very useful!

Maybe I am wrong, but the proposed solution blocks the downloads of the .torrent files (GET) from known torrent repositories. This is of course important but not effective.
But it won't block the torrent protocol (file sharing) itself. Which is what I'd like to block, as torrent files can be exchanged via email or even through removable media.
Any idea?

this even blocks news sites if there is something mentioned about torrents.

this does not work if you use https

Asume you want to block torrent & p2p traffic on 192.168.1.0/24
replace ip according to your need



/ip firewall layer7-protocol>
use winbox to copy paste name=torrentsites
regexp:
^.*(get|GET).+(torrent|

thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|

torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|

entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|

flixflux|seedpeer|fenopy|gpirate|commonbits).*$


/ip firewall filter>
add chain=forward src-address=192.168.1.0/24 layer7-protocol=torrentsites action=drop comment=torrentsites
add chain=forward src-address=192.168.1.0/24 protocol=17 dst-port=53 layer7-protocol=torrentsites action=drop comment=dropDNS
add chain=forward src-address=192.168.1.0/24 content=torrent action=drop comment=keyword_drop
add chain=forward src-address=192.168.1.0/24 content=tracker action=drop comment=trackers_drop
add chain=forward src-address=192.168.1.0/24 content=getpeers action=drop comment=get_peers_drop
add chain=forward src-address=192.168.1.0/24 content=info_hash action=drop comment=info_hash_drop
add chain=forward src-address=192.168.1.0/24 content=announce_peers action=drop comment=announce_peers_drop

& also use default rule to drop p2p traffic which alone is not working for me

add chain=forward src-address=192.168.1.0/24 p2p=all-p2p action=drop comment=p2p_drop


Enjoy

I just copied this from somewhere in the forum, I want to integrate it with blocking downloading of .mp3, *.mp4 etc, how will I add this to the l7-layer, is this one correct cus i dont see it catching any traffic

1./ip firewall layer7-protocol
add name=streaming2 regexp="\"^.*get.+\\\\.(3gp|mov|mpe|mpeg|mpeg2|mpeg3|mpeg4|mkv|avi|flv|f4v|f4p|f4a\
|f4b|x-flv|msi|wmv|mp2|mp3|mp4|swf|rm|rmvb|vcd|pdf|dat|iso|nrg|bin|cab|vcd|ogg|wma|divx|d2v|qt|0[0-9][0-9])

2. /ip firewall mangle
add action=mark-packet chain=prerouting comment="Mark Packet Streaming" disabled=no \
layer7-protocol=streaming new-packet-mark=streaming2 passthrough=no

You can adjust the max-limit to anything higher like 128k
3. /queue tree add name="streaming2" parent=global packet-mark=streaming2 limit-at=0 queue=default \
priority=8 max-limit=48k burst-limit=0 \
burst-threshold=0 burst-time=0s

today there is so many ways of using torrent, because that blocking it is a never ending work

the main reason to block torrent is because use too much bandwidth

i think there is no need to block torrent i think is better to properly identify torrent and p2p traffic to give it a lower priority and control the congestion it generates and guarantee the good performance on the other applications

I agree with chechito. The only "small problem"™ is to correctly identifying the torrent traffic.
Blocking the download of the torrent file itself is useless as torrents can be added manually from other sources.
I think that only Deep Packet Inspection can help.
Any ideas?

I agree with chechito. The only "small problem"™ is to correctly identifying the torrent traffic.
Blocking the download of the torrent file itself is useless as torrents can be added manually from other sources.
I think that only Deep Packet Inspection can help.
Any ideas?

in my case i have identified torrent traffic by discard, detecting another protocols and services usually leave me with torrent on the "unclassified" part of the traffic leaving it with low priority

in my case i have identified torrent traffic by discard

Do you mean "everything else" (everything but HTTP, HTTPS, SSH, SMTPS, IMAP4S POP3S..) is considered torrent?
If so, which protocols are you considering?
If not, please elaborate.
As I cannot really block P2P in general, I am trying to throttle "everything else".
The problem is that outgoing P2P can also go to TCP:80, TCP:443, TCP:53 and UDP:53 and so on...
In these cases throttling wouldn't apply. And this is why I am talking about DPI.

