how block connection of p2p?

trottolino1970 · Fri Jan 18, 2008 5:17 pm

Chupaka · Fri Jan 18, 2008 5:45 pm

ip firewall filter add chain=forward p2p=all-p2p action=drop

rxrxrx · Mon Oct 19, 2009 12:02 am

that is amazing!

NetworkPro · Mon Oct 19, 2009 9:14 am

For some years now good p2p soft can obfuscate, encrypt its connections so routers dont know its a p2p connection.

Instead of dropping p2p like that I suggest you implement traffic prioritization per traffic type or at least the new http://wiki.mikrotik.com/wiki/Connection_Rate easy QoS. You may still need it even if you drop unencrypted p2p connections because the encrypted ones may still take bandwidth and transmission time on ur network.

And keep in mind that the easiest way to achieve QoS is to overprovision the bandwidth

And even with QoS working pretty well - more bandwidth makes it at least double the good feeling of the users and in cases with connections under 2 Mbit/s - more BW is a must.

TKITFrank · Mon Oct 19, 2009 11:21 am

Hi,

I did need to block all P2P and did sort of like Chupaka said. My basic setup i based on http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling But I have made some modifications. My setup tagges also encrypted packages (SSL) on non SSL ports.
This will however not block P2P that uses 443. But there are not many at the moment.

I have done some tests and i have not yet been able to make Bittorrent work. I use a RB1000 to back up my rule set.

Mangel
2 chain=prerouting action=jump jump-target=p2p-service layer7-protocol=DIRECTCONNECT
3 chain=prerouting action=jump jump-target=p2p-service p2p=all-p2p
4 chain=prerouting action=jump jump-target=p2p-service layer7-protocol=BITTORRENT2
5 chain=prerouting action=jump jump-target=tcp-services connection-state=new protocol=tcp dst-port=443
6 chain=prerouting action=jump jump-target=p2p-service connection-state=new protocol=tcp layer7-protocol=HTTPS dst-port=!443
7 chain=prerouting action=jump jump-target=tcp-services tcp-flags=syn connection-state=new protocol=tcp
8 chain=prerouting action=jump jump-target=udp-services connection-state=new protocol=udp
9 chain=prerouting action=jump jump-target=other-services connection-state=new
10 chain=p2p-service action=mark-connection new-connection-mark=p2p passthrough=no
26 chain=tcp-services action=mark-connection new-connection-mark=https passthrough=no protocol=tcp src-port=1024-65535 dst-port=443

Filter
5 ;;; Drop and log all P2P
chain=forward action=add-src-to-address-list src-address-list=local-addr address-list=p2p-users address-list-timeout=4w3d connection-mark=p2p
6 chain=forward action=log connection-mark=p2p log-prefix="P2P"
7 chain=forward action=jump jump-target=drop connection-mark=p2p

L7
HTTPS: Regexp
^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)
BITTORRENT2: Regexp
^(\x13bittorrent protocol)
DIRECTCONNECT: Regexp
^(\$mynick |\$lock |\$key )

NetworkPro · Mon Oct 19, 2009 11:59 am

Oh cool. Try uTorrent with Encryption turned on (Enabled) and try to download a torrent file that has many seeders for example a Lniux distro, for example SuSe distrib via BT. Test your setup against that

Mon Oct 19, 2009 12:03 pm

Oh cool. Try uTorrent with Encryption turned on (Enabled) and try to download a torrent file that has many seeders for example a Lniux distro, for example SuSe distrib via BT. Test your setup against that

against that you can try to use a transpartent proxy for port 80 TCP and block everything else

TKITFrank · Mon Oct 19, 2009 12:17 pm

Tried uTorrent (Encrypted and non encrypted) and the PriateBay, Also tired to download RouterOS from mikrotik torrent. No luck

Did a test in June this year. I have not tested if the new client drops as well. But i drop a load of packages so i guess it is still working.

I want to use the Web-Proxy but my setup protects a shitload of students. At the moment they can not fingerprint my setup. But the regulary check agains if we use a proxy and there they can see what type of system i am using

Mon Oct 19, 2009 12:18 pm

That's good, but if you will force encryption, these patterns will not work so nice.

TKITFrank · Mon Oct 19, 2009 12:23 pm

If I am not mistaken I did just that. Can you have encrypted otherwise? :S
I will try it in an hour or two to confirm this.

NetworkPro · Mon Oct 19, 2009 12:34 pm

When testing, wait longer for example 5 or even 10 mins after starting the torrent, to be sure. Finding a seeder that has encryption could take time, depending on settings, number of new connections per second etc...

And those students will just use VPN and still get what they need from p2p

TKITFrank · Mon Oct 19, 2009 12:38 pm

Nope no joy, I am currently downloading the complete RouterOS torrent but it is all red... And I have encryption to Forced.
I have waited 7,30min at the moment.

Any ideas how to bypass?
Or a link to a torrent that will work perhaps?

Most VPN will not work with my current setup. SSL-VPN will work however...

xezen · Mon Oct 19, 2009 1:29 pm

i dont get this are you asking for ways to test to bypass firewall or testing how good your firewall rules are?

as there are many ways to bypass firewall with p2p?

are you using utorrent to download?

as i have some tricks you can try out

NetworkPro · Mon Oct 19, 2009 1:43 pm

Well let it get a list of seeders! Can it reach the announcer?

TKITFrank · Mon Oct 19, 2009 2:28 pm

It can list how many seeders there is. But non get connected.
I can't open it to try to get some connections becourse it's in production environment.

So I think it still works.

Feel free to test the rules if it works for you.

NetworkPro · Mon Oct 19, 2009 3:25 pm

Try to Uninstall and ReInstall (clean) uTorrent with the latest version, also try from another host. Sometimes uTorrent messes its configs. Thanks.

TKITFrank · Mon Oct 19, 2009 3:35 pm

I just did on the test machine (Netbook) It was a clean install from the factory and a new install of uTorrent.
My previous setup was an old test laptop but the results seem to be the same

NetworkPro · Mon Oct 19, 2009 3:53 pm

Your customers can still use websites and Skype etc etc right? Even after they try and download torrents ?

xezen · Mon Oct 19, 2009 3:54 pm

and what if you set utorrents port to port 80?

and not randoum on startup?

TKITFrank · Mon Oct 19, 2009 4:56 pm

Yes they can still use "Internet" my "address-list" is for my monitoring only.
Is that port not only for incoming connections?

NetworkPro · Tue Apr 20, 2010 2:57 am

Hey why the p2p filter of MT does not catch uTP ?

Someone pleazzzzze share the uTP Layer 7 matcher. Thanks.

TKITFrank · Tue Apr 20, 2010 1:00 pm

Hi,

I found out the other day that the new utorrent can bypass my rules. My new approach is to block the "announce" and normal Bittorrent traffic by L7 and disable DHT/peer sharing via DNS and filter rules. This results in the impossibility to connect and by that matter removes the ability to initialize the encrypted traffic.

I can say that it works like a charm.
The same goes for magnetic links.

I have tried to download under 48hours 3different torrents with no success with 4 different torrent clients.
uTorrent, Azures(vuze), bitlord, and Bitcomet.

This is an ongoing war but for now it works.
It's probably not 100% but I have not yet found out how to bypass my protection.

I can post config later this day or tomorrow.

timreichhart · Tue Apr 20, 2010 7:42 pm

is there away to filter or block p2p on internal IP address? lets say customer is natted from public real word ip to internal IP is there anyway to filter/block the internal IP for the p2p.

TKITFrank · Wed Apr 21, 2010 7:57 am

Here is the config
DNS
/ip dns static
add address=127.0.0.1 disabled=no name=router.utorrent.com ttl=1d
add address=127.0.0.1 disabled=no name=dht.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vrpc.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzrpx020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzapp020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=client.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=mirror-user1.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=ip.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=jp.bitcomet.com ttl=1d
add address=127.0.0.1 disabled=no name=torrent-cache.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=inside.bitcomet.com ttl=1d
add address=127.0.0.2 disabled=no name=router.bitcomet.net ttl=1d

L7 filter
/ip firewall layer7-protocol
add comment="" name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add comment="" name=BITTORRENT_ANNOUNCE regexp=^get.+announce.

I use the L7 in the mangel rules combined with the normal Mikrotik p2p detection and add mark them as p2p and then I have a filter that blocks it.

This disables the normal tracker and the DHT and peer exchange.

Please try it and if you can find any way to get around it please let me know

p.s
You will have to disable DNS query's outbound and only allow the DNS server in the Mikrotik.
d.s

timreichhart · Mon Apr 26, 2010 9:58 pm

is there anyway that you can block a internal IP from p2p protocols?

TKITFrank · Tue Apr 27, 2010 7:50 am

The above post is about protecting a school network (internal) from using P2P.

timreichhart · Tue Apr 27, 2010 7:14 pm

so your saying you have to use static dns in order to make that work If I am understanding your post correctly.

TKITFrank · Wed Apr 28, 2010 7:55 am

Correct that is the only way I have found to filter out / block DHT or magnetic links.

Muqatil · Wed Apr 28, 2010 9:40 am

You say it's a school, so i may assume the users need only HTTP traffic, POP and SMTP, skype maybe and msn?
Why don't you block everything except the mentioned protocols? wouldn't be it easier than a WorldWar against P2P?

dssmiktik · Wed Apr 28, 2010 11:04 am

I also wanted to point out that your DNS could be simplified by using regex matching for the name.

Ex. To redirect any traffic for domain utorrent.com and *.utorrent.com

/ip dns static add name=".*\\(^\\|\\.\\)utorrent\\.com" address=127.0.0.1

This matches utorrent.com, a.utorrent.com, a.b.c.utorrent.com, but not abcutorrent.com

Ex. To redirect any traffic for domain vuze.com and *.vuze.com

/ip dns static add name=".*\\(^\\|\\.\\)vuze\\.com" address=127.0.0.1

This way, you can protect against the sub-domains changing, the main domain still get's blocked. Also, you'd only have one rule per domain.

Just a helpful hint.

ADD: So your new rule-set would be:

/ip dns static
add address=127.0.0.1 disabled=no name=".*\\(^\\|\\.\\)utorrent\\.com" ttl=1d
add address=127.0.0.1 disabled=no name=".*\\(^\\|\\.\\)vuze\\.com" ttl=1d
add address=127.0.0.1 disabled=no name=".*\\(^\\|\\.\\)bitcomet\\.org" ttl=1d
add address=127.0.0.1 disabled=no name=".*\\(^\\|\\.\\)bitcomet\\.com" ttl=1d
add address=127.0.0.1 disabled=no name=".*\\(^\\|\\.\\)bitcomet\\.net" ttl=1d

Hope this helps.

TKITFrank · Wed Apr 28, 2010 12:09 pm

Hi,

This schools policy is to allow all ports outbound except P2P and SMTP/NETBIOS(Due to virus and spam) I have also blocked DNS outbound due to P2P so they can only access DNS from the RB1000.
My current setup for this network is a different firewall from the government firewall so they are alone on this RB1000. So I don't have to worry about restricting ports for the Government offices.

dssmiktik, Thank you! That was a nice thing with the regexp. I will try it later this week or next

Wed Apr 28, 2010 12:17 pm

Hi,

This schools policy is to allow all ports outbound except P2P and SMTP/NETBIOS(Due to virus and spam) I have also blocked DNS outbound due to P2P so they can only access DNS from the RB1000.
My current setup for this network is a different firewall from the government firewall so they are alone on this RB1000. So I don't have to worry about restricting ports for the Government offices.

dssmiktik, Thank you! That was a nice thing with the regexp. I will try it later this week or next

give him some karma

TKITFrank · Wed Apr 28, 2010 12:21 pm

Hehehe he is on the way to become Buddah!
Done

kameelperdza · Sat May 08, 2010 7:49 pm

Hi TKITFrank can you maybe post your complete config thati can use on my mikrotik to block p2p please. thank you

Reefbum · Sat May 08, 2010 11:22 pm

I use the following to help block p2p, I found this a while back searching Google for help on p2p so I can't remember where I found it.

Add Layer7

ip firewall layer7-protocol add comment="" name=p2p_www regexp="^.*(get|GET).+\
(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|\
zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"

ip firewall layer7-protocol add comment="" name=p2p_dns regexp="^.+\
(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|\
zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"

Add Firewall rules

ip firewall filter add action=drop chain=forward comment="block p2p_www" disabled=no \
layer7-protocol=p2p_www

ip firewall filter add action=drop chain=forward comment="block p2p_dns" disabled=no \
dst-port=53 layer7-protocol=p2p_dns protocol=udp

This block quite a lot of things so you may need to change to suit your needs.

robertfranz · Wed May 19, 2010 4:21 am

I took a slightly different approach:

Add source ip of nodes with traffic detected as p2p to BadBoy list for 30 minutes.

Mark subsequent traffic to/from nodes on BadBoy list as 'badboys'

Queue 'badboys' traffic pri 8 limited to 10kbps.

This method relies on the assumption that everything leaks to one extent or another.

Even with a brand new utorrent install and no torrents, starting the client results in at least one packet detected as BT.

If I wanted to be kinder, I could allow certain traffic at normal speed, but this an open ap, and my intent is to encourage the abusers to move along, and prevent their traffic from bogging down other traffic.

I'm thinking about stashing a stack of linux distros behind the counter for the first clown who complains that he can't download the latest Ubuntu iso over the wifi that we provide as a courtesy.

NetworkPro · Wed May 19, 2010 2:23 pm

You are very funny with your distros behind the counter

What if a businessman simply has forgotten to shutdown hist p2p application? And he needs to do some important business online? He will have to wait 30 minutes? He will probably do "business" with you

robertfranz · Wed May 19, 2010 2:50 pm

You are very funny with your distros behind the counter

What if a businessman simply has forgotten to shutdown hist p2p application?

Then I will kindly shut it down for him.

And he needs to do some important business online? He will have to wait 30 minutes? He will probably do "business" with you

BT use is prohibited on our public wifi.
Part of the T&C they all click through.

di9383 · Tue Jun 01, 2010 6:29 pm

I have troubles with blocking Utorrent client (version 2.0.2 if it's important). I use the rule shown above and when I look at my connections it seems so, that not all of bit-torrent connections are being recognized.
It seems so, that connection having status U (means Unreplied) are not being recognized. Also, all upload traffic comming from port 18012 in my case is also not recognized and as a result isn't being blocked. You can see it on the screenshot below. So, what is the reason and how to block p2p (specifically bit-torrent and Utorrent client)?

TKITFrank · Thu Jun 03, 2010 1:02 pm

Hi,

Sorry for my late reply I am involved in a large project right now.

Here is a little how to. You have to have defined your L7 before.

Go to the Firewall Mangle.
Create a new rule
Set it as a prerouting chain and set L7 accordingly.
Set Action Jump and Jump to target lets say p2p-traffic
Do this for all the defined L7 filters and also for the default p2p-all

Create a new rule below
Set it as a p2p-traffic chain (you will have to enter it).
Set action to mark connection and set it to lets say p2p

Go to the firewall filter
I have put it on top but this is depending on your own setup.
Create new rule
Set chain to forward and connection mark to p2p, Then action to drop or if you use jump rules set it to jump and then point to the drop rule.

Try this

martini · Thu Jun 03, 2010 1:10 pm

utorrent now use udp with its own protocol, and many p2p filters dont work - dont forget this.

TKITFrank · Thu Jun 03, 2010 1:52 pm

Hi,

Just tired the new version and it is still blocked phuuuu

di9383 · Fri Jun 04, 2010 10:08 am

Hi,

Sorry for my late reply I am involved in a large project right now.

Here is a little how to. You have to have defined your L7 before.

Go to the Firewall Mangle.
Create a new rule
Set it as a prerouting chain and set L7 accordingly.
Set Action Jump and Jump to target lets say p2p-traffic
Do this for all the defined L7 filters and also for the default p2p-all

Create a new rule below
Set it as a p2p-traffic chain (you will have to enter it).
Set action to mark connection and set it to lets say p2p

Go to the firewall filter
I have put it on top but this is depending on your own setup.
Create new rule
Set chain to forward and connection mark to p2p, Then action to drop or if you use jump rules set it to jump and then point to the drop rule.

Try this

So, according to this post all is needed to define l7 filter for bit-torrent in my case, set jump rule for this filter and default p2p filter, mangle this traffic and drop it. Am I right? If yes, I don't understand if we still need dns rules listed in your post earlier?
Also, according to this article, L7 rules have to be defined for both directions of traffaic (so we should use chain forward). In you case, you have defined L7 rule only in prerouting chain not in the postrouting. Are you shure, your config is OK? May be you just post a part of your config blocking p2p here?

TKITFrank · Fri Jun 04, 2010 10:57 am

Hi,

You still need DNS due to encryption and magnetic links.
Do the rules in the order I posted.

Make sure they are on top so no other rule bypasses the control filter.

di9383 · Fri Jun 04, 2010 3:50 pm

Well, i made as you wrote. As a result, I have all p2p connections marked and get them all into a p2p mangeled connection. But in my block filter statistic I've got only approximetly half of them blocked. And I don't actually understand why.
Also, there is another problem. Some of the p2p connections in connection statistic shown as p2p in connection field. And it is what I need. But some of them have different connection mark (I use some other mangles). p2p rules comes on the top...
Can you show you mangles for p2p and firewall rule (or rules) for blocking them. I suppose, there is a mistake for me. Thanks in advance.

PS May be I have a problem in this part. After mangle your p2p traffic you've got such rule:

chain=forward action=jump jump-target=drop connection-mark=p2p

I don't understand, what is jump-target=drop mean in this case. When I try to make such rule I have only default chains defined. So if I type myself drop in chain section, of course, it's not working. So I just drop this mangled tfaffic like this

chain=forward action=drop connection-mark=p2p

May be this is my problem (i've wrote it earlier, it seems that mangled traffic isn't blocked, or not blocked all of it)? Could you please explain this rule?

Stunherald · Wed Jun 09, 2010 7:45 am

2 TKITFrank: First of all, thanks A LOT for your "howto" (karma++ for you :p ). Second, i have a little question here.

I set all things up, but i need exclude one PC behind RB from this bittorrent blocking because it is our company bt server/client for distributing updates of our products for customers. So, i'll be happy if you can help me in this. (We have RB in our company just few days, so i learning things for now

). I tried add a "NOT Interface" rule in that drop firewall rule, but it does not help.

Here is my rules exports:

/ip firewall layer7-protocol
add comment="BitTorrent catch" name=torrent regexp=\
    "^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add comment="" name=torrent_announce regexp=^get.+announce.

/ip firewall mangle
add action=jump chain=prerouting comment=BitTorrent disabled=no jump-target=torrent_traffic layer7-protocol=torrent
add action=jump chain=prerouting comment="" disabled=no jump-target=torrent_traffic layer7-protocol=torrent_announce
add action=jump chain=prerouting comment="" disabled=no jump-target=torrent_traffic p2p=all-p2p
add action=mark-connection chain=torrent_traffic comment="" disabled=no new-connection-mark=torrent passthrough=yes

/ip firewall filter
add action=log chain=forward comment="" connection-mark=torrent disabled=no log-prefix=test_bt_drop out-interface=!Ghost
add action=drop chain=forward comment="" connection-mark=torrent disabled=no out-interface=!Ghost

Interface name: Ghost (name of the server

)
Local IP is: 192.168.4.1

BTW: One more thing ... what about that static DNS entry? I have not set that up because this static settings are for all local users so for our server too.

Thanks for answer

TKITFrank · Fri Jun 11, 2010 8:33 am

Hi,

Try to put a prerouting rule first in the mangel chain that specifics your server and then jump to a rule below these rules.
Then it should bypass but I never intended to have a bypass when I did the initial setup.

The DNS settings are required to make the full function of my blocking. If you don't use it the block will be ineffective. I don't know if there is a workaround for this.

di9383 · Fri Jun 11, 2010 2:46 pm

So what about this article? Are you shure, we don't need to put mangle rules in forward chain or use postrouting together with prerouting for correct L7 application? Will in this case those rules check the same packets twice?

One more question. How do the mangles work? The same as firewall rules or not?

TKITFrank · Fri Jun 18, 2010 1:02 pm

Correct me if I am wrong but in this case there is no need for postrouting since we only want to block it. So we need to use prerouting to catch it before all else.

The setup is to catch it not to throttle or something like that. I use mangel to mark them and to combined many rules to one. That you later can filter out in forward chain.

heviejob · Thu Sep 02, 2010 12:08 am

Trying to block p2p is really a waste of time. Best thing it prioritize traffic this way you can throttle any traffic you don't want through.

adrianatkins · Thu Sep 02, 2010 1:23 am

There is no 'answer' to P2P.

You might as well say "i want to block Internet".

The *only* solution is to control the user's bandwidth.

If they use it all up with their P2P, maybe their Skype calls will be flaky.
They learn quick.

When people buy "Internet", they expect it *all* to work.

If you sell an Email, Website (no videos) and maybe Skype service, it is very important that you sell it like that: Don't just call it "Internet", because that includes things like P2P and Streaming TV.

TKITFrank · Thu Sep 02, 2010 3:39 pm

Hi,

Trying to block p2p is really a waste of time. Best thing it prioritize traffic this way you can throttle any traffic you don't want through.

There is no 'answer' to P2P.

You might as well say "i want to block Internet".

The *only* solution is to control the user's bandwidth.

If they use it all up with their P2P, maybe their Skype calls will be flaky.
They learn quick.

When people buy "Internet", they expect it *all* to work.

If you sell an Email, Website (no videos) and maybe Skype service, it is very important that you sell it like that: Don't just call it "Internet", because that includes things like P2P and Streaming TV.

I would say that depends on what company you are working for. If it is a ISP that is true and I agree completely but if you deploy this in a company network or government where there is a policy to block it, it's a whole other matter.

To this date I don't know any way to trafficshape encrypted p2p in ROS only to block it. If you need to trafficshape it there are other products that you can buy that can fit in you Mikrotik network environment

To MikroTik Staff, If you can implement or figure out a way to let ROS detect encrypted p2p traffic in the future this would be great!
I know others have done this and I have no doubts that you can do this as well. Keep up the good work!

heviejob · Fri Sep 03, 2010 10:14 pm

I came to learn that customers will always complain even when its their fault. I have some who keep seeding torrents through out exhausting their uplink and they complain the connection is bad. If I block it they complain now am thinking of setting up a torrent server for my users where they queue torrents and fetch them from it (at a small fee) am not sure if it is wise.

fewi · Fri Sep 03, 2010 10:23 pm

That is decidedly unwise unless you plan on going through every torrent queued and research whether or not it involves a copyright violation.

heviejob · Fri Sep 03, 2010 11:08 pm

Well from this part of the world am in copyright laws are non existent so not a big worry for me. By the way can squid block torrents o\if i force transparent proxy?

Mon Sep 06, 2010 4:07 pm

It's possible to make a system very strict, but very unusable for customers. You can always redirect port 80 requests to the transparent proxy and block everything else with the firewall, but your customers might find it extreme. It depends on what kind of service you are providing. Maybe this suits you.

adrianatkins · Sat Sep 11, 2010 11:42 pm

Like i said earlier before Normis (blessed be his Name) correctly banned me temporarily :-

You Cannot Block P2P.

MT's 'all p2p' option is based on the ancient and umaintained ipp2p filter. It doesn't block all P2P - it can only match P2P traffic that it knows about.

Layer7 is brilliant. You can match loads.
But still, it cannot match any encrypyted P2P.
If it could, then it would have to crack SSL, and Internet Banking would be stopped.

The only way to control P2P is to control the User's usage effectively.

What's next ? Streaming TV on 6000 channels ?

IMHO there is simply no other way other than to Sell what you can Deliver (basically don't lie), and Control the Bandwidth for each user.

fewi · Sat Sep 11, 2010 11:54 pm

http://www.cse.chalmers.se/~johnwolf/pu ... eaking.pdf
Interesting read on protocol obfuscation and how to match obfuscated and encrypted protocols. Not something you'd do without and ASIC to recognize peer to peer, but still interesting.

adrianatkins · Sun Sep 12, 2010 12:39 am

Page seems to have gone. I guess the CIA or NSA got there quicker.

My real point is that by even *trying* to target P2P protocols, which ipp2p and L7 did, you simply force the P2P people into other Open methods like SSL.

Any New P2P programmer will (i would) say fukit: use SSL, cos then they will find it that much harder to stop it.

(Personally i'd go totally sideways, but then my left leg is shorter than my right.)

To Control stuff, you need to control all the stuff.

greek · Thu Nov 04, 2010 11:53 pm

I am sorry for my bad english.

I have one thing about additional detection bittorrent traffic.

Torrent-programs use one port for incoming connection. Part of this connection is detects by default p2p-rule of Mikrotik. (But big part not detect

)

I suggest to remember the port with connections which were detected by default p2p-rule. And shape or block all connections for this port for a while.

But how to make this script I do not know.

adrianatkins · Fri Nov 05, 2010 10:21 pm

Nothing can really stop all P2P traffic, because we have to allow some traffic, and the P2P guys are really quite clever.

If you really want to kill all P2P, you would have to :-

1. Block All traffic being forwarded thru your router.
2. Proxy DNS on the router
3. Allow port 80 connections and 433 maybe to websites you Allow (e.g. google)
4. Allow port 110
5. allow port 25 (maybe).

Not much would work properly (like clicking on a google link for example) but you would stop P2P altogether.

Probably.

greek · Sat Nov 06, 2010 1:40 am

Admins have 2 targets for p2p traffic:

1. Blocking
2. Shaping

And that targets has principial differents.

Your way is good for blocking traffic.

But it can be considered as a special case of the marking of traffic.

NetworkPro · Sat Nov 06, 2010 1:55 am

Even if you have blocking it would be a good practice to have shaping in case something gets through.

mves · Tue Jan 11, 2011 8:23 pm

Can someone make an update of blocking rules?

L7 filter
/ip firewall layer7-protocol
add comment="" name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"

I guess that this does not work quite well anymore

mves · Tue Jan 11, 2011 9:38 pm

Hi,

Just tired the new version and it is still blocked phuuuu

Well... can you do a little update on this?

TKITFrank · Fri Jan 14, 2011 8:18 am

I will check on Monday.
Have you seen traffic not being blocked?

mves · Sat Jan 15, 2011 1:26 am

I will check on Monday.
Have you seen traffic not being blocked?

Yes... so I combined a rules with port blocking. Catch is that I had to modify a bit of that since torrent sites must not be blocked and torrent usage is time limited to night and I really have no idea wth have I changed

Plus, I had to strip |d1:ad2:id20:|\\x08'7P\\)[RP] part because it blocked internet completely for some reason.
So generally, it's working to a point and I'm still in a learning mode.

