NetworkPro
Forum Guru
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos

Re: how block connection of p2p?

Sat Jan 28, 2012 1:41 am

I used this to catch the announce
^get.+announce\?info
 
di9383
just joined
Posts: 23
Joined: Thu Oct 15, 2009 11:29 am

Re: how block connection of p2p?

Sun Jan 29, 2012 10:58 am

CCDKP, do I understand right that these rules above work with the encrypted option in the torrent client enforced too? I suppose their blocking effect comes at the announce-blocking level (where we use the DNS block) and doesn't depend on all other options?
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Tue Jan 31, 2012 10:02 am

Hi,

This is my new config. I have been testing it for some time and have had issues with false positives. The config below seems to eliminate those false positives I have found. However, there might be more... If you find one please let me know, and also how, so I can replicate and correct it.

I will try to implement it in a live environment today or tomorrow. I did some live testing last week but I found out that the UDP block blacklisted common sites for reasons unknown. This seems to be corrected now.

Anyhow, any input regarding this is appreciated. And also: USE WITH CARE....

EDIT,
Seems like SteamPowered gets caught by the TCP tracker rule. I will look into this...
Did a workaround for this: the (TCP-Tracker blocking, UDP-Bittorrent blocking) rules now set a new connection-mark called "suspicious"; this traffic only gets acted on when a client has been using P2P according to the "safe" rules. Have a look at the code in Mangle and Filter to see where I use it. The summary of it is that normal clients will trigger the suspicious-traffic rule but it will not get applied since they don't use P2P. Only P2P users will get punished.

/ip firewall mangle
add action=jump chain=prerouting comment="Common P2P-Blocking" disabled=no dst-address-list=!dns-externt jump-target=p2p-service p2p=all-p2p
add action=jump chain=prerouting disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=BITTORRENT
add action=jump chain=prerouting disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=BITTORRENT_DHT
add action=jump chain=prerouting disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=DIRECTCONNECT
add action=jump chain=prerouting disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=GNUTELLA
add action=mark-connection chain=prerouting comment="UDP-Bittorrent blocking" disabled=no dst-address-list=!dns-externt dst-port=1024-65535 new-connection-mark=suspicious packet-size=62-500 passthrough=no protocol=udp src-port=!53
add action=mark-connection chain=prerouting comment="TCP-Tracker blocking" connection-type=!ftp disabled=no dst-address-list=!dns-externt dst-port=10000-65535 new-connection-mark=suspicious packet-size=100-500 passthrough=no protocol=tcp src-port=1024-65535 tcp-flags=psh,ack

add action=jump chain=prerouting connection-state=new disabled=no dst-port=443 jump-target=tcp-services protocol=tcp
add action=jump chain=prerouting connection-state=new disabled=no dst-address-list=!dns-externt dst-port=!443 jump-target=p2p-service layer7-protocol=HTTPS protocol=tcp
add action=jump chain=prerouting connection-state=new disabled=no jump-target=tcp-services protocol=tcp
add action=jump chain=prerouting connection-state=new disabled=no jump-target=udp-services protocol=udp
add action=jump chain=prerouting connection-state=new disabled=no jump-target=other-services
add action=mark-connection chain=p2p-service disabled=no new-connection-mark=p2p passthrough=no
/ip firewall filter
add action=add-src-to-address-list address-list=p2p-users address-list-timeout=10m chain=forward comment="Drop and log all P2P" connection-mark=p2p disabled=no src-address-list=local-addr
add action=add-dst-to-address-list address-list=p2p-users-ext address-list-timeout=10m chain=forward connection-mark=suspicious disabled=no src-address-list=local-addr
add action=log chain=forward connection-mark=p2p disabled=no log-prefix=P2P src-address-list=local-addr
add action=jump chain=forward connection-mark=p2p disabled=no jump-target=drop src-address-list=local-addr
add action=jump chain=forward disabled=no dst-address-list=p2p-users-ext jump-target=drop src-address-list=p2p-users
add action=jump chain=forward disabled=no dst-address-list=p2p-users jump-target=drop src-address-list=p2p-users-ext
/ip firewall layer7-protocol
add name=HTTPS regexp="^(.\?.\?\\x16\\x03.*\\x16\\x03|.\?.\?\\x01\\x03\\x01\?.*\\x0b)"
add name=GNUTELLA regexp="^(gnd[\\x01\\x02]\?.\?.\?\\x01|gnutella connect/[012]\\.[0-9]\\x0d\\x0a|get /uri-res/n2r\\\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get\
    \_/.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?:[1-9][0-9]\?[0-9]\?[0-9]\?|gnutella.*co\
    ntent-type: application/x-gnutella|...................\?lime)"
add name=DIRECTCONNECT regexp="^(\\\$mynick |\\\$lock |\\\$key )"
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:.d2:id20:|\\x08'7P\\)[RP]"
add name=BITTORRENT_DHT regexp="^d1\\:.d2\\:id20\\:"
 
gnuttisch
Member
Posts: 308
Joined: Fri Sep 10, 2010 3:49 pm

Re: how block connection of p2p?

Tue Jan 31, 2012 3:54 pm

Hi

Trying out your (TKITFrank) P2P traffic shaper/blocker but I can't get it to work successfully; maybe I have missed something? The queue is limiting the data but some of it seems to be getting by.

I am testing like this: OfficeLAN --> RB750G in bridge mode --> RB433 Hotspot --> Client.
# jan/02/1970 00:02:47 by RouterOS 5.12
# software id = 8952-JWTY
#
/interface bridge
add l2mtu=1520 name=bridge1
/interface ethernet
set 0 name=Eth1_WAN
set 1 name=Eth2_LAN
set 2 name=Eth3
set 3 name=Eth4
set 4 name=Eth5
/ip firewall layer7-protocol
add name=HTTPS regexp=\
    "^(.\?.\?\\x16\\x03.*\\x16\\x03|.\?.\?\\x01\\x03\\x01\?.*\\x0b)"
add name=GNUTELLA regexp="^(gnd[\\x01\\x02]\?.\?.\?\\x01|gnutella connect/[012]\
    \\.[0-9]\\x0d\\x0a|get /uri-res/n2r\\\?urn:sha1:|get /.*user-agent: (gtk-gnu\
    tella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-ty\
    pe: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-\
    9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[\
    0-9]\?:[1-9][0-9]\?[0-9]\?[0-9]\?|gnutella.*content-type: application/x-gnut\
    ella|...................\?lime)"
add name=DIRECTCONNECT regexp="^(\\\$mynick |\\\$lock |\\\$key )"
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\
    \\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\
    \?fid=)|d1:.d2:id20:|\\x08'7P\\)[RP]"
add name=BITTORRENT_DHT regexp="^d1\\:.d2\\:id20\\:"
/queue tree
add max-limit=1M name=IN parent=global-in
add max-limit=1M name=OUT parent=global-out
add max-limit=10k name=p2p_in packet-mark=P2P_PacketMark parent=IN
add max-limit=10k name=p2p_out packet-mark=P2P_PacketMark parent=OUT
/interface bridge port
add bridge=bridge1 interface=Eth1_WAN
add bridge=bridge1 interface=Eth2_LAN
/interface bridge settings
set use-ip-firewall=yes
/ip dhcp-client
add disabled=no interface=bridge1
/ip dns
set max-udp-packet-size=512 servers=192.168.19.1,195.67.199.24
/ip firewall filter
add action=add-src-to-address-list address-list=p2p-users address-list-timeout=\
    10m chain=forward comment="Drop and log all P2P" connection-mark=p2p \
    src-address-list=local-addr
add action=add-dst-to-address-list address-list=p2p-users-ext \
    address-list-timeout=10m chain=forward connection-mark=suspicious \
    src-address-list=local-addr
add action=log chain=forward connection-mark=p2p log-prefix=P2P \
    src-address-list=local-addr
add action=jump chain=forward connection-mark=p2p jump-target=drop \
    src-address-list=local-addr
add action=jump chain=forward dst-address-list=p2p-users-ext jump-target=drop \
    src-address-list=p2p-users
add action=jump chain=forward dst-address-list=p2p-users jump-target=drop \
    src-address-list=p2p-users-ext
/ip firewall mangle
add action=jump chain=prerouting comment="Common P2P-Blocking" \
    dst-address-list=!dns-externt jump-target=p2p-service p2p=all-p2p
add action=jump chain=prerouting dst-address-list=!dns-externt jump-target=\
    p2p-service layer7-protocol=BITTORRENT
add action=jump chain=prerouting dst-address-list=!dns-externt jump-target=\
    p2p-service layer7-protocol=BITTORRENT_DHT
add action=jump chain=prerouting dst-address-list=!dns-externt jump-target=\
    p2p-service layer7-protocol=DIRECTCONNECT
add action=jump chain=prerouting dst-address-list=!dns-externt jump-target=\
    p2p-service layer7-protocol=GNUTELLA
add action=mark-connection chain=prerouting comment="UDP-Bittorrent blocking" \
    dst-address-list=!dns-externt dst-port=1024-65535 new-connection-mark=\
    suspicious packet-size=62-500 passthrough=no protocol=udp src-port=!53
add action=mark-connection chain=prerouting comment="TCP-Tracker blocking" \
    connection-type=!ftp dst-address-list=!dns-externt dst-port=10000-65535 \
    new-connection-mark=suspicious packet-size=100-500 passthrough=no protocol=\
    tcp src-port=1024-65535
add action=jump chain=prerouting connection-state=new dst-port=443 jump-target=\
    tcp-services protocol=tcp
add action=jump chain=prerouting connection-state=new dst-address-list=\
    !dns-externt dst-port=!443 jump-target=p2p-service layer7-protocol=HTTPS \
    protocol=tcp
add action=jump chain=prerouting connection-state=new jump-target=tcp-services \
    protocol=tcp
add action=jump chain=prerouting connection-state=new jump-target=udp-services \
    protocol=udp
add action=jump chain=prerouting connection-state=new jump-target=\
    other-services
add action=mark-connection chain=p2p-service new-connection-mark=p2p \
    passthrough=no
add action=mark-packet chain=postrouting connection-mark=p2p new-packet-mark=\
    P2P_PacketMark
/ip smb shares
set [ find default=yes ] directory=/pub
/queue interface
set Eth1_WAN queue=ethernet-default
set Eth2_LAN queue=ethernet-default
set Eth3 queue=ethernet-default
set Eth4 queue=ethernet-default
set Eth5 queue=ethernet-default
 
CCDKP
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: how block connection of p2p?

Tue Jan 31, 2012 4:03 pm

CCDKP, do I understand right that these rules above work with the encrypted option in the torrent client enforced too? I suppose their blocking effect comes at the announce-blocking level (where we use the DNS block) and doesn't depend on all other options?
That is correct. The "Encrypt" option in a torrent client only covers client to client communications. The L7 filter is designed to prevent tracker communication, while the DNS is designed to prevent DHT/UTP from bootstrapping. With these methods blocked, the clients never learn about other clients, so in theory we don't have to worry about inter-client communication being encrypted.

The downside is that if a client can bootstrap in any way (DHT seeded off-site or through an external internet connection), or the client uses one of the new encrypted trackers, then peer lists are created, encryption is used, and we are helpless to find it. This is why we suggest using these rules to detect the presence of traffic, then take secondary measures against the clients.
 
nest
Forum Veteran
Posts: 823
Joined: Tue Feb 27, 2007 1:52 am
Location: UK

Re: how block connection of p2p?

Sun Feb 05, 2012 12:45 am

/ip firewall layer7-protocol
add name=HTTPS regexp="^(.\?.\?\\x16\\x03.*\\x16\\x03|.\?.\?\\x01\\x03\\x01\?.*\\x0b)"
add name=GNUTELLA regexp="^(gnd[\\x01\\x02]\?.\?.\?\\x01|gnutella connect/[012]\\.[0-9]\\x0d\\x0a|get /uri-res/n2r\\\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get\
    \_/.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?:[1-9][0-9]\?[0-9]\?[0-9]\?|gnutella.*co\
    ntent-type: application/x-gnutella|...................\?lime)"
add name=DIRECTCONNECT regexp="^(\\\$mynick |\\\$lock |\\\$key )"
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:.d2:id20:|\\x08'7P\\)[RP]"
add name=BITTORRENT_DHT regexp="^d1\\:.d2\\:id20\\:"
TKITFrank: I think you have a typo in the last 2 lines of the L7 rules. E.g. you have:
add name=BITTORRENT_DHT regexp="^d1\\:.d2\\:id20\\:"
Should it not be that the "." is an "a" on those two lines?
add name=BITTORRENT_DHT regexp="^d1\\:ad2\\:id20\\:"
Also, what is in your dns-externt address-list?
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Sun Feb 05, 2012 11:33 am

/ip firewall layer7-protocol
add name=HTTPS regexp="^(.\?.\?\\x16\\x03.*\\x16\\x03|.\?.\?\\x01\\x03\\x01\?.*\\x0b)"
add name=GNUTELLA regexp="^(gnd[\\x01\\x02]\?.\?.\?\\x01|gnutella connect/[012]\\.[0-9]\\x0d\\x0a|get /uri-res/n2r\\\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get\
    \_/.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?:[1-9][0-9]\?[0-9]\?[0-9]\?|gnutella.*co\
    ntent-type: application/x-gnutella|...................\?lime)"
add name=DIRECTCONNECT regexp="^(\\\$mynick |\\\$lock |\\\$key )"
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:.d2:id20:|\\x08'7P\\)[RP]"
add name=BITTORRENT_DHT regexp="^d1\\:.d2\\:id20\\:"
TKITFrank: I think you have a typo in the last 2 lines of the L7 rules. E.g. you have:
add name=BITTORRENT_DHT regexp="^d1\\:.d2\\:id20\\:"
Should it not be that the "." is an "a" on those two lines?
add name=BITTORRENT_DHT regexp="^d1\\:ad2\\:id20\\:"
Also, what is in your dns-externt address-list?
No, the line is correct. I have found that the "A" sometimes becomes an "R", so to be sure I have made it a wildcard. I have also merged the DHT rule into the BITTORRENT rule. They seem to overlap.
My current address list has not changed but it seems to be obsolete with the new ruleset. I have improved it more last week but I am currently testing it. I will release new code late this week or next.
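The "A becomes R" remark above is the KRPC layer of BitTorrent DHT: a query's first bencoded key is "a" (arguments), a response's is "r" (return values), so `d1:ad2:id20:` only ever sees queries. The following is an added example, not code from the thread: it runs the thread's BITTORRENT and BITTORRENT_DHT regexps (with the export's doubled backslashes undone) over constructed payloads, and compares the wildcard DHT rule with the "a"-only one nest suggested. The payloads, node id and info_hash are constructed placeholders.

```python
import re

# The BITTORRENT and BITTORRENT_DHT layer7 patterns from the thread, as the matcher
# sees them (RouterOS export doubles every backslash; that doubling is undone here).
# RouterOS layer7 matching is case-insensitive, hence re.IGNORECASE.
PATTERNS = {
    "BITTORRENT": re.compile(
        rb"^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=|get /announce\?info_hash="
        rb"|get /client/bitcomet/|GET /data\?fid=)|d1:.d2:id20:|\x08'7P\)[RP]",
        re.IGNORECASE | re.DOTALL),
    # TKITFrank's wildcard form of the DHT rule ...
    "DHT_WILDCARD": re.compile(rb"^d1:.d2:id20:", re.IGNORECASE | re.DOTALL),
    # ... and the "a"-only form nest proposed.
    "DHT_A_ONLY": re.compile(rb"^d1:ad2:id20:", re.IGNORECASE),
}

# Constructed sample payloads (not captures from the thread). In a KRPC query the
# first bencoded key is "a" (arguments); in a response it is "r" (return values).
NODE_ID = b"N" * 20          # placeholder 20-byte DHT node id
INFO_HASH = b"%AA" * 20      # placeholder URL-encoded info_hash
SAMPLES = {
    # peer-wire handshake: 0x13, "BitTorrent protocol", 8 reserved bytes, info_hash, peer_id
    "handshake":    b"\x13BitTorrent protocol" + b"\x00" * 8 + b"H" * 20 + b"-UT3000-" + b"P" * 12,
    # HTTP tracker announce
    "announce":     b"GET /announce?info_hash=" + INFO_HASH
                    + b"&peer_id=-UT3000-000000000000&port=6881 HTTP/1.1\r\nHost: tracker.invalid\r\n\r\n",
    # DHT ping query and the matching response
    "dht_query":    b"d1:ad2:id20:" + NODE_ID + b"e1:q4:ping1:t2:aa1:y1:qe",
    "dht_response": b"d1:rd2:id20:" + NODE_ID + b"e1:t2:aa1:y1:re",
    # benign traffic that must not match
    "http_get":     b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n",
    "dns_query":    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x07invalid\x00\x00\x01\x00\x01",
}

def classify(payload: bytes) -> list:
    """Names of the patterns that fire on this payload, like the layer7 matcher would."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(payload))

def report() -> dict:
    """Run every constructed sample through classify()."""
    return {name: classify(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:13s} -> {hits or ['no match']}")
```

Two things the run makes visible: the BITTORRENT rule already carries `d1:.d2:id20:` outside the `^(...)` group, so it catches DHT traffic on its own (which is why merging the two rules loses nothing), and the response `d1:rd2:id20:` is matched by the wildcard but not by the "a"-only form. Keep in mind that the layer7 matcher in RouterOS only looks at the first packets of a connection, so a pattern that only appears later in a stream will never fire.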
 
NetworkPro
Forum Guru
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos

Re: how block connection of p2p?

Sun Feb 05, 2012 12:28 pm

After I saw ACTA I officially do not filter anything. I move all the effort to QoS which is now a very well developed topic.
 
nest
Forum Veteran
Posts: 823
Joined: Tue Feb 27, 2007 1:52 am
Location: UK

Re: how block connection of p2p?

Sun Feb 05, 2012 2:58 pm

TKITFrank : OK, thanks.

NetworkPro : Our intention is similar, to identify the traffic and then we can place the traffic into appropriate priority queues.
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Fri Feb 10, 2012 3:53 pm

Hi,

Here is the new setup... Besides blocking, this will perhaps allow for traffic shaping of encrypted torrent traffic.
What will happen is that only users that use P2P programs will be subject to the rules that contain some false positives ("UDP-Bittorrent blocking" and "TCP-Tracker blocking").
They have a 2 min timeout before they will be off the hook if they close the P2P programs.
But a rule before the "UDP-Bittorrent blocking" and "TCP-Tracker blocking" can whitelist some game servers and so on.
/ip firewall mangle
add action=jump chain=prerouting comment="Common P2P-Blocking" disabled=no dst-address-list=!dns-externt jump-target=p2p-service p2p=all-p2p
add action=jump chain=prerouting comment="" disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=BITTORRENT
add action=jump chain=prerouting comment="" disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=DIRECTCONNECT
add action=jump chain=prerouting comment="" disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=GNUTELLA

add action=add-dst-to-address-list address-list=p2p-users-ext address-list-timeout=10m chain=prerouting comment="UDP-Bittorrent blocking" disabled=no dst-address-list=!dns-externt dst-port=1024-65535 packet-size=62-500 protocol=udp src-address-list=p2p-users src-port=!53
add action=add-dst-to-address-list address-list=p2p-users-ext address-list-timeout=10m chain=prerouting comment="TCP-Tracker blocking" connection-type=!ftp disabled=no dst-address-list=!dns-externt dst-port=1024-65535 packet-size=100-500 protocol=tcp src-address-list=p2p-users src-port=1024-65535 tcp-flags=psh,ack

add action=add-src-to-address-list address-list=p2p-users address-list-timeout=2m chain=p2p-service comment="" disabled=no src-address-list=local-addr
add action=mark-connection chain=p2p-service comment="" disabled=no new-connection-mark=p2p passthrough=no
/ip firewall filter
add action=jump chain=forward comment="" connection-mark=p2p disabled=no jump-target=drop
add action=jump chain=forward comment="" disabled=no dst-address-list=p2p-users-ext jump-target=drop-no-log src-address-list=p2p-users
add action=jump chain=forward comment="" disabled=no dst-address-list=p2p-users jump-target=drop-no-log src-address-list=p2p-users-ext
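To see what the two-stage logic in this post actually does on a packet timeline, here is an added Python model of it (not code from the thread, and not something RouterOS runs). It replays constructed traffic from a torrenting host and a gaming host through the same sequence: L7 hit puts the source into `p2p-users` for 2m, the size/port heuristics only run for sources already in that list and put the destination into `p2p-users-ext` for 10m, and the forward filter drops the cross-list pairs. The `local-addr` and `dns-externt` contents are assumed (the thread leaves them as xxx.xxx.xxx.xxx); the `src-port=!53` and `tcp-flags=psh,ack` conditions are left out to keep the model short.

```python
import ipaddress
from dataclasses import dataclass

# Assumed list contents (the thread leaves them as xxx.xxx.xxx.xxx).
LOCAL_ADDR = ipaddress.ip_network("192.168.88.0/24")   # local-addr
DNS_EXTERNT = {"192.0.2.53"}                           # dns-externt (external resolvers)
P2P_USERS_TIMEOUT = 2 * 60        # address-list-timeout=2m on p2p-users
P2P_USERS_EXT_TIMEOUT = 10 * 60   # address-list-timeout=10m on p2p-users-ext

@dataclass
class Packet:
    t: int                # seconds since start of the constructed trace
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dst_port: int
    size: int             # matched against packet-size=62-500 / 100-500
    l7_p2p: bool = False  # True where p2p=all-p2p or a layer7 rule would fire

class AddressList:
    """Dynamic address list with per-entry expiry, like address-list-timeout."""
    def __init__(self):
        self._expires = {}
    def add(self, addr, now, timeout):
        self._expires[addr] = now + timeout
    def has(self, addr, now):
        return self._expires.get(addr, -1) > now

class Enforcer:
    def __init__(self):
        self.p2p_users = AddressList()
        self.p2p_users_ext = AddressList()

    def handle(self, p: Packet) -> str:
        now = p.t
        # mangle: "Common P2P-Blocking" and the layer7 jumps -> chain p2p-service
        if p.l7_p2p and p.dst not in DNS_EXTERNT:
            if ipaddress.ip_address(p.src) in LOCAL_ADDR:
                self.p2p_users.add(p.src, now, P2P_USERS_TIMEOUT)
            return "drop: connection-mark=p2p"
        # mangle: "UDP-Bittorrent blocking" / "TCP-Tracker blocking"; these heuristics
        # only run for src-address-list=p2p-users, so they cannot flag a clean client
        if (self.p2p_users.has(p.src, now) and p.dst not in DNS_EXTERNT
                and 1024 <= p.dst_port <= 65535):
            if (p.proto == "udp" and 62 <= p.size <= 500) or \
               (p.proto == "tcp" and 100 <= p.size <= 500):
                self.p2p_users_ext.add(p.dst, now, P2P_USERS_EXT_TIMEOUT)
        # filter forward: the two cross-list drops
        if self.p2p_users.has(p.src, now) and self.p2p_users_ext.has(p.dst, now):
            return "drop: p2p-users -> p2p-users-ext"
        if self.p2p_users_ext.has(p.src, now) and self.p2p_users.has(p.dst, now):
            return "drop: p2p-users-ext -> p2p-users"
        return "accept"

# Constructed trace: .10 runs a torrent client, .20 plays an online game.
TRACE = [
    Packet(0,   "192.168.88.10", "203.0.113.5",   "tcp", 6881,  68, l7_p2p=True),  # peer handshake
    Packet(1,   "192.168.88.10", "198.51.100.7",  "udp", 51413, 120),  # encrypted uTP, no L7 match
    Packet(2,   "192.168.88.20", "198.51.100.9",  "udp", 27015, 90),   # game traffic, same shape
    Packet(3,   "192.168.88.20", "198.51.100.7",  "udp", 51413, 120),  # gamer talks to a flagged peer
    Packet(5,   "198.51.100.7",  "192.168.88.10", "udp", 51413, 120),  # flagged peer replies to .10
    Packet(200, "192.168.88.10", "198.51.100.7",  "udp", 51413, 120),  # 2m timeout has passed
]

def run(trace) -> list:
    """Verdict for each packet, in order, with list state carried across packets."""
    e = Enforcer()
    return [e.handle(p) for p in trace]

if __name__ == "__main__":
    for p, verdict in zip(TRACE, run(TRACE)):
        print(f"t={p.t:3d} {p.src:>14} -> {p.dst:<14} {p.proto}/{p.dst_port:<5} {verdict}")
```

The trace shows the property the post claims: the gamer at .20 sends UDP of the same size and port range, even to a host already in `p2p-users-ext`, and is never dropped, because neither filter rule fires unless one side is in `p2p-users`. The last packet shows the flip side of the 2 min timeout: once the L7 hit has aged out, the encrypted flow to the same peer is accepted again until another unencrypted handshake or announce re-arms the list.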
 
CCDKP
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: how block connection of p2p?

Fri Feb 10, 2012 4:26 pm

TKITFrank,

While testing out some of the new rules, I hit a very interesting discovery. uTorrent 3.0 will try to establish UTP connections over Teredo IPv6 tunnels, which are on by default on Windows Vista & Windows 7. If you fire up a decent-sized torrent on a Windows 7 machine and look under "peers" you may notice some valid IPv6 peers show up.

Due to the Teredo encapsulation, the DHT rules had a difficult time flagging those connections. If you look at logs or packet captures, look for traffic destined for UDP 3544.
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Fri Feb 10, 2012 4:53 pm

TKITFrank,

While testing out some of the new rules, I hit a very interesting discovery. uTorrent 3.0 will try to establish UTP connections over Teredo IPv6 tunnels, which are on by default on Windows Vista & Windows 7. If you fire up a decent-sized torrent on a Windows 7 machine and look under "peers" you may notice some valid IPv6 peers show up.

Due to the Teredo encapsulation, the DHT rules had a difficult time flagging those connections. If you look at logs or packet captures, look for traffic destined for UDP 3544.
Hi,

Yes, I noticed this early on as well. I do not know of any way to inspect that traffic so I have blocked it ;)
I'm sorry I did not include that in my configuration; this however is VITAL for the blocking to work.
Thanks for the notice! =)
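Why the DHT rule goes blind on Teredo is worth seeing on bytes. A Teredo datagram on UDP 3544 carries an optional origin or authentication indication, then a full IPv6 header, then the inner UDP header, and only then the bencoded `d1:ad2:id20:`; a `^`-anchored layer7 pattern never reaches it, and RouterOS layer7 does not decapsulate. The following is an added Python example, not from the thread and not something the router can run: it strips the Teredo indications (RFC 4380), parses the IPv6/UDP headers, and applies the thread's DHT pattern to what is inside. The Teredo addresses, ports and DHT message are constructed.

```python
import ipaddress
import re
import struct

TEREDO_PORT = 3544                                  # UDP port CCDKP points at
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")  # Teredo service prefix (RFC 4380)
DHT_PATTERN = re.compile(rb"^d1:.d2:id20:")         # the thread's BITTORRENT_DHT rule

def strip_teredo_indications(payload: bytes) -> bytes:
    """Drop the optional authentication (0x0001) and origin (0x0000) indications that may
    precede the IPv6 packet inside a Teredo UDP datagram (RFC 4380, section 5.1)."""
    if payload[:2] == b"\x00\x01":
        id_len, au_len = payload[2], payload[3]
        payload = payload[4 + id_len + au_len + 8 + 1:]   # client id, auth value, nonce, confirmation
    if payload[:2] == b"\x00\x00":
        payload = payload[8:]                              # 2 + obfuscated port (2) + obfuscated IPv4 (4)
    return payload

def parse_ipv6_udp(pkt: bytes):
    """Fixed 40-byte IPv6 header followed directly by UDP; extension headers are not handled here."""
    if len(pkt) < 48 or pkt[0] >> 4 != 6:
        return None
    payload_len, next_hdr = struct.unpack("!HB", pkt[4:7])
    if next_hdr != 17:                                     # 17 = UDP
        return None
    src6 = ipaddress.IPv6Address(pkt[8:24])
    dst6 = ipaddress.IPv6Address(pkt[24:40])
    _sport, dport, _ulen, _csum = struct.unpack("!HHHH", pkt[40:48])
    return {"src6": src6, "dst6": dst6, "dport": dport, "payload": pkt[48:40 + payload_len]}

def inspect(udp_dst_port: int, udp_payload: bytes) -> dict:
    """What a flat layer7 match sees on the outer datagram versus what the tunnel carries."""
    result = {"outer_match": bool(DHT_PATTERN.search(udp_payload)),
              "inner_match": False, "teredo_prefix": False}
    if udp_dst_port == TEREDO_PORT:
        inner = parse_ipv6_udp(strip_teredo_indications(udp_payload))
        if inner:
            result["teredo_prefix"] = inner["src6"] in TEREDO_PREFIX or inner["dst6"] in TEREDO_PREFIX
            result["inner_match"] = bool(DHT_PATTERN.search(inner["payload"]))
    return result

# Constructed DHT ping query, not a capture from the thread.
DHT_QUERY = b"d1:ad2:id20:" + b"N" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"

def build_teredo_datagram(inner_udp_payload: bytes, with_origin: bool = True) -> bytes:
    """Wrap a message as IPv6/UDP between two constructed Teredo addresses, optionally with
    an origin indication in front, the way a Teredo relay hands it to the client."""
    src6 = ipaddress.IPv6Address("2001:0:4136:e378:8000:63bf:3fff:fdd2").packed
    dst6 = ipaddress.IPv6Address("2001:0:53aa:64c:0:bfff:3f57:fef5").packed
    udp = struct.pack("!HHHH", 6881, 6881, 8 + len(inner_udp_payload), 0) + inner_udp_payload
    ip6 = struct.pack("!IHBB", 0x60000000, len(udp), 17, 64) + src6 + dst6 + udp
    origin = struct.pack("!HH4s", 0, 0x1234 ^ 0xFFFF, bytes(4)) if with_origin else b""
    return origin + ip6

if __name__ == "__main__":
    print("Teredo-wrapped:", inspect(TEREDO_PORT, build_teredo_datagram(DHT_QUERY)))
    print("plain UDP     :", inspect(6881, DHT_QUERY))
```

The outer match is false and the inner match is true for the same DHT message, which is exactly the gap CCDKP describes. Since the router cannot do this decapsulation in a layer7 rule, the practical choices are the ones the thread lands on: match UDP 3544 as its own service and block or shape it, or let clients reach IPv6 natively so the traffic is visible again.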
 
Belyache
just joined
Posts: 11
Joined: Wed Feb 15, 2012 12:05 am

Re: how block connection of p2p?

Wed Feb 15, 2012 12:52 am

@TKITFrank

Hi all: I am new to Mikrotik. I have an RB450G that I am planning to use as a router/hotspot in a free wireless environment.

I struggled to get the User Manager to operate correctly, so I eventually went with hotspotsystems.com's free system. It works OK, not perfect, but OK.

----
On to the second part of my problem, the one I am posting here about.

We have an issue with Torrents being downloaded illegally. Since MikroTik seemed to have the best solution, I chose this router.

I have read through this stream of posts, which seems to me a work in progress. That is fine. I am having trouble following your posts though; I do understand what you are doing, just not how to put it all together.

I see a post from Jan 31 posting your setup code, then again on Feb 10, posting your new setup code.
1) Are either of these posts complete?
2) Is the second post an addition to the previous post?
3) do we wipe the previous rules and start over?
4) Do you still need the DNS rules?
5) What DNS rules are you using now?

Would you be kind enough to post your code complete? In other words, show all of the code needed to make the rules work.

I appreciate users like you that have taken the time to figure out these extremely complex problems. And I am sure others do as well.

Thanks

Glenn
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Wed Feb 15, 2012 7:53 am

Hi Belyache,

To make a long story short, this has been an ongoing battle... I will try to summarize it for you.
I also included CCDKP's note about IPv6. As he states, it is VITAL for the blocking.

1) Are either of these posts complete?
I have made them below.
2) Is the second post an addition to the previous post?
....
3) do we wipe the previous rules and start over?
No and yes, it depends on your setup. Mine is quite complex. It uses "Dimitry on firewalling" as a base and from there I have heavily modified it. But as I have written it below, it should be OK to implement on any system.
4) Do you still need the DNS rules?
From what I can see, NO. I currently have them disabled to test if I need them anymore. But they don't hurt anything except torrents.
5) What DNS rules are you using now?
/ip dns static
add address=127.0.0.1 disabled=yes name=router.utorrent.com ttl=1d
add address=127.0.0.1 disabled=yes name=dht.vuze.com ttl=1d
add address=127.0.0.1 disabled=yes name=vrpc.vuze.com ttl=1d
add address=127.0.0.1 disabled=yes name=vzrpx020.vuze.com ttl=1d
add address=127.0.0.1 disabled=yes name=vzapp020.vuze.com ttl=1d
add address=127.0.0.1 disabled=yes name=client.vuze.com ttl=1d
add address=127.0.0.1 disabled=yes name=mirror-user1.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=yes name=ip.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=yes name=jp.bitcomet.com ttl=1d
add address=127.0.0.1 disabled=yes name=torrent-cache.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=yes name=inside.bitcomet.com ttl=1d
add address=127.0.0.2 disabled=yes name=router.bitcomet.net ttl=1d
Now for the Complete setup. I hope I have not missed anything ;)
/ip firewall layer7-protocol
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:.d2:id20:|\\x08'7P\\)[RP]"
add name=GNUTELLA regexp="^(gnd[\\x01\\x02]\?.\?.\?\\x01|gnutella connect/[012]\\.[0-9]\\x0d\\x0a|get /uri-res/n2r\\\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get\
    \_/.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?:[1-9][0-9]\?[0-9]\?[0-9]\?|gnutella.*co\
    ntent-type: application/x-gnutella|...................\?lime)"
add name=DIRECTCONNECT regexp="^(\\\$mynick |\\\$lock |\\\$key )"
add name=HTTPS regexp="^(.\?.\?\\x16\\x03.*\\x16\\x03|.\?.\?\\x01\\x03\\x01\?.*\\x0b)"
Note you have to enter your external DNS servers here and also the local networks.
/ip firewall address-list
add address=xxx.xxx.xxx.xxx comment=DNS-servers disabled=no list=dns-externt
add address=xxx.xxx.xxx.xxx disabled=no list=dns-externt
add address=78.31.0.0/16 comment=Spotify disabled=no list=spotify
add address=xxx.xxx.xxx.xxx disabled=no list=local-addr
Make sure that the rules below are first in the mangle and filter sets, above anything else.
/ip firewall mangle
add action=jump chain=prerouting comment="Common P2P-Blocking" disabled=no dst-address-list=!dns-externt jump-target=p2p-service p2p=all-p2p
add action=jump chain=prerouting comment="" disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=BITTORRENT
add action=jump chain=prerouting comment="" disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=DIRECTCONNECT
add action=jump chain=prerouting comment="" disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=GNUTELLA
add action=add-dst-to-address-list address-list=p2p-users-ext address-list-timeout=10m chain=prerouting comment="UDP-Bittorrent blocking" disabled=no dst-address-list=!dns-externt dst-port=1024-65535 packet-size=\
    62-500 protocol=udp src-address-list=p2p-users src-port=!53
add action=add-src-to-address-list address-list=p2p-users-ext address-list-timeout=10m chain=prerouting disabled=no dst-address-list=p2p-users dst-port=1024-65535 packet-size=62-500 protocol=udp src-address-list=\
    !dns-externt src-port=!53
add action=add-dst-to-address-list address-list=p2p-users-ext address-list-timeout=10m chain=prerouting comment="TCP-Tracker blocking" connection-type=!ftp disabled=no dst-address-list=!dns-externt dst-port=\
    1024-65535 packet-size=100-500 protocol=tcp src-address-list=p2p-users src-port=1024-65535 tcp-flags=psh,ack
add action=add-src-to-address-list address-list=p2p-users-ext address-list-timeout=10m chain=prerouting connection-type=!ftp disabled=no dst-address-list=p2p-users dst-port=1024-65535 packet-size=100-500 protocol=tcp \
    src-address-list=!dns-externt src-port=1024-65535 tcp-flags=psh,ack
add action=jump chain=prerouting connection-state=new disabled=no dst-port=443 jump-target=tcp-services protocol=tcp
add action=jump chain=prerouting connection-state=new disabled=no dst-address-list=!dns-externt dst-port=!443 jump-target=p2p-service layer7-protocol=HTTPS protocol=tcp
add action=jump chain=prerouting connection-state=new disabled=no jump-target=tcp-services protocol=tcp
add action=jump chain=prerouting connection-state=new disabled=no jump-target=udp-services protocol=udp
add action=jump chain=prerouting connection-state=new disabled=no jump-target=other-services
add action=add-src-to-address-list address-list=p2p-users address-list-timeout=2m chain=p2p-service disabled=no src-address-list=local-addr
add action=mark-connection chain=p2p-service disabled=no new-connection-mark=p2p passthrough=no
add action=mark-connection chain=tcp-services disabled=no dst-port=20-21 new-connection-mark=ftp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=22 new-connection-mark=ssh passthrough=no protocol=tcp src-port=513-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=23 new-connection-mark=telnet passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=25 new-connection-mark=smtp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=53 new-connection-mark=dns passthrough=no protocol=tcp src-port=53
add action=mark-connection chain=tcp-services disabled=no dst-port=53 new-connection-mark=dns passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=80 new-connection-mark=http passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=110 new-connection-mark=pop3 passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=113 new-connection-mark=auth passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=119 new-connection-mark=nntp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=137-139 new-connection-mark=netbios passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=143 new-connection-mark=imap passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=161-162 new-connection-mark=snmp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-address-list=spotify dst-port=443 new-connection-mark=spotify passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-address-list=!spotify dst-port=443 new-connection-mark=https passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=445 new-connection-mark=ms-ds passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=465 new-connection-mark=smtps passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=990 new-connection-mark=ftps passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=993 new-connection-mark=imaps passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=995 new-connection-mark=pop3s passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=1080 new-connection-mark=socks passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=1723 new-connection-mark=pptp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=1863 new-connection-mark=msn passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=2379 new-connection-mark=kgs passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=3128 new-connection-mark=squid-proxy passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=3389 new-connection-mark=win-ts passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=3845 new-connection-mark=smartpass passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=4070 new-connection-mark=spotify passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=2000-3000 new-connection-mark=bwtest passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=4242-4243 new-connection-mark=emule passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=1024-65535 new-connection-mark=overnet passthrough=no protocol=tcp src-port=4661-4662
add action=mark-connection chain=tcp-services disabled=no dst-port=1024-65535 new-connection-mark=emule passthrough=no protocol=tcp src-port=4711
add action=mark-connection chain=tcp-services disabled=no dst-port=5900-5901 new-connection-mark=vnc passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=6667-6669 new-connection-mark=irc passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=8080 new-connection-mark=http-proxy passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=8291 new-connection-mark=winbox passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=42041-42052 new-connection-mark=voddler passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=55536-55663 new-connection-mark=ftp-passive passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no new-connection-mark=other-tcp passthrough=no protocol=tcp
add action=mark-connection chain=udp-services disabled=no dst-port=53 new-connection-mark=dns passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=67 new-connection-mark=dhcp passthrough=no protocol=udp src-port=67-68
add action=mark-connection chain=udp-services disabled=no dst-port=123 new-connection-mark=ntp passthrough=no protocol=udp src-port=123
add action=mark-connection chain=udp-services disabled=no dst-port=123 new-connection-mark=ntp passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=137-139 new-connection-mark=netbios passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=161-162 new-connection-mark=snmp passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=514 new-connection-mark=syslog passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=1701 new-connection-mark=l2tp passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=3544 new-connection-mark=ms-ipv6 passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=4665 new-connection-mark=emule passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=4672 new-connection-mark=emule passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=2000-3000 new-connection-mark=bwtest passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=1024-65535 new-connection-mark=emule passthrough=no protocol=udp src-port=4672
add action=mark-connection chain=udp-services disabled=no dst-port=12053 new-connection-mark=overnet passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=20561 new-connection-mark=mac-winbox passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=42041-42052 new-connection-mark=voddler passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=1024-65535 new-connection-mark=overnet passthrough=no protocol=udp src-port=12053
add action=mark-connection chain=udp-services disabled=no dst-port=1024-65535 new-connection-mark=skype passthrough=no protocol=udp src-port=36725
add action=mark-connection chain=udp-services disabled=no new-connection-mark=other-udp passthrough=no protocol=udp
add action=mark-connection chain=other-services disabled=no icmp-options=8:0-255 new-connection-mark=ping passthrough=no protocol=icmp
add action=mark-connection chain=other-services disabled=no new-connection-mark=gre passthrough=no protocol=gre
add action=mark-connection chain=other-services disabled=no new-connection-mark=other passthrough=no
/ip firewall filter
add action=drop chain=forward comment="Block Teredo IPv6-tunnel" disabled=no dst-port=3544 protocol=udp src-port=1024-65535
add action=drop chain=forward comment="Drop all P2P" connection-mark=p2p disabled=no
add action=drop chain=forward comment="" disabled=no dst-address-list=p2p-users-ext src-address-list=p2p-users
add action=drop chain=forward comment="" disabled=no dst-address-list=p2p-users src-address-list=p2p-users-ext
Please note that this also opens up not just for blocking but also for marking packets, allowing you to traffic-shape encrypted torrent traffic.
I have not tried it, but with some modifications it should work.

Hope this will help! :)
Last edited by TKITFrank on Mon Sep 10, 2012 4:12 pm, edited 1 time in total.
 
Belyache
just joined
Posts: 11
Joined: Wed Feb 15, 2012 12:05 am

Re: how block connection of p2p?

Wed Feb 15, 2012 4:15 pm

TKITFrank:

Thank you for the post and sharing your efforts. I think your last post will help many here.

I will get to work on it this morning.

It is obvious that you have put a lot of time into making this work.

It is people like you that make IT easier for the rest of us.

Glenn
 
CCDKP
Member Candidate
Posts: 170
Joined: Fri Jan 28, 2011 11:24 pm
Location: Midwest, United States

Re: how block connection of p2p?

Wed Feb 15, 2012 4:35 pm

Hi all: I am new to Mikrotik. I have an RB450G that I am planning to use as a router/hotspot in a free wireless environment.
Since you are operating a free hotspot instead of a fixed ISP with paying customers, you may wish to consider something like I implemented way back on page 3 (http://forum.mikrotik.com/viewtopic.php ... 83#p249583). The problem with trying to block p2p is that it is very aggressive at finding any hole it can to get out. If you don't stay on top of new changes, the filter loses effectiveness fairly quickly.

Since I was working primarily with free hotspot users, I took the approach of detecting ANY p2p presence and just flat out punishing the user. Rather than trying to block everything, I block the low-hanging fruit and use them for detection. Once a user is caught, they are temporarily throttled down to dial-up speeds. This makes the hotspot pretty much unusable for them, so they tend to get frustrated and go elsewhere (and assume it is either their PC or an overloaded hotspot rather than content filtering they could try to bypass). With all the revisions TKIT has needed to make on the blocking side to stop Teredo tunnels and updated DHT connections, my original hotspot is still running fine. This is because bittorrent tends to try the obvious methods of connection before getting "sneaky" about getting out.

The advantage this offers is that as long as a few packets manage to get detected every so often, the user is kept on lockdown and it doesn't matter if they actually manage to establish a peer data connection, since they are already at 28k/14k (and it turns out a lot of clients will shun a connection this slow). The downside is that this method is attempting to change behavior by encouraging the p2p user to either stop p2p or go elsewhere. It works great for things like hotspots and college networks, but is not a solution for places like ISPs and corporate networks. If you are managing a network like that, then TKITFrank's method is far more appropriate.

The various methods here are very much mix & match depending on how you want to go about your filtering. We are trying hard to catch a protocol built on the foundation of not being easily detected or throttled. Make sure you keep an eye on this thread going forward. What works right now might not after a new generation of clients is released. Good luck!
 
Belyache
just joined
Posts: 11
Joined: Wed Feb 15, 2012 12:05 am

Re: how block connection of p2p?

Wed Feb 15, 2012 5:01 pm

CCDKP:

Thanks for your post.

I had seen your posts, but TKIT's efforts seemed to be more up-to-date. Not a judgement on your code, it just seemed to be out of date, and with the way bittorrent has been changing, I thought maybe TKIT's rules were the right way to go.

I will test both your code and his code and see which way works best. And yes, I am giving the service away for free, so I really don't care if someone gets upset with me over P2P not working.

Have you been able to implement the Hotspot User-manager from Mikrotik? I would prefer to use it, but I can't seem to access it properly unless I am already logged into the router, but that defeats the purpose.

Thanks for your time, and as I said to TKIT, you guys really help the rest of us out. It can be very frustrating trying to recreate what someone else has already figured out. I try to think of the IT community as a bunch of mentors, willing to help out the next guy. To all of the IT guys listening, take it easy on the guys trying to help. (guys being generic for guys and gals, we're all in it together).

Glenn
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Thu Feb 16, 2012 7:36 am

Hi,

CCDKP describes it well.
This is because bittorrent tends to try the obvious methods of connection before getting "sneaky" about getting out.
That is the same technique I use and it was his idea (thanks CCDKP), I just took it one step further ;)
I can not punish my users like he can. I have to maintain a working connection for them.

With all the revisions TKIT has needed to make on the blocking side to stop Teredo tunnels and updated DHT connections, my original hotspot is still running fine.
My main problem has been (and thereby the many revisions) that the UDP and TCP blocking rules that cripple the encrypted traffic were like a broadsword. I needed to find a way to only use the broadsword on people who use P2P, and then, as soon as they shut down the P2P program, open up the connection again. That took a lot of my time and some thinking (love Wireshark...). But I have been running it for a week or two now and I have constant communication with the IT representatives at the schools. They have not yet made any remarks on it. :)


Anyhow, I think that we all can contribute to one another to make the most working filters. This thread shows what good cooperation can provide in terms of results!
Now everyone can use them and make new revisions on them to suit their own setup. No setup is alike. What works for me will perhaps not work for CCDKP or yourselves, and vice versa.

In the end I guess that it might be a losing battle, but for now it seems to be status quo... Let's see how long we can keep it up.

Hope the filters work for you! :)
 
farazhamzaa
Frequent Visitor
Posts: 75
Joined: Sun Apr 01, 2012 9:31 am

Re: how block connection of p2p?

Sun May 20, 2012 11:18 am

add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:.d2:id20:|\\x08'7P\\)[RP]"
When I try to add this in L7 it gives me an error like

coudnt add new l7 protocol, bad regexp unmatched()(6)
 
mrz
MikroTik Support
Posts: 7216
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: how block connection of p2p?

Mon May 21, 2012 2:51 pm

ROS v5.16 no errors for me
[admin@RB1100] /ip firewall layer7-protocol> add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\
?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:.d2:id20:|\\x08'7P\\)[RP]"
[admin@RB1100] /ip firewall layer7-protocol> 
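As an added example (not from the thread, nor RouterOS code), this Python script resolves the RouterOS console quoting of the rule above (which is why the posted pattern carries `\\\?`, `\$` and `\\x13`) to recover the l7-filter regex underneath, then runs that regex over constructed first-packet payloads to show what the rule does and does not tag. It assumes the escape table from the RouterOS console documentation and l7-filter's case-insensitive matching; the payloads are constructed, not captures.

```python
import re

# RouterOS console string exactly as posted above (the text between the double quotes).
# RouterOS unescapes it once before handing the pattern to its l7-filter engine.
ROUTEROS_REGEXP = (
    r"^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=|"
    r"get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|"
    r"d1:.d2:id20:|\\x08'7P\\)[RP]"
)

# Escapes understood inside a RouterOS double-quoted string (assumed from the console docs).
# "\_" is a space, "\?" a literal question mark (otherwise "?" is the console help key),
# "\$" a literal dollar (otherwise variable expansion); "\xx" with two hex digits is a byte.
_SIMPLE_ESCAPES = {
    "\\": "\\", '"': '"', "$": "$", "?": "?", "_": " ",
    "n": "\n", "r": "\r", "t": "\t", "a": "\a", "b": "\b", "f": "\f", "v": "\v",
}


def unquote_routeros(s: str) -> str:
    """Resolve RouterOS double-quote escapes once, yielding the pattern l7-filter actually compiles."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c != "\\" or i + 1 >= len(s):
            out.append(c)
            i += 1
            continue
        nxt = s[i + 1]
        if nxt in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[nxt])
            i += 2
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", s[i + 1:i + 3]):
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        else:  # unknown escape: keep the escaped character literally
            out.append(nxt)
            i += 2
    return "".join(out)


# l7-filter (which RouterOS uses for layer7-protocol) matches case-insensitively; assumed via re.IGNORECASE.
L7_BITTORRENT = re.compile(unquote_routeros(ROUTEROS_REGEXP).encode("latin-1"),
                           re.IGNORECASE | re.DOTALL)


def matches_l7_bittorrent(payload: bytes) -> bool:
    """True if a connection whose first data looks like `payload` would be tagged BITTORRENT."""
    return L7_BITTORRENT.search(payload) is not None


# Constructed sample payloads (not captures): what the first bytes of each kind of flow carry.
SAMPLES = {
    # Plain BitTorrent peer handshake: <19>"BitTorrent protocol"<8 reserved><info_hash><peer_id>
    "peer-handshake": b"\x13BitTorrent protocol" + bytes(8) + b"\xaa" * 20 + b"-XX0001-" + bytes(12),
    # HTTP tracker announce, the same request NetworkPro's '^get.+announce\?info' regex targets
    "tracker-announce": (b"GET /announce?info_hash=%AA%AA%AA&peer_id=-XX0001-&port=6881 HTTP/1.1\r\n"
                         b"Host: tracker.example.invalid\r\n\r\n"),
    # Bencoded DHT (KRPC) ping query, matched by the 'd1:.d2:id20:' alternative
    "dht-ping": b"d1:ad2:id20:" + b"\xbb" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe",
    # Ordinary web request that must NOT be tagged (false positives are the thread's recurring worry)
    "plain-http": b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n",
    # MSE/PE-encrypted handshake: the flow opens with a Diffie-Hellman value, so no signature survives
    "encrypted-handshake": bytes(range(0x80, 0xC0)),
}


def classify(samples: dict) -> dict:
    """Run the L7 match over every sample and report which ones the rule would tag."""
    return {name: matches_l7_bittorrent(data) for name, data in samples.items()}


if __name__ == "__main__":
    print(unquote_routeros(ROUTEROS_REGEXP))
    for name, hit in classify(SAMPLES).items():
        print(f"{name:22s} -> {'BITTORRENT' if hit else 'no match'}")
```

The last two samples are the point of the exercise: the plain request stays untagged, and the encrypted handshake is invisible to the L7 matcher, which is why the thread falls back to DNS, Teredo and connection-mark rules for encrypted clients.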
 
dreamrider
newbie
Posts: 26
Joined: Mon Mar 30, 2009 11:13 pm

Re: how block connection of p2p?

Sat Jul 14, 2012 6:45 am

Note you have to enter your external DNS servers here and also the local networks.
/ip firewall address-list
add address=xxx.xxx.xxx.xxx comment=DNS-servers disabled=no list=dns-externt
add address=xxx.xxx.xxx.xxx disabled=no list=dns-externt
add address=78.31.0.0/16 comment=Spotify disabled=no list=spotify
add address=xxx.xxx.xxx.xxx disabled=no list=local-addr
Tell me, please, how to configure this section correctly. My external DNS server is 80.233.238.254 and Google's one is 8.8.8.8. My local network is 172.16.10.1/27 and the internal DNS server is 172.16.10.1.
What does the address 78.31.0.0/16 mean?
Those rules are like the Chinese alphabet for me :) But I want to use all of this for blocking p2p...
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Mon Jul 16, 2012 9:43 am

Hi,

Here is your setup :)

/ip firewall address-list
add address=80.233.238.254 comment=DNS-servers disabled=no list=dns-externt
add address=8.8.8.8 disabled=no list=dns-externt
add address=172.16.10.1/27 disabled=no list=local-addr

The 78 address was included by mistake... I use that for trafficshaping spotify.
 
dreamrider
newbie
Posts: 26
Joined: Mon Mar 30, 2009 11:13 pm

Re: how block connection of p2p?

Mon Jul 16, 2012 9:49 am

Thanks! I'll try it!
EDITED: Works 50/50. Some minutes the speed is zero, some minutes it is max. All the time like a wave :) Interesting.
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Mon Jul 16, 2012 7:47 pm

Hi,

I have a setup that blocks about 700 students on 2 different sites. I have not seen that behavior.. :? Can you give me your setup? Sounds like something is missing or a rule out of order...
 
dreamrider
newbie
Posts: 26
Joined: Mon Mar 30, 2009 11:13 pm

Re: how block connection of p2p?

Mon Jul 16, 2012 10:20 pm

http://files.fm/down.php?i=dadfttu&n=Ro ... ck_P2P.rar
In the archive is a notepad document; I don't know why I can not post this text here. Maybe dangerous code?? :D
Look at this, please, and give me the right config for this, OK?
Thanks!
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Tue Jul 17, 2012 7:33 am

Hi,

Add this to the top.
add action=drop chain=forward comment="Drop DNS" connection-mark=dns disabled=no

NOTE that you have to use the dns proxy/server in the RouterOS.
 
dreamrider
newbie
Posts: 26
Joined: Mon Mar 30, 2009 11:13 pm

Re: how block connection of p2p?

Tue Jul 17, 2012 7:42 am

It is a mangle, I think?
And another simple question - how can I add an exception for 1 IP address? 8)
Oh, no - it is a firewall filter rule, sorry.
Last edited by dreamrider on Tue Jul 17, 2012 7:46 am, edited 1 time in total.
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Tue Jul 17, 2012 7:43 am

Nope
/ip firewall filter
 
dreamrider
newbie
Posts: 26
Joined: Mon Mar 30, 2009 11:13 pm

Re: how block connection of p2p?

Tue Jul 17, 2012 7:47 am

Yea, I see, edited my post before read your answer.
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Tue Jul 17, 2012 7:47 am

It is a mangle, I think?
And another simple question - how can I add an exception for 1 IP address? 8)

That should be possible but a little more difficult, since the DNS server has no ACL for records.
If you allow an IP to use DNS forwarding (the opposite of the rule last posted) and also exclude it in the rules that block the traffic in the firewall filter, it can be done.
Or add an allow rule above the blocking rules.
 
dreamrider
newbie
Posts: 26
Joined: Mon Mar 30, 2009 11:13 pm

Re: how block connection of p2p?

Tue Jul 17, 2012 7:54 am

Adding an address to a "DMZ" is not a good idea, right? Or is it not possible with those complicated rules?
EDITED: Your rules work like a charm! Down/Up speed=ZERO!
P.S. But adding one IP to the exclusions after two hours of headache - w/o success... Google hides the answer from me. (I mean - your firewall rules are very strong :) )
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Tue Jul 17, 2012 12:29 pm

Adding an address to a "DMZ" is not a good idea, right? Or is it not possible with those complicated rules?
EDITED: Your rules work like a charm! Down/Up speed=ZERO!
P.S. But adding one IP to the exclusions after two hours of headache - w/o success... Google hides the answer from me. (I mean - your firewall rules are very strong :) )
My rules kill everything, so the DMZ idea will not work. But if you add this it might work. I have not tested them, I am @ work right now. But give it a try...
/ip firewall address-list
add address=xxx.xxx.xxx.xxx disabled=no list=p2p-exclude-addr

Make sure this is first in the chain. Above the block rules.
/ip firewall filter
add action=accept chain=forward comment="Exclude DNS" src-address-list=p2p-exclude-addr connection-mark=dns disabled=no
add action=accept chain=forward comment="Exclude Teredo IPv6-tunnel" src-address-list=p2p-exclude-addr disabled=no dst-port=3544 protocol=udp src-port=1024-65535
add action=accept chain=forward comment="Exclude all P2P" src-address-list=p2p-exclude-addr connection-mark=p2p disabled=no
add action=accept chain=forward comment="" disabled=no dst-address-list=p2p-users-ext src-address-list=p2p-exclude-addr
add action=accept chain=forward comment="" disabled=no dst-address-list=p2p-exclude-addr src-address-list=p2p-users-ext

Now make sure the client uses the Google/other DNS servers directly and not the DNS server in the Mikrotik. Then it should work.. So if you use a DNS redirect you have to exclude it as well.
 
n21roadie
Forum Guru
Posts: 1949
Joined: Fri Aug 07, 2009 10:36 pm
Location: Limerick,Ireland

Re: how block connection of p2p?

Tue Jul 17, 2012 1:05 pm

@TKITFrank
Will your filter work on a CPE using PPPoE where it gets its DNS from the AP, and the AP DNS entries use a private IP address pointing back to a load balancer, which in turn gets its DNS from the ISP?
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Tue Jul 17, 2012 1:22 pm

@TKITFrank
Will your filter work on a CPE using PPPoE where it gets its DNS from the AP, and the AP DNS entries use a private IP address pointing back to a load balancer, which in turn gets its DNS from the ISP?
Have not tried. I use it @ my main firewall. But if the AP has the DNS entries it should work. As long as the clients can't use another DNS other than the one with the block in it, it is fine. Also the MS-Teredo block is necessary.
But I am not sure about the load it will cause on the CPE. Give it a try :)
 
dreamrider
newbie
Posts: 26
Joined: Mon Mar 30, 2009 11:13 pm

Re: how block connection of p2p?

Tue Jul 17, 2012 3:05 pm

@ TKITFrank
You are a genius! Exclusion is working.
What you were talking about regarding DNS:
Now make sure the client uses the Google/other DNS servers directly and not the DNS server in the Mikrotik. Then it should work.. So if you use a DNS redirect you have to exclude it as well.
Do I have to exclude address 172.16.10.1? See-
 /ip dns> print
                servers: 80.233.238.254,8.8.8.8,8.8.4.4
        dynamic-servers: 
  allow-remote-requests: yes
    max-udp-packet-size: 512
             cache-size: 512KiB
          cache-max-ttl: 1w
             cache-used: 44KiB
and
/ip dns static> print
Flags: D - dynamic, X - disabled, R - regexp 
 #     NAME         ADDRESS                                        TTL         
 0     RouterOS     172.16.10.1                                    3d     
Is this the DNS redirection you are talking about? W/o static DNS my network does not work. How do I correctly exclude this address?
Thank you!
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Tue Jul 17, 2012 3:37 pm

Hi,

With the drop rule you deny all traffic from your clients to DNS servers except the router itself. Then they can only use the RouterOS DNS, and on that one we have blocked access to the torrent masters. With the bypass you can tell your client to go directly to the Google servers and also to communicate with external DNS servers, which allows torrents to work.

Normally you block clients from using DNS on external sources via the firewall filter rule, and redirect all DNS traffic under NAT to your Mikrotik. Doing so causes the client to think it uses an external DNS server, but it doesn't.
If you want to bypass the redirect you have to do an exclusion like in the firewall filter, since the redirect applies before the firewall filter.
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Wed Jul 18, 2012 1:41 pm

@dreamrider did it work as intended?
 
dreamrider
newbie
Posts: 26
Joined: Mon Mar 30, 2009 11:13 pm

Re: how block connection of p2p?

Wed Jul 18, 2012 4:52 pm

Yes, all works as intended so far. Exclusion works; the other PCs can not leech torrents.
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Thu Jul 19, 2012 6:42 am

Excellent! If you find out a way to bypass the filter let us know. And we can all work together to write a new rule to block :)
 
dreamrider
newbie
Posts: 26
Joined: Mon Mar 30, 2009 11:13 pm

Re: how block connection of p2p?

Mon Jul 30, 2012 1:43 am

@TKITFrank
Sorry for this "small offtopic" :)
"mark-connection" imho does not work as intended. I do not see connections marked as "winbox", "ping", "skype", for example, etc, etc, etc. (Skype I marked with a Layer7 protocol - it is working for now). P2P blocking works fine, but I'd love to see all the wonder of connection marks :) Maybe I forgot something? Here are my ip firewall mangle rules:
http://pastebin.com/FYQR0RSj
For you, do all of the connection marks work correctly?
Regards! And thanks again for help!
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Mon Jul 30, 2012 12:30 pm

Hi,

Well, short answer yes. My firewall system is based on http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling but I have modified it to be based on screens like the Juniper Netscreen/SRX models. This allows for faster processing of rules and the correct rules on the correct security screen, making my 309 rules here at home only perhaps 30 that the different traffic hits.
It would take some time to explain how it works, but the basics of how I use it is that I define services in mangle. Then I use them in the firewall filter.

Do you see any connection marks under firewall connection?
connmark.JPG
If not have you added the connection mark "view"?
connmark2.JPG
 
dreamrider
newbie
Posts: 26
Joined: Mon Mar 30, 2009 11:13 pm

Re: how block connection of p2p?

Tue Jul 31, 2012 9:30 am

Of course I see connection marks under firewall connections. There you can see - ICMP was not marked as ping, for example.
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Tue Jul 31, 2012 10:07 am

Hummm... and you ping from a computer behind the router and not from the router itself?
 
dreamrider
newbie
Posts: 26
Joined: Mon Mar 30, 2009 11:13 pm

Re: how block connection of p2p?

Tue Jul 31, 2012 10:16 am

Ping via netwatch to Google, external GW, local computers, etc. From the router, of course. From my computer I ping google.com and the connection is not marked either. (Sorry for my bad English...)
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Thu Aug 02, 2012 3:13 pm

Is it only ping / icmp or all other traffic as well?

Regardless I think you should start a new thread about this and we can continue there :)
Also try the basics: add a new simple connection mark at the top in mangle, and see if it works or not.
 
dreamrider
newbie
Posts: 26
Joined: Mon Mar 30, 2009 11:13 pm

Re: how block connection of p2p?

Fri Aug 03, 2012 9:28 am

Also try the basics: add a new simple connection mark at the top in mangle, and see if it works or not.
With chain=forward, connections mark fine. Not with tcp-services, other-services.
OK, it is not a big problem, no need to start a new thread :) Thanks for your help!
 
n21roadie
Forum Guru
Posts: 1949
Joined: Fri Aug 07, 2009 10:36 pm
Location: Limerick,Ireland

Re: how block connection of p2p?

Sat Aug 11, 2012 4:09 pm

So far no luck trying to set this up on a CPE using the instructions
http://forum.mikrotik.com/viewtopic.php ... 00#p303639
and I'm not sure if it's a problem with the PPPoE that the CPE is using
/ip firewall address-list
add address=10.150.0.1 comment=DNS-servers disabled=no list=dns-externt
add address=10.150.0.34 disabled=no list=dns-externt
add address=172.16.10.1/27 disabled=no list=local-addr
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=512 servers=10.150.0.1,10.150.0.34,172.16.10.1
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1 \
    to-addresses=0.0.0.0
 
karina
Member
Posts: 462
Joined: Sat Feb 06, 2010 2:18 am
Location: Spain

Re: how block connection of p2p?

Tue Aug 14, 2012 8:47 pm

Forgive me for this rant. This is my opinion on this subject.

If you are an ISP operating a cabled / wired network then let them use it. Clients expect it as part of an internet service. Limiting the number of sessions your clients are allowed as well as bandwidth control is all you should need to do to keep your network healthy. If your clients choose to partake in illegal activities then your contract with them should state that this is at their own risk and you take no responsibility. Add an extra note to say that if authorities demand user information from you because of copyright infringement, you will have to comply. If your CPUs are smoking then it's time to upgrade.

If you operate an 802.11 wireless network then you will need to control its use to protect your network; TDMA protocols can operate safely with simple session and bandwidth controls as above.

For the 802.11 wireless networks a little more control is needed. You will never block p2p. As you perfect your filters, new methods are invented. It's an ongoing battle you will never win, and it will consume far too much of your valuable time trying to do so.

Blocking p2p forces the client software to switch to other methods that are hard or impossible to detect.

In my experience it's the upload to your APs that will cause most damage if it's over 128k and more than 20 sessions.

Downloads can be much higher, up to 2MB, as long as sessions are controlled.

I use layer7 filters and the built-in filter to mark all p2p traffic. Because I do not block it, most clients remain in easily detectable unencrypted mode.

I then use a PCQ to limit the upload/download of p2p traffic to 128k/1mb and 20 sessions max. These limits seem to satisfy most p2p client software that they have a decent enough connection, and they don't bother finding encrypted peers etc. Of course the odd client will be forcing encrypted seeds; for these guys you will just have to throttle their entire connection until you can get them to agree to use unencrypted methods.

Be honest. Explain in your T&C that these methods are deployed to enhance everybody's experience. Add a clause to say that using covert methods to bypass your speed restriction will end up with their entire connection restricted.


Note: too low a speed will also cause p2p client software to seek other methods to connect.
 
delix
just joined
Posts: 15
Joined: Mon Aug 06, 2012 12:09 am
Location: Simferopol, Ukraine

Re: how block connection of p2p?

Tue Aug 21, 2012 8:13 pm

Hi karina!
Could you please share your settings in detail for beginners =)
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Fri Aug 24, 2012 7:55 am

@n21roadie
Does any traffic get caught?
Do the prerouting rules work?

Perhaps you can post your complete config and we can look at it :)
Also please tell us in more detail about your findings on where it is not working.

@karina
I think this topic is only about blocking and beyond the whether-to-block-or-not discussion. We all have our reasons, whether it is company/government rules or just plain simple network load.
In my case we block the traffic right now as good as 100% at the moment. But as said, this is an ongoing battle, so sooner or later we have to adapt the filter to the new conditions. If this is what has to be done then I think it's fine; this is the way they want it @my place and that's fine by me. I don't think that we should tell others whether or not they have made the wrong decision.
If you are an ISP then the customers always have the option to choose another ISP if they are not happy with the current one. In my case I'm not an ISP and I have regulations and laws to follow.

If you have a working setup that does not block but shapes in the way you describe, then create another thread so people can use your setup as well. Then we complete the different approaches. :)
And hopefully others can benefit from it as well.
 
n21roadie
Forum Guru
Posts: 1949
Joined: Fri Aug 07, 2009 10:36 pm
Location: Limerick,Ireland

Re: how block connection of p2p?

Fri Aug 24, 2012 4:17 pm

@n21roadie
Does any traffic get caught?
Do the prerouting rules work?

Perhaps you can post your complete config and we can look at it :)
Also please tell us in more detail about your findings on where it is not working.

The test setup is on a CPE using PPPoE on the wlan, and my guess is that if I could have the filter on the ether interface only it may work, so could I have advice on setting up the filter for ether? How do I check that the prerouting rules work? And as regards "Does any traffic get caught?": in testing I open a torrent which starts to download, and reboot the PC and CPE with the filter enabled, but the torrents resume downloading.
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Sun Aug 26, 2012 3:19 pm

What happens if you use the rules like I posted them?
 
powergent
just joined
Posts: 2
Joined: Mon Aug 27, 2012 9:09 pm

Re: how block connection of p2p?

Mon Aug 27, 2012 9:27 pm

@TKITFrank
Your settings are perfect for blocking P2P, but I have a problem with the Chinese program Xunlei. With your firewall it is not able to block it at all.

I am currently setting up internet for a guesthouse. Everything works fine, but when those Chinese guests open up Xunlei the internet is just dead. Our speed is 9mbps down and 1mbps up. Even though I have set a speed limit for each user of 1mbps/256k up, it still kills the internet when Xunlei starts. Is there a way to block Xunlei? Thanks in advance.
 
TKITFrank
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Tue Aug 28, 2012 9:07 am

@TKITFrank
Your settings are perfect for blocking P2P, but I have a problem with the Chinese program Xunlei. With your firewall it is not able to block it at all.

I am currently setting up internet for a guesthouse. Everything works fine, but when those Chinese guests open up Xunlei the internet is just dead. Our speed is 9mbps down and 1mbps up. Even though I have set a speed limit for each user of 1mbps/256k up, it still kills the internet when Xunlei starts. Is there a way to block Xunlei? Thanks in advance.

Hi Powergent,

I have not heard of this program but it might be possible. I'm currently at home so I can not look into it right now. But can you provide me with more detail? How does the program operate? Random ports? Encryption or not?
A Wireshark dump from when the program starts until the program starts to download would help a lot.
Then we might be able to work out how the program operates and then find a way to block it.

Regards,
Frank
 
powergent
just joined
Posts: 2
Joined: Mon Aug 27, 2012 9:09 pm

Re: how block connection of p2p?

Tue Aug 28, 2012 1:37 pm

@TKITFrank
Info about the software
Xunlei is a Chinese P2P program using HTTP ports.
The software fakes the header and signature of IE and Firefox.

There are 2 versions of Xunlei.
One is the web Xunlei; the web Xunlei downloads the file into the web, then serves the file as a php?attachment, so it allows the file to pass the ISA, then lets people download it.

The second version is the Xunlei software that is used on the computer. This version fakes the signature and header of IE and Firefox.

The homepage of this software is xunlei.com.

The ports Xunlei is using: tcp: 80, 8080, 443, 1080, 3076-3078, 5200, 6200; udp: 3076. The software randomly opens ports and fakes the header and signature of IE & Firefox.

I cannot block ports 80, 8080, 443 because these ports need to be open.

This program really sucks; it will use port 80 for download if other ports are blocked, and yes, it has encryption, that is what I found in information on the internet.
I have been trying many routers, DD-WRT, D-Link, TP-Link, DrayTek and so on; not a single one is able to stop this program :(.

My current setting is a 2-line PCC load balance which I have from this link ( http://www.youtube.com/watch?v=ECqntLlhaz8 ). Please note I am not here to advertise the link, as it is not my video, or to promote it; it is just what I followed, as I am also a beginner with MikroTik. And with your firewall :) 100% blocking torrents :P. But not Xunlei.

Thank you.
 
TKITFrank
Member Candidate
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Wed Aug 29, 2012 9:43 am

Hi Powergent,

Well, let's focus on port 80. If they fake the header there might be something they have missed, or something that we can focus on to make a filter. Can you provide us with a Wireshark sample of this? Let's say you block the other ports on a test system so it is forced to use port 80.

Port 443 makes it more difficult for us. You might not be able to block it, but a workaround is to mark a connection that uses a lot of bytes and then traffic shape it. If I'm not mistaken there is a wiki page for this. It's about throttling large HTTP downloads.

Some more thoughts: many P2P programs use a central server for the list of files or for startup. If this is the case and we can block it, that would cripple the program.

Can you try this for now, and I will see what I can find when I get back to work.
 
jasgot
just joined
Posts: 10
Joined: Tue Jun 19, 2012 6:38 am

Re: how block connection of p2p?

Sat Sep 08, 2012 6:10 am

Thank you very much for all of your effort on this code. We got a nasty gram from the Recording Industry Association of America (RIAA) yesterday and are trying to prevent all P2P. (we offer free WiFi to guests)

I have installed the scripts from this post in this thread: http://forum.mikrotik.com/viewtopic.php ... 00#p303639

Everything seemed to go in smoothly (I did find that "/ip firewall layer7-protocol" was missing from the first bit of code).

I was wondering, How do I know if it is working? Is there some place specifically to look to see the results?

If I look at Firewall Connections, I did see two p2p entries in the list, but other than the mark, they looked just like all of the other entries.

Thanks!
 
TKITFrank
Member Candidate
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Mon Sep 10, 2012 2:20 pm

Hi jasgot
Sorry to hear about that gram from them. Never nice...
The simplest thing to do is to try to download something yourself. The thing is that you will see the connections, but they will be dropped in the filter and then they will die out. The others that have no mark should be killed by this:
/ip firewall mangle
add action=add-dst-to-address-list address-list=p2p-users-ext address-list-timeout=10m chain=prerouting comment="UDP-Bittorrent blocking" disabled=no dst-address-list=!dns-externt dst-port=1024-65535 packet-size=\
    62-500 protocol=udp src-address-list=p2p-users src-port=!53
add action=add-src-to-address-list address-list=p2p-users-ext address-list-timeout=10m chain=prerouting disabled=no dst-address-list=p2p-users dst-port=1024-65535 packet-size=62-500 protocol=udp src-address-list=\
    !dns-externt src-port=!53
add action=add-dst-to-address-list address-list=p2p-users-ext address-list-timeout=10m chain=prerouting comment="TCP-Tracker blocking" connection-type=!ftp disabled=no dst-address-list=!dns-externt dst-port=\
    1024-65535 packet-size=100-500 protocol=tcp src-address-list=p2p-users src-port=1024-65535 tcp-flags=psh,ack
add action=add-src-to-address-list address-list=p2p-users-ext address-list-timeout=10m chain=prerouting connection-type=!ftp disabled=no dst-address-list=p2p-users dst-port=1024-65535 packet-size=100-500 protocol=tcp \
    src-address-list=!dns-externt src-port=1024-65535 tcp-flags=psh,ack
Try The Pirate Bay, download a popular torrent, activate encryption and so on. It should block it after a couple of seconds at most, if it is possible to connect at all; normally they will not be able to connect.
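
To make the behaviour of those four heuristic rules concrete (why a clean host that sends the same small UDP packets is not punished, why DNS is exempt, and what the 10 minute timeout does), here is an added Python model of the two-stage address-list escalation. It is example code written for this page, not code from the thread or from RouterOS, and it makes two assumptions that the posts do not spell out: the p2p-service chain that the "Common P2P-Blocking" jump lands in adds the LAN source to the list p2p-users with the same 10m timeout, and the (unshown) filter chain drops packets that the p2p/L7 matcher flagged and anything to or from p2p-users-ext. The packets are constructed.

```python
"""Model of the two-stage address-list escalation in the mangle rules above.

Added example, not code from the thread. Assumptions: (1) the p2p-service
chain adds the LAN source to "p2p-users" with a 10m timeout; (2) the filter
chain, which the thread does not show, drops p2p-matched packets and anything
to or from "p2p-users-ext". All traffic below is constructed.
"""
from dataclasses import dataclass

DNS_EXTERNT = {"8.8.8.8", "8.8.4.4"}   # constructed content of the dns-externt list
TIMEOUT = 10 * 60                      # address-list-timeout=10m, in seconds


@dataclass
class Pkt:
    t: int                 # seconds since the start of the constructed capture
    proto: str             # "udp" or "tcp"
    src: str
    dst: str
    sport: int
    dport: int
    size: int              # IP packet size, which is what packet-size= matches on
    p2p: bool = False      # assumption: True where p2p=all-p2p / layer7 would fire
    psh_ack: bool = False  # tcp-flags=psh,ack


class AddrList:
    """A dynamic RouterOS address list: each entry carries its own expiry time."""

    def __init__(self):
        self.expiry = {}

    def add(self, addr, now):
        self.expiry[addr] = now + TIMEOUT   # re-adding refreshes the timeout

    def has(self, addr, now):
        return addr in self.expiry and self.expiry[addr] > now

    def live(self, now):
        return sorted(a for a, e in self.expiry.items() if e > now)


def unprivileged(port):
    return 1024 <= port <= 65535


def mangle(pkt, users, ext):
    """prerouting mangle, in the order the rules are listed in the thread."""
    now = pkt.t
    # Stage 1, the "safe" detectors: only a positive p2p/L7 match marks a user.
    if pkt.p2p and pkt.dst not in DNS_EXTERNT:
        users.add(pkt.src, now)
    # Stage 2, the heuristics. They are deliberately narrow (no DNS, no
    # privileged ports, small packets) and only fire when one end is already a
    # known p2p-user, so a clean host generating similar traffic is untouched.
    if pkt.proto == "udp" and 62 <= pkt.size <= 500 and unprivileged(pkt.dport) and pkt.sport != 53:
        if users.has(pkt.src, now) and pkt.dst not in DNS_EXTERNT:
            ext.add(pkt.dst, now)     # UDP-Bittorrent blocking, LAN -> peer
        if users.has(pkt.dst, now) and pkt.src not in DNS_EXTERNT:
            ext.add(pkt.src, now)     # peer -> LAN
    if (pkt.proto == "tcp" and pkt.psh_ack and 100 <= pkt.size <= 500
            and unprivileged(pkt.dport) and unprivileged(pkt.sport)):
        if users.has(pkt.src, now) and pkt.dst not in DNS_EXTERNT:
            ext.add(pkt.dst, now)     # TCP-Tracker blocking, LAN -> tracker/peer
        if users.has(pkt.dst, now) and pkt.src not in DNS_EXTERNT:
            ext.add(pkt.src, now)


def dropped(pkt, ext):
    """Assumed filter policy: drop p2p-matched packets and anything to/from p2p-users-ext."""
    return pkt.p2p or ext.has(pkt.src, pkt.t) or ext.has(pkt.dst, pkt.t)


def run(packets):
    """Feed packets through mangle then filter; return both lists and per-packet verdicts."""
    users, ext = AddrList(), AddrList()
    verdicts = []
    for pkt in sorted(packets, key=lambda p: p.t):
        mangle(pkt, users, ext)
        verdicts.append("drop" if dropped(pkt, ext) else "accept")
    return users, ext, verdicts


# Constructed traffic: A runs a torrent client, B plays an online game.
A, B = "192.168.88.10", "192.168.88.20"
PEER1, PEER2, GAME = "203.0.113.7", "198.51.100.9", "192.0.2.50"
SAMPLE = [
    Pkt(0,   "udp", A, "8.8.8.8", 51000, 53, 70),            # DNS query: dst is in dns-externt
    Pkt(1,   "tcp", A, PEER1, 51001, 6881, 88, p2p=True),    # plaintext handshake, stage 1 fires
    Pkt(2,   "udp", A, PEER2, 6881, 40000, 120),             # encrypted uTP to a second peer
    Pkt(3,   "udp", "8.8.8.8", A, 53, 51000, 90),            # DNS reply: src-port 53 is excluded
    Pkt(4,   "udp", B, GAME, 50000, 27015, 120),             # same shape of traffic, clean host
    Pkt(5,   "udp", GAME, B, 27015, 50000, 200),
    Pkt(700, "udp", A, PEER2, 6881, 40000, 120),             # more than 10m later: entries expired
]

if __name__ == "__main__":
    users, ext, verdicts = run(SAMPLE)
    for pkt, v in zip(sorted(SAMPLE, key=lambda p: p.t), verdicts):
        print(f"t={pkt.t:4d} {pkt.src:>14} -> {pkt.dst:<14} {v}")
    print("p2p-users at t=10:", users.live(10), " p2p-users-ext at t=10:", ext.live(10))
```

Running it shows the point jasgot was asking about: only A, caught once by the stage 1 matcher, lands in p2p-users; the encrypted flow to PEER2 then gets PEER2 into p2p-users-ext and dropped, while B's game traffic of identical size and port range is never listed. After the 10 minute timeout both lists are empty again, so the heuristics alone do nothing until the stage 1 rule catches the host again.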
 
User avatar
NetworkPro
Forum Guru
Forum Guru
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos
Contact:

Re: how block connection of p2p?

Mon Sep 10, 2012 2:24 pm

WTF, don't let them push you around! Reply with a Net Neutrality 'gram' and put their source e-mail in the spam list.
 
jasgot
just joined
Posts: 10
Joined: Tue Jun 19, 2012 6:38 am

Re: how block connection of p2p?

Mon Sep 10, 2012 3:27 pm

Thanks Frank. Should this code go to the top of the Firewall Filters?
And if I read it correctly, it'll show the P2P user in a list for 10 minutes?
 
rmichael
Forum Veteran
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: how block connection of p2p?

Mon Sep 10, 2012 3:34 pm

Thank you very much for all of your effort on this code. We got a nasty gram from the Recording Industry Association of America (RIAA) yesterday and are trying to prevent all P2P. (we offer free WiFi to guests)

Are you responsible, as an ISP, for users actions? Which country is that?

...perhaps you're using residential internet access and RIAA thinks you're an individual...
 
jasgot
just joined
Posts: 10
Joined: Tue Jun 19, 2012 6:38 am

Re: how block connection of p2p?

Mon Sep 10, 2012 3:56 pm

RIAA sent the letter to the ISP, who in turn forwarded it to the end user, who is a business account customer offering free WiFi to guests. The account with the ISP allows the end user to offer free WiFi to the guests (but not paid access).
 
TKITFrank
Member Candidate
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Mon Sep 10, 2012 4:11 pm

Thanks Frank. Should this code go to the top of the Firefall Filters?
And if I read it correctly, it'll show the P2P user in a list for 10 minutes?
It should be a part of the mangle. But if you have configured it according to the post you should already have this :)
The rules that I have posted should be first in line, both firewall and mangle. I will update the original post.
 
rmichael
Forum Veteran
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: how block connection of p2p?

Mon Sep 10, 2012 4:15 pm

Is this some sort of new ISP and RIAA cooperation as described in this article:

"Verizon, TWC, and Comcast to Play "Copyright Cop" for the RIAA"
http://www.dailytech.com/Verizon+TWC+an ... e24244.htm

That's probably not it, since you said the letter was from RIAA and not the ISP... would you mind sharing what it was that they were threatening with (disconnection, damages etc.)?
 
jasgot
just joined
Posts: 10
Joined: Tue Jun 19, 2012 6:38 am

Re: how block connection of p2p?

Mon Sep 10, 2012 4:30 pm

I'm happy to share the letter, it doesn't really threaten anything. It's just got that "scary official" feel to it. But I'd prefer to do it in another thread as this thread is more about the filtering.
 
User avatar
NetworkPro
Forum Guru
Forum Guru
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos
Contact:

Re: how block connection of p2p?

Mon Sep 10, 2012 4:40 pm

Its a confidence trick. Don't believe them.
 
jasgot
just joined
Posts: 10
Joined: Tue Jun 19, 2012 6:38 am

Re: how block connection of p2p?

Mon Sep 10, 2012 4:45 pm

Is it possible to add any offending users to a list (like a log) that includes their IP, MAC and the time and date? Perhaps even the ports they were using?

I'd like to track this for a few days to gain further understanding.
 
TKITFrank
Member Candidate
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Mon Sep 10, 2012 4:55 pm

Have a look at the address list "p2p-users".
It is dynamic, however, but it would not be a difficult task to create a new list based on this list that has a longer timeout.
 
jasgot
just joined
Posts: 10
Joined: Tue Jun 19, 2012 6:38 am

Re: how block connection of p2p?

Mon Sep 10, 2012 5:05 pm

I guess that's where I'm missing something. I have those "add dst to address list" entries in the mangle, and I have seen a few connections that appear to be blocked, but I have not seen any sign of the address lists. Does the list disappear when it becomes empty?
 
TKITFrank
Member Candidate
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Tue Sep 11, 2012 8:45 am

Correct, it times out in 10 min.
 
kozakii
just joined
Posts: 8
Joined: Thu Jul 19, 2012 4:54 pm

Re: how block connection of p2p?

Sat Sep 15, 2012 9:35 pm

/ip firewall layer7-protocol
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:.d2:id20:|\\x08'7P\\)[RP]"
When I try to add this in L7 it gives me an error like:

couldn't add new l7 protocol, bad regexp unmatched()(6)

I was getting the same error on 5.20. I had to remove the last ) before [RP] to get it to work. Anyone know the implications of that?
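
The "unmatched ()" error and the cost of the paren-removal workaround can be reproduced offline. The following is an added Python example written for this page, not code from the thread or from RouterOS. It takes the regexp= value exactly as it is printed in the export above and assumes that the export uses RouterOS double-quoted string escaping (a doubled backslash is one literal backslash, `\$` and `\?` are a literal `$` and `?`), which the CLI undoes before the pattern reaches the regex engine but which a raw paste into a GUI regexp field does not; Python's `re` stands in for the L7 engine (both match case-insensitively), and the payloads are constructed.

```python
"""Why the BITTORRENT layer7 pattern above fails with "unmatched ()" and what
deleting the ")" before [RP] costs.

Added example, not from the thread. Assumption: the export string uses
RouterOS double-quoted escaping (\\\\ -> \\, \\$ -> $, \\? -> ?), which the CLI
strips and a raw paste into a GUI field does not. Payloads are constructed.
"""
import re

# The regexp= value exactly as printed in the export above (raw string, no extra escaping).
EXPORTED = (r"^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=|"
            r"get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|"
            r"d1:.d2:id20:|\\x08'7P\\)[RP]")

# The same string after the ")" before [RP] is deleted, as in the workaround.
EXPORTED_NO_PAREN = EXPORTED.replace(r"\\)[RP]", r"\\[RP]")


def routeros_unescape(s):
    """Undo the RouterOS double-quoted-string escapes used in this export:
    a backslash followed by any character yields that character."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def compile_l7(pattern):
    """Compile as a byte regex (L7 matches raw payload). Returns None if the pattern is invalid."""
    try:
        return re.compile(pattern.encode("latin-1"), re.IGNORECASE)
    except re.error:
        return None


def matches(pattern, payload):
    rx = compile_l7(pattern)
    return rx is not None and rx.search(payload) is not None


# Constructed first-packet payloads.
HANDSHAKE = b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + b"-TR2840-" + bytes(12)
TRACKER_GET = b"GET /announce?info_hash=%AA%BB&peer_id=x HTTP/1.1\r\nHost: tracker.example\r\n\r\n"
DHT_PING = b"d1:ad2:id20:" + bytes(20) + b"e1:q4:ping1:t2:aa1:y1:qe"
PLAIN_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

CLI_PATTERN = routeros_unescape(EXPORTED)   # what the CLI hands to the regex engine

if __name__ == "__main__":
    print("raw paste compiles:     ", compile_l7(EXPORTED) is not None)
    print("raw paste minus ')':    ", compile_l7(EXPORTED_NO_PAREN) is not None)
    print("CLI-unescaped compiles: ", compile_l7(CLI_PATTERN) is not None)
    for name, payload in [("handshake", HANDSHAKE), ("tracker", TRACKER_GET),
                          ("dht", DHT_PING), ("plain http", PLAIN_HTTP)]:
        print(f"{name:11} CLI={matches(CLI_PATTERN, payload)!s:5} "
              f"no-paren={matches(EXPORTED_NO_PAREN, payload)!s:5}")
```

Fed in raw, `\\)` is read as a literal backslash followed by an unmatched `)`, which is exactly the error reported. Deleting the `)` makes the string compile, but the rest of the escaping is still doubled: the handshake alternative now demands a literal backslash before `x13`, and the tracker alternatives a literal backslash before `?`, so neither the peer handshake nor the announce GET matches any more; only the DHT alternative (`d1:.d2:id20:`), which had no escapes, still works. Pasting the export into the CLI, or typing the unescaped pattern into the GUI, matches all three.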
 
vpritiskovic
just joined
Posts: 10
Joined: Fri Oct 05, 2012 2:53 pm

Re: how block connection of p2p?

Fri Oct 05, 2012 3:03 pm

@TKITFrank

Hi, can you please export the settings for blocking the P2P traffic and post them here?
- under the relevant menu: 'export compact file=myrules'

Tnx in advance.
 
TKITFrank
Member Candidate
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Mon Oct 08, 2012 12:24 pm

See post
http://forum.mikrotik.com/viewtopic.php ... 00#p303639
 
ILLEAGLE
just joined
Posts: 9
Joined: Wed Jul 18, 2012 7:01 am

Re: how block connection of p2p?

Fri Oct 19, 2012 10:38 pm

First I want to say thanks in advance for your work on this.

I am fairly new to MT. I have an RB750UP set up for a wireless network for an apartment building with about 150 users. I am trying to block P2P so we don't get any nasty grams.
I can create a script and "run" all of your code, but there is the one part you talked about, adding my DNS and other networks.
What exactly do I have to do there?
I use Google DNS servers, so 8.8.8.8 and 8.8.4.4 are the DNS servers I am using. Do I have to add those in?
 
TKITFrank
Member Candidate
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Tue Oct 23, 2012 8:04 am

Do you use the built-in DNS server to forward requests?
 
gnuttisch
Member
Member
Posts: 308
Joined: Fri Sep 10, 2010 3:49 pm

Re: how block connection of p2p?

Tue Oct 23, 2012 4:44 pm

Hi

How do I add all this to my router? By script? It's a lot of code =)

Since the code has been rewritten and some has been quoted, where can I find the most up-to-date code?
 
TKITFrank
Member Candidate
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Wed Oct 24, 2012 7:23 am

Hi, the code in this post is exported and should be okay to import. Read the post and adapt it to your settings.
http://forum.mikrotik.com/viewtopic.php ... 00#p303639
 
ILLEAGLE
just joined
Posts: 9
Joined: Wed Jul 18, 2012 7:01 am

Re: how block connection of p2p?

Fri Oct 26, 2012 7:47 am

Do you use the built-in DNS server to forward requests?
I use Google DNS servers:
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 servers=\
    8.8.8.8,8.8.4.4
 
TKITFrank
Member Candidate
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Fri Oct 26, 2012 7:51 am

Then add them here.
/ip firewall address-list
add address=xxx.xxx.xxx.xxx comment=DNS-servers disabled=no list=dns-externt
add address=xxx.xxx.xxx.xxx disabled=no list=dns-externt
 
vpritiskovic
just joined
Posts: 10
Joined: Fri Oct 05, 2012 2:53 pm

Re: how block connection of p2p?

Thu Dec 06, 2012 7:50 pm

@TKITFrank

Hi again!
I have imported your settings, but I am using the MikroTik hotspot system, so is this correct?
Or should I apply your rules to the hs-input chain?


Another thing:

In my Transmission client I see 'Could not connect to tracker' for all trackers (OK!); only
http://tracker.theprateby.org/announce has responded (error 404)???
Does that mean the connection has been made and got a response???

Please help!

 
TKITFrank
Member Candidate
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Fri Dec 07, 2012 2:52 pm

@vpritiskovic

Hi,

Looks fine. If I'm not mistaken the tracker at The Pirate Bay is not used any more, so I guess that this is why it will not get tagged by the rules. I think they use magnet links.

Try some more times but I guess that it is working. Let me know if not :)
 
dboillot
Member Candidate
Member Candidate
Posts: 124
Joined: Thu May 06, 2010 12:04 am

Re: how block connection of p2p?

Tue Jan 08, 2013 7:47 pm

Hello, I've been testing with this and so far I really like how it's working. My question is, and I've read through most of the posts and I'm still unsure on this one thing: how restrictive is this (the rules by TKITFrank)? I'm only interested in blocking torrents, as we've been a wireless ISP for over 2 3/4 years and we just received our first copyright complaint (from some Girls Gone Wild lawyer, in email form) wanting us to pay 200 in damages ((is that even legal? I mean, I thought a real cease and desist had to be sent via registered mail/served or something)).
 
TKITFrank
Member Candidate
Member Candidate
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: how block connection of p2p?

Wed Jan 09, 2013 7:36 am

Hi dboillot,

I block more than just BitTorrent, but just adjust the following in the mangle rules:

add action=jump chain=prerouting comment="Common P2P-Blocking" disabled=no dst-address-list=!dns-externt jump-target=p2p-service p2p=bit-torrent
add action=jump chain=prerouting comment="" disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=BITTORRENT

Remove:
add action=jump chain=prerouting comment="" disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=DIRECTCONNECT
add action=jump chain=prerouting comment="" disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=GNUTELLA
 
dboillot
Member Candidate
Member Candidate
Posts: 124
Joined: Thu May 06, 2010 12:04 am

Re: how block connection of p2p?

Wed Jan 09, 2013 4:38 pm

Thanks for the reply!
The more I think about it, the more I may want to leave all P2P blocked, especially software like FrostWire, which, if I'm not mistaken, uses Gnutella. What types of P2P fall under Direct Connect?

And is there an easy way to convert this to a transparent filter (not sure that's the right term)? I'd like to test this on a separate RouterBOARD placed between my clients and my core router, without assigning it any IP addresses if possible, to get a feel for how it's going to affect my core router's performance, as I currently have 1 layer7 filter on my core router and it wreaks havoc on my RB1100x2's CPU(s) (uses 100% of the CPU, making everything on the router very slow), and seeing how this one has 4, I'm a little worried.
 
User avatar
mves
Frequent Visitor
Frequent Visitor
Posts: 91
Joined: Tue Jan 11, 2011 8:15 pm
Location: Serbia

Re: how block connection of p2p?

Mon Jun 17, 2013 11:42 am

Why use it on the core router? You do not have users attached to the core router, right? If you do, match those rules only on the interfaces with users. Otherwise, use it only on routers with users and only on interfaces with users, not on links and not on global bandwidth. You will cut CPU usage in that case.
 
sontrava
newbie
Posts: 35
Joined: Thu Apr 25, 2013 1:49 pm

Re: how block connection of p2p?

Tue Jun 18, 2013 8:06 pm

How to block torrents 100%? Only 2 lines. It is solved.
http://forum.mikrotik.com/viewtopic.php?f=2&t=73462
 
levak
Frequent Visitor
Frequent Visitor
Posts: 76
Joined: Thu Feb 21, 2013 8:47 pm
Contact:

Re: how block connection of p2p?

Thu Apr 03, 2014 11:30 pm

Aren't those 2 lines included in TKITFrank's solution as well? At least the DHT and announce L7 filters are included.

Where you drop the connection right away, TKITFrank's idea is to put hosts into an address list and block that. That way we can see clients trying to download torrents and send them a notice :P

Matej
 
servaris
Frequent Visitor
Frequent Visitor
Posts: 67
Joined: Tue May 20, 2014 4:30 pm
Location: Planet Earth
Contact:

Re: how block connection of p2p?

Wed Jan 28, 2015 3:47 pm

Actually, I was looking for a way to limit P2P (torrents et al.) via a queue, but thought a good test would be to see if it can be blocked, period.

Chupaka wrote:
add to firewall rules:
 chain=forward action=drop p2p=all-p2p log=no log-prefix=""
Then I added http://releases.ubuntu.com/14.04.1/ubun ... so.torrent to Transmission in Ubuntu and it downloaded without any problem.
 
freemannnn
Forum Veteran
Forum Veteran
Posts: 700
Joined: Sun Oct 13, 2013 7:29 pm

Re: how block connection of p2p?

Sun Mar 29, 2015 4:52 pm

My router IP is 192.168.88.1. Is it normal that it appears in the address list "p2p-users-ext"???
 
freemannnn
Forum Veteran
Forum Veteran
Posts: 700
Joined: Sun Oct 13, 2013 7:29 pm

Re: how block connection of p2p?

Tue May 05, 2015 1:28 pm

Can someone help me set up dns-externt and local-addr?
My external DNS ("ip-dns") is 212.205.212.205
My settings in the "dhcp-network" tab are:
network 192.168.88.0/24
gateway 192.168.88.1
dns 192.168.88.1
 
esantiago
just joined
Posts: 5
Joined: Wed Nov 06, 2013 9:40 pm

Re: how block connection of p2p?

Sun Nov 29, 2015 10:06 pm

TKITFrank said:
Please note that this also opens up for just not blocking but also for marking packets to allow you to trafficshape encrypted torrent traffic.
I have not tried it but it should with some modifications work.
Any ideas/pointers on how to do this? I would like not to block p2p traffic completely but to give it lower priority and, if possible, traffic shape the encrypted traffic.
 
User avatar
lapsio
Long time Member
Long time Member
Posts: 527
Joined: Wed Feb 24, 2016 5:19 pm

Re: how block connection of p2p?

Tue Oct 18, 2016 10:18 pm

I tried to combine rules mentioned here with some others I found around the internet as follows:
/ip firewall filter
add action=jump chain=to-wan comment=fishy jump-target=fishy
add action=drop chain=fishy connection-mark=p2p
add action=drop chain=fishy p2p=all-p2p
add action=drop chain=fishy layer7-protocol=torrentsites
add action=drop chain=fishy dst-port=53 layer7-protocol=torrentsites protocol=udp
add action=drop chain=fishy content=d1:ad2:id20: dst-port=1025-65535 packet-size=95-190 protocol=udp
add action=drop chain=fishy content="info_hash=" dst-port=2710,80 protocol=tcp
add action=drop chain=fishy content="\r\nContent-Type: application/x-bittorrent" protocol=tcp src-port=80
add action=drop chain=fishy content="\r\nInfohash:" dst-port=6771 protocol=udp
add action=drop chain=fishy content="\r\n\r\nd8:announce" protocol=tcp src-port=80
add action=drop chain=fishy layer7-protocol=torrent
add action=drop chain=fishy layer7-protocol=torrent-announce
add action=drop chain=fishy layer7-protocol=direct
add action=drop chain=fishy layer7-protocol=gnutella
add action=drop chain=fishy dst-port=!443 layer7-protocol=https protocol=tcp
add action=return chain=fishy
but they totally don't work. I downloaded the Ubuntu .torrent file, then just launched it and it downloaded the whole torrent. I noticed some packets got dropped by the L7=torrent rule and all-p2p, but nothing else happened. The torrent L7 is equal to BITTORRENT, direct is DIRECT and gnutella is GNUTELLA. torrent-announce is a regexp I found somewhere for announces.
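Since several posts above ask what these rules actually catch and why a modern client still downloads, here is an added Python harness (written for this page, not from any poster in the thread and not RouterOS code) that re-implements the content= and layer7 matches from the rules quoted here and runs them over constructed sample packets: a plain-HTTP tracker announce, a .torrent download, DHT ping/find_node/get_peers queries, an LSD multicast, an MSE-encrypted peer handshake and an ordinary web request. It assumes that RouterOS packet-size counts the IPv4 and UDP headers (28 bytes on top of the payload) and that layer7 regexps are case-insensitive and applied to the first couple of KB of a connection; the KRPC encoder, node IDs and all sample payloads are constructed for the demo.

```python
import re
from dataclasses import dataclass

# Constructed test harness for the firewall signatures quoted in this thread.
# It is NOT RouterOS code and not from any poster; it re-implements each
# content/layer7 match in Python so you can see what it catches and misses.

# ASSUMPTION: RouterOS packet-size is the full IPv4 packet length, so a UDP
# payload of N bytes counts as N + 20 (IPv4 header) + 8 (UDP header).
IP_UDP_HEADERS = 28

# ASSUMPTION: layer7 patterns are case-insensitive and only applied to the
# first couple of KB of a connection, so "^get" matches "GET /announce...".
L7_WINDOW = 2048
ANNOUNCE_RE = re.compile(rb"^get.+announce\?info", re.IGNORECASE)


@dataclass
class Packet:
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int
    payload: bytes

    @property
    def packet_size(self) -> int:
        return len(self.payload) + IP_UDP_HEADERS


def match_rules(p: Packet) -> list[str]:
    """Names of the 'fishy' content rules (plus the announce regexp) that one packet triggers."""
    hits = []
    if p.proto == "tcp" and ANNOUNCE_RE.search(p.payload[:L7_WINDOW]):
        hits.append("torrent-announce")
    if (p.proto == "udp" and 1025 <= p.dst_port <= 65535
            and 95 <= p.packet_size <= 190 and b"d1:ad2:id20:" in p.payload):
        hits.append("dht")
    if p.proto == "tcp" and p.dst_port in (80, 2710) and b"info_hash=" in p.payload:
        hits.append("info_hash")
    if p.proto == "tcp" and p.src_port == 80 and b"\r\nContent-Type: application/x-bittorrent" in p.payload:
        hits.append("x-bittorrent")
    if p.proto == "udp" and p.dst_port == 6771 and b"\r\nInfohash:" in p.payload:
        hits.append("lsd")
    if p.proto == "tcp" and p.src_port == 80 and b"\r\n\r\nd8:announce" in p.payload:
        hits.append("torrent-file")
    return hits


def dht_query(method: bytes, args: dict) -> bytes:
    """Bencode a KRPC query the way a DHT client sends it: d1:ad2:id20:<id>...e1:q<method>1:t2:aa1:y1:qe"""
    node_id = b"\x01" * 20                      # constructed node ID
    body = b"2:id20:" + node_id
    for key, value in sorted(args.items()):     # bencode dict keys are sorted
        body += b"%d:%s%d:%s" % (len(key), key, len(value), value)
    return b"d1:ad" + body + b"e1:q%d:%s1:t2:aa1:y1:qe" % (len(method), method)


# Constructed sample traffic (ports and hostnames are made up).
SAMPLES = {
    "tracker announce (plain HTTP)": Packet("tcp", 51000, 80,
        b"GET /announce?info_hash=%AB%CD&peer_id=-TR2840-abcdefghijkl&port=51413 HTTP/1.1\r\n"
        b"Host: tracker.example\r\n\r\n"),
    "torrent file download": Packet("tcp", 80, 51001,
        b"HTTP/1.1 200 OK\r\nContent-Type: application/x-bittorrent\r\n\r\n"
        b"d8:announce31:http://tracker.example/announce4:infod6:lengthi1024ee"),
    "dht ping": Packet("udp", 6881, 6881, dht_query(b"ping", {})),
    "dht find_node": Packet("udp", 6881, 6881, dht_query(b"find_node", {b"target": b"\x02" * 20})),
    "dht get_peers": Packet("udp", 6881, 6881, dht_query(b"get_peers", {b"info_hash": b"\x03" * 20})),
    "local service discovery": Packet("udp", 6771, 6771,
        b"BT-SEARCH * HTTP/1.1\r\nHost: 239.192.152.143:6771\r\nPort: 6881\r\n"
        b"Infohash: " + b"ab" * 20 + b"\r\n\r\n"),
    # MSE/PE handshake looks like random bytes: no ASCII signature anywhere.
    "encrypted peer connection (MSE)": Packet("tcp", 51002, 6881, bytes(range(7, 200))),
    "ordinary web page": Packet("tcp", 51003, 80,
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
}


def classify_all(samples=None) -> dict:
    """Map each sample name to the list of rules it fires."""
    samples = SAMPLES if samples is None else samples
    return {name: match_rules(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hits in classify_all().items():
        print(f"{name:35} -> {hits or 'no rule fires'}")
```

Running it makes the gaps visible: only the plaintext tracker announce, the unencrypted .torrent download, the LSD multicast and two of the three DHT queries fire anything; the MSE-encrypted peer stream and the ordinary web request hit nothing, which is the path an encrypted client takes. The DHT rule's 95-190 byte window covers find_node and get_peers (120 and 123 bytes with headers under the assumption above) but not the 84-byte ping, so a client that only pings will not show up in that counter either.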