MikroTik

Block Bittorrent and P2P using latest MikroTik RouterOS 6.43.3
Mikrotik new version software stops blocking torrents and p2p with the error P2P matcher is obsolete please use layer7 matcher instead - MikroTik
Here are the new and revise configuration what is still working in year 2020 - steps that will block torrents and p2p traffic from mikrotik router:

In terminal:

/ip firewall layer7-protocol

add comment="Block Bit Torrent" name=layer7-bittorrent-exp regexp="^(\\x13bitt\
orrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?inf\
o_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[\
RP]"

/ip firewall filter

add action=add-src-to-address-list address-list=Torrent-Conn \
address-list-timeout=2m chain=forward layer7-protocol=\
layer7-bittorrent-exp src-address=192.168.2.0/24 src-address-list=\
!allow-bit

/ip firewall filter

add action=drop chain=forward dst-port=\
!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=tcp \
src-address-list=Torrent-Conn

/ip firewall filter

add action=drop chain=forward dst-port=\
!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=udp \
src-address-list=Torrent-Conn

This future is not 100% working...

regarding my testing after 5 minutes of inactive torrent it find first seeder and that other and other... it will slow down downloaders but there is still possibility torrent will work.

Block Bittorrent and P2P using latest MikroTik RouterOS 6.43.3
Mikrotik new version software stops blocking torrents and p2p with the error P2P matcher is obsolete please use layer7 matcher instead - MikroTik
Here are the new and revise configuration what is still working in year 2020 - steps that will block torrents and p2p traffic from mikrotik router:

In terminal:

/ip firewall layer7-protocol

add comment="Block Bit Torrent" name=layer7-bittorrent-exp regexp="^(\\x13bitt\
orrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?inf\
o_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[\
RP]"

/ip firewall filter

add action=add-src-to-address-list address-list=Torrent-Conn \
address-list-timeout=2m chain=forward layer7-protocol=\
layer7-bittorrent-exp src-address=192.168.2.0/24 src-address-list=\
!allow-bit

/ip firewall filter

add action=drop chain=forward dst-port=\
!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=tcp \
src-address-list=Torrent-Conn

/ip firewall filter

add action=drop chain=forward dst-port=\
!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=udp \
src-address-list=Torrent-Conn

Anyone Else Tried This???

Just try it on your own. It really helps but not for 100%

well, if it does not work 100% then it does not really help, don't you think? I mean - what difference it makes if the download takes bit more? Idea of blocking is, that NOTHING goes through.
If it still starts after a while, it likely means you missed some port or regexp part, which still gets through.

Block Bittorrent and P2P using latest MikroTik RouterOS 6.43.3

This was posted 5 Juli 2020. 6.43.3 is very old and far far from latest Router OS (from 18.10.2018). Latest stable 6.47 and long term 6.45.9
I would not have used this old version due to lots of missing security patches.

Yes it's work in my RB2011

/ip firewall layer7-protocol
add comment="Block Bit Torrent" name=layer7-bittorrent-exp regexp="^(\\x13bitt\
orrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?inf\
o_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[\
RP]"

/ip firewall filter
add action=add-src-to-address-list address-list=Torrent-Conn \
address-list-timeout=2m chain=forward layer7-protocol=\
layer7-bittorrent-exp src-address=192.168.88.0/24 src-address-list=\
!allow-bit
add action=drop chain=forward dst-port=\
!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=tcp \
src-address-list=Torrent-Conn
add action=drop chain=forward dst-port=\
!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=udp \
src-address-list=Torrent-Conn

Im uTorrent
Options->Prefences->BitTorrent-Protocol Encryption set it to Enabled, then test if your rule still blocks it.

Im uTorrent
Options->Prefences->BitTorrent-Protocol Encryption set it to Enabled, then test if your rule still blocks it.

I don't know how but it is still blocking torrent after i enabled BitTorrent-Protocol Encryption.

Why would you want to do this?

Why would you want to do this?

Torrent is illegal where i live,,,,,, if i don't block it then our small ISP will be charge by the internet authority

So if the speed limit is 100 kph and I have a car that can run 200 kph, we need to close the road?
Torrent are not illegal, sharing copyright material are.
Closing one service just move user to another :)

Why would you want to do this?

Torrent is illegal where i live,,,,,, if i don't block it then our small ISP will be charge by the internet authority

Where do you live? I don't believe they are illegal.

Try to use it in Germany :)

Eek I just read about Germany.

The Torrent system on it's own is not illegal.
Downloading copyrighted content is illegal.

The Torrent system on it's own is not illegal.
Downloading copyrighted content is illegal.