TKITFrank · Mon Jan 17, 2011 9:35 am

Hi,

I have tried with utorrent 2.2 using the 2 first top100 torrent on thepiratebay.org but it is still blocked.
Have you done all the dns blocking and L7 blocking?

mves · Mon Jan 17, 2011 4:54 pm

Hi,

I have tried with utorrent 2.2 using the 2 first top100 torrent on thepiratebay.org but it is still blocked.
Have you done all the dns blocking and L7 blocking?

No, DNS is a problem since it is allowed for customers to use other DNS and torrent sites must not be blocked at all so... no DNS value added since /ip dns static add name=".*\$^\\|\\.\$utorrent\\.com" address=127.0.0.1 blocking all traffic from utorrent site, right? So I need more flexible rules that will allow torrent sites since torrents can be used from midnight.

Problem is probably with a magnetic links because there is no hits on BITTORENT and/or BITTORENT_ANNOUNCE rule on some users (only bad boys got special treatment). In most cases blocking single ports works but some bad boys have gone step further and started to rotate ports every 30 minutes.

So, this is active

L7 filter
/ip firewall layer7-protocol
add comment="" name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)"
add comment="" name=BITTORRENT_ANNOUNCE regexp=^get.+announce.

Torrent traffic goes through from tcp 1000-5000 and tcp/udp 50000-65500. In addition with that rules I simply added blocking:
all-p2p filter,
udp/tcp 6881-6999 dest,
and on some torrent users:
src tcp 1000-5000 dst 10000-65500
src tcp/udp 50000-65500 dst 10000-65500 depends of traffic goes through. On hardcore bad boys there is
src tcp/udp 10000-65500 dst 10000-65500.

Connections lower than 10000 goes through but there are few of them. And really sad part is that I can't test that rules on myself so I just seat back and watch the numbers goes through

Any suggestions?

TKITFrank · Mon Jan 17, 2011 6:38 pm

Hi,

Use the DNS entries below...
IMPORTANT!
If you don't use the dns there is no way to block magnetic links and so on.

Try this and I am sure it will work.
And a tip... skip all form of port blocking since they change port all the time. It just consumes resources and this config is resource demanding as it is i am afraid...

The DNS, L7 and p2p-all function is all you need at the moment at least.

p.s If you want some torrent sites to bypass then check those IP's and create a address list and add as a exclusion in the filter rules under mangle. d.s

Here is the config
DNS
/ip dns static
add address=127.0.0.1 disabled=no name=router.utorrent.com ttl=1d
add address=127.0.0.1 disabled=no name=dht.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vrpc.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzrpx020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzapp020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=client.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=mirror-user1.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=ip.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=jp.bitcomet.com ttl=1d
add address=127.0.0.1 disabled=no name=torrent-cache.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=inside.bitcomet.com ttl=1d
add address=127.0.0.2 disabled=no name=router.bitcomet.net ttl=1d

L7 filter
/ip firewall layer7-protocol
add comment="" name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add comment="" name=BITTORRENT_ANNOUNCE regexp=^get.+announce.

I use the L7 in the mangel rules combined with the normal Mikrotik p2p detection and add mark them as p2p and then I have a filter that blocks it.

This disables the normal tracker and the DHT and peer exchange.

Please try it and if you can find any way to get around it please let me know

p.s
You will have to disable DNS query's outbound and only allow the DNS server in the Mikrotik.
d.s

mves · Sun Jan 23, 2011 7:43 pm

Hi

I've been a bit busy lately. That's not what I need or can apply... I'm trying to do a little changes so it's in a testing faze and preliminary results are promising. So far, so good

TKITFrank · Sun Jan 23, 2011 8:06 pm

Hi,

No worries I know all about it

Okay why can you not use it? Can you be more specific? And if you have found another way to get the same results?

From what I can tell those DNS entries will not harm o disturb anything else then the creation of new torrent sessions. You will still be able to surf to the normal sites (Torrent sites).

mves · Tue Jan 25, 2011 8:15 am

Hi...
One router was constantly locking while that was active and another had tendencies to block everything while that was on so it's decided to get that entries out and to find another solution. Was that because of that, no one want's to try that again. Plus torrents are allowed to be used from midnight to 9:00 and connections remain active for some time after rules turned on and I came up with this.

So, it goes...
L7 filter
/ip firewall layer7-protocol
add comment="" name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add comment="" name=BITTORRENT_ANNOUNCE regexp=^get.+announce.

firewall (it's from winbox)
#1 (Log) src 192.168.xx.2-192.168.xx.250 on (L7) BITTORENT, action add src to address list "Torrent" 1:30 timeout and time limited 9:00 - 23:59
(You can place global logging but it will log everything, incoming, outgoing and traffic from other links so log would be almost useless)
#2 Drop dst 192.168.xx.2-192.168.xx.250 (*) on (L7) BITTORENT, time limited 9:00 - 23:59
(*) only because of testing and other links and xx means for example 11... it should be global block
#3 (Log) 192.168.xx.2-192.168.xx.250 on (L7) BITTORENT_ANNOUNCE, action add src to address list "Torrent Announce" 1:30 timeout and time limited 9:00 - 23:59
#4 Drop connections on (L7) BITTORENT_ANNOUNCE, time limited 9:00 - 23:59

And this is modification...
#5 (Log) udp src 192.168.xx.2-192.168.xx.250 dst ports 6881-6999, action add src to address list "Torrent udp" 1:30 timeout, time limited 09:05-23:55
#6 block udp dst ports 6881-6999, time limited 09:00 - 23:59
#7 (Log) tcp src 192.168.xx.2-192.168.xx.250 dst ports 6881-6999, action add src to address list "Torrent tcp" 1:30 timeout, time limited 09:05-23:55
#8 block tcp dst ports 6881-6999, time limited 09:00 - 23:59

And whatever remains active after 9:00, it will go on this. Best part is, only those logged goes through this and it's not block to everyone. Next goes...

#9 drop all-p2p ( I might also add logging on p2p-all and run logged through next 3 rules also)
#10 drop udp src 10000-65500, dst 10000-65500, address list "Torrent", time limited 09:00-23:59
Same for Torrent Announce, Torrent udp and Torrent tcp address lists
#11 drop tcp src 10000-65500, dst 10000-65500, address list "Torrent", time limited 09:00-23:59
Same for Torrent Announce, Torrent udp and Torrent tcp address lists
#12 drop tcp src 1000-5000, dst 10000-65500, address list "Torrent", time limited 09:00-23:59
Same for Torrent Announce and Torrent tcp address lists. No need for torrent udp on this one

Also, it would be a good idea to place before all of this
accept udp/tcp src 27000-27050,28960 dst 27000-27050,28960 for cod and cs

You can also add drop tcp dst 6346-6347 for gnutella.

So, whatever got through is not that big problem. Who ever is smart enough to get around this is hopefully smart enough not to open million connections to get easily detected. With this I can also catch the ones with encrypted tracker because it will eventually trigger one of these rules. If not, there's always good ol' boring port blocking but so far i didn't had to do that where ever is that active. Also, I've got a list of troublemakers this way. And just to mention... I'm a total beginner on this

mwarren77 · Tue Jan 25, 2011 3:48 pm

Be careful in blocking services as the new Net Neutrality bill was released in December which states we are not allowed to block services and have to allow a reasonable speed.. I disagree with it totally but not all torrent and peer-to-peer is illegal.

mves · Tue Jan 25, 2011 6:59 pm

Be careful in blocking services as the new Net Neutrality bill was released in December which states we are not allowed to block services and have to allow a reasonable speed.. I disagree with it totally but not all torrent and peer-to-peer is illegal.

As far as I know, Germany for example banned p2p completely. P2P on my network is blocked over the day because of the quality of the internet and other services of the other users. So torrents Vs online gaming... Who'll kill who? It's not about piracy at all. It's simply technical and nature of P2P clients and we would all like that there is no need for that. And, almost every user have it's own public IP so there are no problems with download from megaupload, rapidshare, fileserve and other file servers. And, to allow that many users suffer because of few irresponsible that simply want to get some porn movie from p2p? For other example, wow uses p2p for update. It's not forbidden to do that or to download anything else from p2p... only do that over the night so it won't affect other users.

Wed Jan 26, 2011 9:14 am

Why would it affect other users if you have normal QoS set up? If one guy has 1Mbit, let him use it however he wants, even if it's all 1Mbit with P2P other users will not be affected.

TKITFrank · Wed Jan 26, 2011 10:27 am

mves,

How about using the setup I said and create a script that enables static dns and so on at the mornings and then deactivates them things at night?

mves · Wed Jan 26, 2011 3:15 pm

Hi...
TKITFrank, well, I might try that on a test zone... Can you give me a winbox guidance how to set that script correctly?

But last time that setup did some trouble however.

@normis... we don't talk here about 2 or 3 users. It's a wide spread network. But, please tell me your idea and how to set that. It might be applied in a future period

Wed Jan 26, 2011 3:16 pm

http://www.tiktube.com/index.php?video=247
http://mum.mikrotik.com/presentations/U ... is_qos.pdf

semihgeek · Wed Jan 26, 2011 4:29 pm

Hey
So the latest configuration is

/ip dns static
add address=127.0.0.1 disabled=no name=router.utorrent.com ttl=1d
add address=127.0.0.1 disabled=no name=dht.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vrpc.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzrpx020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzapp020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=client.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=mirror-user1.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=ip.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=jp.bitcomet.com ttl=1d
add address=127.0.0.1 disabled=no name=torrent-cache.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=inside.bitcomet.com ttl=1d
add address=127.0.0.2 disabled=no name=router.bitcomet.net ttl=1d

L7 filter
/ip firewall layer7-protocol
add comment="" name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add comment="" name=BITTORRENT_ANNOUNCE regexp=^get.+announce.

Am I RIGHT?

mves · Wed Jan 26, 2011 7:02 pm

http://www.tiktube.com/index.php?video=247
http://mum.mikrotik.com/presentations/U ... is_qos.pdf

So, in my case, priority 1 should have online gaming (cod, cs, wow...) and voip, http and https priority 2, download priority 4 and the rest (p2p) priority 8 ?

And, in case that p2p be allowed during a day with qos setting... what will prevent p2p user to set his client to try to open 100 or more connections? I am a bit a beginner but we were all learned that p2p is a killer of 2.4 ghz wifi and so far it was quite true.

prince90s · Wed Jan 26, 2011 7:19 pm

/ip firewall mangle 
add protocol=tcp dst-port=80 connection-bytes=500000-0 connection-rate=70000-10000000 
    action=mark-connection new-connection- mark=dowm_conn
add chain=prerouting content=.7z action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.avi action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.exe action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.f4v action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.flv action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.iso action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mov action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mp3 action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mp4 action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mpg action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.pdf action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.rar action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.rmvb action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.rm action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.wav action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.wma action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.zip action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.3gp action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting protocol=tcp src-port=21 action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="FTP" disabled=no 
add chain=prerouting protocol=tcp src-port=22 packet-size=1400-1500 \
    action=mark-connection new-connection-mark=dowm_conn passthrough=yes \
    comment="SFTP" disabled=no

semihgeek · Wed Jan 26, 2011 7:21 pm

http://www.tiktube.com/index.php?video=247
http://mum.mikrotik.com/presentations/U ... is_qos.pdf
So, in my case, priority 1 should have online gaming (cod, cs, wow...) and voip, http and https priority 2, download priority 4 and the rest (p2p) priority 8 ?

And, in case that p2p be allowed during a day with qos setting... what will prevent p2p user to set his client to try to open 100 or more connections? I am a bit a beginner but we were all learned that p2p is a killer of 2.4 ghz wifi and so far it was quite true.

yes you're right. some torrent programs are working on port 80.Like Xunlei Thunder.It can not be blocked.
If you can not block limit that.

mves · Wed Jan 26, 2011 8:03 pm

http://www.tiktube.com/index.php?video=247
http://mum.mikrotik.com/presentations/U ... is_qos.pdf
So, in my case, priority 1 should have online gaming (cod, cs, wow...) and voip, http and https priority 2, download priority 4 and the rest (p2p) priority 8 ?

And, in case that p2p be allowed during a day with qos setting... what will prevent p2p user to set his client to try to open 100 or more connections? I am a bit a beginner but we were all learned that p2p is a killer of 2.4 ghz wifi and so far it was quite true.
yes you're right. some torrent programs are working on port 80.Like Xunlei Thunder.It can not be blocked.
If you can not block limit that.

Maybe

Even utorrent with encrypted tracker from some private torrents can bypass many things but it has a weakness. In that case it will make connections on tcp from src 1000-5000 dst 10000-65500 (usually) and it will use a fixed listening port for incoming connections. Also, bittorent clients using dst ports 6881-6999 on tcp/udp so most of it can be traced. And xunlei, dst ports are http or tracker are on port 80?

semihgeek · Wed Jan 26, 2011 8:14 pm

I am not sure and I am begineer at networking but when you started xunlei you can feel the high load on your network.I read some articles on the net about xunlei.It says that program is working on port 80.That's why the fastest torrent client in the world

semihgeek · Wed Jan 26, 2011 8:17 pm

/ip firewall mangle 
add protocol=tcp dst-port=80 connection-bytes=500000-0 connection-rate=70000-10000000 
    action=mark-connection new-connection- mark=dowm_conn
add chain=prerouting content=.7z action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.avi action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.exe action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.f4v action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.flv action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.iso action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mov action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mp3 action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mp4 action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mpg action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.pdf action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.rar action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.rmvb action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.rm action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.wav action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.wma action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.zip action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.3gp action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting protocol=tcp src-port=21 action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="FTP" disabled=no 
add chain=prerouting protocol=tcp src-port=22 packet-size=1400-1500 \
    action=mark-connection new-connection-mark=dowm_conn passthrough=yes \
    comment="SFTP" disabled=no

Prince90s
Is it for QoS?

erich5470 · Wed Jan 26, 2011 10:07 pm

Blocking P2P.... Is this method for blocking X-Box, Playstation and other online gaming?. I would like to block online gaming of XBox and PS and other oline gaming in those categories due to bandwidth consumption. Although, I would like to leave open the option for my users to be able to connect to my win2003 server to download media files such as my library of movies, tv show, and music.

CCDKP · Sat Jan 29, 2011 1:04 am

I am currently working on implementing a P2P throttling implementation for a school's open Wifi. Reading mves's posts got me thinking and I wanted to bounce the idea off some people while I am getting it working.

I am starting with a blacklist similar to what mves suggested. If I detect p2p traffic, they get added to a list for 30/60 minutes, which then puts them in a very very slow queue. The theory being that any false positive will quickly fall off the list, while repeat offenders will keep themselves on it. I have elected for throttling as opposed to blocking due to tracking issues. It seems that most of the P2P clients that support advanced encryption and filter bypass technologies start off with the old, easy to track, methods, then fall back to more resourceful methodologies as they get blocked. By allowing them through at a greatly reduced rate, I keep the protocols where I can find them and manage them.

This is designed to run on RB450G hardware and layer 7 filtering isn't very practical due to CPU limitations, so I have been looking for alternatives, which lead me to 2 ideas.

The first is to use TKITFrank's DNS filtering for torrent peers. I use DNS redirection to enforce it:

/ip firewall nat
add chain=dstnat dst-address=<Router LAN IP> in-interface=!ether1-WAN dst-port=53 protocol=tcp action=dst-nat to-addresses=<Router LAN IP>
add chain=dstnat dst-address=<Router LAN IP> in-interface=!ether1-WAN dst-port=53 protocol=udp action=dst-nat to-addresses=<Router LAN IP>

Instead of redirecting the DNS entries to 127.0.0.1, I set them to a Bogon IP. such as 203.0.113.253, which should never generate any valid traffic on it's own.
I then listen for request to 203.0.113.253, and put the source on the perpetrator list.
In my testing, uTorrent periodically checks the router servers, so even if a user managed to get an encrypted torrent stream past detection, the client will eventually try to check in again and the user will get flagged.

The second idea is a bit more theoretical at this point, or at least until i can figure out connection-limit a little better. The idea is that most p2p clients end up using a large number of UDP connections, usually involving very high port ranges, while legitimate traffic keeps relatively small numbers (less than 8 or so). If a user has something like 40 UDP streams (not including DNS), they are either hosting a game/VoIP server (something they can't really do on a public wifi anyway), or it's P2P. While this looks good on paper, I am not sure how practical it will be. If anyone with experience on connection-limit and udp would like to offer some input, I would appreciate it.

Once I get everything running, I will gladly post the config, since this thread is one of the few solid sources of p2p tracking in Mikrotik routers. It has been an invaluable resource for me while learning this. Thanks.

@CC_DKP

prince90s · Sat Jan 29, 2011 9:04 am

[/quote]

/ip firewall mangle 
add protocol=tcp dst-port=80 connection-bytes=500000-0 connection-rate=70000-10000000 
    action=mark-connection new-connection- mark=dowm_conn
add chain=prerouting content=.7z action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.avi action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.exe action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.f4v action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.flv action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.iso action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mov action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mp3 action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mp4 action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mpg action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.pdf action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.rar action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.rmvb action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.rm action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.wav action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.wma action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.zip action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.3gp action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting protocol=tcp src-port=21 action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="FTP" disabled=no 
add chain=prerouting protocol=tcp src-port=22 packet-size=1400-1500 \
    action=mark-connection new-connection-mark=dowm_conn passthrough=yes \
    comment="SFTP" disabled=no

[/quote]

Prince90s
Is it for QoS?[/quote]

sure,it is useful.and u look this.

/ip firewall mangle
add protocol=tcp dst-port=80 connection-bytes=500000-0 connection-rate=70000-10000000 action=mark-connection new-connection-mark=heavy

erich5470 · Sun Jan 30, 2011 8:41 pm

awesome... thanks.

TKITFrank · Tue Feb 01, 2011 12:57 pm

I am currently working on implementing a P2P throttling implementation for a school's open Wifi. Reading mves's posts got me thinking and I wanted to bounce the idea off some people while I am getting it working.

I am starting with a blacklist similar to what mves suggested. If I detect p2p traffic, they get added to a list for 30/60 minutes, which then puts them in a very very slow queue. The theory being that any false positive will quickly fall off the list, while repeat offenders will keep themselves on it. I have elected for throttling as opposed to blocking due to tracking issues. It seems that most of the P2P clients that support advanced encryption and filter bypass technologies start off with the old, easy to track, methods, then fall back to more resourceful methodologies as they get blocked. By allowing them through at a greatly reduced rate, I keep the protocols where I can find them and manage them.

This is designed to run on RB450G hardware and layer 7 filtering isn't very practical due to CPU limitations, so I have been looking for alternatives, which lead me to 2 ideas.

The first is to use TKITFrank's DNS filtering for torrent peers. I use DNS redirection to enforce it:
Code: Select all
/ip firewall nat
add chain=dstnat dst-address=<Router LAN IP> in-interface=!ether1-WAN dst-port=53 protocol=tcp action=dst-nat to-addresses=<Router LAN IP>
add chain=dstnat dst-address=<Router LAN IP> in-interface=!ether1-WAN dst-port=53 protocol=udp action=dst-nat to-addresses=<Router LAN IP>
Instead of redirecting the DNS entries to 127.0.0.1, I set them to a Bogon IP. such as 203.0.113.253, which should never generate any valid traffic on it's own.
I then listen for request to 203.0.113.253, and put the source on the perpetrator list.
In my testing, uTorrent periodically checks the router servers, so even if a user managed to get an encrypted torrent stream past detection, the client will eventually try to check in again and the user will get flagged.

The second idea is a bit more theoretical at this point, or at least until i can figure out connection-limit a little better. The idea is that most p2p clients end up using a large number of UDP connections, usually involving very high port ranges, while legitimate traffic keeps relatively small numbers (less than 8 or so). If a user has something like 40 UDP streams (not including DNS), they are either hosting a game/VoIP server (something they can't really do on a public wifi anyway), or it's P2P. While this looks good on paper, I am not sure how practical it will be. If anyone with experience on connection-limit and udp would like to offer some input, I would appreciate it.

Once I get everything running, I will gladly post the config, since this thread is one of the few solid sources of p2p tracking in Mikrotik routers. It has been an invaluable resource for me while learning this. Thanks.

@CC_DKP

Hi, I thing you are on to something here

Please let us know how this is working.
I would however skip the static ports for torrents and go with the all-p2p and the L7 filter to add them in a address list. To me static ports is to unreliable. The 450G is pretty fast and you can run it @800Mhz? Have you tried it @ that speed and seen how much it uses the CPU?
Anyhow as I said before let us know how it is working.

@Normis
Can you perhaps make some sticky threads? one for blocking p2p and one for throttling p2p?

Benygh · Thu Feb 03, 2011 6:55 pm

lots of command lines and no absolute working command !?

i just want to drop un-encrypted torrent connections so i used the first command in the post which was :
ip firewall filter add chain=forward p2p=all-p2p action=drop

and it just adds a firewall rule that DOESN'T Work either ...

is there any clean, working command so that i could use in order to drop these TORRENT connections ?!

for your information: i'm using this routeros as a VPN Routing server which is enabled for PPTP and L2TP ....

bax · Fri Feb 04, 2011 5:16 pm

lots of command lines and no absolute working command !?

i just want to drop un-encrypted torrent connections so i used the first command in the post which was :
ip firewall filter add chain=forward p2p=all-p2p action=drop

and it just adds a firewall rule that DOESN'T Work either ...

is there any clean, working command so that i could use in order to drop these TORRENT connections ?!

for your information: i'm using this routeros as a VPN Routing server which is enabled for PPTP and L2TP ....

But guys is telling you that is almost imposible to block all torents ... unless you turn off all internet ... beacause torent can use any port like 80 ... why just make good QOS and leave it on ?

Here is my way which is colected here in forum or in wiki , and adapted by me for my situation.
This was usable for everybody and is working OK:
So first is L7 :

