how block connection of p2p?

adrianatkins · Thu Sep 02, 2010 1:23 am

There is no 'answer' to P2P.

You might as well say "i want to block Internet".

The *only* solution is to control the user's bandwidth.

If they use it all up with their P2P, maybe their Skype calls will be flaky.
They learn quick.

When people buy "Internet", they expect it *all* to work.

If you sell an Email, Website (no videos) and maybe Skype service, it is very important that you sell it like that: Don't just call it "Internet", because that includes things like P2P and Streaming TV.

TKITFrank · Thu Sep 02, 2010 3:39 pm

Hi,

Trying to block p2p is really a waste of time. Best thing it prioritize traffic this way you can throttle any traffic you don't want through.

There is no 'answer' to P2P.

You might as well say "i want to block Internet".

The *only* solution is to control the user's bandwidth.

If they use it all up with their P2P, maybe their Skype calls will be flaky.
They learn quick.

When people buy "Internet", they expect it *all* to work.

If you sell an Email, Website (no videos) and maybe Skype service, it is very important that you sell it like that: Don't just call it "Internet", because that includes things like P2P and Streaming TV.

I would say that depends on what company you are working for. If it is a ISP that is true and I agree completely but if you deploy this in a company network or government where there is a policy to block it, it's a whole other matter.

To this date I don't know any way to trafficshape encrypted p2p in ROS only to block it. If you need to trafficshape it there are other products that you can buy that can fit in you Mikrotik network environment

To MikroTik Staff, If you can implement or figure out a way to let ROS detect encrypted p2p traffic in the future this would be great!
I know others have done this and I have no doubts that you can do this as well. Keep up the good work!

heviejob · Fri Sep 03, 2010 10:14 pm

I came to learn that customers will always complain even when its their fault. I have some who keep seeding torrents through out exhausting their uplink and they complain the connection is bad. If I block it they complain now am thinking of setting up a torrent server for my users where they queue torrents and fetch them from it (at a small fee) am not sure if it is wise.

fewi · Fri Sep 03, 2010 10:23 pm

That is decidedly unwise unless you plan on going through every torrent queued and research whether or not it involves a copyright violation.

heviejob · Fri Sep 03, 2010 11:08 pm

Well from this part of the world am in copyright laws are non existent so not a big worry for me. By the way can squid block torrents o\if i force transparent proxy?

Mon Sep 06, 2010 4:07 pm

It's possible to make a system very strict, but very unusable for customers. You can always redirect port 80 requests to the transparent proxy and block everything else with the firewall, but your customers might find it extreme. It depends on what kind of service you are providing. Maybe this suits you.

adrianatkins · Sat Sep 11, 2010 11:42 pm

Like i said earlier before Normis (blessed be his Name) correctly banned me temporarily :-

You Cannot Block P2P.

MT's 'all p2p' option is based on the ancient and umaintained ipp2p filter. It doesn't block all P2P - it can only match P2P traffic that it knows about.

Layer7 is brilliant. You can match loads.
But still, it cannot match any encrypyted P2P.
If it could, then it would have to crack SSL, and Internet Banking would be stopped.

The only way to control P2P is to control the User's usage effectively.

What's next ? Streaming TV on 6000 channels ?

IMHO there is simply no other way other than to Sell what you can Deliver (basically don't lie), and Control the Bandwidth for each user.

fewi · Sat Sep 11, 2010 11:54 pm

http://www.cse.chalmers.se/~johnwolf/pu ... eaking.pdf
Interesting read on protocol obfuscation and how to match obfuscated and encrypted protocols. Not something you'd do without and ASIC to recognize peer to peer, but still interesting.

adrianatkins · Sun Sep 12, 2010 12:39 am

Page seems to have gone. I guess the CIA or NSA got there quicker.

My real point is that by even *trying* to target P2P protocols, which ipp2p and L7 did, you simply force the P2P people into other Open methods like SSL.

Any New P2P programmer will (i would) say fukit: use SSL, cos then they will find it that much harder to stop it.

(Personally i'd go totally sideways, but then my left leg is shorter than my right.)

To Control stuff, you need to control all the stuff.

greek · Thu Nov 04, 2010 11:53 pm

I am sorry for my bad english.

I have one thing about additional detection bittorrent traffic.

Torrent-programs use one port for incoming connection. Part of this connection is detects by default p2p-rule of Mikrotik. (But big part not detect

)

I suggest to remember the port with connections which were detected by default p2p-rule. And shape or block all connections for this port for a while.

But how to make this script I do not know.

adrianatkins · Fri Nov 05, 2010 10:21 pm

Nothing can really stop all P2P traffic, because we have to allow some traffic, and the P2P guys are really quite clever.

If you really want to kill all P2P, you would have to :-

1. Block All traffic being forwarded thru your router.
2. Proxy DNS on the router
3. Allow port 80 connections and 433 maybe to websites you Allow (e.g. google)
4. Allow port 110
5. allow port 25 (maybe).

Not much would work properly (like clicking on a google link for example) but you would stop P2P altogether.

Probably.

greek · Sat Nov 06, 2010 1:40 am

Admins have 2 targets for p2p traffic:

1. Blocking
2. Shaping

And that targets has principial differents.

Your way is good for blocking traffic.

But it can be considered as a special case of the marking of traffic.

NetworkPro · Sat Nov 06, 2010 1:55 am

Even if you have blocking it would be a good practice to have shaping in case something gets through.

mves · Tue Jan 11, 2011 8:23 pm

Can someone make an update of blocking rules?