This is my understanding also, read an article yesterday that in Germany, some law firms are not so ethical (who would have thought) and sending very threatening letters to people to pay up, and the normal Joe does not know better, so he pays. Case of big brother bullying little brother

rules are working for me also. i try to download various torrents with qbittorrent and they dont start. "force encryption" is enabled in qbittorrent options.
just a small remark. in second rule you have to change subnet to match your setup. the photo is after one hour trying to download random torrents.
i am not sure if there are any Concequenses in apps like facetime,viber,whatsapp, tv boxes etc. further testing needed.

/ip firewall filter
add action=add-src-to-address-list address-list=Torrent-Conn \
address-list-timeout=2m chain=forward layer7-protocol=\
layer7-bittorrent-exp src-address=192.168.2.0/24 src-address-list=\
!allow-bit

If you go to some PitateBay proxy or other Torrent site they tell you to not download if you do not use a VPN, and with VPN your rules does not work at all.

rules are working for me also. i try to download various torrents with qbittorrent and they dont start. "force encryption" is enabled in qbittorrent options.
just a small remark. in second rule you have to change subnet to match your setup. the photo is after one hour trying to download random torrents.
i am not sure if there are any Concequenses in apps like facetime,viber,whatsapp, tv boxes etc. further testing needed.

/ip firewall filter
add action=add-src-to-address-list address-list=Torrent-Conn \
address-list-timeout=2m chain=forward layer7-protocol=\
layer7-bittorrent-exp src-address=192.168.2.0/24 src-address-list=\
!allow-bit

Yes there are consequences, after applying the rules, i have also notice that it affect whatsapp audio reception and speedtest websites is not working at all......i solved whatsapp issue but not speedtest!

rules are working for me also. i try to download various torrents with qbittorrent and they dont start. "force encryption" is enabled in qbittorrent options.
just a small remark. in second rule you have to change subnet to match your setup. the photo is after one hour trying to download random torrents.
i am not sure if there are any Concequenses in apps like facetime,viber,whatsapp, tv boxes etc. further testing needed.

/ip firewall filter
add action=add-src-to-address-list address-list=Torrent-Conn \
address-list-timeout=2m chain=forward layer7-protocol=\
layer7-bittorrent-exp src-address=192.168.2.0/24 src-address-list=\
!allow-bit

After disabling the firewall rules then torrent start seeding, i think it is working for now, !!!!!!! will get you updated when it fails.

hi all regarding how to block torrent, I use the below

/ip firewall layer7-protocol
add comment="Block Bit Torrent" name=layer7-bittorrent-exp regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=local layer7-protocol=layer7-bittorrent-exp new-connection-mark=torrent_conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=torrent_conn layer7-protocol=layer7-bittorrent-exp new-packet-mark=torrent_packet passthrough=no

/ip firewall filter
add action=drop chain=forward dst-address-type=local packet-mark=torrent_packet
add action=drop chain=forward content=tracker
add action=drop chain=forward content=info_hash
add action=drop chain=forward content=annonce_peers
add action=drop chain=forward content=getpeers
add action=drop chain=forward content=torrent

it'is working 100%

In uTorrent
Options->Prefences->BitTorrent-Protocol Encryption set it to Enabled, then test if your rule still blocks it.

It still blocks encrypted torrent as asked about above?

how can i use these rules to limit speed instead of blocking?

hi all regarding how to block torrent, I use the below

/ip firewall layer7-protocol
add comment="Block Bit Torrent" name=layer7-bittorrent-exp regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=local layer7-protocol=layer7-bittorrent-exp new-connection-mark=torrent_conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=torrent_conn layer7-protocol=layer7-bittorrent-exp new-packet-mark=torrent_packet passthrough=no

/ip firewall filter
add action=drop chain=forward dst-address-type=local packet-mark=torrent_packet
add action=drop chain=forward content=tracker
add action=drop chain=forward content=info_hash
add action=drop chain=forward content=annonce_peers
add action=drop chain=forward content=getpeers
add action=drop chain=forward content=torrent

it'is working 100%

don't work for me with utorrent client

As long as the client uses encryption (that can be turned on for utorrent) this does not work.

I find this set of firewall rules and layer 7 works well with encrypted torrents. Tested with Deluge full encryption and Flud on Android full encryption.