/ip firewall layer7-protocol
add comment="eDonkey2000 - P2P filesharing" name=edonkey regexp="^[\\xc5\\xd4\
    \\xe3-\\xe5].\?.\?.\?.\?([\\x01\\x02\\x05\\x14\\x15\\x16\\x18\\x19\\x1a\\x\
    1b\\x1c\\x20\\x21\\x32\\x33\\x34\\x35\\x36\\x38\\x40\\x41\\x42\\x43\\x46\\\
    x47\\x48\\x49\\x4a\\x4b\\x4c\\x4d\\x4e\\x4f\\x50\\x51\\x52\\x53\\x54\\x55\
    \\x56\\x57\\x58[\\x60\\x81\\x82\\x90\\x91\\x93\\x96\\x97\\x98\\x99\\x9a\\x\
    9b\\x9c\\x9e\\xa0\\xa1\\xa2\\xa3\\xa4]|\\x59................\?[ -~]|\\x96.\
    ...\$)"
add comment="" name=gnutella regexp="^(gnd[\\x01\\x02]\?.\?.\?\\x01|gnutella c\
    onnect/[012]\\.[0-9]\\x0d\\x0a|get /uri-res/n2r\\\?urn:sha1:|get /.*user-a\
    gent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|g\
    et /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|q\
    ueue [0-9a-f]* [1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-\
    9]\?\\.[1-9][0-9]\?[0-9]\?:[1-9][0-9]\?[0-9]\?[0-9]\?|gnutella.*content-ty\
    pe: application/x-gnutella|...................\?lime)"
add comment="CVS - Concurrent Versions System" name=cvs regexp=\
    "^BEGIN (AUTH|VERIFICATION|GSSAPI) REQUEST\\x0a"
add comment="" name=nbns regexp=\
    "\\x01\\x10\\x01|\\)\\x10\\x01\\x01|0\\x10\\x01"
add comment="" name=shoutcast regexp="^get /.*icy-metadata:1|icy [1-5][0-9][0-\
    9] [\\x09-\\x0d -~]*(content-type:audio|icy-)"
add comment="DNS - Domain Name System - RFC 1035" name=dns regexp="^.\?.\?.\?.\
    \?[\\x01\\x02].\?.\?.\?.\?.\?.\?[\\x01-\?][a-z0-9][\\x01-\?a-z]*[\\x02-\\x\
    06][a-z][a-z][fglmoprstuvz]\?[aeop]\?(um)\?[\\x01-\\x10\\x1c][\\x01\\x03\\\
    x04\\xFF]"
add comment="" name=quake-halflife regexp=\
    "^\\xff\\xff\\xff\\xffget(info|challenge)"
add comment="" name=x11 regexp="^[lb].\?\\x0b\r\
    \nuserspace pattern=^[lB].\?\\x0b\r\
    \nuserspace flags=REG_NOSUB"
add comment="" name=rlogin regexp=\
    "^[a-z][a-z0-9][a-z0-9]+/[1-9][0-9]\?[0-9]\?[0-9]\?00"
add comment="" name=http regexp="http/(0\\.9|1\\.0|1\\.1) [1-5][0-9][0-9] [\\x\
    09-\\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\\x09\
    -\\x0d -~]* http/[01]\\.[019]"
add comment="" name=sip1 regexp=\
    "^(invite|register|cancel) sip[\t-\r -~]*sip/[0-2]\\.[0-9]"
add comment="" name=pop3 regexp="^(\\+ok |-err )"
add comment="" name=smb regexp="\\xffsmb[\\x72\\x25]"
add comment="" name=ssh regexp="^ssh-[12]\\.[0-9]"
add comment="" name=jabber regexp=\
    "<stream:stream[\t-\r ][ -~]*[\t-\r ]xmlns=['\"]jabber"
add comment="Bittorrent - P2P filesharing / publishing tool " name=bittorrent \
    regexp=\
    "^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=)"
add comment="" name=ncp regexp=\
    "^(dmdt.*\\x01.*(\"\"|\\x11\\x11|uu)|tncp.*33)"
add comment="Direct Connect - P2P filesharing" name=directconnect regexp=\
    "^(\\\$mynick |\\\$lock |\\\$key )"
add comment="" name=netbios regexp="\\x81.\?.\?.[A-P][A-P][A-P][A-P][A-P][A-P]\
    [A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P\
    ][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-\
    P][A-P][A-P][A-P][A-P]"
add comment="" name=tftp regexp="^(\\x01|\\x02)[ -~]*(netascii|octet|mail)"
add comment="" name=doom3 regexp="^\\xff\\xffchallenge"
add comment="FTP - File Transfer Protocol - RFC 959" name=ftp regexp=\
    "^220[\\x09-\\x0d -~\\x80-\\xfd]*ftp"
add comment="TSP - Berkely UNIX Time Synchronization Protocol" name=tsp \
    regexp="^[\\x01-\\x13\\x16-\$]\\x01.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?[ -~]+"
add comment="" name=ssdp regexp="^notify[\\x09-\\x0d ]\\*[\\x09-\\x0d ]http/1\
    \\.1[\\x09-\\x0d -~]*ssdp:(alive|byebye)|^m-search[\\x09-\\x0d ]\\*[\\x09-\
    \\x0d ]http/1\\.1[\\x09-\\x0d -~]*ssdp:discover"
add comment="" name=imap regexp="^(\\* ok|a[0-9]+ noop)"
add comment="Ares - P2P filesharing " name=ares regexp=\
    "^\\x03[]Z].\?.\?\\x05\$"
add comment=\
    "FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc)" \
    name=fasttrack regexp="^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ \
    -~]|/.network[ -~]*|/.files|/.hash=[0-9a-f]*/[ -~]*) http/1.1|user-agent: \
    kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^g\
    ive [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]\?[0-9]\?[0-9]\?"
add comment="" name=qq regexp="^.\?.\?\\x02.+\\x03\$"
add comment="" name=msn-filetransfer regexp=\
    "^(ver [ -~]*msnftp\\x0d\\x0aver msnftp\\x0d\\x0ausr|method msnmsgr:)"
add comment="" name=yahoo regexp=\
    "^(ymsg|ypns|yhoo).\?.\?.\?.\?.\?.\?.\?[lwt].*\\xc0\\x80"
add comment="" name=ntp regexp="^([\\x13\\x1b\\x23\\xd3\\xdb\\xe3]|[\\x14\\x1c\
    \$].......\?.\?.\?.\?.\?.\?.\?.\?.\?[\\xc6-\\xff])"
add comment="" name=gnucleuslan regexp="gnuclear connect/[\\x09-\\x0d -~]*user\
    -agent: gnucleus [\\x09-\\x0d -~]*lan:"
add comment="" name=vnc regexp="^rfb 00[1-9]\\.00[0-9]\\x0a\$"
add comment="BGP - Border Gateway Protocol - RFC 1771" name=bgp regexp="^\\xff\
    \\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xf\
    f..\?\\x01[\\x03\\x04]"
add comment="" name=openft regexp="x-openftalias: [-)(0-9a-z ~.]"
add comment="" name=h323 regexp=\
    "^\\x03..\?\\x08...\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?\\x05"
add comment="Finger - User information server - RFC 1288" name=finger regexp="\
    ^[a-z][a-z0-9\\-_]+|login: [\\x09-\\x0d -~]* name: [\\x09-\\x0d -~]* Direc\
    tory:"
add comment="" name=ident regexp="^[1-9][0-9]\?[0-9]\?[0-9]\?[0-9]\?[\\x09-\\x\
    0d]*,[\\x09-\\x0d]*[1-9][0-9]\?[0-9]\?[0-9]\?[0-9]\?(\\x0d\\x0a|[\\x0d\\x0\
    a])\?\$"
add comment="" name=gkrellm regexp="^gkrellm [23].[0-9].[0-9]\\x0a\$"
add comment="" name=hddtemp regexp=\
    "^\\|/dev/[a-z][a-z][a-z]\\|[0-9a-z]*\\|[0-9][0-9]\\|[cfk]\\|"
add comment="" name=socks regexp="\\x05[\\x01-\\x08]*\\x05[\\x01-\\x08]\?.*\\x\
    05[\\x01-\\x03][\\x01\\x03].*\\x05[\\x01-\\x08]\?[\\x01\\x03]"
add comment="Biff - new mail notification" name=biff regexp=\
    "^[a-z][a-z0-9]+@[1-9][0-9]+\$"
add comment="DHCP - Dynamic Host Configuration Protocol - RFC 1541" name=dhcp \
    regexp="^[\\x01\\x02][\\x01- ]\\x06.*c\\x82sc"
add comment="" name=ipp regexp=ipp://
add comment="" name=msnmessenger regexp="ver [0-9]+ msnp[1-9][0-9]\? [\\x09-\\\
    x0d -~]*cvr0\\x0d\\x0a\$|usr 1 [!-~]+ [0-9. ]+\\x0d\\x0a\$|ans 1 [!-~]+ [0\
    -9. ]+\\x0d\\x0a\$"
add comment="" name=irc regexp="^(nick[\\x09-\\x0d -~]*user[\\x09-\\x0d -~]*:|\
    user[\\x09-\\x0d -~]*:[\\x02-\\x0d -~]*nick[\\x09-\\x0d -~]*\\x0d\\x0a)"
add comment="" name=gopher regexp="^[\\x09-\\x0d]*[1-9,+tgi][\\x09-\\x0d -~]*\
    \\x09[\\x09-\\x0d -~]*\\x09[a-z0-9.]*\\.[a-z][a-z].\?.\?\\x09[1-9]"
add comment="" name=telnet regexp=\
    "^\\xff[\\xfb-\\xfe].\\xff[\\xfb-\\xfe].\\xff[\\xfb-\\xfe]"
add comment="" name=nntp regexp=\
    "^(20[01][\\x09-\\x0d -~]*AUTHINFO USER|20[01][\\x09-\\x0d -~]*news)"
add comment="" name=rtsp regexp="rtsp/1.0 200 ok"
add comment="" name=skypeout regexp="^(\\x01.\?.\?.\?.\?.\?.\?.\?.\?\\x01|\\x0\
    2.\?.\?.\?.\?.\?.\?.\?.\?\\x02|\\x03.\?.\?.\?.\?.\?.\?.\?.\?\\x03|\\x04.\?\
    .\?.\?.\?.\?.\?.\?.\?\\x04|\\x05.\?.\?.\?.\?.\?.\?.\?.\?\\x05|\\x06.\?.\?.\
    \?.\?.\?.\?.\?.\?\\x06|\\x07.\?.\?.\?.\?.\?.\?.\?.\?\\x07|\\x08.\?.\?.\?.\
    \?.\?.\?.\?.\?\\x08|\\x09.\?.\?.\?.\?.\?.\?.\?.\?\\x09|\\x0a.\?.\?.\?.\?.\
    \?.\?.\?.\?\\x0a|\\x0b.\?.\?.\?.\?.\?.\?.\?.\?\\x0b|\\x0c.\?.\?.\?.\?.\?.\
    \?.\?.\?\\x0c|\\x0d.\?.\?.\?.\?.\?.\?.\?.\?\\x0d|\\x0e.\?.\?.\?.\?.\?.\?.\
    \?.\?\\x0e|\\x0f.\?.\?.\?.\?.\?.\?.\?.\?\\x0f|\\x10.\?.\?.\?.\?.\?.\?.\?.\
    \?\\x10|\\x11.\?.\?.\?.\?.\?.\?.\?.\?\\x11|\\x12.\?.\?.\?.\?.\?.\?.\?.\?\\\
    x12|\\x13.\?.\?.\?.\?.\?.\?.\?.\?\\x13|\\x14.\?.\?.\?.\?.\?.\?.\?.\?\\x14|\
    \\x15.\?.\?.\?.\?.\?.\?.\?.\?\\x15|\\x16.\?.\?.\?.\?.\?.\?.\?.\?\\x16|\\x1\
    7.\?.\?.\?.\?.\?.\?.\?.\?\\x17|\\x18.\?.\?.\?.\?.\?.\?.\?.\?\\x18|\\x19.\?\
    .\?.\?.\?.\?.\?.\?.\?\\x19|\\x1a.\?.\?.\?.\?.\?.\?.\?.\?\\x1a|\\x1b.\?.\?.\
    \?.\?.\?.\?.\?.\?\\x1b|\\x1c.\?.\?.\?.\?.\?.\?.\?.\?\\x1c|\\x1d.\?.\?.\?.\
    \?.\?.\?.\?.\?\\x1d|\\x1e.\?.\?.\?.\?.\?.\?.\?.\?\\x1e|\\x1f.\?.\?.\?.\?.\
    \?.\?.\?.\?\\x1f|\\x20.\?.\?.\?.\?.\?.\?.\?.\?\\x20|\\x21.\?.\?.\?.\?.\?.\
    \?.\?.\?\\x21|\\x22.\?.\?.\?.\?.\?.\?.\?.\?\\x22|\\x23.\?.\?.\?.\?.\?.\?.\
    \?.\?\\x23|\\\$.\?.\?.\?.\?.\?.\?.\?.\?\\\$|\\x25.\?.\?.\?.\?.\?.\?.\?.\?\
    \\x25|\\x26.\?.\?.\?.\?.\?.\?.\?.\?\\x26|\\x27.\?.\?.\?.\?.\?.\?.\?.\?\\x2\
    7|\\(.\?.\?.\?.\?.\?.\?.\?.\?\\(|\\).\?.\?.\?.\?.\?.\?.\?.\?\\)|\\*.\?.\?.\
    \?.\?.\?.\?.\?.\?\\*|\\+.\?.\?.\?.\?.\?.\?.\?.\?\\+|\\x2c.\?.\?.\?.\?.\?.\
    \?.\?.\?\\x2c|\\x2d.\?.\?.\?.\?.\?.\?.\?.\?\\x2d|\\..\?.\?.\?.\?.\?.\?.\?.\
    \?\\.|\\x2f.\?.\?.\?.\?.\?.\?.\?.\?\\x2f|\\x30.\?.\?.\?.\?.\?.\?.\?.\?\\x3\
    0|\\x31.\?.\?.\?.\?.\?.\?.\?.\?\\x31|\\x32.\?.\?.\?.\?.\?.\?.\?.\?\\x32|\\\
    x33.\?.\?.\?.\?.\?.\?.\?.\?\\x33|\\x34.\?.\?.\?.\?.\?.\?.\?.\?\\x34|\\x35.\
    \?.\?.\?.\?.\?.\?.\?.\?\\x35|\\x36.\?.\?.\?.\?.\?.\?.\?.\?\\x36|\\x37.\?.\
    \?.\?.\?.\?.\?.\?.\?\\x37|\\x38.\?.\?.\?.\?.\?.\?.\?.\?\\x38|\\x39.\?.\?.\
    \?.\?.\?.\?.\?.\?\\x39|\\x3a.\?.\?.\?.\?.\?.\?.\?.\?\\x3a|\\x3b.\?.\?.\?.\
    \?.\?.\?.\?.\?\\x3b|\\x3c.\?.\?.\?.\?.\?.\?.\?.\?\\x3c|\\x3d.\?.\?.\?.\?.\
    \?.\?.\?.\?\\x3d|\\x3e.\?.\?.\?.\?.\?.\?.\?.\?\\x3e|\\\?.\?.\?.\?.\?.\?.\?\
    .\?.\?\\\?|\\x40.\?.\?.\?.\?.\?.\?.\?.\?\\x40|\\x41.\?.\?.\?.\?.\?.\?.\?.\
    \?\\x41|\\x42.\?.\?.\?.\?.\?.\?.\?.\?\\x42|\\x43.\?.\?.\?.\?.\?.\?.\?.\?\\\
    x43|\\x44.\?.\?.\?.\?.\?.\?.\?.\?\\x44|\\x45.\?.\?.\?.\?.\?.\?.\?.\?\\x45|\
    \\x46.\?.\?.\?.\?.\?.\?.\?.\?\\x46|\\x47.\?.\?.\?.\?.\?.\?.\?.\?\\x47|\\x4\
    8.\?.\?.\?.\?.\?.\?.\?.\?\\x48|\\x49.\?.\?.\?.\?.\?.\?.\?.\?\\x49|\\x4a.\?\
    .\?.\?.\?.\?.\?.\?.\?\\x4a|\\x4b.\?.\?.\?.\?.\?.\?.\?.\?\\x4b|\\x4c.\?.\?.\
    \?.\?.\?.\?.\?.\?\\x4c|\\x4d.\?.\?.\?.\?.\?.\?.\?.\?\\x4d|\\x4e.\?.\?.\?.\
    \?.\?.\?.\?.\?\\x4e|\\x4f.\?.\?.\?.\?.\?.\?.\?.\?\\x4f|\\x50.\?.\?.\?.\?.\
    \?.\?.\?.\?\\x50|\\x51.\?.\?.\?.\?.\?.\?.\?.\?\\x51|\\x52.\?.\?.\?.\?.\?.\
    \?.\?.\?\\x52|\\x53.\?.\?.\?.\?.\?.\?.\?.\?\\x53|\\x54.\?.\?.\?.\?.\?.\?.\
    \?.\?\\x54|\\x55.\?.\?.\?.\?.\?.\?.\?.\?\\x55|\\x56.\?.\?.\?.\?.\?.\?.\?.\
    \?\\x56|\\x57.\?.\?.\?.\?.\?.\?.\?.\?\\x57|\\x58.\?.\?.\?.\?.\?.\?.\?.\?\\\
    x58|\\x59.\?.\?.\?.\?.\?.\?.\?.\?\\x59|\\x5a.\?.\?.\?.\?.\?.\?.\?.\?\\x5a|\
    \\[.\?.\?.\?.\?.\?.\?.\?.\?\\[|\\\\.\?.\?.\?.\?.\?.\?.\?.\?\\\\|\\].\?.\?.\
    \?.\?.\?.\?.\?.\?\\]|\\^.\?.\?.\?.\?.\?.\?.\?.\?\\^|\\x5f.\?.\?.\?.\?.\?.\
    \?.\?.\?\\x5f|\\x60.\?.\?.\?.\?.\?.\?.\?.\?\\x60|\\x61.\?.\?.\?.\?.\?.\?.\
    \?.\?\\x61|\\x62.\?.\?.\?.\?.\?.\?.\?.\?\\x62|\\x63.\?.\?.\?.\?.\?.\?.\?.\
    \?\\x63|\\x64.\?.\?.\?.\?.\?.\?.\?.\?\\x64|\\x65.\?.\?.\?.\?.\?.\?.\?.\?\\\
    x65|\\x66.\?.\?.\?.\?.\?.\?.\?.\?\\x66|\\x67.\?.\?.\?.\?.\?.\?.\?.\?\\x67|\
    \\x68.\?.\?.\?.\?.\?.\?.\?.\?\\x68|\\x69.\?.\?.\?.\?.\?.\?.\?.\?\\x69|\\x6\
    a.\?.\?.\?.\?.\?.\?.\?.\?\\x6a|\\x6b.\?.\?.\?.\?.\?.\?.\?.\?\\x6b|\\x6c.\?\
    .\?.\?.\?.\?.\?.\?.\?\\x6c|\\x6d.\?.\?.\?.\?.\?.\?.\?.\?\\x6d|\\x6e.\?.\?.\
    \?.\?.\?.\?.\?.\?\\x6e|\\x6f.\?.\?.\?.\?.\?.\?.\?.\?\\x6f|\\x70.\?.\?.\?.\
    \?.\?.\?.\?.\?\\x70|\\x71.\?.\?.\?.\?.\?.\?.\?.\?\\x71|\\x72.\?.\?.\?.\?.\
    \?.\?.\?.\?\\x72|\\x73.\?.\?.\?.\?.\?.\?.\?.\?\\x73|\\x74.\?.\?.\?.\?.\?.\
    \?.\?.\?\\x74|\\x75.\?.\?.\?.\?.\?.\?.\?.\?\\x75|\\x76.\?.\?.\?.\?.\?.\?.\
    \?.\?\\x76|\\x77.\?.\?.\?.\?.\?.\?.\?.\?\\x77|\\x78.\?.\?.\?.\?.\?.\?.\?.\
    \?\\x78|\\x79.\?.\?.\?.\?.\?.\?.\?.\?\\x79|\\x7a.\?.\?.\?.\?.\?.\?.\?.\?\\\
    x7a|\\{.\?.\?.\?.\?.\?.\?.\?.\?\\{|\\|.\?.\?.\?.\?.\?.\?.\?.\?\\||\\}.\?.\
    \?.\?.\?.\?.\?.\?.\?\\}|\\x7e.\?.\?.\?.\?.\?.\?.\?.\?\\x7e|\\x7f.\?.\?.\?.\
    \?.\?.\?.\?.\?\\x7f|\\x80.\?.\?.\?.\?.\?.\?.\?.\?\\x80|\\x81.\?.\?.\?.\?.\
    \?.\?.\?.\?\\x81|\\x82.\?.\?.\?.\?.\?.\?.\?.\?\\x82|\\x83.\?.\?.\?.\?.\?.\
    \?.\?.\?\\x83|\\x84.\?.\?.\?.\?.\?.\?.\?.\?\\x84|\\x85.\?.\?.\?.\?.\?.\?.\
    \?.\?\\x85|\\x86.\?.\?.\?.\?.\?.\?.\?.\?\\x86|\\x87.\?.\?.\?.\?.\?.\?.\?.\
    \?\\x87|\\x88.\?.\?.\?.\?.\?.\?.\?.\?\\x88|\\x89.\?.\?.\?.\?.\?.\?.\?.\?\\\
    x89|\\x8a.\?.\?.\?.\?.\?.\?.\?.\?\\x8a|\\x8b.\?.\?.\?.\?.\?.\?.\?.\?\\x8b|\
    \\x8c.\?.\?.\?.\?.\?.\?.\?.\?\\x8c|\\x8d.\?.\?.\?.\?.\?.\?.\?.\?\\x8d|\\x8\
    e.\?.\?.\?.\?.\?.\?.\?.\?\\x8e|\\x8f.\?.\?.\?.\?.\?.\?.\?.\?\\x8f|\\x90.\?\
    .\?.\?.\?.\?.\?.\?.\?\\x90|\\x91.\?.\?.\?.\?.\?.\?.\?.\?\\x91|\\x92.\?.\?.\
    \?.\?.\?.\?.\?.\?\\x92|\\x93.\?.\?.\?.\?.\?.\?.\?.\?\\x93|\\x94.\?.\?.\?.\
    \?.\?.\?.\?.\?\\x94|\\x95.\?.\?.\?.\?.\?.\?.\?.\?\\x95|\\x96.\?.\?.\?.\?.\
    \?.\?.\?.\?\\x96|\\x97.\?.\?.\?.\?.\?.\?.\?.\?\\x97|\\x98.\?.\?.\?.\?.\?.\
    \?.\?.\?\\x98|\\x99.\?.\?.\?.\?.\?.\?.\?.\?\\x99|\\x9a.\?.\?.\?.\?.\?.\?.\
    \?.\?\\x9a|\\x9b.\?.\?.\?.\?.\?.\?.\?.\?\\x9b|\\x9c.\?.\?.\?.\?.\?.\?.\?.\
    \?\\x9c|\\x9d.\?.\?.\?.\?.\?.\?.\?.\?\\x9d|\\x9e.\?.\?.\?.\?.\?.\?.\?.\?\\\
    x9e|\\x9f.\?.\?.\?.\?.\?.\?.\?.\?\\x9f|\\xa0.\?.\?.\?.\?.\?.\?.\?.\?\\xa0|\
    \\xa1.\?.\?.\?.\?.\?.\?.\?.\?\\xa1|\\xa2.\?.\?.\?.\?.\?.\?.\?.\?\\xa2|\\xa\
    3.\?.\?.\?.\?.\?.\?.\?.\?\\xa3|\\xa4.\?.\?.\?.\?.\?.\?.\?.\?\\xa4|\\xa5.\?\
    .\?.\?.\?.\?.\?.\?.\?\\xa5|\\xa6.\?.\?.\?.\?.\?.\?.\?.\?\\xa6|\\xa7.\?.\?.\
    \?.\?.\?.\?.\?.\?\\xa7|\\xa8.\?.\?.\?.\?.\?.\?.\?.\?\\xa8|\\xa9.\?.\?.\?.\
    \?.\?.\?.\?.\?\\xa9|\\xaa.\?.\?.\?.\?.\?.\?.\?.\?\\xaa|\\xab.\?.\?.\?.\?.\
    \?.\?.\?.\?\\xab|\\xac.\?.\?.\?.\?.\?.\?.\?.\?\\xac|\\xad.\?.\?.\?.\?.\?.\
    \?.\?.\?\\xad|\\xae.\?.\?.\?.\?.\?.\?.\?.\?\\xae|\\xaf.\?.\?.\?.\?.\?.\?.\
    \?.\?\\xaf|\\xb0.\?.\?.\?.\?.\?.\?.\?.\?\\xb0|\\xb1.\?.\?.\?.\?.\?.\?.\?.\
    \?\\xb1|\\xb2.\?.\?.\?.\?.\?.\?.\?.\?\\xb2|\\xb3.\?.\?.\?.\?.\?.\?.\?.\?\\\
    xb3|\\xb4.\?.\?.\?.\?.\?.\?.\?.\?\\xb4|\\xb5.\?.\?.\?.\?.\?.\?.\?.\?\\xb5|\
    \\xb6.\?.\?.\?.\?.\?.\?.\?.\?\\xb6|\\xb7.\?.\?.\?.\?.\?.\?.\?.\?\\xb7|\\xb\
    8.\?.\?.\?.\?.\?.\?.\?.\?\\xb8|\\xb9.\?.\?.\?.\?.\?.\?.\?.\?\\xb9|\\xba.\?\
    .\?.\?.\?.\?.\?.\?.\?\\xba|\\xbb.\?.\?.\?.\?.\?.\?.\?.\?\\xbb|\\xbc.\?.\?.\
    \?.\?.\?.\?.\?.\?\\xbc|\\xbd.\?.\?.\?.\?.\?.\?.\?.\?\\xbd|\\xbe.\?.\?.\?.\
    \?.\?.\?.\?.\?\\xbe|\\xbf.\?.\?.\?.\?.\?.\?.\?.\?\\xbf|\\xc0.\?.\?.\?.\?.\
    \?.\?.\?.\?\\xc0|\\xc1.\?.\?.\?.\?.\?.\?.\?.\?\\xc1|\\xc2.\?.\?.\?.\?.\?.\
    \?.\?.\?\\xc2|\\xc3.\?.\?.\?.\?.\?.\?.\?.\?\\xc3|\\xc4.\?.\?.\?.\?.\?.\?.\
    \?.\?\\xc4|\\xc5.\?.\?.\?.\?.\?.\?.\?.\?\\xc5|\\xc6.\?.\?.\?.\?.\?.\?.\?.\
    \?\\xc6|\\xc7.\?.\?.\?.\?.\?.\?.\?.\?\\xc7|\\xc8.\?.\?.\?.\?.\?.\?.\?.\?\\\
    xc8|\\xc9.\?.\?.\?.\?.\?.\?.\?.\?\\xc9|\\xca.\?.\?.\?.\?.\?.\?.\?.\?\\xca|\
    \\xcb.\?.\?.\?.\?.\?.\?.\?.\?\\xcb|\\xcc.\?.\?.\?.\?.\?.\?.\?.\?\\xcc|\\xc\
    d.\?.\?.\?.\?.\?.\?.\?.\?\\xcd|\\xce.\?.\?.\?.\?.\?.\?.\?.\?\\xce|\\xcf.\?\
    .\?.\?.\?.\?.\?.\?.\?\\xcf|\\xd0.\?.\?.\?.\?.\?.\?.\?.\?\\xd0|\\xd1.\?.\?.\
    \?.\?.\?.\?.\?.\?\\xd1|\\xd2.\?.\?.\?.\?.\?.\?.\?.\?\\xd2|\\xd3.\?.\?.\?.\
    \?.\?.\?.\?.\?\\xd3|\\xd4.\?.\?.\?.\?.\?.\?.\?.\?\\xd4|\\xd5.\?.\?.\?.\?.\
    \?.\?.\?.\?\\xd5|\\xd6.\?.\?.\?.\?.\?.\?.\?.\?\\xd6|\\xd7.\?.\?.\?.\?.\?.\
    \?.\?.\?\\xd7|\\xd8.\?.\?.\?.\?.\?.\?.\?.\?\\xd8|\\xd9.\?.\?.\?.\?.\?.\?.\
    \?.\?\\xd9|\\xda.\?.\?.\?.\?.\?.\?.\?.\?\\xda|\\xdb.\?.\?.\?.\?.\?.\?.\?.\
    \?\\xdb|\\xdc.\?.\?.\?.\?.\?.\?.\?.\?\\xdc|\\xdd.\?.\?.\?.\?.\?.\?.\?.\?\\\
    xdd|\\xde.\?.\?.\?.\?.\?.\?.\?.\?\\xde|\\xdf.\?.\?.\?.\?.\?.\?.\?.\?\\xdf|\
    \\xe0.\?.\?.\?.\?.\?.\?.\?.\?\\xe0|\\xe1.\?.\?.\?.\?.\?.\?.\?.\?\\xe1|\\xe\
    2.\?.\?.\?.\?.\?.\?.\?.\?\\xe2|\\xe3.\?.\?.\?.\?.\?.\?.\?.\?\\xe3|\\xe4.\?\
    .\?.\?.\?.\?.\?.\?.\?\\xe4|\\xe5.\?.\?.\?.\?.\?.\?.\?.\?\\xe5|\\xe6.\?.\?.\
    \?.\?.\?.\?.\?.\?\\xe6|\\xe7.\?.\?.\?.\?.\?.\?.\?.\?\\xe7|\\xe8.\?.\?.\?.\
    \?.\?.\?.\?.\?\\xe8|\\xe9.\?.\?.\?.\?.\?.\?.\?.\?\\xe9|\\xea.\?.\?.\?.\?.\
    \?.\?.\?.\?\\xea|\\xeb.\?.\?.\?.\?.\?.\?.\?.\?\\xeb|\\xec.\?.\?.\?.\?.\?.\
    \?.\?.\?\\xec|\\xed.\?.\?.\?.\?.\?.\?.\?.\?\\xed|\\xee.\?.\?.\?.\?.\?.\?.\
    \?.\?\\xee|\\xef.\?.\?.\?.\?.\?.\?.\?.\?\\xef|\\xf0.\?.\?.\?.\?.\?.\?.\?.\
    \?\\xf0|\\xf1.\?.\?.\?.\?.\?.\?.\?.\?\\xf1|\\xf2.\?.\?.\?.\?.\?.\?.\?.\?\\\
    xf2|\\xf3.\?.\?.\?.\?.\?.\?.\?.\?\\xf3|\\xf4.\?.\?.\?.\?.\?.\?.\?.\?\\xf4|\
    \\xf5.\?.\?.\?.\?.\?.\?.\?.\?\\xf5|\\xf6.\?.\?.\?.\?.\?.\?.\?.\?\\xf6|\\xf\
    7.\?.\?.\?.\?.\?.\?.\?.\?\\xf7|\\xf8.\?.\?.\?.\?.\?.\?.\?.\?\\xf8|\\xf9.\?\
    .\?.\?.\?.\?.\?.\?.\?\\xf9|\\xfa.\?.\?.\?.\?.\?.\?.\?.\?\\xfa|\\xfb.\?.\?.\
    \?.\?.\?.\?.\?.\?\\xfb|\\xfc.\?.\?.\?.\?.\?.\?.\?.\?\\xfc|\\xfd.\?.\?.\?.\
    \?.\?.\?.\?.\?\\xfd|\\xfe.\?.\?.\?.\?.\?.\?.\?.\?\\xfe|\\xff.\?.\?.\?.\?.\
    \?.\?.\?.\?\\xff)"
add comment="" name=skypetoskype regexp="^..\\x02............."
add comment="" name=counterstrike-source regexp=\
    "^\\xff\\xff\\xff\\xff.*cstrikeCounter-Strike"
add comment="" name=halflife2-deathmatch regexp=\
    "^\\xff\\xff\\xff\\xff.*hl2mpDeathmatch"
add comment="" name=soulseek regexp=\
    "^(\\x05..\?|.\\x01.[ -~]+\\x01F..\?.\?.\?.\?.\?.\?.\?)\$"
add comment="" name=ssl regexp=\
    "^(.\?.\?\\x16\\x03.*\\x16\\x03|.\?.\?\\x01\\x03\\x01\?.*\\x0b)"
add comment="" name=whois regexp="^[ !-~]+\\x0d\\x0a\$"
add comment="" name=dayofdefeat-source regexp=\
    "^\\xff\\xff\\xff\\xff.*dodDay of Defeat"
add comment="" name=teamspeak regexp="^\\xf4\\xbe\\x03.*teamspeak"
add comment="" name=ventrilo regexp="^..\?v\\\$\\xcf"
add comment="" name=http-rtsp regexp="^(get[\\x09-\\x0d -~]* Accept: applicati\
    on/x-rtsp-tunnelled|http/(0\\.9|1\\.0|1\\.1) [1-5][0-9][0-9] [\\x09-\\x0d \
    -~]*a=control:rtsp://)"
add comment="" name=pcanywhere regexp="^(nq|st)\$"
add comment="" name=subversion regexp="^\\( success \\( 1 2 \\("
add comment=\
    "Computer Interface to Message Distribution, an SMSC protocol by Nokia" \
    name=cimd regexp="\\x02[0-4][0-9]:[0-9]+.*\\x03\$"
add comment="" name=mohaa regexp="^\\xff\\xff\\xff\\xffgetstatus\\x0a"
add comment="" name=radmin regexp="^\\x01\\x01(\\x08\\x08|\\x1b\\x1b)\$"
add comment="Chikka - SMS service which can be used without phones- http://chi\
    kka.com" name=chikka regexp="^CTPv1\\.[123] Kamusta.*\\x0d\\x0a\$"
add comment="" name=replaytv-ivs regexp="^(get /ivs-IVSGetFileChunk|http/(0\\.\
    9|1\\.0|1\\.1) [1-5][0-9][0-9] [\\x09-\\x0d -~]*\\x23\\x23\\x23\\x23\\x23R\
    EPLAY_CHUNK_START\\x23\\x23\\x23\\x23\\x23)"
add comment=\
    "Armagetron Advanced - open source Tron/snake based multiplayer game" \
    name=armagetron regexp=YCLC_E|CYEL
add comment="" name=https regexp=\
    "^(.\?.\?\\x16\\x03.*\\x16\\x03|.\?.\?\\x01\\x03\\x01\?.*\\x0b)"
add comment="" name=bittorrent2 regexp="^(\\x13bittorrent protocol|azver\\x01\
    \$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcom\
    et/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]\r\
    \n"
add comment="" name=bittorrent_ANNOUNCE regexp=^get.+announce.
add comment="" name=sip regexp="^(invite|register|cancel|message|subscribe|not\
    ify) sip[\\x09-\\x0d -~]*sip/[0-2]\\.[0-9]"
add comment="" name=smtp regexp="^220[\\x09-\\x0d -~]* (e\?smtp|simple mail)\r\
    \nuserspace pattern=^220[\\x09-\\x0d -~]* (E\?SMTP|[Ss]imple [Mm]ail)\r\
    \nuserspace flags=REG_NOSUB REG_EXTENDED"

