p2p connections limiting

Posted: Thu Oct 11, 2007 5:17 pm
by chris84
Hi,

On one of our towers nearly everybody uses p2p programs. There are five AP bridges with about 30 logged-in users each. I set up RouterOS v3.0rc6 on an x86 system with two NICs as a transparent bridge, which looks like this:

router-----x86ros-bridge-----accesspoints.

I tried to limit each users p2p traffic to a maximum of 10 simultaneous connections:
> ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=drop p2p=all-p2p protocol=tcp connection-limit=8,32

You can see in the connections list that p2p traffic (bittorrent) is detected and the counters of the filter rule go up, but it has no effect on the users, even when you limit p2p to 1,32. The performance of normal customers is bad, high packet loss - I think you know what I mean. If the bad guys are blocked "by hand" (RADIUS doesn't let them log in to the AP bridges) everything works fine, but this is not what I want.

The firewall on the bridge is enabled, connection tracking is enabled too.

Would Layer7 firewall be better in this case?

Re: p2p connections limiting

Posted: Thu Oct 11, 2007 6:01 pm
by janisk
It is nearly impossible to detect encrypted p2p traffic, as it is encrypted, and to detect it 100% you would have to decrypt it. Anyway, IMHO you will need quite a lot of resources to filter encrypted p2p out.

As a workaround, at the moment you can try to limit all connections of a user, so he will only be able to make a certain number of connections at all.

Also, you can try to catch (with a sniffer) encrypted torrent traffic (for example), try to identify it, and come back here with results or thoughts about the problem at hand.

Re: p2p connections limiting

Posted: Fri Oct 12, 2007 3:59 pm
by chris84
OK, I hope I understand you right; the rule was changed to:
> ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=drop protocol=tcp connection-limit=16,32

Now each user can only establish 15 simultaneous TCP connections, is that right?

Would it be useful to prioritize the standard traffic (HTTP, HTTPS, DNS, POP3, SMTP, FTP, etc.) higher and everything else lower?

Re: p2p connections limiting

Posted: Fri Oct 12, 2007 10:22 pm
by danielillu
OK, I hope I understand you right; the rule was changed to:
> ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=drop protocol=tcp connection-limit=16,32

Now each user can only establish 15 simultaneous TCP connections, is that right?
That's right, but this adds an additional problem for all your users.
They will be limited to 15 connections. That is:
- Your annoying clients won't be able to surf or do anything else until they stop their p2p clients (maybe good because they will choose, or maybe bad because they will get angry).
- Your normal users will get lots of connections refused and surely they will get angry.
For example, right now, without any p2p client, on my computer I have established 19 TCP connections (System console -> "netstat"). And I'm not doing anything a standard user wouldn't do (Windows XP, iTunes, video chat, and some browsing). My 19 TCP connections wouldn't work in your network. Any multiplayer game needs some connections that easily wouldn't fit in those settings.

p2p regulation is a really difficult job.
Using an SFQ or PCQ (same as SFQ but with bandwidth shaping) queue, which distributes bandwidth equally among users/IPs, will soften your problem a bit.

What you should do, as you point out in your last sentence, is work in the other direction: use Layer 7 (in the latest RouterOS release) to prioritize standard services (inserting them in a queue with a minimum guaranteed bandwidth) and leave the unknown services fighting for the rest of the bandwidth.
But there's still no magical solution here.
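To see what the connection-limit=16,32 rule discussed above does to the 19 connections danielillu counted with netstat, here is an added Python model (not code from the thread or from RouterOS): it parses constructed netstat output, groups connections per source block the way the address/netmask argument does, and reports which blocks have reached the limit. The sample hosts, addresses and counts are constructed.

```python
import ipaddress
from collections import Counter


def parse_netstat(text):
    """Parse constructed `netstat -n` style lines (Windows column layout assumed)
    into (local_ip, remote_ip) pairs for ESTABLISHED TCP connections."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "ESTABLISHED":
            local = parts[1].rsplit(":", 1)[0]
            remote = parts[2].rsplit(":", 1)[0]
            conns.append((local, remote))
    return conns


def blocks_at_limit(conns, limit, netmask):
    """Model connection-limit=<limit>,<netmask>: count connections per source
    block and return {block: count} for every block that has reached the limit.
    With action=drop the <limit>-th connection of a block is dropped, which is
    why 16,32 leaves each single host (/32) with 15 working connections."""
    counts = Counter(
        ipaddress.ip_network(f"{src}/{netmask}", strict=False) for src, _ in conns
    )
    return {str(block): n for block, n in counts.items() if n >= limit}


def constructed_netstat(local_ip, n):
    """Build a constructed netstat dump with n ESTABLISHED connections plus one
    TIME_WAIT line that must not be counted."""
    lines = ["Active Connections", "", "  Proto  Local Address  Foreign Address  State"]
    for i in range(n):
        lines.append(f"  TCP    {local_ip}:{49152 + i}    203.0.113.{i + 1}:443    ESTABLISHED")
    lines.append(f"  TCP    {local_ip}:49999    203.0.113.99:80    TIME_WAIT")
    return "\n".join(lines)


# Constructed sample: one busy desktop with danielillu's 19 connections, two
# lighter hosts; 10.0.0.5 and 10.0.0.7 share a /24, 10.0.1.9 is in another.
SAMPLE_CONNS = (
    parse_netstat(constructed_netstat("10.0.0.5", 19))
    + parse_netstat(constructed_netstat("10.0.0.7", 3))
    + parse_netstat(constructed_netstat("10.0.1.9", 8))
)

if __name__ == "__main__":
    print("per host (16,32):", blocks_at_limit(SAMPLE_CONNS, 16, 32))
    print("per /24  (16,24):", blocks_at_limit(SAMPLE_CONNS, 16, 24))
```

Changing the netmask from 32 to 24 shows the second effect of the rule: the quiet host 10.0.0.7 is dropped along with its busy neighbour because the whole /24 is counted together.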

Re: p2p connections limiting

Posted: Fri Oct 12, 2007 10:45 pm
by hci
I think the best solution is to monitor bandwidth consumption and at peak times throttle the hogs back. That would be fair to everyone.

Here in the USA someone just got sued for using p2p for copyrighted music and got nailed with a $222,000 judgement. Ouch.

Matt

Re: p2p connections limiting

Posted: Fri Oct 19, 2007 10:52 am
by chris84
I tried to use the Layer 7 firewall; I use this regexp to match bittorrent:
^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)|d1:ad2:id20:|\x08'7P\)[RP]

Then I mangle and queue it:
1 chain=prerouting action=mark-packet new-packet-mark=bittorrent passthrough=yes layer7-protocol=bittorrent

Those packets are matched.

I made a PCQ queue for p2p:
6 name="p2p-queue" kind=pcq pcq-rate=0 pcq-limit=30 pcq-classifier="" pcq-total-limit=2000

0 name="bittorrent" parent=global-total packet-mark=bittorrent limit-at=512000 queue=p2p-queue priority=8 max-limit=512000 burst-limit=0 burst-threshold=0 burst-time=0s


I did the same with gnutella, the regexp is taken from http://www.mikrotik.com/download/l7-protos.rsc.
In Winbox > Firewall > Connection table you can see that there are gnutella and bittorrent connections, but only the bittorrent connections are matched. Why is that?
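To show what the bittorrent regexp above actually catches, and why janisk's point about encrypted traffic holds, here is an added Python model of a Layer 7 matcher (not code from the thread, from RouterOS or from l7-filter). It applies the pattern case-insensitively to the start of a connection, as the RouterOS matcher is documented to do (first 10 packets or 2 KB), and runs it over constructed sample connections: a plaintext peer handshake, a tracker scrape, a DHT query, a pseudo-random stream standing in for an MSE-encrypted session, and a handshake arriving after the inspection window.

```python
import hashlib
import re

# The bittorrent regexp quoted in the thread (l7-filter style). The RouterOS
# Layer7 matcher is case-insensitive, so "BitTorrent" still matches.
BITTORRENT_RE = re.compile(
    rb"^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=)"
    rb"|d1:ad2:id20:|\x08'7P\)[RP]",
    re.IGNORECASE | re.DOTALL,
)

# Documented Layer7 behaviour: only the first 10 packets or the first 2 KB of a
# connection are collected and searched; after that it stays "unknown".
MAX_PACKETS = 10
MAX_BYTES = 2048


def collect_stream(packets):
    """Build the buffer the Layer7 matcher would inspect for one connection."""
    return b"".join(packets[:MAX_PACKETS])[:MAX_BYTES]


def classify(packets):
    """Return the Layer7 protocol name for a connection, or None if unknown."""
    return "bittorrent" if BITTORRENT_RE.search(collect_stream(packets)) else None


def fake_cipher_stream(seed, length=96):
    """Deterministic pseudo-random bytes standing in for an MSE/PE-encrypted
    stream (constructed): no plaintext handshake is ever on the wire."""
    out = b""
    while len(out) < length:
        out += hashlib.sha256(seed + len(out).to_bytes(2, "big")).digest()
    return out[:length]


# Constructed sample connections, each a list of payloads in arrival order.
HANDSHAKE_FLOW = [b"\x13BitTorrent protocol" + b"\x00" * 8 + b"H" * 20 + b"P" * 20]
SCRAPE_FLOW = [b"GET /scrape?info_hash=%ab%cd HTTP/1.1\r\nHost: tracker.example\r\n\r\n"]
DHT_FLOW = [b"d1:ad2:id20:" + b"A" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"]
ENCRYPTED_FLOW = [fake_cipher_stream(b"constructed-mse-flow")]
# Handshake only in the 11th packet: outside the inspected window, so missed.
LATE_HANDSHAKE_FLOW = [b"\x00" * 16] * 10 + HANDSHAKE_FLOW

if __name__ == "__main__":
    for name, flow in [("handshake", HANDSHAKE_FLOW), ("scrape", SCRAPE_FLOW),
                       ("dht", DHT_FLOW), ("encrypted", ENCRYPTED_FLOW),
                       ("late-handshake", LATE_HANDSHAKE_FLOW)]:
        print(f"{name:15s} -> {classify(flow)}")
```

The encrypted and late-handshake cases are the ones that end up in the "unknown" pool, which is why the thread's advice is to guarantee bandwidth for the known services rather than to chase every p2p flow.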