in my case i have identified torrent traffic by discard

Do you mean "everything else" (everything but HTTP, HTTPS, SSH, SMTPS, IMAP4S POP3S..) is considered torrent?
If so, which protocols are you considering?
If not, please elaborate.
As I cannot really block P2P in general, I am trying to throttle "everything else".
The problem is that outgoing P2P can also go to TCP:80, TCP:443, TCP:53 and UDP:53 and so on...
In these cases throttling wouldn't apply. And this is why I am talking about DPI.

people are using 80 and 443 and 53 or another well known ports because of the blocking, because that is better to throttle than blocking

and with throttle im referencing to give the torrent the possibility of using all the spare bandwidth not throttling it to a ridiculous speeds

Is not perfect but it works in many cases and its free

if some one need better detection of P2P is better to go with an expensive fortigate or another UTM and pay the expensive annual license fee

for example

fortigate 80d recommended for 65mbps of wan channel cost ~750US without services, and ~1.740US with 3 year service subscription that is ~330 US per year of subscription

fortigate 200d recommended for 150mbps of wan channel cost ~2.300US without services, and ~5.200US with 3 year service subscription that is ~960 US per year of subscription

fortigate 600d recommended for 1.100mbps of wan channel cost ~8.000US without services, and ~17.840US with 3 year service subscription that is ~3.280 US per year of subscription

fortigate 1500d recommended for 2.300mbps of wan channel cost ~30.000US without services, and ~66.900US with 3 year service subscription that is ~12.300 US per year of subscription

fortigate 3000d recommended for 6.000mbps of wan channel cost ~60.000US without services, and ~133.800US with 3 year service subscription that is ~24.600 US per year of subscription

in my case i have identified torrent traffic by discard

Do you mean "everything else" (everything but HTTP, HTTPS, SSH, SMTPS, IMAP4S POP3S..) is considered torrent?
If so, which protocols are you considering?
If not, please elaborate.
As I cannot really block P2P in general, I am trying to throttle "everything else".
The problem is that outgoing P2P can also go to TCP:80, TCP:443, TCP:53 and UDP:53 and so on...
In these cases throttling wouldn't apply. And this is why I am talking about DPI.

people are using 80 and 443 and 53 or another well known ports because of the blocking, because that is better to throttle than blocking

and with throttle im referencing to give the torrent the possibility of using all the spare bandwidth not throttling it to a ridiculous speeds

Is not perfect but it works in many cases and its free

if some one need better detection of P2P is better to go with an expensive fortigate or another UTM and pay the expensive annual license fee

for example

fortigate 80d recommended for 65mbps of wan channel cost ~750US without services, and ~1.740US with 3 year service subscription that is ~330 US per year of subscription

fortigate 200d recommended for 150mbps of wan channel cost ~2.300US without services, and ~5.200US with 3 year service subscription that is ~960 US per year of subscription

fortigate 600d recommended for 1.100mbps of wan channel cost ~8.000US without services, and ~17.840US with 3 year service subscription that is ~3.280 US per year of subscription

fortigate 1500d recommended for 2.300mbps of wan channel cost ~30.000US without services, and ~66.900US with 3 year service subscription that is ~12.300 US per year of subscription

fortigate 3000d recommended for 6.000mbps of wan channel cost ~60.000US without services, and ~133.800US with 3 year service subscription that is ~24.600 US per year of subscription

So, was I right?
I mean, do you simply throttle "everything else" but a bunch of "well known useful protocols"?

So, was I right?
I mean, do you simply throttle "everything else" but a bunch of "well known useful protocols"?

yes i priorize traffic in this order:

tcp ack packets, dns, icmp, udp traffic whit characteristics matching most voip and gaming apps, vpns, rdp, http small traffic connections, http big traffic connections, mail connections, other udp tcp small traffic connections.

the remaining traffic are other tcp and udp connections with big traffic, torrent transfer get on this category

add chain=forward src-address=192.168.1.0/24 p2p=all-p2p action=drop comment=p2p_drop


not working
buz i need to drop "psiphon vpn" from server ,,

how can drop that p2p buz drop vpn?