Now let go to mangle (my wan adapter is PPPoE client named wan1 - change it to your wan or rename your wan to wan1):

/ip firewall mangle
add action=mark-packet chain=prerouting comment="" disabled=no \
    dst-address-list=rapidshare-host new-packet-mark=rapid passthrough=no \
    protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no \
    dst-address-list=rapidshare-host-script new-packet-mark=rapid \
    passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no \
    dst-address-list=Youtube new-packet-mark=youtube passthrough=no protocol=\
    tcp
add action=mark-packet chain=prerouting comment="WAN1 down QoS_1 DNS" \
    disabled=no in-interface=wan1 new-packet-mark=QoS_1_Down-UDP passthrough=\
    no protocol=udp src-port=53,123
add action=mark-packet chain=prerouting comment="QoS_1 ping" disabled=no \
    in-interface=wan1 new-packet-mark=QoS_1_Down-ICMP passthrough=no \
    protocol=icmp
add action=mark-packet chain=prerouting comment="QoS_1 syn 0-200" disabled=no \
    in-interface=wan1 new-packet-mark=QoS_1_Down packet-size=0-200 \
    passthrough=no protocol=tcp src-port=80,443 tcp-flags=syn
add action=mark-packet chain=prerouting comment="QoS_1 ack 0-200" disabled=no \
    in-interface=wan1 new-packet-mark=QoS_1_Down packet-size=0-200 \
    passthrough=no protocol=tcp src-port=80,443 tcp-flags=ack
add action=mark-packet chain=prerouting comment=\
    "QoS_1- SIP - Layer7 Session Initiation Protocol - Internet telephony " \
    disabled=no in-interface=wan1 layer7-protocol=sip new-packet-mark=\
    QoS_1_Down passthrough=no
add action=mark-packet chain=prerouting comment="QoS_1- SIP - Layer7 Session I\
    nitiation Protocol - Internet telephony  sip1" disabled=no in-interface=\
    wan1 layer7-protocol=sip1 new-packet-mark=QoS_1_Down passthrough=no
add action=mark-packet chain=prerouting comment="QoS_2 syn 0-666" disabled=no \
    in-interface=wan1 new-packet-mark=QoS_2_Down packet-size=0-666 \
    passthrough=no protocol=tcp src-port=110,995,143,993,25,20,21 tcp-flags=\
    syn
add action=mark-packet chain=prerouting comment="QoS_2 ack 0-666" disabled=no \
    in-interface=wan1 new-packet-mark=QoS_2_Down packet-size=0-666 \
    passthrough=no protocol=tcp src-port=110,995,143,993,25,20,21 tcp-flags=\
    ack
add action=mark-packet chain=prerouting comment="QoS_3 syn 0-666" disabled=no \
    in-interface=wan1 new-packet-mark=QoS_3_Down packet-size=0-666 \
    passthrough=no protocol=tcp tcp-flags=syn
add action=mark-packet chain=prerouting comment="QoS_3 ack 0-666" disabled=no \
    in-interface=wan1 new-packet-mark=QoS_3_Down packet-size=0-666 \
    passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=prerouting comment=\
    "QoS_4 (small-files)  supose surfing web" connection-bytes=0-1000000 \
    disabled=no in-interface=wan1 new-packet-mark=QoS_4_Down passthrough=no \
    protocol=tcp src-port=80,443
add action=mark-packet chain=prerouting comment="QoS_5 news" disabled=no \
    in-interface=wan1 new-packet-mark=QoS_5_Down passthrough=no protocol=tcp \
    src-port=119
add action=mark-packet chain=prerouting comment=\
    "QoS_6 (big-files) supose download files" connection-bytes=1000000-0 \
    disabled=no in-interface=wan1 new-packet-mark=QoS_6_Down passthrough=no \
    protocol=tcp src-port=80,443
add action=mark-packet chain=prerouting comment="QoS_7 p2p" disabled=no \
    in-interface=wan1 new-packet-mark=QoS_7_Down_torrent_in p2p=all-p2p \
    passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="QoS_7 p2p via L7 bittorrent" \
    disabled=no in-interface=wan1 layer7-protocol=bittorrent new-packet-mark=\
    QoS_7_Down_torrent_in passthrough=no
add action=mark-packet chain=prerouting comment=\
    "QoS_7 p2p via L7 bittorrent2" disabled=no in-interface=wan1 \
    layer7-protocol=bittorrent2 new-packet-mark=QoS_7_Down_torrent_in \
    passthrough=no
add action=mark-packet chain=prerouting comment="QoS_7 p2p via L7 edonkey" \
    disabled=no in-interface=wan1 layer7-protocol=edonkey new-packet-mark=\
    QoS_7_Down_torrent_in passthrough=no
add action=mark-packet chain=prerouting comment="QoS_7 p2p via L7 fasttrack" \
    disabled=no in-interface=wan1 layer7-protocol=fasttrack new-packet-mark=\
    QoS_7_Down_torrent_in passthrough=no
add action=mark-packet chain=prerouting comment=\
    "QoS_7 p2p via L7 directconnect" disabled=no in-interface=wan1 \
    layer7-protocol=directconnect new-packet-mark=QoS_7_Down_torrent_in \
    passthrough=no
add action=mark-packet chain=prerouting comment="QoS_8 other" disabled=no \
    in-interface=wan1 new-packet-mark=QoS_8_Down passthrough=no
add action=mark-packet chain=postrouting comment="QoS UP wan1" disabled=no \
    dst-port=80,443 new-packet-mark=QoS_1_Up out-interface=wan1 packet-size=\
    0-666 passthrough=no protocol=tcp tcp-flags=syn
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=\
    80,443 new-packet-mark=QoS_1_Up out-interface=wan1 packet-size=0-666 \
    passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=postrouting comment="ICMP UP" disabled=no \
    new-packet-mark=QoS_1_Up-ICMP out-interface=wan1 passthrough=no protocol=\
    icmp
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=\
    53,123 new-packet-mark=QoS_1_Up-UDP out-interface=wan1 passthrough=no \
    protocol=udp
add action=mark-packet chain=postrouting comment="" connection-bytes=\
    0-1000000 disabled=no dst-port=80,443 new-packet-mark=QoS_2_Up \
    out-interface=wan1 passthrough=no protocol=tcp
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=\
    110,995,143,993,25,20,21 new-packet-mark=QoS_2_Up out-interface=wan1 \
    packet-size=0-666 passthrough=no protocol=tcp tcp-flags=syn
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=\
    110,995,143,993,25,20,21 new-packet-mark=QoS_2_Up out-interface=wan1 \
    packet-size=0-666 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=postrouting comment="" disabled=no \
    new-packet-mark=QoS_3_Up out-interface=wan1 packet-size=0-666 \
    passthrough=no protocol=tcp tcp-flags=syn
add action=mark-packet chain=postrouting comment="" disabled=no \
    new-packet-mark=QoS_3_Up out-interface=wan1 packet-size=0-666 \
    passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=\
    110,995,143,993,25,20,21 new-packet-mark=QoS_4_Up out-interface=wan1 \
    passthrough=no protocol=tcp
add action=mark-packet chain=postrouting comment=\
    "QoS_8 p2p via L7 bittorrent2" disabled=no layer7-protocol=bittorrent2 \
    new-packet-mark=QoS_8_Up out-interface=wan1 passthrough=no
add action=mark-packet chain=postrouting comment="QoS_8 p2p via mikrotik" \
    disabled=no new-packet-mark=QoS_8_Up out-interface=wan1 p2p=all-p2p \
    passthrough=no
add action=mark-packet chain=postrouting comment="QoS_7 other" disabled=no \
    new-packet-mark=QoS_7_Up out-interface=wan1 passthrough=no

And now is time to queue tree:

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=200k \
    max-limit=650k name=QoS_wan1_Up parent=global-out priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=4M \
    max-limit=8800k name=QoS_wan1_DOWN parent=global-in priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_1 packet-mark=QoS_1_Up parent=QoS_wan1_Up priority=1 \
    queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_2 packet-mark=QoS_2_Up parent=QoS_wan1_Up priority=2 \
    queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_3 packet-mark=QoS_3_Up parent=QoS_wan1_Up priority=3 \
    queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_7 packet-mark=QoS_7_Up parent=QoS_wan1_Up priority=7 \
    queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="QoS_8 torrent" packet-mark=QoS_8_Up parent=QoS_wan1_Up \
    priority=8 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_4 packet-mark=QoS_4_Up parent=QoS_wan1_Up priority=4 \
    queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_1_down packet-mark=QoS_1_Down parent=QoS_wan1_DOWN \
    priority=1 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_3_down packet-mark=QoS_3_Down parent=QoS_wan1_DOWN \
    priority=3 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_2_down packet-mark=QoS_2_Down parent=QoS_wan1_DOWN \
    priority=2 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="QoS_4_down(small-files)" packet-mark=QoS_4_Down parent=\
    QoS_wan1_DOWN priority=4 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=5M name="QoS_5_down(news)" packet-mark=QoS_5_Down parent=\
    QoS_wan1_DOWN priority=5 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="QoS_6_down(big-files)" packet-mark=QoS_6_Down parent=\
    QoS_wan1_DOWN priority=6 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="QoS_7_down(torrent)" packet-mark=QoS_7_Down_torrent_in \
    parent=QoS_wan1_DOWN priority=7 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_8_down packet-mark=QoS_8_Down parent=QoS_wan1_DOWN \
    priority=8 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="QoS_5_down(youtube)" packet-mark=youtube parent=\
    QoS_wan1_DOWN priority=5 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="QoS_5_down(rapid)" packet-mark=rapid parent=\
    QoS_wan1_DOWN priority=5 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_1_down-UDP packet-mark=QoS_1_Down-UDP parent=\
    QoS_wan1_DOWN priority=1 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_1-UDP packet-mark=QoS_1_Up-UDP parent=QoS_wan1_Up \
    priority=1 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_1_down-ICMP packet-mark=QoS_1_Down-ICMP parent=\
    QoS_wan1_DOWN priority=1 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_1-ICMP packet-mark=QoS_1_Up-ICMP parent=QoS_wan1_Up \
    priority=1 queue=default-small

This is striped litle because i have wan2 wan3 and wan4 adapters so if you have more wan adapters you must repeat this for every wan adapter ... and also I have script which is detecting new rapidshare host and youtube host (this is not reliable) ... bla bla and all it is working good ...
If you realy need to drop all p2p then try with some other software - hardware cisco bla bla ...
or ask Harry Poter to help you

And here is picture of my queue tree:

queue tree.jpg

With winbox you must change Limit At and Max Limit depent to speed your wan conection ... mine wan1 is 9M download speed and upload is 800k
so I was make little smaller Max Limit cca 90% of speed line ... watch it on picture ...

mves · Fri Feb 04, 2011 7:38 pm

@bax
Nice... I'll update my traffic rules for p2p protocols since I see new stuff here. But also, what will happen if someone turn on torrent encryption and use a https tracker? Where would that priority end up?

Also, can you do a little update on that codes? \ on the end of each line is a bit confusing.

bax · Fri Feb 04, 2011 9:41 pm

@bax
Nice... I'll update my traffic rules for p2p protocols since I see new stuff here. But also, what will happen if someone turn on torrent encryption and use a https tracker? Where would that priority end up?

Also, can you do a little update on that codes? \ on the end of each line is a bit confusing.

p2p is working ... it is not the point ... point i to make p2p with lower priority so what is hapening ... example: torrent is working with full speed when not browsing web ... but when start browsing web torent automatic get slower speed ... and browsing is normal ... also all other trafic with higher priority is normal ...
all my users have simple queve generated by hotspot (and have group like 2M for 2Mb speed) and important for knowing is that always higher "order or priority" have queeve tree or first router work with queeve tree then with simple queeve ... so users cant "kill bandwith "
You say encrypted p2p ... so what ? router is dont recognize that traficc and put it with all other trafic which is have priority 8 ... lower ...
Also for knowing is good ... every child queve you can do Max limit and this is working ... watch on picture and you will see that I have chid - QoS_5_down(news) with limit of 5M (this is trafic of my binaries news server on another segment of network).
You can limit every other child let say QoS_8 to Max limit which is let say some p2p which router dont recognize.
You cant stop p2p like every smart guy say ... software developers always make new versions of software which is alvays get better and smarter ... so this is useless fight ... let the torent with new port-protocol wherever ... router view like other trafic and give him lower priority.
If we making more complicated rules then we need much more cpu power ... memory ...
This example is from working router which is RB433 and when is there 10 hotspot users CPU is going somethimes high near 90 - 100% ... so soon is Im transfering these in x86 machine with litle more power - intel atom with 4Gb memory.
Cpu is growning also because i have lot of firewall rules for protection,userman,radius all on this tiny RB433

... but this is another part of story ...
This RB433 is with ROS ver. 4.15 which look me very stable ... some previous ver. give me lot of troubles.
My code is Ok and usable just copy and paste into terminal window of router... and you will see that is working OK.
I think that every other way to fight from p2p is useless including this example with DNS in previous posting.
Sorry for my indian english !

mves · Fri Feb 04, 2011 11:22 pm

@bax
You misunderstood my question... I asked on what queue will end up unregistered traffic like encrypted p2p? This qos you end up is excellent for 5 Ghz wi-fi however. But for 2.4 Ghz, well, even 90% p2p reduction over a day is enough. My version works good enough to block 9 out of 10 p2p users and remaining 1 will have few connections through and that is an excellent score. So while it's work, why to change it? And while torrent blocking is active there's no more complaints that internet is slow and non-responsive and no more high pings for online gamers. Plus, rapidshare, megaupload, fileserve and other file servers are quite functional. Most of the users have it's own public ip so there are no waiting for download and this kind of download don't cause any problems to us or the users even if every user got full throttle at a same time so there was never a problem with a bandwidth. Bandwidth that they payed, they use without speed reduction. So company policy remained the same... no p2p over a day. Beside, new events... Until p2p block was implemented, there were only few people used their internet over a night. Once p2p was blocked over a day, night consumption goes higher than half of the average day bandwidth (all p2p

).

And bax, don't worry about your English... we can easily understood each other neighbor

bax · Sat Feb 05, 2011 12:24 am

@bax
You misunderstood my question... I asked on what queue will end up unregistered traffic like encrypted p2p?
And bax, don't worry about your English... we can easily understood each other neighbor

Unregistered traffic end with all other traficc - which is in this example QoS_8_down with priority 8. ... see it on picture.
And all p2p I give priority 7 ... you can swich this in mangle all to 8 or vice versa , but im satisfy with this ... because this my machine which is "machine for all" is also have multiple job ... it is web server, mail server, ftp server,multiple news proxy server, torent box and I need torent turned all time ... for seeding job.
So point is that I also using and need torent protocol ... torent is very usefull ... not only for pirated material but for legal staff ... linux,even mikrotik im downloading with torent

Other thing with frekvencies and wireless is litle different ... for now I have 1 routerboard also 433 but it is acting like any other AP - just bridge and only 2,4 ... here Im in mangle I was marking traffic with forward chain ... and start to testing with only layer7 mangling ... but this is incomplete ... because no need for that for now ... there is only few users and small trafic... and I have no time for that ... and test is usefull only when you have node with full utilization - which my node isnt.
Well best thing is to test this example in live ... then start different type of download and you will see in winbox how rate is changed ... youtube (which is problematic for me -they have lot of IP adresses),rapidshare , then try to download full linux cd via http of ftp ... and in same time browsing web --- and you will se that is working ... also (Im not gamer but my kids somethimes complain to me ) try some ping test ...
Also I was forget that you need to add addres list for youtube and rapidshare. These list you can find here in forum in some old post. Like I say these "my version" QOS is adaptation from this forum and wiki examples.
And when trafic is not high why do not alow torents that run in full speed ? when somebody start web or other trafic which is more important then torents automaticaly get in slower speed .
Isn this beautifull ?
For now like I say ... only thing is that RB433 going to high cpu ... (this is time then kids complaining) and I will change this RB with x86 .
With 5 ghz I did not testing anything for now ... but Im think that the princip is same all is nianse "like Đorđe Balašević says"
Well now im notice that we are neigbours

but we must act by the rules ... says - alowed languge is english!

mves · Sat Feb 05, 2011 1:56 am

Main routers (RB800, RB433AH, x86) are connected in triangle and input links are from two different ISP's. When one link is down, everything is switched to another. Same with routers. But from that 3, links spread to another routers. Links between are 5 ghz. There are also option for users to use 2.4 or 5 ghz system. So, on 30 active routers testing is a bit limited. Using torrents on 5 ghz, OK, no problem. Qos will solve all problems... but on 2.4 over a day??? Not even a qos could help it

It would be ALL P2P. I've seen a logs. Approx 80% of users tried to start torrent over a day and at least 50% will stubbornly have it running even if their and internet connection of other users would suffer because of it. Kids want to get their porn movie and nothing can stop them for trying. In overcrowded 2.4 Ghz channels that is really a problem. Constant channel change is a regular routine to fix a bad pings. And that's why, p2p is blocked over a day on 2.4 Ghz. So at least that problem is mostly solved. On the other hand, if you want p2p... well... €, $, £ (or what ever you have) and get connected on 5 Ghz. Simple as that. Also, get higher bandwidth on 5 Ghz, no problem, €, $, £ (or what ever you have) and you got it. You want high speed like 10 mbit, personal link, €, $, £ (or what ever you have) and you got it. P2P on 2.4 Ghz over a day time, no, you can't have it

bax · Sat Feb 05, 2011 10:26 am

Thanks mves ... nice advice.
But did you try in wirelles part (2.4 ghz) to change to some fixed slower rate ?
It may be helpfull .
Unfortunately I havenot so loaded node to test by myself.

mves · Sat Feb 05, 2011 12:55 pm

Thanks mves ... nice advice.
But did you try in wirelles part (2.4 ghz) to change to some fixed slower rate ?
It may be helpfull .
Unfortunately I havenot so loaded node to test by myself.

To cut down download speed on torrent usage? That's even worst than just simply block them. It could do for a few days but then users would figure that out and you'd had a bunch of angry mob on your back. Let's take for compare action of some world wide ISP's and their throttling speed on p2p and other downloads... People got furious because they pay for certain download rate (often quite expensive) and they found out that their download rate is useless or you have it at least on a long period contract because they can use it only for browsing web and downloading e-mail

And like i said, bandwidth is not an issue. Customers did call and complaining that their p2p is down but then when they got remained that it's off limit during a day, they simply said ok. But on the other hand, when you cut someones bandwidth due to bad signal or some other malfunction, they are all over you screaming for repair crew asap. So, don't cut bandwidth if it's really not absolutely necessary.
I'll make an update of my ways of p2p blocking. Well, as soon as I figure how to get list of rules out of terminal window so it can be copy/paste

mves · Sat Feb 05, 2011 3:38 pm

Here's my full p2p blocking rules. This ones are striped from RB433 last point router. If it's not last point, you'll have to add interface on blocking segments to cut CPU usage and let the next router in a line take care of it's own set of users. There are 2 interfaces on this one (one set is striped) and CPU is at a moment at 10-15% depends of how many users are online and how many of them are trying to get P2P running. Make note that it's 10-249 IP range... Other IP's are reserved and they are avoided in logging so, set IP range for your needs. Rules are time limited and blocking P2P from 9 AM to 23:59 PM. So, users can use a P2P from midnight to 9 AM when there's much less users online. If by any chance some user got through and he don't get logged, add his IP manually under let's say Torrent all-p2p list in address list and problem solved. In addition to the rules, don't forget to add game ports of a games that are used at your network. Also, this is ONLY for bittorrent. It's not covering other P2P client protocols but since bittorrent are most commonly used, it's mostly enough to block only bittorrent.

/ip firewall layer7-protocol

add comment="" name=BITTORRENT_ANNOUNCE regexp=^get.+announce.

add comment="" name=BITTORENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|\
    get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/\
    |GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]\\r\\n"


/ip firewall filter

add action=accept chain=forward comment=\
    "Online games - CS, COD, Steam server (UDP)" disabled=no dst-port=\
    27000-27050,28960 protocol=udp

add action=accept chain=forward comment=\
    "Online games - CS, COD, Steam server (TCP)" disabled=no dst-port=\
    27000-27050,28960 protocol=tcp

add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
    1h30m chain=forward comment=" ______Bittorent_____" disabled=no \
    layer7-protocol=BITTORENT src-address=192.168.xx.10-192.168.xx.249 time=\
    9h-23h55m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no layer7-protocol=\
    BITTORENT reject-with=icmp-network-unreachable time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=add-src-to-address-list address-list="Torrent Announce" \
    address-list-timeout=1h30m chain=forward comment=______Announce____ \
    disabled=no layer7-protocol=BITTORRENT_ANNOUNCE src-address=\
    192.168.xx.10-192.168.xx.249 time=9h-23h55m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no layer7-protocol=\
    BITTORRENT_ANNOUNCE reject-with=icmp-network-unreachable time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=add-src-to-address-list address-list="Torrent udp" \
    address-list-timeout=1h30m chain=forward comment="____6881-6999 udp___" \
    disabled=no dst-port=6881-6999 protocol=udp src-address=\
    192.168.xx.10-192.168.xx.249 time=9h-23h55m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=6881-6999 \
    protocol=udp reject-with=icmp-network-unreachable time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=add-src-to-address-list address-list="Torrent tcp" \
    address-list-timeout=1h30m chain=forward comment="____6881-6999 tcp___" \
    disabled=no dst-port=6881-6999 protocol=tcp src-address=\
    192.168.xx.10-192.168.xx.249 time=9h-23h55m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=6881-6999 \
    protocol=tcp reject-with=icmp-network-unreachable time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=add-src-to-address-list address-list="Torrent all-p2p" \
    address-list-timeout=1h30m chain=forward comment=\
    __________All-p2p__________ disabled=no p2p=all-p2p src-address=\
    192.168.xx.10-192.168.xx.249 time=9h-23h55m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no p2p=all-p2p \
    reject-with=icmp-network-unreachable time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="Torrent cleaning" disabled=no \
    dst-port=10000-65500 protocol=tcp reject-with=icmp-network-unreachable \
    src-address-list=Torrent src-port=10000-65500 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=udp reject-with=icmp-network-unreachable src-address-list=\
    Torrent src-port=10000-65500 time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent Announce" src-port=10000-65500 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=udp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent Announce" src-port=10000-65500 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent udp" src-port=10000-65500 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=udp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent udp" src-port=10000-65500 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent tcp" src-port=10000-65500 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=udp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent tcp" src-port=10000-65500 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    Torrent src-port=1000-5000 time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent Announce" src-port=1000-5000 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent udp" src-port=1000-5000 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent tcp" src-port=1000-5000 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent all-p2p" src-port=1000-5000 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

Also, I used reject instead of drop. Test to see which option would do better at given situation since i think that reject can raise CPU usage. Routers are also set to reboot at 9 AM to clean up P2P connections.

I'm opened to every suggestion to raise efficiency of this without speed throttling or additional excessive CPU usage.

bax · Sat Feb 05, 2011 5:11 pm

To cut down download speed on torrent usage?

In my example I was just cut out bandwith on my news server.
And in same way you can cot out p2p - which I dont do - I also need p2p ...