/ip firewall layer7-protocol
add comment="Mikrotik Block Torrent" name=layer7-bittorrent-expp regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"

/ip firewall filter
add action=jump chain=forward comment="Torrent Blocker" jump-target=forward-torrents-non-allowed-devices out-interface-list=WAN src-address-list=!torrents-allowed-devices
add action=add-src-to-address-list address-list=torrent-connections address-list-timeout=1w chain=forward-torrents-non-allowed-devices comment="Torrent Blocker" layer7-protocol=layer7-bittorrent-expp
add action=add-src-to-address-list address-list=torrent-connections address-list-timeout=1w chain=forward-torrents-non-allowed-devices comment="Torrent Blocker" content=tracker
add action=add-src-to-address-list address-list=torrent-connections address-list-timeout=1w chain=forward-torrents-non-allowed-devices comment="Torrent Blocker" content=info_hash
add action=add-src-to-address-list address-list=torrent-connections address-list-timeout=1w chain=forward-torrents-non-allowed-devices comment="Torrent Blocker" content=annonce_peers
add action=add-src-to-address-list address-list=torrent-connections address-list-timeout=1w chain=forward-torrents-non-allowed-devices comment="Torrent Blocker" content=getpeers
add action=add-src-to-address-list address-list=torrent-connections address-list-timeout=1w chain=forward-torrents-non-allowed-devices comment="Torrent Blocker" content=torrent
add action=return chain=forward-torrents-non-allowed-devices comment="Torrent Blocker"
add action=drop chain=forward comment="Torrent Blocker" dst-port=!53,80,443,110,143,993,995,465,587,8080,8291,3389 protocol=tcp src-address-list=torrent-connections
add action=drop chain=forward comment="Torrent Blocker" dst-port=!53,80,443,110,143,993,995,465,587,8080,8291,3389 protocol=udp src-address-list=torrent-connections

Make sure UPnP is not enabled on the the subnet you wish to block torrents or selectively enabled per IP.
I found that increasing the timeout on src-address-list entries helped alot as some torrent client apps did not trigger/reset the original 2m timeout on the address addition.

You can also add these rules above est-rel connections in addition to the others.

/ip firewall filter
add action=drop chain=forward comment="Torrent Blocker" dst-port=!53,80,443,110,143,993,995,465,587,8080,8291,3389 protocol=tcp src-address-list=torrent-connections
add action=drop chain=forward comment="Torrent Blocker" dst-port=!53,80,443,110,143,993,995,465,587,8080,8291,3389 protocol=udp src-address-list=torrent-connections

Helps to catch already running torrent connections.

Why would you want to do this?

Torrent is illegal where i live,,,,,, if i don't block it then our small ISP will be charge by the internet authority

What's the problem? Pass the court order to the violator, he will pay the fine. Torrents are not illegal. Downloading/uploading copyrighted content is illegal. If you block torrents you will restrict the rights of honest users.
If you are small ISP it's your uplink headache, why bother and why spend resources on it.

You need to set up Mangle bandwidth control properly and then you can successfully block torrents:

https://www.youtube.com/watch?v=ZK582jEdgIM
https://www.youtube.com/watch?v=B_Jig1RNY40
https://www.youtube.com/watch?v=RUGzdxBSmTU

I put p2p mangle connections and packets marks above http and other connection and packet marks so it gets filtered out first.
A lot of traffic used by BitTorrent can pass thru as other connection/packet marks that is not p2p/layer 7/http. It can still bypass your layer 7 filter rules as a utp connection so you have to drop connection of the client that is not http/layer 7/p2p. The block needs to time out after a while so that those other connections can be unblocked on the client.

Torrent is illegal where i live,,,,,, if i don't block it then our small ISP will be charge by the internet authority

What's the problem? Pass the court order to the violator, he will pay the fine. Torrents are not illegal. Downloading/uploading copyrighted content is illegal. If you block torrents you will restrict the rights of honest users.
If you are small ISP it's your uplink headache, why bother and why spend resources on it.

I fail to understand these local ISPs who first of all has zero certified network engineers and second of all has some strange obsession for torrent blocking which makes no sense in the age of encryption. Aren't they capping bandwidth per customer using simple queues or what?

It's a ovebooking problem for some ISP...
Have a 50Mbps and try to sell 10Mbps to 100 users...
When 5 of 100 users use torrents, the uplink is full and all users complain...

Also, using NOT WELL CONFIGURED torrent, can cause more incoming packet on gateway than the client have the right to use
and
the client try to transmit on upload more than what pay for, and the traffic reduce bandwidth available on radio link for other users
because the queue are on Gateway and not on CPE.

Have a 50Mbps and try to sell 10Mbps to 100 users...
When 5 of 100 users use torrents, the uplink is full and all users complain...

Then you need to upgrade, because the customers are using what they're paying for.

Why wait for the update? Better service (for everyone) is good publicity and drives more customers ...

You can also use a VPN which is even harder to block, if you're using SSTP or Wireguard.

It is the usual thing with these rules. It is not difficult to make a rule that blocks all Torrent traffic. What is difficult is making a rule that blocks all Torrent traffic but not anything else.
When I see those L7 rules above I'm sure it blocks all kinds of unrelated traffic and not all Torrent traffic. Which is exactly what the complaints are about.