I have tried all the methods posted above and torrents still download.I am new to Mikrotik. Please help

I started by dropping all incoming TCP and UDP traffic (all of it) but those services that go to DMZ.
So there's no traffic going to LAN, which means "low ID" in the P2P lingo.

Then I started throttling (I'd like to drop, actually) all outgoing traffic from LAN with UDP ports other than 53 (DNS) and 123 (NTP) and TCP ports higher than 1023.

My situation is much better now, while still not completely closing P2 traffic.

This thread is somewhat old but gold.
On theory,wouldnt it any better if we throthle or drop connection exceed certain threshold?
Afterall,nobody but the most determined user would download torrent with low seed/peer per downloaded file?

You can throttle download traffic, but you cant separate download from a web site and download from a p2p site, so you would throttle all download.
When p2p traffic is encrypted, it blends inn to normal traffic.

The torrent file download is not the torrent traffic.
I don't really mind about downloading torrent files: they can be a few megs, even a dozen, and then it's done.
Torrent traffic is about large movies (from a few gigas to a hundred), mostly all pirated contents.
And you can bring torrent files into the network with (s)ftp, email, chat, https and so on, not just HTTP.
The L7 matcher can be defied by E2E cryptography, so only TCP and UDP ports remain to be used.
I still think my approach is the one that can reliably give some results. Even if they won't really block torrent and other p2p traffic.

Its Not Working IN mikrotik modelno. CCR1072-1G-8S+ FIRMWARE :6.41.3

PLEASE HELP

Asume you want to block torrent & p2p traffic on 192.168.1.0/24
replace ip according to your need



/ip firewall layer7-protocol>
use winbox to copy paste name=torrentsites
regexp:
^.*(get|GET).+(torrent|

thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|

torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|

entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|

flixflux|seedpeer|fenopy|gpirate|commonbits).*$


/ip firewall filter>
add chain=forward src-address=192.168.1.0/24 layer7-protocol=torrentsites action=drop comment=torrentsites
add chain=forward src-address=192.168.1.0/24 protocol=17 dst-port=53 layer7-protocol=torrentsites action=drop comment=dropDNS
add chain=forward src-address=192.168.1.0/24 content=torrent action=drop comment=keyword_drop
add chain=forward src-address=192.168.1.0/24 content=tracker action=drop comment=trackers_drop
add chain=forward src-address=192.168.1.0/24 content=getpeers action=drop comment=get_peers_drop
add chain=forward src-address=192.168.1.0/24 content=info_hash action=drop comment=info_hash_drop
add chain=forward src-address=192.168.1.0/24 content=announce_peers action=drop comment=announce_peers_drop

& also use default rule to drop p2p traffic which alone is not working for me

add chain=forward src-address=192.168.1.0/24 p2p=all-p2p action=drop comment=p2p_drop


Enjoy

Hi!
I followed your tutorial and it's perectly work on my router ! Thank you a lot !
(I work for a small french ISP and we receive letters from Hadopi, so we are searching a solution to limit the illegal download ^^ )

I have a question, maybe it will sounds stupid for you, but this code :

/ip firewall layer7-protocol>
use winbox to copy paste name=torrentsites
regexp:
^.*(get|GET).+(torrent|

thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|

torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|

entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|

flixflux|seedpeer|fenopy|gpirate|commonbits).*$

Can we complete it with another "keyword", another website name ?
Is it this ? A sort of list of torrent sites names ?


Thank you again !
Noémie

PS : sorry for my bad english, I'm french

Hi!
I followed your tutorial and it's perectly work on my router ! Thank you a lot !
(I work for a small french ISP and we receive letters from Hadopi, so we are searching a solution to limit the illegal download ^^ )

I have a question, maybe it will sounds stupid for you, but this code :

/ip firewall layer7-protocol>
use winbox to copy paste name=torrentsites
regexp:
^.*(get|GET).+(torrent|

thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|

torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|

entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|

flixflux|seedpeer|fenopy|gpirate|commonbits).*$

Can we complete it with another "keyword", another website name ?
Is it this ? A sort of list of torrent sites names ?


Thank you again !
Noémie

PS : sorry for my bad english, I'm french

This will only block the download of a torrent file, not the torrent traffic itself.
Try to first download the torrent file, then enable the rules and finally ask your torrent client to load the torrent file to start the p2p exchange.
You will see the p2p traffic bidirectionally flowing unimpeded!