I'll make an update of my ways of p2p blocking. Well, as soon as I figure how to get list of rules out of terminal window so it can be copy/paste

happy to fight windmills

mves · Sat Feb 05, 2011 5:34 pm

happy to fight windmills

So far... windmills are loosing. This don Quijote won this battle. Windmills get heavy defeat so I guess it will take some time for them to get recovered. War however is not over, but this battle is

TKITFrank · Sat Feb 05, 2011 9:07 pm

happy to fight windmills

My Windmills have been loosing for more then a year

As I have stated before it's a ongoing battle but right now I am winning it!

bax · Sat Feb 05, 2011 9:35 pm

I'm glad to hear that you are successful!

Sorry obviously you do not have smart users in your network.
If I were your customer, for 5 minutes would bypass your block.
Here's last attempt at persuasion:
My torrent client switch to TCP port 80 strictly tcp ,then buy a USB stick on any GSM provider (which is expensive) redirect DNS queries to the provider's expensive (I do not care what is expensive bandwith because the DNS traffic not using lot of bandwidth), and as the gateway to keep your network and take off over your network torent with full speed.
For us to say "you can put salt on my tail. "
Very quickly your network was dead ... would be no surf.
So point is that you always can win batlle but not the war!
Guys just think ... if you give users some service and block others they will be turn your client to that alowed port , and todays software will find this open port automaticaly and adopt setings on fly.
Aborting any further assurances and be happy to continue to fight!

TKITFrank · Sat Feb 05, 2011 9:58 pm

Hi Bax,

The TCP port 80 will not work in my setup but using a GSM stick and policy redirect DNS traffic to them would work.
I guess a work around would be to block the IP of those DNS entries in the firewall as well. If unless they will use the GSM/3G for the DHT and other UDP traffic.

I will look in to the UDP packets to see if I can write a L7 for them.
I am not cute sure how bittorrent will react if the DHT requests come from one IP and they try to connect to the clients on an other. Have you tried this your selfs?

My users are about 500 students with laptops.
I think this (redirecting DNS traffic to a GSM/3G provider) is above there level.
So for me that is a good thing

Are you a ISP or do you work for a government like I do?

bax · Sat Feb 05, 2011 10:18 pm

Im amater and this job is for me just some kind of hoby (im working another job) ... so Im really some kind of "power user" ... all my knowledge is selfmade with lot of reading in my free time.
Im also have big fight with some kind of "hackers" which are stolen few times username and paswords from my paying hotspot customers ... and I was the winner

succesufully rejected this malicious users from my network ( open network - eyerybody can connect), and protecting my paying customers and just apologize for problems and give hime new password

So these systems which you try to acomplish is realy easy to breaktrough , no mater on which platform ,it may be cisco or any other brand hardware firewall ...
You just wasting time ... my primer is the best ... let user use p2p, but put these traffic in lower priority and everything is fine.

mves · Sat Feb 05, 2011 11:20 pm

I'm not worry about a smart guys... they are smart enough to use a p2p and stay low to avoid detection. But as all of you know, every torrent client leaves behind a nice trace in used ports and constant upload so you'll get caught eventually.
And considering dual ISP, you would had to place that usb stick to be your main internet connection and place non-default connection for incoming traffic. I know about that. With that way, you can download p2p from both internet connections simultaneously. That's not always work as it should be because Kaspersky for some reason activate firewall and kills tracker leaving no traces of that action.

bax · Sat Feb 05, 2011 11:32 pm

It is very easy in every operating system manually set IP address, DNS and gateway or specific route ...
Other people smarter than me have given you the same advice and you do not want to hear.
Friends, I give up give up further discussion ... do as you wish.

mves · Sat Feb 05, 2011 11:57 pm

Of course that it's easy for us... not for average user

So in that case, why does music, software and games manufacturers placing copy protection on their disks when it can be overridden? Quite easily however, but that protection can stop novice and most of the average folks which actually makes majority. It's not meant to stop advanced user because that would be quite expensive. And like I said, 90% of p2p cut is quite enough. And in addition, I'm not the only one supervising that network

I'm not saying that qos is not excellent solution. It actually is but p2p block will be active as long as it works. When it becomes totally useless, qos will be on a menu.

NetworkPro · Mon Feb 07, 2011 2:52 am

I managed to put some rules together and I came up with this:

Basicly these rules should allow only a portion of the packets to inspected with Layer 7 there fore saving CPU on the router.

/ip firewall mangle
add action=mark-connection chain=prerouting layer7-protocol=BITTORRENT new-connection-mark=p2p passthrough=yes protocol=tcp src-address-list=p2p_user

add action=mark-connection chain=prerouting connection-state=new layer7-protocol=BITTORRENT new-connection-mark=p2p passthrough=yes protocol=udp src-address-list=p2p_user

add action=mark-connection chain=prerouting layer7-protocol=BITTORRENT_ANNOUNCE new-connection-mark=p2pa passthrough=yes protocol=tcp src-address-list=HotSpot dst-address-list=!p2p_announcers

add action=add-dst-to-address-list address-list=p2p_announcers chain=prerouting connection-mark=p2pa src-address-list=HotSpot

add action=add-src-to-address-list address-list=p2p_user chain=prerouting connection-state=new dst-address-list=p2p_announcers src-address-list=HotSpot

/ip firewall filter
add action=drop chain=forward comment="Drop p2p" connection-mark=p2p
add action=drop chain=forward dst-address-list=p2p_announcers src-address-list=HotSpot

I also put in the DNS 127.0.0.1 entries by TKITFrank

I am shure these rules have holes.
I am also doing this:

/ip proxy access
add action=deny disabled=no path=*.torrent

What do you guys think?

Can you come up with ways to minimize CPU usage?

Thanks to fewi for his following post.

fewi · Mon Feb 07, 2011 2:59 am

There's no need to limit to the first 0-6666 bytes. L7 inspection is limited to the first 10 packets or 2000 bytes. From the manual:

L7 matcher is collecting first 10 packets of connection or first 2KB of connection and searches for pattern in collected data. If pattern is not found in collected data, matcher is not inspecting further. Allocated memory is freed and protocol is considered as unknown. You should take into account that a lot of connections will significantly increase memory usage. To avoid it add regular firewall matchers to reduce amount of data passed to layer-7 filters.

Benygh · Mon Feb 07, 2011 2:50 pm

sorry for asking such a stupid question but how to put all of this commands together ? should i type all of this ?! SSH and TELNET does not support PASTE function as far as i know.

P.S: i want to block P2P for my PPTP Clients, should it be gone the same way we go for PPPOE ?!

NetworkPro · Tue Feb 08, 2011 7:12 am

Why block if they are paying ? Upgrade your network and let them download

Benygh · Tue Feb 08, 2011 8:53 am

Why block if they are paying ? Upgrade your network and let them download

its counted as an abuse for our ip addresses, so we have to prevent that.

NetworkPro · Tue Feb 08, 2011 11:27 am

Who said it's an abuse?

IP addresses serve people, not the other way around

111111 · Tue Feb 08, 2011 1:10 pm

Why block if they are paying ? Upgrade your network and let them download
its counted as an abuse for our ip addresses, so we have to prevent that.

Are you a cop and government in same time?
Don't be please.
Invest in network, not in stupidity to make a client to leave your service.

But for admins of office networks ... aren't they give port by exception and anything else blocked

Possibly is more important Mikrotik team to add a option connections limit

TKITFrank · Tue Feb 08, 2011 2:47 pm

Why block if they are paying ? Upgrade your network and let them download
its counted as an abuse for our ip addresses, so we have to prevent that.
Are you a cop and government in same time?
Don't be please.
Invest in network, not in stupidity to make a client to leave your service.

But for admins of office networks ... aren't they give port by exception and anything else blocked

Possibly is more important Mikrotik team to add a option connections limit

In out government we have one firewall for the "normal" users and one for the students and schools. And they want all ports open (except 25,135-139TCP/UDP 445).. No way in hell am I going to open that in our main firewall. Thats why my RB1000 came to be

It's a whole other matter for an ISP... sometimes it is good to work for a government

mves · Thu Feb 10, 2011 3:55 am

sorry for asking such a stupid question but how to put all of this commands together ? should i type all of this ?! SSH and TELNET does not support PASTE function as far as i know.

Not? I used once a command promt and telnet from windows xp to connect to the router where I accidentally killed winbox access for myself. Copy/paste worked... I mean cmd promt way (edit => mark => (select) Enter, edit => paste) if you were referring to this.

Why block if they are paying ? Upgrade your network and let them download

Oh... well, they have to be more generous to have p2p allowed 24/7. You see, many of them want to have a cheap equipment, cheap internet and all benefits of the internet. To have p2p over a day on 2.4 Ghz... no way

Like I said before... €, $, £ (or what ever you have) and get connected on 5 Ghz and you'll have allowed p2p all the time

Benygh · Fri Feb 11, 2011 8:04 am

if u are working with datacenters u would know that downloading torrent, sending spam is counted as an abuse and they will grant a payment for this abuse which is nearly 15$ for each one !

i dont have any problem with the traffic because i have 1Gbps port connected to the server but i cant enforce their law which encludes not downloading the torrent !!!!

got it ?!

i think there is no absolute answer for p2p ...

i wonder if it can identify the connections why it can not drop or reject them ?!

CCDKP · Fri Feb 11, 2011 7:31 pm

Hi, I thing you are on to something here Please let us know how this is working.
I would however skip the static ports for torrents and go with the all-p2p and the L7 filter to add them in a address list. To me static ports is to unreliable. The 450G is pretty fast and you can run it @800Mhz? Have you tried it @ that speed and seen how much it uses the CPU?
Anyhow as I said before let us know how it is working.

I have the first revision up and running and in-place, and it is working fantastically. The only false positive I have found is simply having uTorrent/bittorrent/Vuze open and not actively downloading something will still trip the filter, due to the active participation in uTP/DHT even when idle. The forthcoming hotspot page will explain this to the users. Keep in mind that this is targeted at a wireless hotspot & student internet access at a local community college, so we can be a bit more aggressive than, say, an ISP.

The stock RB450G is performing surprisingly well under heavy load. We can successfully push 30 Mbit of traffic through the filters without capping the processor, although, since we implemented this, the average utilization during peak fell from 30 Mbit to maybe 7 Mbit. For what it's worth, I did notice a fairly significant drop in CPU utilization when I upgraded from 4.16 to 5.0rc7.

Address lists:
I use three address lists for the setup:
Whitelist - bypasses P2P filtering & bandwidth limiting. Manually added. I add all router interface IP's to this just to be safe.
Blacklist - Dynamically created list of offenders.
Greylist - blocks known P2P traffic, but bypasses bandwidth limitations. Designed for a group behind a NAT router so that a single user couldn't ruin the bandwidth for everyone.

DNS:
Capture all DNS traffic & redirect P2P uTP/DHT connections to a bogon IP address.
I noticed router.bittorrent.com is used now, but was not included on previous lists posted here.

/ip firewall nat
add action=redirect chain=dstnat comment="Capture DNS" disabled=no dst-port=53 protocol=udp src-address-list=!whitelist to-ports=53
add action=redirect chain=dstnat comment="Capture DNS" disabled=no dst-port=53 protocol=tcp src-address-list=!whitelist to-ports=53


/ip dns static
add address=203.0.113.111 disabled=no name=router.utorrent.com ttl=1d
add address=203.0.113.111 disabled=no name=dht.vuze.com ttl=1d
add address=203.0.113.111 disabled=no name=vrpc.vuze.com ttl=1d
add address=203.0.113.111 disabled=no name=vzrpx020.vuze.com ttl=1d
add address=203.0.113.111 disabled=no name=vzapp020.vuze.com ttl=1d
add address=203.0.113.111 disabled=no name=client.vuze.com ttl=1d
add address=203.0.113.111 disabled=no name=mirror-user1.bitcomet.org ttl=1d
add address=203.0.113.111 disabled=no name=ip.bitcomet.org ttl=1d
add address=203.0.113.111 disabled=no name=jp.bitcomet.com ttl=1d
add address=203.0.113.111 disabled=no name=torrent-cache.bitcomet.org ttl=1d
add address=203.0.113.111 disabled=no name=inside.bitcomet.com ttl=1d
add address=203.0.113.111 disabled=no name=router.bitcomet.net ttl=1d
add address=203.0.113.111 disabled=no name=router.bittorrent.com ttl=1d

Firewall Rules:
Offenders are added to the blacklist for 45 minutes (since periods are ~50 minutes), the DNS tracking seems to flag uTorrent every 30 min, keeping offenders on, while limiting the damage to any potential false positives (although I have yet to see any).

/ip firewall layer7-protocol
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"

/ip firewall filter
add action=jump chain=forward comment="P2P-All detection" disabled=no jump-target=p2p_chain p2p=all-p2p
add action=jump chain=forward comment="P2P DNS block hit" disabled=no dst-address=203.0.113.111 jump-target=p2p_chain
add action=jump chain=forward comment=Bittorrent disabled=no jump-target=p2p_chain layer7-protocol=BITTORRENT
add action=log chain=p2p_chain comment="P2P Debug" disabled=yes log-prefix=P2P-Debug
add action=accept chain=p2p_chain comment="Whitelist Bypass" disabled=no src-address-list=whitelist
add action=accept chain=p2p_chain comment="Whitelist Bypass" disabled=no dst-address-list=whitelist
add action=jump chain=p2p_chain comment="Greylist Src: bypass log, just drop" disabled=no jump-target=p2p_block src-address-list=greylist
add action=jump chain=p2p_chain comment="Greylist Dst: bypass log, just drop" disabled=no dst-address-list=greylist jump-target=p2p_block
add action=log chain=p2p_chain disabled=no dst-address-list=!blacklist log-prefix=P2P-Detection-New src-address-list=!blacklist
add action=add-src-to-address-list address-list=blacklist address-list-timeout=45m chain=p2p_chain comment="Blacklist P2P upload" disabled=no src-address=<LAN SUBNET>
add action=add-dst-to-address-list address-list=blacklist address-list-timeout=45m chain=p2p_chain comment="Blacklist P2P download" disabled=no dst-address=<LAN SUBNET>
add action=jump chain=p2p_chain comment="Jump Block" disabled=no jump-target=p2p_block
add action=drop chain=p2p_block comment="Drop P2P" disabled=no

QoS:
Total line is 30Mb/2Mb
whitelist IP's are unrestricted
Individual students are limited to 8Mb/256kb, as a whole the student group consumes no more than 25Mb/1.5Mb
Blacklisted IP's are limited to 29k/14k. Just enough to make web browsing possible, but painful.

For the mangle, I opted to just directly mark packets. I have not found a cleaner way since the connection marking method flags both upload and download, and I have very few entries in whitelist/blacklist (well, hopefully). If anyone knows of a more efficient method for doing this, I would love to hear about it.

/queue type
add kind=pcq name=whitelist_queue_upload pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=10 pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=200
add kind=pcq name=whitelist_queue_download pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=10 pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=200
add kind=pcq name=blacklist_queue_upload pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=10 pcq-rate=14k pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=200
add kind=pcq name=blacklist_queue_download pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=10 pcq-rate=29k pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=200
add kind=pcq name=student_queue_upload pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=256k pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000
add kind=pcq name=student_queue_download pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=8M pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=2M name=upload_root parent=global-out priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=30M name=download_root parent=global-out priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=download_whitelist_leaf packet-mark=whitelist_download_packet parent=download_root priority=4 queue=whitelist_queue_download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=upload_whitelist_leaf packet-mark=whitelist_upload_packet parent=upload_root priority=4 queue=whitelist_queue_upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=25M name=download_student_leaf packet-mark=student_download_packet parent=download_root priority=5 queue=student_queue_download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=1500k name=upload_student_leaf packet-mark=student_upload_packet parent=upload_root priority=5 queue=student_queue_upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=1M name=download_blacklist_leaf packet-mark=blacklist_download_packet parent=download_root priority=8 queue=blacklist_queue_download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=128k name=upload_blacklist_leaf packet-mark=blacklist_upload_packet parent=upload_root priority=8 queue=blacklist_queue_upload

/ip firewall mangle
add action=mark-packet chain=postrouting comment="Whitelist Download" disabled=no dst-address-list=whitelist new-packet-mark=whitelist_download_packet passthrough=no
add action=mark-packet chain=postrouting comment="Whitelist Upload" disabled=no new-packet-mark=whitelist_upload_packet passthrough=no src-address-list=whitelist
add action=mark-packet chain=postrouting comment="Greylist Upload (whitelist queue)" disabled=no new-packet-mark=whitelist_upload_packet passthrough=no src-address-list=greylist
add action=mark-packet chain=postrouting comment="Greylist Download (whitelist queue)" disabled=no dst-address-list=greylist new-packet-mark=whitelist_download_packet passthrough=no
add action=mark-packet chain=postrouting comment="Blacklist Download" disabled=no dst-address-list=blacklist new-packet-mark=blacklist_download_packet passthrough=no
add action=mark-packet chain=postrouting comment="Blacklist Upload" disabled=no new-packet-mark=blacklist_upload_packet passthrough=no src-address-list=blacklist
add action=mark-packet chain=postrouting comment="Student Upload" disabled=no new-packet-mark=student_upload_packet out-interface=ether1-WAN passthrough=no
add action=mark-packet chain=postrouting comment="Student Download" disabled=no new-packet-mark=student_download_packet passthrough=no

Future plans:
My first project going forward is to get a captive portal with Terms of Service working. Beyond that, I would like to look at applying QoS traffic prioritization for content, although I do not know how much this will impact CPU utilization. Given the drop in traffic I am seeing after disabling P2P, this is no longer as necessary as it once might have been.

If anyone has any feedback on this I would love to hear it. I am still learning RouterOS, so I'm sure there are better ways to implement some of this. Otherwise, I hope it helps and will keep you posted as I move forward on it.

CC_DKP

*EDIT: 2011.03.23 - Changed DNS capture code to use "redirect"
*EDIT: 2011.06.17 - Changed to reflect updated Bittorrent L7 filter

Mon Feb 14, 2011 9:47 am

if u are working with datacenters u would know that downloading torrent, sending spam is counted as an abuse and they will grant a payment for this abuse which is nearly 15$ for each one !

torrent technology is nothing illegal in itself. we offer RouterOS downloads via torrent, and many companies do the same.

mves · Mon Feb 14, 2011 3:49 pm

Hi...

@CCDKP

Can you use a p2p block on a QoS stage and get traffic get dropped by PCQ setting on let's say source port classification? So let's say, everything that uses more that 10 connections per source port in a current queue? So, will it work that way?

Also,

/ip firewall nat
add action=dst-nat chain=dstnat comment="Capture DNS" disabled=no dst-address=!<ROUTER LAN IP> dst-port=53 protocol=tcp src-address-list=!whitelist to-addresses=<ROUTER LAN IP>
add action=dst-nat chain=dstnat comment="Capture DNS" disabled=no dst-address=!<ROUTER LAN IP> dst-port=53 protocol=udp src-address-list=!whitelist to-addresses=<ROUTER LAN IP>

/ip firewall filter
add action=jump chain=forward comment="P2P DNS block hit" disabled=no dst-address=203.0.113.111 jump-target=p2p_chain

And, how to get dns static on/off through a scheduler? Or I'll have to only get "P2P DNS block hit" time limited to allow p2p over allowed time? Also, IP firewall nat setting, I can simply add interface or tracking IP range instead of "!whitelist", right? And can you explain to me what ip firewall nat code do... I'm a bit lost on that one

CCDKP · Mon Feb 14, 2011 7:26 pm

Can you use a p2p block on a QoS stage and get traffic get dropped by PCQ setting on let's say source port classification? So let's say, everything that uses more that 10 connections per source port in a current queue? So, will it work that way?

The QoS stage can not "drop" traffic directly, it can only slow it down. The problem with tracking by source-port is that in an RFC compliant NAT router, each person behind it typically has all their traffic come out a single port. If someone were running a NAT router on their own, inside your network, you would end up totally blocking individuals.

Also,
Code: Select all
/ip firewall nat
add action=dst-nat chain=dstnat comment="Capture DNS" disabled=no dst-address=!<ROUTER LAN IP> dst-port=53 protocol=tcp src-address-list=!whitelist to-addresses=<ROUTER LAN IP>
add action=dst-nat chain=dstnat comment="Capture DNS" disabled=no dst-address=!<ROUTER LAN IP> dst-port=53 protocol=udp src-address-list=!whitelist to-addresses=<ROUTER LAN IP>

/ip firewall filter
add action=jump chain=forward comment="P2P DNS block hit" disabled=no dst-address=203.0.113.111 jump-target=p2p_chain
And, how to get dns static on/off through a scheduler? Or I'll have to only get "P2P DNS block hit" time limited to allow p2p over allowed time? Also, IP firewall nat setting, I can simply add interface or tracking IP range instead of "!whitelist", right? And can you explain to me what ip firewall nat code do... I'm a bit lost on that one

The NAT code redirects all TCP and UDP traffic destined for port 53 (DNS) to the local router. This prevents users from simply setting a static DNS and bypassing your DNS control.

Scheduling should be simple enough with a couple of scripts. Set the "enable" script to create all the static DNS entries mentioned above, then flush the DNS cache. Then create a "disable" script that deletes the static entries and flushes the cache again. The NAT rules and the "P2P DNS block hit" rules could be left in place.

By default, static DNS entries have a 24hour TTL. To prevent client-side caching from causing trouble, I would suggest setting them for a maybe a 15 minute TTL instead.

Hope that gets you headed in the right direction.
@CC_DKP

mves · Tue Feb 15, 2011 5:08 pm

The NAT code redirects all TCP and UDP traffic destined for port 53 (DNS) to the local router. This prevents users from simply setting a static DNS and bypassing your DNS control.

Hmmm... let's see if I'm getting this right. On my network there are 4 DNS entries used. 2 internal most commonly used and other two are openDNS. Will this affect those users?

Scheduling should be simple enough with a couple of scripts. Set the "enable" script to create all the static DNS entries mentioned above, then flush the DNS cache. Then create a "disable" script that deletes the static entries and flushes the cache again. The NAT rules and the "P2P DNS block hit" rules could be left in place.

Maybe, but my mikrotik scripting stopped on scheduled reboot routers and emergency mass bandwidth change for users so I guess that I have no idea where to start on that one

A little bit help would be most welcome. It would be nice if someone could give me an example on how to set that entries.

By default, static DNS entries have a 24hour TTL. To prevent client-side caching from causing trouble, I would suggest setting them for a maybe a 15 minute TTL instead.

Perhaps this caused internet blackout on some routers on a last attempt for implementing static DNS entries. Well, maybe in this case even 30 seconds or less could do a trick since it needs only to block attempt, right? Beside, all of them would end up on a p2p user list for some time.

CCDKP, thanks for your help

CCDKP · Thu Feb 17, 2011 12:34 am

Hmmm... let's see if I'm getting this right. On my network there are 4 DNS entries used. 2 internal most commonly used and other two are openDNS. Will this affect those users?

Enabling the DNS redirection would prevent customers from directly using OpenDNS. If you just wanted the basic OpenDNS spyware filtering and not any of the advanced content filters, (or if you are running a hotspot like myself and want to use OpenDNS as a method for additional content filtering), then you can simply point the RouterOS's DNS server to the OpenDNS servers and use them.

If your users need to be allowed to freely use any DNS server of their choosing, it should be possible to create a L7 rule matching the DNS querys we are doing the capturing for and redirecting just those packets to our DNS server. That is a little outside my scope (as I am horrible with regex) but someone here should be able to help you. This would introduce a bit more load on the system, however, so you would need some decent hardware to do this on.

As for automating this, I looked into the scheduler and I think I have a workable solution.
Add the DNS entries as before, but change the TTL=1d to TTL=5m, then run /ip dns static print and note down all the # for the DNS entries you want to control. In my example, they are 0-12, since they are the only entries in this test box.
Adjust the time and and DNS entry numbers to fit your deployment:

/system scheduler add name=Enable_P2P_DNS_Filter interval=24h start-time=7:00:00 \
 on-event="/ip dns static enable 0,1,2,3,4,5,6,7,8,9,10,11,12; /ip dns cache flush" 
/system scheduler add name=Disable_P2P_DNS_Filter interval=24h start-time=7:00:00 \
 on-event="/ip dns static disable 0,1,2,3,4,5,6,7,8,9,10,11,12; /ip dns cache flush"

That should just about do it.
@CC_DKP

mves · Thu Feb 17, 2011 2:54 pm

Well, I've been busy on trying to run dns entries like that last time an failed so I came up on this (with a little help however) and another script that flushing cache every hour. I figure it out now how it's work

:foreach i in [/ip dns static find] do={
  /ip dns static disable $i
}

Also, that DNS list are quite outdated. There are also 1337.org, pow7.com, torrentz.com, istole.it and some others. Just look at a common tracker list in a torrent from piratebay for example. But that brings me to a huge problem. I can use a DNS entries combined with nat rule only on 2 main routers routers with ISP links. There are set DNS entries. On other routers that attempt causing internet blackout probably because there are no DNS entries. But I can't just add those rules on every interface because 5 Ghz and business side customers needs to be out of p2p blocking. It would need to redefine settings on entire network in order to use DNS entries if that is the issue. Plus, if I even think to lock usage to most commonly used dns entries (that's 4) it would required upgrade from 3.30 OS that is on few routers and so far, that routers worked fine for a very long time and it's kind of hard to change something that is tested and work

add address=203.0.113.111 disabled=no name=dht.vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=vrpc.vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=vzrpx020.vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=vzapp020.vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=client.vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=ip.bitcomet.org ttl=15m
add address=203.0.113.111 disabled=no name=jp.bitcomet.org ttl=15m
add address=203.0.113.111 disabled=no name=torrent-cache.bitcomet.org ttl=15m
add address=203.0.113.111 disabled=no name=inside.bitcomet.com ttl=15m
add address=203.0.113.111 disabled=no name=router.bitcomet.net ttl=15m
add address=203.0.113.111 disabled=no name=router.bittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=router.utorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=tracker.publicbt.com ttl=15m
add address=203.0.113.111 disabled=no name=utorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=ns1.utorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=ns2.utorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=ns3.utorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=istole.it ttl=15m
add address=203.0.113.111 disabled=no name=thepiratebay.org ttl=15m
add address=203.0.113.111 disabled=no name=1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=mininova.org ttl=15m
add address=203.0.113.111 disabled=no name=bittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=publicbt.com ttl=15m
add address=203.0.113.111 disabled=no name=openbittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=pow7.com ttl=15m
add address=203.0.113.111 disabled=no name=vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=bitcomet.com ttl=15m
add address=203.0.113.111 disabled=no name=llnwd.net ttl=15m
add address=203.0.113.111 disabled=no name=ns1.1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=ns2.1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=genesis.1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=exodus.1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=nemesis.1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=tracker.openbittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=bittorrent.vo.llnwd.net ttl=15m
add address=203.0.113.111 disabled=no name=apps.bittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=10.rarbg.com ttl=15m
add address=203.0.113.111 disabled=no name=ns1.torrentz.com ttl=15m
add address=203.0.113.111 disabled=no name=ns2.torrentz.com ttl=15m
add address=203.0.113.111 disabled=no name=ns3.torrentz.com ttl=15m
add address=203.0.113.111 disabled=no name=ens-**bitcomet.com ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).pow7.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).vuze.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).publicbt.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).bitcomet.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).utorrent.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).bittorrent.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).bittorrent.org" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).1337x.org" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).thepiratebay.org" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).llnwd.net" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).mininova.org" ttl=15m

I came up with this but last entries seams that doesn't work. Does anyone know how to set this properly? Btw, ttl=15m is ok setting. I tried 15s but it did not do well.

CCDKP · Fri Feb 18, 2011 6:04 pm

Also, that DNS list are quite outdated. There are also 1337.org, pow7.com, torrentz.com, istole.it and some others. Just look at a common tracker list in a torrent from piratebay for example.

I believe you are missing the intention of the DNS blocking. The entries TKITFrank and I have listed are not torrent trackers. There are far too many trackers to block them via DNS (since almost anyone can run a tracker). Blocking of tracker activity is controlled by the L7 filters TKITFrank provided.

The DNS entries are there to block the DHT/uTP protocols from initializing. DHT/uTP are the "trackerless" protocols that bittorrent uses to establish communication when the trackers are unreachable. *Technically* DHT/uTP is not required as long as a tracker is available, since the client is able to seed these lists from peers it has located through a tracker.

HowYesNo · Mon Feb 28, 2011 2:40 am

@TKITFrank:

I done (I think) everything you said, about L7, DNS, mangle and filters... Think there is not so much things I can do wrong, but this just simple wont work! Actually, at Mangle I can see there count packets, at every of them, but when I make filter, there is no any packet caught!

And also about DNS what u were talking, what does this mean: "You will have to disable DNS query's outbound and only allow the DNS server in the Mikrotik."?

Thx in advance!
Regards,
Milan.

TKITFrank · Mon Feb 28, 2011 8:21 am

@HowYesNo

Port you config so we can see if there is something wrong.
Beside...
If I understand you correct the mangle rules work fine right?
Some things too look for.
1; Mark the packets in prerouting chain. Using L7 and the builtin p2p rulesets.
2; Set action to jump to p2p-chain
3; create a chain that is called p2p-chain.
4; set action to mark connection to p2p
5; In firewall filter create a rule under forward-chain and set connection mark to p2p. Action drop.
You have to mark all packets in mangle and send them to chain p2p-chain in mangle where you mark a connection as p2p.

Under Firewall filter you have to use the connection mark and drop packets on that chain. Be sure to use forward chain.

The "DNS thing"
You have do disable outbound dns queries or redirect them to use the mikrotik build in dns. I use the DHCP to set my mikrotik as default dns server. Then I block outbound dns queries.
There is no right or wrong do as you please. Perhaps redirect is more polite.
Make sure to add the entries that I posted before. Without this you can not block torrent traffic.

HowYesNo · Mon Feb 28, 2011 5:10 pm

Thx for answer!

Ok, here what I have done:

1) Made 2 L7 protocols that I copied from this thread (called them BITTORRENT and BITTORRENT_ANNOUNCE).

2) In mangle made 4 rules: 3 of them have same configurations... Chain - prerouting, action - jump, jump target - p2p-traffic. The first one has L7 - BITTORRENT, and the second BITTORRENT_ANNOUNCE. The third one has just P2P - all-p2p! (none of them dosent mark packets, should they, or something else? I should mark them and call like what?). I see u said there need to mark all that packets and send them to p2p-traffic chain and then there mark connection like p2p. So, if I am right, I should at those 3 rules set Packet Mark and call it ie p2p-packets.? 4th rule is made for marking connection, chain - p2p-traffic, action - mark connection, new connection mark - p2p (no any other changes made).

3) Filter rule made like this: chain - forward, connection mark - p2p, action - drop. Thats it.

4) Added those static DNS entries... But dunno how to make it work... Where should I set my primary dns disabled (or just make mikrotik be primary one) or what actually I should do, that is little unclear to me! If I disable that, would everyone be able surf the net at all?

Regards,
Milan.

TKITFrank · Mon Feb 28, 2011 8:20 pm

Thx for answer!

Ok, here what I have done:

1) Made 2 L7 protocols that I copied from this thread (called them BITTORRENT and BITTORRENT_ANNOUNCE).
OK

2) In mangle made 4 rules: 3 of them have same configurations... Chain - prerouting, action - jump, jump target - p2p-traffic. The first one has L7 - BITTORRENT, and the second BITTORRENT_ANNOUNCE. The third one has just P2P - all-p2p! (none of them dosent mark packets, should they, or something else? I should mark them and call like what?). I see u said there need to mark all that packets and send them to p2p-traffic chain and then there mark connection like p2p. So, if I am right, I should at those 3 rules set Packet Mark and call it ie p2p-packets.? 4th rule is made for marking connection, chain - p2p-traffic, action - mark connection, new connection mark - p2p (no any other changes made).
Sorry for my bad choice of words, Just make a rule in prerouting-chain where you use your L7 and the default rule for p2p and choose action jump and target p2p-chain. In the new chain called p2p-chain set action to new-connction mark and mark it to p2p.

3) Filter rule made like this: chain - forward, connection mark - p2p, action - drop. Thats it.
OK

4) Added those static DNS entries... But dunno how to make it work... Where should I set my primary dns disabled (or just make mikrotik be primary one) or what actually I should do, that is little unclear to me! If I disable that, would everyone be able surf the net at all?
Create a new rule in forward chain and set UDP/TCP protocol and dest port 53 (depending on server you might want to have source port 53 in a new rule as well) and set action to drop.
In the DNS server set primary and secondary server to you own DNS server or an ISP dns server and activate allow remote requests. Make sure only your own network can access it (The mikrotik). Announce this settings via DHCP or what ever you use
There settings should point to the mikrotik router as DNS server.

Regards,
Milan.

Hope this helps. The DNS settings are vital for this to work.

HowYesNo · Wed Mar 02, 2011 3:22 pm

I just dont know why my filter doesnt work... That doesnt have anything to do with DNS! Counter is 0 and mangle is counting! If it count packets and mark connection why then filter doesnt block those marked "p2p" connection packets? Tried to move the rule up and down, and still no changes!

About things commented above:

So rules in mangle that I made are good actually... 3 rules in prerouting chain and jump to p2p-traffic (two L7 and one default rule for p2p) and one rule in chain p2p-traffic that marks connection!

And about DNS I totaly do not understand how I should do that... Mb if u could tell me what should I do in winbox and where to go to do that. BTW I have configured DHCP on router!

TKITFrank · Wed Mar 02, 2011 3:37 pm

Hi,

Add this to your DNS
/ip dns static
add address=127.0.0.1 disabled=no name=router.utorrent.com ttl=1d
add address=127.0.0.1 disabled=no name=dht.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vrpc.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzrpx020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzapp020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=client.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=mirror-user1.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=ip.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=jp.bitcomet.com ttl=1d
add address=127.0.0.1 disabled=no name=torrent-cache.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=inside.bitcomet.com ttl=1d
add address=127.0.0.2 disabled=no name=router.bitcomet.net ttl=1d

Then post your config from firewall filter. From what I can understand your mangle rules work so perhaps its just some tiny thing in the firewall filter that is messing things up. I saw that you have tried different orders on the firewall rule.
Well anyhow I think a export of your firewall filter rules might just do the job. Please also include the mangle rules as well just in case.

How is you DNS configured btw? Do you use the DNS in the mikrotik for your clients?

HowYesNo · Fri Mar 04, 2011 9:02 pm

Hello,

Filter:
chain = forward
connection mark = p2p
action = drop

Yes I added those static DNS addresses! Just dont know what else I should do there...
I am kinda noob in mikrotik world, so I dunno where I can see how is DNS configured, actually, DNS which clients are using is not in mikrotik... That's the major thing cose I do not understand what to do...

robertfranz · Fri Mar 04, 2011 11:32 pm

if u are working with datacenters u would know that downloading torrent, sending spam is counted as an abuse and they will grant a payment for this abuse which is nearly 15$ for each one !
torrent technology is nothing illegal in itself. we offer RouterOS downloads via torrent, and many companies do the same.

He didn't say it was illegal.

He said it was a negative on his network due to conditions imposed upon him.

Most net admins have a requirement to exert due diligence in preventing users from engaging in infringing activities.

No one cares about your irrelevant bittorrent anecdote.

mves · Sat Mar 05, 2011 3:44 pm

Hi HowYesNo...

Don't worry, you'll soon figure the most things out. I've also spent lots of time figuring out what's wrong with dns entries since on some routers that killed internet completely. So, if internet works, it's most likely that you did it right. Also, I had to go without them on most of the routers since it takes lot's of base rules changing for my case and that is not on a working list for some time. TKITFrank and CCDKP have a good set of rules for blocking p2p but at a first it's hard to make them work or figure them out. Sorry guys, but we are noobs

Here's my set of rules... You don't need dns for them, yet, without dns settings dht will still pass and torrents will have access out so few connections will happen from time to time. Just copy them, log over telnet to your mikrotik and paste them.

(PART 1)

/ip firewall layer7-protocol

add comment="" name=BITTORRENT_ANNOUNCE regexp=^get.+announce.

add comment="" name=BITTORENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|\
    get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/\
    |GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]\\r\\n"


/ip firewall filter

add action=accept chain=forward comment=\
    "Online games - CS, COD, Steam server (UDP)" disabled=no dst-port=\
    27000-27050,28960 protocol=udp

add action=accept chain=forward comment=\
    "Online games - CS, COD, Steam server (TCP)" disabled=no dst-port=\
    27000-27050,28960 protocol=tcp

add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
    1h30m chain=forward comment=" ______Bittorent_____" disabled=no \
    layer7-protocol=BITTORENT

add action=reject chain=forward comment="" disabled=no layer7-protocol=\
    BITTORENT reject-with=icmp-network-unreachable

add action=add-src-to-address-list address-list="Torrent Announce" \
    address-list-timeout=1h30m chain=forward comment=______Announce____ \
    disabled=no layer7-protocol=BITTORRENT_ANNOUNCE

add action=reject chain=forward comment="" disabled=no layer7-protocol=\
    BITTORRENT_ANNOUNCE reject-with=icmp-network-unreachable

add action=add-src-to-address-list address-list="Torrent udp" \
    address-list-timeout=1h30m chain=forward comment="____6881-6999 udp___" \
    disabled=no dst-port=6881-6999 protocol=udp

add action=reject chain=forward comment="" disabled=no dst-port=6881-6999 \
    protocol=udp reject-with=icmp-network-unreachable

add action=add-src-to-address-list address-list="Torrent tcp" \
    address-list-timeout=1h30m chain=forward comment="____6881-6999 tcp___" \
    disabled=no dst-port=6881-6999 protocol=tcp

add action=reject chain=forward comment="" disabled=no dst-port=6881-6999 \
    protocol=tcp reject-with=icmp-network-unreachable

add action=add-src-to-address-list address-list="Torrent all-p2p" \
    address-list-timeout=1h30m chain=forward comment=\
    __________All-p2p__________ disabled=no p2p=all-p2p

add action=reject chain=forward comment="" disabled=no p2p=all-p2p \
    reject-with=icmp-network-unreachable

add action=drop chain=forward comment=_____1337_____ disabled=no dst-port=\
    1337 protocol=udp 

add action=drop chain=forward comment="" disabled=no dst-port=1337 \
    protocol=tcp

add action=reject chain=forward comment="Torrent cleaning" disabled=no \
    dst-port=10000-65500 protocol=tcp reject-with=icmp-network-unreachable \
    src-address-list=Torrent src-port=10000-65500

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=udp reject-with=icmp-network-unreachable src-address-list=\
    Torrent src-port=10000-65500

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent Announce" src-port=10000-65500

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=udp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent Announce" src-port=10000-65500

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent udp" src-port=10000-65500

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=udp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent udp" src-port=10000-65500

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent tcp" src-port=10000-65500

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=udp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent tcp" src-port=10000-65500

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent all-p2p" src-port=10000-65500

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=udp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent all-p2p" src-port=10000-65500

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    Torrent src-port=1000-5000

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent Announce" src-port=1000-5000

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent udp" src-port=1000-5000

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent tcp" src-port=1000-5000

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent all-p2p" src-port=1000-5000

On this part... TKITFrank and CCDKP would probably said that I missed the subject and reason for DNS entries. Perhaps I did, but this works for me where ever it's active... sorry guys, I'm still a noob

(PART 2)

add address=203.0.113.111 disabled=no name=dht.vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=vrpc.vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=vzrpx020.vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=vzapp020.vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=client.vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=ip.bitcomet.org ttl=15m
add address=203.0.113.111 disabled=no name=jp.bitcomet.org ttl=15m
add address=203.0.113.111 disabled=no name=torrent-cache.bitcomet.org ttl=15m
add address=203.0.113.111 disabled=no name=inside.bitcomet.com ttl=15m
add address=203.0.113.111 disabled=no name=router.bitcomet.net ttl=15m
add address=203.0.113.111 disabled=no name=router.bittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=router.utorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=tracker.publicbt.com ttl=15m
add address=203.0.113.111 disabled=no name=utorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=ns1.utorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=ns2.utorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=ns3.utorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=istole.it ttl=15m
add address=203.0.113.111 disabled=no name=thepiratebay.org ttl=15m
add address=203.0.113.111 disabled=no name=1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=mininova.org ttl=15m
add address=203.0.113.111 disabled=no name=bittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=publicbt.com ttl=15m
add address=203.0.113.111 disabled=no name=openbittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=pow7.com ttl=15m
add address=203.0.113.111 disabled=no name=vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=bitcomet.com ttl=15m
add address=203.0.113.111 disabled=no name=llnwd.net ttl=15m
add address=203.0.113.111 disabled=no name=ns1.1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=ns2.1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=genesis.1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=exodus.1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=nemesis.1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=tracker.openbittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=bittorrent.vo.llnwd.net ttl=15m
add address=203.0.113.111 disabled=no name=apps.bittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=10.rarbg.com ttl=15m
add address=203.0.113.111 disabled=no name=ns1.torrentz.com ttl=15m
add address=203.0.113.111 disabled=no name=ns2.torrentz.com ttl=15m
add address=203.0.113.111 disabled=no name=ns3.torrentz.com ttl=15m
add address=203.0.113.111 disabled=no name=ens-**bitcomet.com ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).pow7.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).vuze.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).publicbt.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).bitcomet.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).utorrent.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).bittorrent.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).bittorrent.org" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).1337x.org" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).thepiratebay.org" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).llnwd.net" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).mininova.org" ttl=15m

On this one I found myself of needing of flushing DNS from time to time so I've set schedule to run every 15 minutes with
(PART 2A)

/ip dns cache flush

This part you have to edit to fit for your system settings... This peace of work came from CCDKP and it works. Just edit this part in notepad before copy/paste. <ROUTER LAN IP> is for example 192.168.200.1. It's related with those DNS entries and now you'll have hits from DNS entries. Before this, you have to be sure that you have those famous router DNS settings (someone please correct me if I'm expressed myself falsely)... IP => DNS => Static => Settings... Primary and secondary DNS and it's values must be set to your DNS and check Turn On Remote Requests (hopefully that's what everyone's referring to).

(PART 3)

/ip firewall nat

add action=dst-nat chain=dstnat comment="Capture p2p DNS" disabled=no \
    dst-address=!<ROUTER LAN IP> dst-port=53 protocol=udp \
    to-addresses=<ROUTER LAN IP>

add action=dst-nat chain=dstnat comment="Capture p2p DNS" disabled=no \
    dst-address=!<ROUTER LAN IP> dst-port=53 protocol=tcp \
    to-addresses=<ROUTER LAN IP>

/ip firewall filter

add action=add-src-to-address-list address-list="Torrent DNS" \
    address-list-timeout=1h30m chain=forward comment="p2p DNS" disabled=no \
    dst-address=203.0.113.111

add action=drop chain=forward comment="" disabled=no dst-address=\
    203.0.113.111

Point is, this set of rules works and have a nice blocking ratio and yet, they can sometimes be power hungry, especially with a multiple interfaces and rate of p2p usage but mostly that's just initial blow. Https trackers will however pass the blockade but they won't get far. Downfall of my settings is that you have to add ports for some online games but I think that that's much more easier than this. Add everything step by step and make sure that that segment works before adding next part. Now, internet should work and you'll have a hits on every part of the rules if there are p2p usage. But, it doesn't mean that every part needs to have hits. After everything set, check Address List and see who's IP's are logged. Sometimes, false hits can occur on 6881-6999 rules. They are quite rare but don't worry, even if they are not using p2p it won't have much effect on them if you have set passage for their favorite online games. In my case and this rules, it's CS, COD and Steam server. WoW add for specific users only because it's uses p2p for update and WoW users will regularly be found on p2p list. It's up to you will you let them automatic update or refer them to do it manually from blizzard.
Hope that this will help... goodluck

HowYesNo · Sun Mar 06, 2011 5:54 pm

Ok, I'll try those things and say if helped me...
Where u implemented those config? I see u'r from Serbia, so it's skola, igraona, ili nesto slicno?
Hvala!

mves · Sun Mar 06, 2011 10:50 pm

Ok, I'll try those things and say if helped me...
Where u implemented those config? I see u'r from Serbia, so it's skola, igraona, ili nesto slicno?
Hvala!

Wireless internet

TKITFrank · Mon Mar 07, 2011 10:10 am

Hi,

@mves
Well I don't say you missed the point completely but somewhat

Those DNS entries are only for blocking DHT and magnetic links only. You have a different approach but if it works it is good enough. Any way we can do it is fair game as far as I am concerned.

@HowYesNo
1; Activate allow remote requests on you DNS server in the mikrotik.
2; In the DHCP make sure that you have you mikrotik as DNS server.
3; Check your clients so they use the DNS server via ipconfig

semihgeek · Mon Mar 07, 2011 12:54 pm

hey
I found some Layer7 based codes.Is it useful?It seems

/ip firewall layer7-protocol
add comment="" name=torrent-wwws regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*$"
/ip firewall filter
add action=drop chain=forward comment="block torrent wwws" disabled=no layer7-protocol=\
    torrent-wwws
/ip firewall layer7-protocol
add comment="" name=torrent-dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"
/ip firewall filter
add action=drop chain=forward comment="block torrent dns" disabled=no dst-port=53 \
    layer7-protocol=torrent-dns protocol=udp

@TKITFrank
I am using your codes for blocking p2p.I have added both codes(yours and the codes on the top).Your firewall rules are capturing p2p before the code on the top.
I am begineer sorry for if i have a mistake.

mves · Mon Mar 07, 2011 10:36 pm

/ip firewall nat
add action=dst-nat chain=dstnat comment="Capture DNS" disabled=no dst-address=!<ROUTER LAN IP> dst-port=53 protocol=tcp src-address-list=!whitelist to-addresses=<ROUTER LAN IP>
add action=dst-nat chain=dstnat comment="Capture DNS" disabled=no dst-address=!<ROUTER LAN IP> dst-port=53 protocol=udp src-address-list=!whitelist to-addresses=<ROUTER LAN IP>

/ip firewall filter
add action=jump chain=forward comment="P2P DNS block hit" disabled=no dst-address=203.0.113.111 jump-target=p2p_chain

CCDKP, I wonder, what if I have a multiple interfaces? Will this work like that or I have to add interface there? Same with that if I want to allow p2p on some interface?

EDIT:
DHT: Waiting to log in
The beast is killed... but I'm not cleared with what... is this DNS kill?

Also, this is overkill for me... it's blocking access to those sites completely

add address=203.0.113.111 disabled=no name=utorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=istole.it ttl=15m
add address=203.0.113.111 disabled=no name=thepiratebay.org ttl=15m
add address=203.0.113.111 disabled=no name=1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=mininova.org ttl=15m
add address=203.0.113.111 disabled=no name=bittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=publicbt.com ttl=15m
add address=203.0.113.111 disabled=no name=openbittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=pow7.com ttl=15m
add address=203.0.113.111 disabled=no name=vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=bitcomet.com ttl=15m
add address=203.0.113.111 disabled=no name=llnwd.net ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).pow7.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).vuze.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).publicbt.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).bitcomet.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).utorrent.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).bittorrent.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).bittorrent.org" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).1337x.org" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).thepiratebay.org" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).llnwd.net" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).mininova.org" ttl=15m

@semihgeek
Maybe you should try something like this instead of those L7 you mentioned. In previous posts there are example like

/ip dns static
add address=127.0.0.1 disabled=no name=".*\\(^\\|\\.\\)utorrent\\.com" ttl=1d

Combine and leave what is most suitable for your needs. Don't overburden your router with rules that do the same job at a different way.

TKITFrank · Tue Mar 08, 2011 12:35 pm

@mves

EDIT:
DHT: Waiting to log in
The beast is killed... but I'm not cleared with what... is this DNS kill?

Yes it is DNS that will kill this.

Also, this is overkill for me... it's blocking access to those sites completely

Yes that is why you want to keep it to a minimum. Also L7 DNS rules will consume more CPU.

@semihgeek
I think my rules are enough right now. Those you have tend to block the sites more then the actual traffic.
My approach is to only block the traffic from the client and also torrent file download.
But if you want to block access to torrent sites then they will work excellent

CCDKP · Wed Mar 23, 2011 11:23 pm

Just an update for everyone, I was playing with filters and found a slightly more efficient DNS capturing code. These 3 lines will redirect all DNS traffic to the router, effectively capturing all DNS, no matter what IP it is destined for.

/ip firewall nat
add action=redirect chain=dstnat comment="Capture DNS" disabled=no dst-port=\
    53 protocol=tcp src-address-list=!whitelist to-ports=53
add action=redirect chain=dstnat comment="Capture DNS" disabled=no dst-port=\
    53 protocol=udp src-address-list=!whitelist to-ports=53

CCDKP, I wonder, what if I have a multiple interfaces? Will this work like that or I have to add interface there? Same with that if I want to allow p2p on some interface?

That is easily adjusted by adding in-interface=<filtered interface> or in-interface=!<allowed interface> in the firewall NAT code.
HOWEVER, PC's using the router as their DNS server (if that is what you are handing out with DHCP), will still be affected, so you may want to hand out a public DNS server and only use the internal Mikrotik one for "capturing". Otherwise, you can just add individual IP's to "whitelist" and it will bypass the filter.

Also, this is overkill for me... it's blocking access to those sites completely

That is because you are blocking WAY too much. you are missing the point of the DNS blacklist and the filter itself.
The L7 is designed to detect Torrent Announce packets, not browsing torrent sites. This prevents torrent clients from getting seeds via a tracker.
the DNS is designed to block DHT from starting, which is another method bittorrent uses to find seeds when the tracker is down (ie blocked by the L7 filter)

The filter is NOT intended to block the downloading of the .torrent file, or the browsing of bittorrent-related sites, it is only designed to block the actual protocol itself from functioning.

The only DNS entries you should have are:

/ip dns static
add address=203.0.113.111 disabled=no name=router.utorrent.com ttl=1d
add address=203.0.113.111 disabled=no name=dht.vuze.com ttl=1d
add address=203.0.113.111 disabled=no name=vrpc.vuze.com ttl=1d
add address=203.0.113.111 disabled=no name=vzrpx020.vuze.com ttl=1d
add address=203.0.113.111 disabled=no name=vzapp020.vuze.com ttl=1d
add address=203.0.113.111 disabled=no name=client.vuze.com ttl=1d
add address=203.0.113.111 disabled=no name=mirror-user1.bitcomet.org ttl=1d
add address=203.0.113.111 disabled=no name=ip.bitcomet.org ttl=1d
add address=203.0.113.111 disabled=no name=jp.bitcomet.com ttl=1d
add address=203.0.113.111 disabled=no name=torrent-cache.bitcomet.org ttl=1d
add address=203.0.113.111 disabled=no name=inside.bitcomet.com ttl=1d
add address=203.0.113.111 disabled=no name=router.bitcomet.net ttl=1d
add address=203.0.113.111 disabled=no name=router.bittorrent.com ttl=1d

Anything beyond that is breaking web browsing and other activity.

@CC_DKP

NetworkPro · Thu Mar 24, 2011 9:50 am

We are missing code that blocks new udp announcer from working. We can't be slaves to DNS "definitions".

CCDKP · Thu Mar 24, 2011 3:48 pm

We are missing code that blocks new udp announcer from working. We can't be slaves to DNS "definitions".

The problem is that DHT/uTP is an encrypted channel specifically designed to avoid filters and detection by ISP's. Attacking DNS is currently the only weak point we have been able to identify in that system.

There is theoretically a method involving statistical analysis of the number of simultaneous UDP peer endpoints and bandwidth consumed, but that is outside the capabilities of RouterOS.

For my use scenario (hotspot / student network), UDP announce has never been an issue, since the client always attempts a TCP or DHT connection first and gets themselves blacklisted and throttled.

If you could provide a link to a working UDP announce torrent, I would be glad to take a look into it and see what I can come up with.

TKITFrank · Thu Mar 24, 2011 4:39 pm

I have not found a good working UDP L7 for that yet.

If anyone can find it please do post that info

NetworkPro · Fri Mar 25, 2011 1:56 pm

If you could provide a link to a working UDP announce torrent, I would be glad to take a look into it and see what I can come up with.

thepiratebay org has torrents that use udp announcers

if the request or response can be identified each time using a L7 or a content matcher, and the announcer IP blacklisted, we are in business.

mves · Fri Mar 25, 2011 4:22 pm

I have not found a good working UDP L7 for that yet.
If anyone can find it please do post that info

So far, my set of rules still works. Even version without DNS entries.

reinerotto · Tue Apr 26, 2011 12:34 am

Why would it affect other users if you have normal QoS set up? If one guy has 1Mbit, let him use it however he wants, even if it's all 1Mbit with P2P other users will not be affected.

There are legal problems here in Germany for prof. services "tolerating" violation of copyrights.
Or, in other words, the WISP could be held responsible for a user of the hotspot, for example, who downloads copyrighted material, in case, the access to this copyrighted material is not secured as much as possible.

Blocking P2P is one method to make violation of copyrights more difficult.

fewi · Tue Apr 26, 2011 12:49 am

Then your best option still remains to whitelist legitimate traffic and drop everything else. Blacklisting doesn't scale, as discussed in this thread. Particularly if you could face punishment for missing something that you should have blacklisted, or couldn't blacklist something because doing so was technologically unfeasible.