P.S.
I am even more sorry for my english: I am Italian!

This will only block the download of a torrent file, not the torrent traffic itself.
Try to first download the torrent file, then enable the rules and finally ask your torrent client to load the torrent file to start the p2p exchange.
You will see the p2p traffic bidirectionally flowing unimpeded!

Hi!
I don't want to block it (we can't ! Because gaming used p2p, for example, and it's perfectly legal) !
I just want to identify the customers who try to download and then, limits their bandwhidth, send them an email, things like that !

P.S.
I am even more sorry for my english: I am Italian!

Hello from France

This will only block the download of a torrent file, not the torrent traffic itself.
Try to first download the torrent file, then enable the rules and finally ask your torrent client to load the torrent file to start the p2p exchange.
You will see the p2p traffic bidirectionally flowing unimpeded!

Hi!
I don't want to block it (we can't ! Because gaming used p2p, for example, and it's perfectly legal) !
I just want to identify the customers who try to download and then, limits their bandwhidth, send them an email, things like that !

P.S.
I am even more sorry for my english: I am Italian!

Hello from France

Well, the OP titled this thread as "Block Torrents & p2p Traffic 100% working" so I thought the topic was still sticking.
Anyway, blocking the download of torrent files alone from a selected set or URLs sounds to me like a waste of time as you can download them throug POP3, IMAP4, FTP and so on. Those won't be blocked.
Anyway, you are right. P2P (DHT) is being used for a number of purposes that cannot easily be told apart from each other.
I think now this thread title is misleading for two reasons:
1. you cannot block (real) P2P traffic based upon specific usage (lawful vs unlawful)
2. the proposed solution doesn't "Block Torrents & p2p Traffic" at all.

Rule, Europa! Rule the waves!

Anyway, you are right. P2P (DHT) is being used for a number of purposes that cannot easily be told apart from each other.
I think now this thread title is misleading for two reasons:
1. you cannot block (real) P2P traffic based upon specific usage (lawful vs unlawful)
2. the proposed solution doesn't "Block Torrents & p2p Traffic" at all.

Yep ! This is why I used this topic to mark people who have visited torrent website.
I will make a blacklist of torrent website, with a web proxy in MK. (I mean, I will try ! I know that it will not work at 100%)
And, finally, I am searching of how to see who is using the most bandidth, to then limit only him, get his IP address, send him an email... etc !
(And I take the opportunity to ask you if you have any idea of how to manage that )

Hello from the US.

Why would you want to block torrents? It is often legitimate traffic. Perhaps torrents are sometimes used to copy copyrighted content without appropriate license, but that is on the person making the illegal copy.

The ISP cannot know if a torrent is legal or illegal without confronting the customer to check their license for the content.

Hello from the US.

Why would you want to block torrents? It is often legitimate traffic. Perhaps torrents are sometimes used to copy copyrighted content without appropriate license, but that is on the person making the illegal copy.

The ISP cannot know if a torrent is legal or illegal without confronting the customer to check their license for the content.

Blocking can also be shaping (or queueing in mikrotik lingo).
P2P traffic creates sustained loads in both directions and can be overkilling for most WANs.
I cannot and don't want to tell legitimate from unlegitimate content access: no sane net admin would.
Being able to tell P2P traffic from other things would be interesting. It seems it's impossible at the moment.
What I can do at the moment is to shape high TCP/UDP port traffic, but that's neither enough nor proper.

Blocking can also be shaping (or queueing in mikrotik lingo).
P2P traffic creates sustained loads in both directions and can be overkilling for most WANs.
I cannot and don't want to tell legitimate from unlegitimate content access: no sane net admin would.
Being able to tell P2P traffic from other things would be interesting. It seems it's impossible at the moment.
What I can do at the moment is to shape high TCP/UDP port traffic, but that's neither enough nor proper.

It seems to me if an ISP offers a customer bandwidth, say 1M up and 10M down for example, then the ISP is obligated to deliver 1M up and 10M down 99% of the time. After all, that's what the customer was sold.