TKITFrank · Tue Apr 26, 2011 7:30 am

Why would it affect other users if you have normal QoS set up? If one guy has 1Mbit, let him use it however he wants, even if it's all 1Mbit with P2P other users will not be affected.
There are legal problems here in Germany for prof. services "tolerating" violation of copyrights.
Or, in other words, the WISP could be held responsible for a user of the hotspot, for example, who downloads copyrighted material, in case, the access to this copyrighted material is not secured as much as possible.

Blocking P2P is one method to make violation of copyrights more difficult.

Hi reinerotto,

Have you tried my approach? If so is it not working?

/Frank

reinerotto · Tue May 10, 2011 1:16 pm

Why would it affect other users if you have normal QoS set up? If one guy has 1Mbit, let him use it however he wants, even if it's all 1Mbit with P2P other users will not be affected.
There are legal problems here in Germany for prof. services "tolerating" violation of copyrights.
Or, in other words, the WISP could be held responsible for a user of the hotspot, for example, who downloads copyrighted material, in case, the access to this copyrighted material is not secured as much as possible.

Blocking P2P is one method to make violation of copyrights more difficult.
Hi reinerotto,

Have you tried my approach? If so is it not working?

/Frank

Not yet implemented. But definitely I will try.
I am still looking at other solutions to block illigetimate traffic as far as possible. Whitelisting seems to be too restictive for me, a solution of "last resort". The point is, it is a balence I have to do between facing legal risks and giving an honest user as much freedom as possible.
For instance, it will definitely not be possible to block dowloads of single copyrighted songs, for example.

otgooneo · Wed May 25, 2011 11:17 am

P2P matcher (ROS5.2) doesn`t work for uTorrent. For some torrent it works fine. Does anybody know why doesn`t work?

TKITFrank · Wed May 25, 2011 12:02 pm

Do you only use the built in p2p matcher? and if so do you use encrypted p2p in the torrent client?
If so it can not catch it. You will have to try to follow the posts in this thread

mktwifi · Tue Jun 07, 2011 7:11 pm

Dear Guys!
I have just tried to configure mikrotik transparent traffic shaping for limit P2P traffic but without success.
I have used TKITFrank configuration to mark P2P traffic then I have created queue tree for limit bandwidth but P2P traffic goes through router without any limit.
Could you check my configuration and tell me where are errors?

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
disabled=no forward-delay=15s l2mtu=1522 max-message-age=20s mtu=1500 \
name=bridge1 priority=0x8000 protocol-mode=none transmit-hold-count=6
/ip firewall layer7-protocol
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrap\
e\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\
\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add name=BITTORRENT_ANNOUNCE regexp=^get.+announce.
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes limit-at=0 \
max-limit=1M name=download_blacklist_leaf packet-mark=\
blacklist_download_packet parent=download_root priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes limit-at=0 \
max-limit=128k name=upload_blacklist_leaf packet-mark=\
blacklist_upload_packet parent=upload_root priority=8
/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 \
sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 \
red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=\
5
add kind=pcq name=pcq_down_p2p pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=40 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=14000
add kind=pcq name=pcq_up_p2p pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=40 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=14000
set default-small kind=pfifo name=default-small pfifo-limit=10
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=128k name=P2P_Down packet-mark=p2p parent=global-out priority=8 \
queue=pcq_down_p2p
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=1M name=P2P_Up packet-mark=p2p parent=global-in priority=8 \
queue=pcq_up_p2p
/interface bridge port
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
interface=ether2 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
interface=ether3 path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no \
use-ip-firewall-for-vlan=no
/ip dns static
add address=127.0.0.1 disabled=no name=router.utorrent.com ttl=1d
add address=127.0.0.1 disabled=no name=dht.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vrpc.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzrpx020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzapp020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=client.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=mirror-user1.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=ip.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=jp.bitcomet.com ttl=1d
add address=127.0.0.1 disabled=no name=torrent-cache.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=inside.bitcomet.com ttl=1d
add address=127.0.0.1 disabled=no name=router.bitcomet.net ttl=1d
add address=127.0.0.1 disabled=no name=router.bittorrent.com ttl=1d
add address=127.0.0.1 disabled=no name=".*\$^\\|\\.\$utorrent\\.com" ttl=1d
add address=127.0.0.1 disabled=no name=".*\$^\\|\\.\$vuze\\.com" ttl=1d
add address=127.0.0.1 disabled=no name=".*\$^\\|\\.\$bitcomet\\.org" ttl=1d
add address=127.0.0.1 disabled=no name=".*\$^\\|\\.\$bitcomet\\.com" ttl=1d
add address=127.0.0.1 disabled=no name=".*\$^\\|\\.\$bitcomet\\.net" ttl=1d
/ip firewall address-list
add address=193.238.77.80 disabled=no list=P2P_LIMIT
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall mangle
add action=mark-packet chain=prerouting comment=LIMIT_P2P_DROP disabled=no \
new-packet-mark=p2p p2p=all-p2p passthrough=no src-address-list=P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT new-packet-mark=p2p p2p=all-p2p passthrough=no
add action=mark-packet chain=prerouting disabled=no layer7-protocol=\
BITTORRENT new-packet-mark=p2p passthrough=no src-address-list=P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT layer7-protocol=BITTORRENT new-packet-mark=p2p passthrough=no
add action=mark-packet chain=prerouting disabled=no layer7-protocol=\
BITTORRENT_ANNOUNCE new-packet-mark=p2p passthrough=no src-address-list=\
P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT layer7-protocol=BITTORRENT_ANNOUNCE new-packet-mark=p2p \
passthrough=no

Thanks in advance

Best regards

CCDKP · Tue Jun 07, 2011 8:12 pm

Dear Guys!
I have just tried to configure mikrotik transparent traffic shaping for limit P2P traffic but without success.
I have used TKITFrank configuration to mark P2P traffic then I have created queue tree for limit bandwidth but P2P traffic goes through router without any limit.
Could you check my configuration and tell me where are errors?

EDIT: These queues will not restrict BitTorrent Traffic, but will still throttle any traffic picked up by the P2P filter. See my post below for a better explanation.
First, when dealing with Queue tress, you always need a "root" bound to Global-in/global-out/interface/whatever, then you bind your leaf to the root. If you don't, the QoS never applies correctly.

Secondly, where you go from here depends on if this router is performing the NAT or not. If you are NOT performing NAT on this router, it is very simple:

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=<max upload> name=upload_root parent=<upstream interface (ether1?)> priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=<max down> name=download_root parent=<downstream interface (etherX?)> priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=128k name=P2P_Down packet-mark=p2p parent=download_root priority=8 queue=pcq_down_p2p
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=1M name=P2P_Up packet-mark=p2p parent=upload_root priority=8 queue=pcq_up_p2p

The reason this works is you are marking all p2p packets with "p2p" and using the parent interface to separate upload from download traffic.

If you are using NAT, then the rules get kind of ugly. Interface queues occur after the NAT, therefore they can't see addresses behind the NAT. This means everything gets marked as a single source IP on the upload and PCQ fails to work. They way around this is to apply the QoS to Global-out. Since Global-out sees both upload and download traffic, you need to mark packets as either upload or download p2p traffic.

For that, consider something like:

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=<max upload> name=upload_root parent=<upstream interface (ether1?)> priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=<max down> name=download_root parent=<downstream interface (etherX?)> priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=128k name=P2P_Down packet-mark=p2p_download parent=download_root priority=8 queue=pcq_down_p2p
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=1M name=P2P_Up packet-mark=p2p_upload parent=upload_root priority=8 queue=pcq_up_p2p

/ip firewall mangle
add action=mark-packet chain=prerouting comment=LIMIT_P2P_DROP disabled=no \
new-packet-mark=p2p_upload p2p=all-p2p passthrough=no src-address-list=P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT new-packet-mark=p2p_download p2p=all-p2p passthrough=no
add action=mark-packet chain=prerouting disabled=no layer7-protocol=\
BITTORRENT new-packet-mark=p2p_upload passthrough=no src-address-list=P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT layer7-protocol=BITTORRENT new-packet-mark=p2p_download passthrough=no
add action=mark-packet chain=prerouting disabled=no layer7-protocol=\
BITTORRENT_ANNOUNCE new-packet-mark=p2p_upload passthrough=no src-address-list=P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT layer7-protocol=BITTORRENT_ANNOUNCE new-packet-mark=p2p_download passthrough=no

Also, a bit of consideration for speed, I would add the following as the first rule in mangle:

add action=accept chain=prerouting disabled=no passthrough=no src-address-list=!P2P_LIMIT dst-address-list=!P2P_LIMIT

This way you let all traffic not on your P2P_LIMIT list bypass the CPU-heavy L7 filters.

I hope this is enough to get you started. I posted a config I used here: http://forum.mikrotik.com/viewtopic.php ... &start=120
Otherwise, Janis's MUM talk was really helpful in finally figuring out QoS for me. The video is here: http://www.tiktube.com/index.php?video= ... xClIoEKDH=

Best of luck
--@CC_DKP

TKITFrank · Thu Jun 09, 2011 10:53 am

Hi,

Just a note... don't use the DNS entries if you just want to traffic shape. They will ONLY block.

Dear Guys!
I have just tried to configure mikrotik transparent traffic shaping for limit P2P traffic but without success.
I have used TKITFrank configuration to mark P2P traffic then I have created queue tree for limit bandwidth but P2P traffic goes through router without any limit.
Could you check my configuration and tell me where are errors?

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
disabled=no forward-delay=15s l2mtu=1522 max-message-age=20s mtu=1500 \
name=bridge1 priority=0x8000 protocol-mode=none transmit-hold-count=6
/ip firewall layer7-protocol
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrap\
e\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\
\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add name=BITTORRENT_ANNOUNCE regexp=^get.+announce.
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes limit-at=0 \
max-limit=1M name=download_blacklist_leaf packet-mark=\
blacklist_download_packet parent=download_root priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes limit-at=0 \
max-limit=128k name=upload_blacklist_leaf packet-mark=\
blacklist_upload_packet parent=upload_root priority=8
/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 \
sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 \
red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=\
5
add kind=pcq name=pcq_down_p2p pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=40 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=14000
add kind=pcq name=pcq_up_p2p pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=40 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=14000
set default-small kind=pfifo name=default-small pfifo-limit=10
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=128k name=P2P_Down packet-mark=p2p parent=global-out priority=8 \
queue=pcq_down_p2p
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=1M name=P2P_Up packet-mark=p2p parent=global-in priority=8 \
queue=pcq_up_p2p
/interface bridge port
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
interface=ether2 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
interface=ether3 path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no \
use-ip-firewall-for-vlan=no
/ip dns static
add address=127.0.0.1 disabled=no name=router.utorrent.com ttl=1d
add address=127.0.0.1 disabled=no name=dht.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vrpc.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzrpx020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzapp020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=client.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=mirror-user1.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=ip.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=jp.bitcomet.com ttl=1d
add address=127.0.0.1 disabled=no name=torrent-cache.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=inside.bitcomet.com ttl=1d
add address=127.0.0.1 disabled=no name=router.bitcomet.net ttl=1d
add address=127.0.0.1 disabled=no name=router.bittorrent.com ttl=1d
add address=127.0.0.1 disabled=no name=".*\$^\\|\\.\$utorrent\\.com" ttl=1d
add address=127.0.0.1 disabled=no name=".*\$^\\|\\.\$vuze\\.com" ttl=1d
add address=127.0.0.1 disabled=no name=".*\$^\\|\\.\$bitcomet\\.org" ttl=1d
add address=127.0.0.1 disabled=no name=".*\$^\\|\\.\$bitcomet\\.com" ttl=1d
add address=127.0.0.1 disabled=no name=".*\$^\\|\\.\$bitcomet\\.net" ttl=1d
/ip firewall address-list
add address=193.238.77.80 disabled=no list=P2P_LIMIT
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall mangle
add action=mark-packet chain=prerouting comment=LIMIT_P2P_DROP disabled=no \
new-packet-mark=p2p p2p=all-p2p passthrough=no src-address-list=P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT new-packet-mark=p2p p2p=all-p2p passthrough=no
add action=mark-packet chain=prerouting disabled=no layer7-protocol=\
BITTORRENT new-packet-mark=p2p passthrough=no src-address-list=P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT layer7-protocol=BITTORRENT new-packet-mark=p2p passthrough=no
add action=mark-packet chain=prerouting disabled=no layer7-protocol=\
BITTORRENT_ANNOUNCE new-packet-mark=p2p passthrough=no src-address-list=\
P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT layer7-protocol=BITTORRENT_ANNOUNCE new-packet-mark=p2p \
passthrough=no

Thanks in advance

Best regards

CCDKP · Thu Jun 09, 2011 9:32 pm

Dear Guys!
I have just tried to configure mikrotik transparent traffic shaping for limit P2P traffic but without success.
I have used TKITFrank configuration to mark P2P traffic then I have created queue tree for limit bandwidth but P2P traffic goes through router without any limit.
Could you check my configuration and tell me where are errors?

Just a note... don't use the DNS entries if you just want to traffic shape. They will ONLY block.

After reading TKITFrank's note, I realized I made a big blunder. I got a little wrapped up in fixing the Queue's, I didn't think about the end goal of the project. The QoS Example I helped with above will not shape bittorrent traffic.
It will work fine for anything flagged by the p2p filter normally, but not for normal bittorrent traffic.

The reason is simple. The bittorrent data connections through which the major volume of traffic are transferred is encrypted, randomized, and specifically designed to avoid traffic shaping filters. The L7 filters we are working with are designed to flag the announce packets and peer exchanges, which are used to help peers establish the data connections with each other.

A good analogy for BitTorrent would be two teenagers meeting up to covertly talk about something (and about as equally hard to fully stop). When they want to talk, they call each other on their cellphones, agree to meet at someplace like the mall, then they get together and talk. It is very simple to "block" this system by controlling the egress points. Take away the cellphone (the announce packets we filter for), and block online chat/email (DNS filtering). This prevents them from agreeing where and when to meet up, thus stopping the conversation. Throttling is FAR more difficult. While you can limit cellphone minutes and email messages, it only takes one small message one time of getting through for them to successfully meet up. Once they have met up, they can have a full conversation and decide when and where to meet up again from there.

The only somewhat viable method for throttling P2P traffic is to use the L7 and DNS filters to detect the presence of P2P traffic, then throttle the whole connection down for some predetermined amount of time. This has the unfortunate side-effect of slowing down all of that user's "legitimate" traffic as well as P2P. I use this method as a deterrent on a few public hotspots (see my example post on page 3 of this thread). I block all p2p, BitTorrent announce, and BitTorrent DNS I can, but when I detect the traffic, I go the extra mile and throttle their connection down to unusable speeds for the next hour. That way if any p2p traffic makes it through undetected, it is still throttled, and more likely, the user will get fed up with the slow connection for browsing the web that they leave and go use someone else's network.

Sorry for the confusion on this. If nothing else, just applying an even PCQ to all user's traffic can make a connection a lot more usable, especially when a single user is pulling down a lot of data. I apply this to all routers I set up, regardless of any p2p blocking I may be doing.

--@CC_DKP

TKITFrank · Fri Jun 10, 2011 8:15 am

Hi,

I think the only thing to do at the moment in MikroTik is to mark all OK traffic and place them in queues and then have a rest of whats left queue for p2p and well the rest

This approach has been said before in this thread if i am not mistaken. But that is a bit off topic since the thread is about blocking. Perhaps there should be two threads one for blocking like this one and a new for traffic shaping? Both are vital for us users

@Normis is this something you can sort up and arrange? In the same time there is a thread in Routerboard Hardware that is about the same thing perhaps that one should be moved as well?

p.s Anyhow I think this thread has some good ideas both for blocking and traffic shaping from many people so perhaps sticky? d.s

CCDKP · Fri Jun 17, 2011 6:35 am

So after checking into some user complaints, I discovered Yahoo.com has a very high false positive rate on the bittorrent_announce filter. Any site with the words both "get" and "announce" in the source will trigger. Has anyone found a good way to refine this filter to more bittorrent-specific detection?

Edit:
So after doing a bit of research and learning more about the protocol, I discovered a typo in the existing Bittorrent L7 filter. As TKITFrank has listed, (and as the Manual's L7 Wiki page shows):

/ip firewall layer7-protocol
 add comment="" name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$\
    |get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet\
    /|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"

If you break this out, it is actually a combination of several filters:

\x13bittorrent protocol
azver\x01$
get /scrape\?info_hash=get /announce\?info_hash=
get /client/bitcomet/
GET /data\?fid=
d1:ad2:id20:
\x08'7P\)[RP]

After looking at the source code for the ipp2p project, i realized the 3rd line should be two separate filters, "get /scrape\\\?info_hash=" and "get /announce\\\?info_hash=", the second of which is the target of TKITFrank's Bittorrent_announce filter. After correcting the filter, I noticed a LOT higher detection rate.

So to summarize, both of the existing Bittorrent and Bittorrent_announce L7 filters should be removed in favor of:

/ip firewall layer7-protocol
 add comment="" name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$\
    |get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet\
    /|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"

Would anyone else mind giving this a try and seeing if it helps their detection rate?

--@CC_DKP

mves · Wed Jul 06, 2011 11:38 pm

Hi guys... I'm back

CCDKP, I replaced that rule and so far it's possibly brought some change. At least, less false positive hits and I've seen much less hits on ports 6881-6999 so I guess you are on a right track but I tested it for a short period of time. However, it looks like a correct change. I'm also keeping BITTORRENT_ANNOUNCE part for compare.

add comment="" name=BITTORRENT_SCRAPE regexp=^get.+scrape.

I've also added this rule some time ago because no one considered tracker scrapping.

CCDKP · Wed Jul 06, 2011 11:52 pm

Hi guys... I'm back
CCDKP, I replaced that rule and so far it's possibly brought some change. At least, less false positive hits and I've seen much less hits on ports 6881-6999 so I guess you are on a right track but I tested it for a short period of time. However, it looks like a correct change. I'm also keeping BITTORRENT_ANNOUNCE part for compare.
Code: Select all
add comment="" name=BITTORRENT_SCRAPE regexp=^get.+scrape.
I've also added this rule some time ago because no one considered tracker scrapping.

You shouldn't need a separate scrape rule anymore, either. If you look at the original rule that was screwed up:

get /scrape\?info_hash=get /announce\?info_hash=

Both the Scrape and Announce filters were merged into a single rule, rendering both useless. By using the updated rule I provided, both Scrape and Announce will be flagged as originally intended.

get /scrape\?info_hash=
get /announce\?info_hash=

--@CC_DKP

mves · Thu Jul 07, 2011 12:05 am

Yes... thanks for that one

And for queue tree for P2P catch I used this because I could not manage this to work otherwise... So, it's working on me... don't ask how and why

I've striped everything but P2P. If you guys find some other less stupid way THAT WORK to capture this, please let me know.

/ip firewall mangle
add action=mark-packet chain=prerouting comment=\
    "_____________P2P - Upload_______________" disabled=no dst-port=10000-65535 \
    new-packet-mark=P2P passthrough=yes protocol=tcp src-address=xx.xx.xx.xx \
    src-port=10000-65535
add action=mark-packet chain=prerouting disabled=no dst-port=10000-65535 \
    new-packet-mark=P2P passthrough=yes protocol=udp src-address=xx.xx.xx.xx \
    src-port=10000-65535
add action=mark-packet chain=prerouting disabled=no dst-port=10000-65535 \
    new-packet-mark=P2P passthrough=yes protocol=tcp src-address=xx.xx.xx.xx \
    src-port=1000-5000
add action=mark-packet chain=prerouting comment="Other - Upload" disabled=no \
    new-packet-mark=Other passthrough=yes src-address=xx.xx.xx.xx


add action=mark-connection chain=prerouting comment=\
    "_____________P2P - Download_____________" disabled=no new-connection-mark=\
    P2P p2p=all-p2p passthrough=no src-address=xx.xx.xx.xx
add action=mark-connection chain=prerouting disabled=no layer7-protocol=\
    BITTORRENT new-connection-mark=P2P passthrough=no src-address=xx.xx.xx.xx
add action=mark-connection chain=prerouting disabled=no dst-port=10000-65535 \
    new-connection-mark=P2P passthrough=no protocol=tcp src-address=\
    xx.xx.xx.xx src-port=10000-65535
add action=mark-connection chain=prerouting disabled=no dst-port=10000-65535 \
    new-connection-mark=P2P passthrough=no protocol=udp src-address=\
    xx.xx.xx.xx src-port=10000-65535
add action=mark-connection chain=prerouting disabled=no dst-port=10000-65535 \
    new-connection-mark=P2P passthrough=no protocol=tcp src-address=\
    xx.xx.xx.xx src-port=1000-5000
add action=mark-connection chain=prerouting disabled=no dst-port=6881-6999 \
    new-connection-mark=P2P passthrough=no protocol=udp src-address=\
    xx.xx.xx.xx
add action=mark-connection chain=prerouting disabled=no dst-port=6881-6999 \
    new-connection-mark=P2P passthrough=no protocol=tcp src-address=\
    xx.xx.xx.xx
add action=mark-packet chain=prerouting connection-mark=P2P disabled=no \
    new-packet-mark=P2P passthrough=no
add action=mark-connection chain=prerouting comment=\
    "____________Other - Download____________" disabled=no \
    new-connection-mark=Other passthrough=no src-address=xx.xx.xx.xx
add action=mark-packet chain=prerouting connection-mark=Other disabled=no \
    new-packet-mark=Other passthrough=no

CCDKP · Thu Jul 07, 2011 12:35 am

Yes... thanks for that one

And for queue tree for P2P catch I used this because I could not manage this to work otherwise... So, it's working on me... don't ask how and why
I've striped everything but P2P. If you guys find some other less stupid way THAT WORK to capture this, please let me know.

A couple things to note:
First, you need to be careful about your use of "Passthrough".
Passthrough means that once the rule is applied continue down the chain.

As it stands now, anything that matches rule 1 would have the "p2p" mark added, then would continue down the chain, trip rule 4, have the packet mark changed to "other", then continue down through all the Download rules. Conversely, anything that trips one of your connection mark rules would have the connection marked, then skip the rest of the rules (including the actual marking of the packet). The general rule of thumb is:
action=mark-connection passthrough=yes
action=mark-packet passthrough=no

Secondly, you want to be doing the L7 bittorrent filter on both upload and download traffic, since the majority of the times it will flag is the client making a Get request of the server (upload traffic).

On that note, remember the bittorrent L7 filter primarily detects the tracker information, which is very a small HTTP query. It can not track the actual P2P data exchange if it is using encryption.

Finally, what are you using for a queue type, and are you performing NAT on this router? If you are using PCQ and are performing NAT, you have to mark upload and download packets separately, then use Global-out as the root, so that PCQ occurs prior to SNAT.

With all that high-number port marking, how does it handle traffic like skype? I would be very leery to run something like this, as I would be frightened at the number of false positives.

--@CC_DKP

mves · Thu Jul 07, 2011 1:19 am

Oh... I've striped everything else and left entries only for P2P catcher... I thought it can be useful for someone. I'm using PCQ on queue tree and I'm using that only on myself so it's working fine on my home computers. I'm connected to the link through ubiquti Airgrid M5-HP in a router mode with directly assigned public IP. Basically, I have bandwidth separately reserved only for http, P2P, local file server and unlimited for winbox, ssh, snmp... Skype works fine however

Like I said... it works on me and my home network. I never said it's a good or right solution but it works on my needs. If you put before this rules http, game ports or what ever else you need, you probably won't have any problems because everything else that is not a stuff that you are using will end up on P2P and the Other filter. Previously, in my rules set of p2p blocking, I've also implemented port blocking of this same ports (not related with this). In this case however, I did not block p2p to me but simply put a cap on allowed bandwidth to my home network. If you put 1 kb down/up on those ports on queue tree, you could probably made a mess on your network because this was not planed for killing p2p but only for easing on available bandwidth. I was planed this for implementing on 5Ghz network for QOS but I never manage it to work as it should be. However, it suited perfectly for my home network.

Edit...
And for false positives, yes, you are right, matching ports like that can easily lead to false positive if applied on a global plan. You could log P2P users IP from firewall filter and place it to src address list on those ports in a mangle so you'll have only detected users goes through this. In this case you'll cut a false positives to a regular detection. If it helps, great. Next, it's up to you will you find any working usage of this for implementing in a p2p blocking or working QOS.

phuc061290 · Wed Oct 05, 2011 10:17 pm

great post. thanks.
. ..
. . .

CCDKP · Tue Oct 11, 2011 9:03 pm

In 5.7 they finally added the ability to use connection-limit to track UDP streams. I am still doing some testing, but initially it looks promising.

add action=drop chain=forward connection-limit=16,32 disabled=no dst-port=!53 protocol=udp

This limits each IP to 16 non-DNS UDP streams. 16 should be enough that skype and other non-p2p applications shouldn't get impacted, but you may need to tweak them for your network.

Again, it's not a magic bullet, but it can help when combined with various other methods described within this post.

Edit: Corrected typo, Thanks mves

mves · Tue Oct 11, 2011 10:04 pm

In 5.7 they finally added the ability to use connection-limit to track UDP streams. I am still doing some testing, but initially it looks promising.
Code: Select all
add action=drop chain=forward connection-limit=16,32 disabled=no dst-port=!53 protocol=tcp
This limits each IP to 16 non-DNS UDP streams. 16 should be enough that skype and other non-p2p applications shouldn't get impacted, but you may need to tweak them for your network.

Again, it's not a magic bullet, but it can help when combined with various other methods described within this post.

Did you make a typo? It's should be protocol=udp, right?

mves · Wed Oct 12, 2011 2:17 pm

Yes, it looks very promising. Router on my link is upgraded to 5.7 so testing is started on myself and unadjusted torrent client. Perhaps allow skype through L7 before dropping udp.

/ip firewall layer7-protocol
add name=Skype regexp="^..\\x02............."

/ip firewall filter
add action=accept chain=forward disabled=no layer7-protocol=Skype

add action=accept chain=forward disabled=no dst-port=53 protocol=udp

add action=drop chain=forward connection-limit=16,32 disabled=no protocol=udp

Also, adding udp line with connection limit is possible only through terminal, not over winbox since connection limit gets grey. So, is this some kind of bug?

CCDKP · Wed Oct 12, 2011 8:36 pm

Yes, it looks very promising. Router on my link is upgraded to 5.7 so testing is started on myself and unadjusted torrent client. Perhaps allow skype through L7 before dropping udp.
...
Also, adding udp line with connection limit is possible only through terminal, not over winbox since connection limit gets grey. So, is this some kind of bug?

I just set the UDP to something reasonable. I haven't seen skype hold open more than 8-9 simultaneous udp streams on a group call. I don't like relying on L7 filters for whitelisting, because if skype changes the signature then everything starts getting blocked. I prefer to "fail open" and let p2p traffic through, since I will see a spike in bandwidth and know to go fix it.

And yes, it does appear to be a bug in winbox.

engineertote · Tue Oct 18, 2011 10:20 pm

I'm fighting with this bit torrent for the past week but this bad torrent is win

i have follow all ways to limit it with no success , , i just tried

add action=drop chain=forward connection-limit=16,32 disabled=no dst-port=!53 protocol=udp

and did small test with bit torrent and its getting much more them limit

In 5.7 they finally added the ability to use connection-limit to track UDP streams. I am still doing some testing, but initially it looks promising.
Code: Select all
add action=drop chain=forward connection-limit=16,32 disabled=no dst-port=!53 protocol=udp
This limits each IP to 16 non-DNS UDP streams. 16 should be enough that skype and other non-p2p applications shouldn't get impacted, but you may need to tweak them for your network.

Again, it's not a magic bullet, but it can help when combined with various other methods described within this post.

Edit: Corrected typo, Thanks mves

CCDKP · Tue Oct 18, 2011 11:09 pm

and did small test with bit torrent and its getting much more them limit

Bittorrent can use both TCP and UDP connections. Connection limiting on TCP is a bit touchier since so many things rely on it. The point of restricting the number of UDP connections isn't to completely kill Bittorrent, nothing can. The point of it is to move more connections over into TCP where they can be managed a little easier.

UDP poses a problem because it doesn't respond well to upstream Quality of Service. TCP uses window sizing to dynamically throttle connections, while UDP just keeps sending more packets. By limiting the UDP streams, more connections are forced over into TCP, where Quality of Service can work its magic and limit the data better.

If you go into the connection tracking on your router, you will see it is correctly limiting the number of UDP connections, there are just a lot more TCP connections to go along with it.

mves · Wed Oct 26, 2011 6:04 pm

@engineertote
Try my approach. So far, it's still working with a quite good blocking ratio. No mangle rules and no DNS filtering. Downside is, you'll have to allow online game ports.

/ip firewall layer7-protocol
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrap\
    e\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /dat\
    a\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"

/ip firewall filter
add action=accept chain=forward comment=Skype disabled=no dst-port=12350 \
    protocol=tcp
add action=accept chain=forward comment=\
    "Online games - CS, COD, Steam server (UDP)" disabled=no dst-port=\
    27000-27050,28960 protocol=udp
add action=accept chain=forward comment=\
    "Online games - CS, COD, Steam server (TCP)" disabled=no dst-port=\
    27000-27050,28960 protocol=tcp
add action=accept chain=forward comment=\
    "Online Igre - Battlefield : Bad Company 2" disabled=no dst-port=\
    11050-11070,18181-18186,19567-19587 protocol=udp
add action=accept chain=forward comment=\
    "Online Igre - Battlefield : Bad Company 2" disabled=no dst-port=\
    13505,18390,18395 protocol=tcp

add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
    1h30m chain=forward comment=__________All-p2p__________ disabled=no \
    in-interface=XXXXXXXXXX p2p=all-p2p src-address=\
    xx.xx.xx.xx-xx.xx.xx.xx time=9h-23h55m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no in-interface=XXXXXXXXXX p2p=\
    all-p2p reject-with=icmp-network-unreachable src-address=\
    xx.xx.xx.xx-xx.xx.xx.xx time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
    1h30m chain=forward comment=" ______Bittorrent_____" disabled=no \
    in-interface=XXXXXXXXXX layer7-protocol=BITTORRENT src-address=\
    xx.xx.xx.xx-xx.xx.xx.xx time=9h-23h55m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no in-interface=XXXXXXXXXX \
    layer7-protocol=BITTORRENT reject-with=icmp-network-unreachable \
    src-address=xx.xx.xx.xx-xx.xx.xx.xx time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list="Torrent 6881" \
    address-list-timeout=1h30m chain=forward comment="____6881-6999 udp___" \
    disabled=no dst-port=6881-6999 in-interface=XXXXXXXXXX protocol=udp \
    src-address=xx.xx.xx.xx-xx.xx.xx.xx time=\
    9h-23h55m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no dst-port=6881-6999 in-interface=\
    cortanovci protocol=udp reject-with=icmp-network-unreachable src-address=\
    xx.xx.xx.xx-xx.xx.xx.xx time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list="Torrent 6881" \
    address-list-timeout=1h30m chain=forward comment="____6881-6999 tcp___" \
    disabled=no dst-port=6881-6999 in-interface=XXXXXXXXXX protocol=tcp \
    src-address=xx.xx.xx.xx-xx.xx.xx.xx time=\
    9h-23h55m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no dst-port=6881-6999 in-interface=\
    cortanovci protocol=tcp reject-with=icmp-network-unreachable src-address=\
    xx.xx.xx.xx-xx.xx.xx.xx time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="House cleaning" disabled=no \
    dst-port=10000-65500 protocol=tcp reject-with=icmp-network-unreachable \
    src-address-list=Torrent src-port=10000-65500 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no dst-port=10000-65500 protocol=udp \
    reject-with=icmp-network-unreachable src-address-list=Torrent src-port=\
    10000-65500 time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no dst-port=10000-65500 protocol=tcp \
    reject-with=icmp-network-unreachable src-address-list=Torrent src-port=\
    1000-5000 time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no dst-port=10000-65500 protocol=tcp \
    reject-with=icmp-network-unreachable src-address-list="Torrent 6881" \
    src-port=10000-65500 time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no dst-port=10000-65500 protocol=udp \
    reject-with=icmp-network-unreachable src-address-list="Torrent 6881" \
    src-port=10000-65500 time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no dst-port=10000-65500 protocol=tcp \
    reject-with=icmp-network-unreachable src-address-list="Torrent 6881" \
    src-port=1000-5000 time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat

xx.xx.xx.xx-xx.xx.xx.xx
IP range for filtering on interface (customer ONLY, without gateway, example, 192.168.200.10-192.168.200.240)

in-interface=XXXXXXXXXX
name of your target interface

The above system is for blocking bittorent protocols with allowed running time from midnight to 9:00 (AM). Make note that it's port based blocking so you'll have to add ports for online games that are used on your network and are affected with port blocking. You can get false readings on 6881-6999 ports but that's small percentage. It blocks up to 90-95% of bittorent traffic. It's also version without DNS filtering. You can add DNS filtering but then it can't be used for filters below.

To get them under control (not blocking, just reducing number of connections), use logging parts from above filters to get p2p users IP and turn off blocking parts and logged addresses redirect to the filters below.

/ip firewall filter
add action=accept chain=forward disabled=yes dst-port=53 protocol=udp
add action=drop chain=forward connection-limit=16,32 disabled=yes dst-port=10000-65500 protocol=tcp src-address-list=Torrent
add action=drop chain=forward connection-limit=16,32 disabled=yes protocol=udp src-address-list=Torrent
add action=drop chain=forward connection-limit=16,32 disabled=yes dst-port=10000-65500 protocol=tcp src-address-list="Torrent 6881"
add action=drop chain=forward connection-limit=16,32 disabled=yes protocol=udp src-address-list="Torrent 6881"

Of course, you have to edit all to match your system. Hope that it'll help.

di9383 · Fri Dec 09, 2011 4:53 pm

TKITFrank, did you try your rules with the last version of utorrent client(3.0 and above).Asking about it, because you rules, posted earlier in this topic, seems to work for me. But now, with the last version of utorrent, they don't. Neither with ssl encryption turned on or off.

TKITFrank · Fri Dec 09, 2011 5:53 pm

Hi,

No I did not, Will see if I can get a test during next week at work.
Have a nice weekend!

di9383 · Sun Dec 11, 2011 1:14 pm

TKITFrank, as I can see, DHT really doesn't work with your DNS filter rules, but peer exchange (through tracker I suppose) is working fine, receiving peers and downloads torrent files:( May be you have an advice for me..
PS If it's matters, I use Utorrent 3 (last release) with russian torrent tracker rutracker.org. Can sent you link for torrent file for testing, if you want (because, tracker seems to be in russian only, and it will be hard for you to use it for test, I suppose).

otgooneo · Wed Dec 14, 2011 5:37 am

Hi every one.
I use following on my office router RB433UAH. We have about 170 hosts and 70 of them is IPPhones. Also some users use SIPclient software on their workstation. It detects torrent trackers of both local network and external network. Then it will drop all high port and peer to peer connections related this hosts. I use logging for this drop rule and sometimes I see some of SIP RTP connections dropped by this rule. But there is no voice interruption and this issue can be only on office staff, who tries to use torrent. At last, it pretty good works for me. I tested it using many kind of torrent clients.

[otgonkhuu@MOBINET] /ip firewall mangle export
#RouterOS P2P matcher and L7-filters can`t block torrent client, which supports encryption. 
#But it can catch even 1 connection. So source addresses of those connections are the TORRENTUSERS.
#The advantage is it can list my office torrent trackers also it can list peers of external network.
#TorrentExc is my address list of allowed torrent trackers. It is exclusion list.
add action=add-src-to-address-list address-list=TorrentUsers \
    address-list-timeout=10m chain=forward comment=\
    "Add Bit torrent announcer to TorrentUsers" disabled=no layer7-protocol=\
    BITTORRENT_ANNOUNCE src-address-list=!TorrentExc
add action=add-src-to-address-list address-list=TorrentUsers \
    address-list-timeout=10m chain=forward comment=\
    "Add Bit torrenter to TorrentUsers" disabled=no layer7-protocol=BITTORENT \
    src-address-list=!TorrentExc
add action=add-src-to-address-list address-list=TorrentUsers \
    address-list-timeout=10m chain=forward comment=\
    "Add all torrenter to TorrentUsers" disabled=no p2p=all-p2p \
    src-address-list=!TorrentExc
#This is the all connections, which are might be torrent traffics.
add action=mark-connection chain=prerouting disabled=no dst-port=10000-65000 \
    new-connection-mark=Torr passthrough=yes protocol=tcp \
    src-port=10000-65000
add action=mark-connection chain=prerouting disabled=no dst-port=10000-65000 \
    new-connection-mark=Torr passthrough=yes protocol=udp \
    src-port=10000-65000
add action=mark-connection chain=prerouting comment=P2P disabled=no \
    new-connection-mark=Torr p2p=all-p2p passthrough=yes src-address-list=\
    !TorrentExc

[otgonkhuu@MOBINET] > ip firewall filter export
#Filter rule drops all high port peer to peer connections sourced from address list "TorrentUsers"
add action=drop chain=forward comment="Block P2P-Manual" connection-mark=Torr \
    disabled=no dst-address-list=!TorrentExc src-address-list=TorrentUsers

My L7 is same as others. Like posted on http://l7-filter.sourceforge.net/

mves · Wed Dec 14, 2011 1:42 pm

@otgooneo
L7 is a bit outdated, thanks to the CCDKP's observation. All P2P L7 rules are now fitted into single one.

/ip firewall layer7-protocol
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrap\
    e\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /dat\
    a\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"

Also, if you are using port blocking, why bother with mangle rules?

otgooneo · Thu Dec 15, 2011 9:20 am

Thank you mves for updated L7. Yes you right. If blocking by ports, there no need to mangle rule. I just few months ago tried to block P2P using many examples in that forum. So I just forgot to move rule from mangle to filter rule.
By the way, today I have tested again my torrent blocker, unfortunately my rules already outdated. uTorrent can under this rules. They can work 10 minutes later when started torrent client.

It uses ports lower than TCP, UDP 10000. Can`t block ports lower than 10000. It is bad for other network applications. So I need to work again on this.

mves · Thu Dec 15, 2011 12:40 pm

Try my set of rules. It's pure firewall port blocking without any other needed setting. Downside is, you have to add allowed set of ports for certain applications. Add my set of rules on disable and turn them on one by one. Use torch to find out what ports are used for applications they are using and add exception in a firewall before P2P blocking part. It's just like a game ports I had to add in exception. But once you set it right, you'll cut P2P to an acceptable level and hopefully other applications won't be affected if you set it right.

CCDKP · Wed Jan 11, 2012 6:39 pm

I posted this in another thread, but figured it would be useful here for anyone searching, since this seems to be the default thread to send people to:

With the current state of encrypted bittorrent, there is no tracking it specifically. The traffic is explicitly designed to avoid being filtered and throttled.

Here are some hard facts on shaping p2p traffic:

Older p2p like kazaa and eDonkey respond well to the p2p l7 filter
The L7 bittorrent filter in the wiki and forums only flags Tracker activity
Even if the tracker is blocked, DHT/UTP allows bittorrent peers to exchange host info
The L7 filter does not flag DHT/UTP, use DNS to block if needed.
The L7 filter does not flag bittorrent peer transfers (the actual bulk data)
Bittorrent peer transfers are usually encrypted and designed to not be tracked
Even when encrypted well, bittorrent still "leaks" detectable packets periodically
Peer transfers are primarily UDP connections, but will fail over to TCP
UDP transfers do not respond to standard QoS (UDP lacks flow-control, it is left up to the application)

From this, the best non-blocking approach I have come up with for handling p2p traffic is as follows:
Whitelist - Detect what you can (http/https, DNS, SSH, skype, games, whatever seems important) and increase its priority.

Flag p2p users - Look for the presence of p2p/bittorrent traffic from a user and add them to a dynamic address list for a preset amount of time (5-20 minutes). You will not be able to catch all the traffic, but by identifying the "leaks", you know the traffic is coming from the user somewhere. Every time a packet flags, it should renew the address list timer.

Take secondary measures - As long as a user stays flagged, impose additional limits on them. Some examples:

Add a heavy non-DNS UDP connection limit - This forces udp bittorrent traffic over to TCP, where traditional QoS and packet shaping can regulate it properly (since TCP flow-control is handled by the TCP/IP stack, not the application). This may have adverse effects on video games and skype quality, but after the user closes down the p2p applications, their address list entry will time out and they will go back to normal. UDP conn limit was added in 5.7 for console, and 5.8 for WinBox.

Limit non-whitelist traffic - Add a reduced bandwidth cap for non-whitelisted traffic. Not always the best plan for ISP's, but useful for hotspots.

Reduce non-whitelist priorty - Reduce the priority of all non-whitelisted traffic while the user is flagged.

Flag the user's traffic - If these rules are implemented on CPE / tower equipment, add DSCP marks to non-whitelisted traffic to let your core know it has a high potential of being p2p traffic (and to reduce it's priority if needed)

tyronzn · Thu Jan 12, 2012 5:33 pm

[quote="mves"]@otgooneo
L7 is a bit outdated, thanks to the CCDKP's observation. All P2P L7 rules are now fitted into single one.

/ip firewall layer7-protocol
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrap\
    e\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /dat\
    a\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"

I've found that method also blocks users HTTP traffic and various other applications so its not 100% reliable,as stated previously policy based routing is currently the best way of doing it

CCDKP · Thu Jan 12, 2012 5:51 pm

I've found that method also blocks users HTTP traffic and various other applications so its not 100% reliable,as stated previously policy based routing is currently the best way of doing it

Could you get me an example of websites this blocks or captures of traffic it is flagging on? After fixing it, I have had an EXTREMELY low false-positive rate. Again, this is only for flagging tracker and peer exchange traffic, not data transfer. If there is a case for false positives, I would really like to be on top of it and see if we can tune the rules down better to clear it up.

tyronzn · Thu Jan 12, 2012 5:56 pm

I've found that method also blocks users HTTP traffic and various other applications so its not 100% reliable,as stated previously policy based routing is currently the best way of doing it
Could you get me an example of websites this blocks or captures of traffic it is flagging on? After fixing it, I have had an EXTREMELY low false-positive rate. Again, this is only for flagging tracker and peer exchange traffic, not data transfer. If there is a case for false positives, I would really like to be on top of it and see if we can tune the rules down better to clear it up.

no problemo amigo,i will build up a list tonight and post in the morning

tyronzn · Fri Jan 13, 2012 7:18 am

Ok so i have been running that filter rule overnight and this time i havn't had issues with sites being blocked but it doesn't dent p2p,still runs at full speed

CCDKP · Fri Jan 13, 2012 4:45 pm

Ok so i have been running that filter rule overnight and this time i havn't had issues with sites being blocked but it doesn't dent p2p,still runs at full speed

It's good to hear you aren't seeing any false positives. If something comes up, please let me know.

With Bittorrent, explicitly, if it gets any sort of foothold, it will quickly steamroll to full capacity. That L7 rule just stops standard tracker exchanges. DHT/UTP peer exchanges are another way to exchange hosts without access to the tracker. Blocking these requires filtering DNS, as mentioned elsewhere in this thread. If you don't do both, you will have almost no impact on the torrent's ability to send data.

Another emerging issue is encrypted UDP trackers, which up to this point, nobody has found a way to identify and block. If you read about 5 posts up I talk about a method for flagging the presence of torrent traffic, then using that to clamp down secondary measures on all of the user's data. This seems like the best general purpose route for an ISP, as it doesn't explicitly block torrent traffic, it just punishes the user and helps to make the traffic more manageable. In the case of a public hotspot that you want to block torrents for liability reasons, I have a few posts across page 2 & 3 talking about flagging a user for p2p and dropping them to horrible dial-up speeds to get them to go elsewhere.

Blocking p2p traffic entirely is a bit like trying to carry water with a colander. Unless you have every last hole plugged, all the water will get out.

tyronzn · Fri Jan 13, 2012 7:34 pm

Yeah a while ago i added a bunch of dns addresses of the common trackers which just points to a loopback IP,sometimes i have luck with that and other times not,its a hit or miss sometimes with p2p.Quite some time ago i created rules whereby if a user is downloading p2p at certain rates for a certain period of time it adds them to a p2p address list which i throttle quite badly and after 5 or 10 minutes it removes them from the address list.This seemed to work quite well but since then i have upgraded bandwidth,so i dont have contention issues.Until such time i'll let the suckers have their full line speed.

As i stated above i still firmly believe in policy based routing,create one gateway which is the primary and a secondary gateway which you route important traffic through such as mail and http etc and let torrents fight each-other through the primary gateway

n21roadie · Fri Jan 13, 2012 8:34 pm

Yeah a while ago i added a bunch of dns addresses of the common trackers which just points to a loopback IP,sometimes i have luck with that and other times not,its a hit or miss sometimes with p2p.Quite some time ago i created rules whereby if a user is downloading p2p at certain rates for a certain period of time it adds them to a p2p address list which i throttle quite badly and after 5 or 10 minutes it removes them from the address list.This seemed to work quite well but since then i have upgraded bandwidth,so i dont have contention issues.Until such time i'll let the suckers have their full line speed.

As i stated above i still firmly believe in policy based routing,create one gateway which is the primary and a secondary gateway which you route important traffic through such as mail and http etc and let torrents fight each-other through the primary gateway

Does the throttle effect all connections or just the p2p connections?

Benygh · Sat Jan 14, 2012 12:17 am

Hi,
i use this and it works good, it drops all the p2p connections and so far we didn't get any abuse reports from DC.

:local temp;
:local temp2;
:local temp3;
:foreach i in=[/ip firewall connection find p2p!="none"] do={
:set temp3 [/ip firewall connection get $i src-address];
:set temp2 [:find $temp3 ":" -1];
:set temp3 [:pick $temp3 0 $temp2];
:foreach j in=[/ppp active find address=$temp3] do={
/ppp active remove $j;
}
}

TKITFrank · Fri Jan 20, 2012 2:25 pm

TKITFrank, did you try your rules with the last version of utorrent client(3.0 and above).Asking about it, because you rules, posted earlier in this topic, seems to work for me. But now, with the last version of utorrent, they don't. Neither with ssl encryption turned on or off.

Hi,
This week I have been doing the last handoff on the new RB1100AHx2 that will replay my old RB1000 as main firewall for out schools.
I did as you said and checked this and I use utorrent 3.1 and it still works. Do you use the DNS blocking? They are vital...

If you have a working torrent file that will bypass my filter please let me know so I can do a test.

edit...
Did find something interesting...
It seems Peer Exchange uses Multicast.
This is from wireshark...
BT-SEARCH * HTTP/1.1
Host: 239.192.0.0:6771
Port: 40133
Infohash: C355C153B20BECF719121DE149C8DDCF57B32870

Try to block clients from using "multicast peer communication" Unless you use Multicast in your network for video and so on it could be a good idea to block it.
Perhaps this will help.

di9383 · Sat Jan 21, 2012 11:36 am

Try to block clients from using "multicast peer communication" Unless you use Multicast in your network for video and so on it could be a good idea to block it.
Perhaps this will help.

May be you can tell me, where to do it?

About DNS filtering..yes, I use it too. But it doesn't work for me.
May be you can advise what is wrong or missed in my config? Thanks in advance.

TKITFrank · Sat Jan 21, 2012 12:07 pm

Hi,

Not knowing how your network is built I would guess you have to to it at the client switches or CPE's. Do you use Multicast? if not block it.
I can post my DNS entries on Monday when I am at work. But to mee yours looks fine. They should kill DHT.

CCDKP · Sun Jan 22, 2012 12:09 am

You don't need the "bittorrent_announce" rule as it is covered by the "Bittorrent" rule. Anything the Announce rule is flagging is a false positive (yahoo.com's front page will get flagged).

Also, do you have rules to redirect all DNS traffic to the mikrotik? If you don't, a client can just use their own DNS server (google, opendns, etc) and bypass the filter.

di9383 · Sun Jan 22, 2012 10:03 pm

You don't need the "bittorrent_announce" rule as it is covered by the "Bittorrent" rule. Anything the Announce rule is flagging is a false positive (yahoo.com's front page will get flagged).

You are right. Ok, I disabled bittorrent_announce now (btw, can you explain in detail, what does this rule do, and why does yahoo start page correspond to it?), but it seems like nothing is changed.

Also, do you have rules to redirect all DNS traffic to the mikrotik? If you don't, a client can just use their own DNS server (google, opendns, etc) and bypass the filter.

All clients in my network uses mikrotik DNS as their primary and the only one DNS server. They can not change it (have no permissions). Also, I have a rule in Mikrotik, that deny all DNS traffic going through the router (so, no other server can be used).

CCDKP · Sun Jan 22, 2012 10:48 pm

Ok, I disabled bittorrent_announce now (btw, can you explain in detail, what does this rule do, and why does yahoo start page correspond to it?), but it seems like nothing is changed.

The two biggest flags for bittorrent are the scrape and announce commands sent to the trackers. For a long while, the Bittorrent rule on the wiki that everyone used had a typo in it that disabled it's ability to detect scrapes and announces. This lead to someone (TKITFrank?) making the bittorrent_announce rule to capture them.

The problem comes from the bittorrent_announce rule being rather vague, and able to pick up false positives. The corrected part of the rule that grabs announces also looks for the info_hash parameter, which is a dead giveaway for bittorrent:

get /announce\?info_hash=

Compare this with the filter rule in bittorrent_announce:

add name=BITTORRENT_ANNOUNCE regexp=^get.+announce.

This rule basically looks for anything with the word "get" and "announce". On Yahoo's homepage, there is an object called "Announcebar" at top. When you load the page, at some point a request is generated for "get /announcebar/announcebar_1.0.22.css", which will trip the bittorrent_announce rule, but won't be troubled by the proper rule due to the lack of the info_hash parameter.

If you want to look more into the problem, I detailed the issue with the bittorrent filter here: http://forum.mikrotik.com/viewtopic.php ... 50#p268237

ll clients in my network uses mikrotik DNS as their primary and the only one DNS server. They can not change it (have no permissions). Also, I have a rule in Mikrotik, that deny all DNS traffic going through the router (so, no other server can be used).

First, remember that DNS can use TCP in addition to UDP. Any response over 512 bytes requires TCP to be used. With DNS Sec, DNS over TCP is becoming more common.

Rather than just drop the DNS traffic, you can just as easy redirect it to the internal DNS server:

/ip firewall nat
add action=redirect chain=dstnat comment="Capture DNS" disabled=no dst-port=53 protocol=udp to-ports=53
add action=redirect chain=dstnat comment="Capture DNS" disabled=no dst-port=53 protocol=tcp to-ports=53

di9383 · Mon Jan 23, 2012 11:02 am

Thanks for your help and explanations. After disabling bittorrent_announce rule it started to block torrent traffic in some way:) I also corrected my DNS drop filter - use dstnat instead - seems to work as it should.
One more question. Do encrypted torrent connections should be blocked too? Because, mine don't...

Update: Ups.., seems so, that with encryption enabled in my torrent client, filters are still blocking download...misunderstood a little, because at first when I turned encryption on the torrent file began to download. And now I'm testing with different files - nothing.

TKITFrank · Mon Jan 23, 2012 6:39 pm

Hi,

This is a draft will add more info later this week.

Did some testing today and found out that you can bypass my filter by starting the connection on one site and then resume them behind my firewall. To block them you have to use a series of things. This is what I have found.
By marking udp packet size from 62-500 and tagging them as p2p traffic you can successfully identify the dest host that the client connects to. And block the start of the DHT and the encrypted transfer. In my case I marked the packets and added them to a connection-mark just like with the L7 filters.

Step 1;
Complement the current mangle rule set with a udp rule that marks all packets with size 62-500 except dst port 53. And direct them to the P2P chain.

Step 2;
I also created a new L7 filter for the DHT. That I added to the other L7 filters. I hope I remember the regex correctly.
/ip firewall layer7-protocol
add name=BITTORRENT_DHT regexp="^d1\:.d2\:id20\:"

Step 3;
Finally I added a rule in the filter table that uses connection-mark p2p to add destination ip to list p2p-users-ext.
I did then use that list to block all connections in forward chain. I did two lists both src and dst based on those address-lists.

Note that this is only a draft of what I have done. I will add the correct syntax later this week. And I have not done any false positive tests yet. Will do them in 2days when I try them on the main firewall.
So use with care!

NetworkPro · Sat Jan 28, 2012 12:53 am

So to summarize, both of the existing Bittorrent and Bittorrent_announce L7 filters should be removed in favor of:
Code: Select all
/ip firewall layer7-protocol
 add comment="" name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$\
    |get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet\
    /|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
--@CC_DKP

Not Working. Can't catch announce.

CCDKP · Sat Jan 28, 2012 1:10 am

So to summarize, both of the existing Bittorrent and Bittorrent_announce L7 filters should be removed in favor of:
Code: Select all
/ip firewall layer7-protocol
 add comment="" name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$\
    |get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet\
    /|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
--@CC_DKP
Not Working. Can't catch announce.

Could you please provide a link to the torrent file & what tracker was used, or a packet capture of the announces not getting flagged so I can work on getting the filter updated? My understanding is there is a new wave of encrypted UDP and HTTPS encrypted trackers, which this rule will not be able to catch, but if this is the case I would still like to look at the traffic and see if we can find *something*.

Also, is the rule catching anything for you? If you are bench testing this, is DHT/UTP disabled? Clients can still exchange peers over DHT/UTP without announcing to the tracker.