If an ISP can't deliver promised bandwidth in aggregate due to oversubscription, overutilized gear, or any other cause, then the ISP needs to establish more bandwidth at the point of congestion. Sure, it can be expensive, but lying to the customers about the service an ISP is capable of providing can also be expensive.

I have 100mbps symmetrical.
One or two clients doing BitTorrent with a few files to be shared are enough to eat 50+% of the available bandwidth.
This is why I mind about p2p!

I have 100mbps symmetrical.
One or two clients doing BitTorrent with a few files to be shared are enough to eat 50+% of the available bandwidth.
This is why I mind about p2p!

I've managed networks for a few small ISPs over the years. I admit I don't know your environment at all, so I'm just making uninformed opinions here. It seems to me with 100Mbps symmetric, why not offer the customers something like 1M up and 5M down or something similar? Depending on the number of subscribers, that might be a reasonable balance of bandwidth offering, and oversubscription could be more reasonably managed. The queues could even be set up in such a way that users exceed the max subscribed bandwidth when it's available if you wanted.

I am not an ISP. I manage a company network with BYOD policy.

I am not an ISP. I manage a company network with BYOD policy.

Well that totally changes my opinion. I thought you were an ISP.

In that case, you get to do whatever you want with the bandwidth that you provide to your employees.

It seems to me if an ISP offers a customer bandwidth, say 1M up and 10M down for example, then the ISP is obligated to deliver 1M up and 10M down 99% of the time. After all, that's what the customer was sold.

If an ISP can't deliver promised bandwidth in aggregate due to oversubscription, overutilized gear, or any other cause, then the ISP needs to establish more bandwidth at the point of congestion. Sure, it can be expensive, but lying to the customers about the service an ISP is capable of providing can also be expensive.

You're right! But we receive letters from Hadopi and I think it will be temporary ! Just the time to send an email to the customers, or something like that, we will limit his bandwidth. Basically, my boss want me to directly send an email to the customers, to make him confirm that he might be do something illegal and if it is, he have risk consciousness.
We will not blocking p2p, it's impossible and we know
But this letters...

It seems to me if an ISP offers a customer bandwidth, say 1M up and 10M down for example, then the ISP is obligated to deliver 1M up and 10M down 99% of the time. After all, that's what the customer was sold.

If an ISP can't deliver promised bandwidth in aggregate due to oversubscription, overutilized gear, or any other cause, then the ISP needs to establish more bandwidth at the point of congestion. Sure, it can be expensive, but lying to the customers about the service an ISP is capable of providing can also be expensive.

You're right! But we receive letters from Hadopi and I think it will be temporary ! Just the time to send an email to the customers, or something like that, we will limit his bandwidth. Basically, my boss want me to directly send an email to the customers, to make him confirm that he might be do something illegal and if it is, he have risk consciousness.
We will not blocking p2p, it's impossible and we know
But this letters...

Checking the legitimacy of any traffic falls far beyond the responsibilities and the capabilities of a network manager.
Being her an ISP or not is irrelevant here.
If you limit your customer bandwidth at large, you will end breaking the relationship: you'll be slowing down your customer bandwidth for everything, not just P2P.

This is why I aim at identifying the P2P traffic (BitTorrent, DHT-based protocols and the likes).
If I succeed I can do something: blocking, limiting ...
If I cannot, then I have little to discuss.

Again, downloading a torrent file is NOTHING.

Have you tried to use a recent BitTorrent client with "KAD support"?
It doesn't need any torrent file but just the hash value, a string you can get by email or on the web.
The DHT will make the "rest of the magics", by just requiring some more time to "look" for a list of suitable peers.
So you won't be able to block or shape anything as even the torrent file is not needed any more.

You can only block everything, as they can be using "low ports" and apply a "light disguise" to the traffic as P2P can use any TCP and UDP ports from 1 to 65535!

What I see doable here is to allow "low ports" and a few "high ports" and block or limit the bandwidth to anything else.
It's more like "traffic containment" than "traffic control", but I see no option here.

This is why I aim at identifying the P2P traffic (BitTorrent, DHT-based protocols and the likes).
If I succeed I can do something: blocking, limiting ...
If I cannot, then I have little to discuss.

Again, downloading a torrent file is NOTHING.

Have you tried to use a recent BitTorrent client with "KAD support"?
It doesn't need any torrent file but just the hash value, a string you can get by email or on the web.
The DHT will make the "rest of the magics", by just requiring some more time to "look" for a list of suitable peers.
So you won't be able to block or shape anything as even the torrent file is not needed any more.

You can only block everything, as they can be using "low ports" and apply a "light disguise" to the traffic as P2P can use any TCP and UDP ports from 1 to 65535!

What I see doable here is to allow "low ports" and a few "high ports" and block or limit the bandwidth to anything else.
It's more like "traffic containment" than "traffic control", but I see no option here.

I have thinking about port mirroring and wireshark to check if the customers is downloading something.
What do you think about this solution ?
Anyway it's impossible to identify if the customers is doing something illegal... :/
(And I don't know DHT ! Thanks for this information ! I found on the forum a guy who block this type of traffic by using DNS static and some things like that. )

This is why I aim at identifying the P2P traffic (BitTorrent, DHT-based protocols and the likes).
If I succeed I can do something: blocking, limiting ...
If I cannot, then I have little to discuss.

Again, downloading a torrent file is NOTHING.

Have you tried to use a recent BitTorrent client with "KAD support"?
It doesn't need any torrent file but just the hash value, a string you can get by email or on the web.
The DHT will make the "rest of the magics", by just requiring some more time to "look" for a list of suitable peers.
So you won't be able to block or shape anything as even the torrent file is not needed any more.

You can only block everything, as they can be using "low ports" and apply a "light disguise" to the traffic as P2P can use any TCP and UDP ports from 1 to 65535!

What I see doable here is to allow "low ports" and a few "high ports" and block or limit the bandwidth to anything else.
It's more like "traffic containment" than "traffic control", but I see no option here.

I have thinking about port mirrorring and wireshark to chek if the customers is download something.
What do you think about this solution ?
Anyway it's impossible to identify if the customers is doing something illegal... :/
(And I don't know DHT ! Thanks for this information ! I found on the forum a guy who block this type of trafic by using dns static and some things like that. )

Almost all P2P traffic is encrypted, thus inspecting the content wouldn't help much.
Moreover, even if is wasn't encrypted but just "compressed" with your favorite tool, it would require you to first download all the stuff, uncompress it and then check.
In that case the download wouldn't be blockable as it had already happened.
Wireshark on a mirrored port is a very powerful tool. But only if you know what you are looking for.
I know a large company that stores for a few weeks all traffic (but not the payloads) coming from mirrored ports for late analysis and statistics.
They can look for specific events.
But, yet, you need to know what to search for.
If you do know, than you don't need Wireshark.

It could make some sense to use nTop or a similar tool to analyze the actual traffic in real-time.
While you wouldn't still be able to see the payloads themselves, you could have a rather precise idea of the type of traffic and its endpoints and, with some training, be able to tell a good P2P from a bad one.
You could then decide to block or slow down that type of traffic based upon IPs and TCP/UDP ports.
If you want to have a precise real-time idea about your traffic, then you really need nTop.

Finally whatever solution is based on the DNS, it is trying to block the download of torrent files.
Which isn't required any more with "KAD" enabled: the torrent file di retrieved from the P2P network itself.

I'd like you to test the BT+KAD download with your favorite client.
For example, the official Ubuntu 16.04 server ISO file is also available on BitTorrent.
Its hash (as in DHT=distributed hash tables) is a49cd0d5abc633e1ee2ad1fee8ced66614415ceb.
Try using this string to download the file.
It takes just a few minutes more than a regular download with a torrent file.
Once the download is started it will have very same speed as a regular BitTorrent download.
DHT is really a P2P protocol (actually a technology) where now server is needed.
The regular BitTorrent requires a torrent file to be downloaded from a server and there are dozens of "torrent caches" from which you can download them.
The point is that those caches don't (because they cannot) check for the legitimacy of each single torrent.
With the DNS you block the access to those caches and think you are blocking BitTorrent.
But you are not.

it shows "p2p matcher is obsolete please use layer7 matcher instead"

And layer7 matcher is practically obsolete, because everyone uses tunnels now. You are chasing a dragon here.

This worked perfectly for me. Thanks!