L7 filter
/ip firewall layer7-protocol
add comment="" name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"

I guess that this does not work quite well anymore

mves · Tue Jan 11, 2011 9:38 pm

Hi,

Just tired the new version and it is still blocked phuuuu

Well... can you do a little update on this?

TKITFrank · Fri Jan 14, 2011 8:18 am

I will check on Monday.
Have you seen traffic not being blocked?

mves · Sat Jan 15, 2011 1:26 am

I will check on Monday.
Have you seen traffic not being blocked?

Yes... so I combined a rules with port blocking. Catch is that I had to modify a bit of that since torrent sites must not be blocked and torrent usage is time limited to night and I really have no idea wth have I changed

Plus, I had to strip |d1:ad2:id20:|\\x08'7P\\)[RP] part because it blocked internet completely for some reason.
So generally, it's working to a point and I'm still in a learning mode.

TKITFrank · Mon Jan 17, 2011 9:35 am

Hi,

I have tried with utorrent 2.2 using the 2 first top100 torrent on thepiratebay.org but it is still blocked.
Have you done all the dns blocking and L7 blocking?

mves · Mon Jan 17, 2011 4:54 pm

Hi,

I have tried with utorrent 2.2 using the 2 first top100 torrent on thepiratebay.org but it is still blocked.
Have you done all the dns blocking and L7 blocking?

No, DNS is a problem since it is allowed for customers to use other DNS and torrent sites must not be blocked at all so... no DNS value added since /ip dns static add name=".*\$^\\|\\.\$utorrent\\.com" address=127.0.0.1 blocking all traffic from utorrent site, right? So I need more flexible rules that will allow torrent sites since torrents can be used from midnight.

Problem is probably with a magnetic links because there is no hits on BITTORENT and/or BITTORENT_ANNOUNCE rule on some users (only bad boys got special treatment). In most cases blocking single ports works but some bad boys have gone step further and started to rotate ports every 30 minutes.

So, this is active

L7 filter
/ip firewall layer7-protocol
add comment="" name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)"
add comment="" name=BITTORRENT_ANNOUNCE regexp=^get.+announce.

Torrent traffic goes through from tcp 1000-5000 and tcp/udp 50000-65500. In addition with that rules I simply added blocking:
all-p2p filter,
udp/tcp 6881-6999 dest,
and on some torrent users:
src tcp 1000-5000 dst 10000-65500
src tcp/udp 50000-65500 dst 10000-65500 depends of traffic goes through. On hardcore bad boys there is
src tcp/udp 10000-65500 dst 10000-65500.

Connections lower than 10000 goes through but there are few of them. And really sad part is that I can't test that rules on myself so I just seat back and watch the numbers goes through

Any suggestions?

TKITFrank · Mon Jan 17, 2011 6:38 pm

Hi,

Use the DNS entries below...
IMPORTANT!
If you don't use the dns there is no way to block magnetic links and so on.

Try this and I am sure it will work.
And a tip... skip all form of port blocking since they change port all the time. It just consumes resources and this config is resource demanding as it is i am afraid...

The DNS, L7 and p2p-all function is all you need at the moment at least.

p.s If you want some torrent sites to bypass then check those IP's and create a address list and add as a exclusion in the filter rules under mangle. d.s

Here is the config
DNS
/ip dns static
add address=127.0.0.1 disabled=no name=router.utorrent.com ttl=1d
add address=127.0.0.1 disabled=no name=dht.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vrpc.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzrpx020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzapp020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=client.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=mirror-user1.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=ip.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=jp.bitcomet.com ttl=1d
add address=127.0.0.1 disabled=no name=torrent-cache.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=inside.bitcomet.com ttl=1d
add address=127.0.0.2 disabled=no name=router.bitcomet.net ttl=1d

L7 filter
/ip firewall layer7-protocol
add comment="" name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add comment="" name=BITTORRENT_ANNOUNCE regexp=^get.+announce.

I use the L7 in the mangel rules combined with the normal Mikrotik p2p detection and add mark them as p2p and then I have a filter that blocks it.

This disables the normal tracker and the DHT and peer exchange.

Please try it and if you can find any way to get around it please let me know

p.s
You will have to disable DNS query's outbound and only allow the DNS server in the Mikrotik.
d.s

mves · Sun Jan 23, 2011 7:43 pm

Hi

I've been a bit busy lately. That's not what I need or can apply... I'm trying to do a little changes so it's in a testing faze and preliminary results are promising. So far, so good

TKITFrank · Sun Jan 23, 2011 8:06 pm

Hi,

No worries I know all about it

Okay why can you not use it? Can you be more specific? And if you have found another way to get the same results?

From what I can tell those DNS entries will not harm o disturb anything else then the creation of new torrent sessions. You will still be able to surf to the normal sites (Torrent sites).

mves · Tue Jan 25, 2011 8:15 am

Hi...
One router was constantly locking while that was active and another had tendencies to block everything while that was on so it's decided to get that entries out and to find another solution. Was that because of that, no one want's to try that again. Plus torrents are allowed to be used from midnight to 9:00 and connections remain active for some time after rules turned on and I came up with this.

So, it goes...
L7 filter
/ip firewall layer7-protocol
add comment="" name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add comment="" name=BITTORRENT_ANNOUNCE regexp=^get.+announce.

firewall (it's from winbox)
#1 (Log) src 192.168.xx.2-192.168.xx.250 on (L7) BITTORENT, action add src to address list "Torrent" 1:30 timeout and time limited 9:00 - 23:59
(You can place global logging but it will log everything, incoming, outgoing and traffic from other links so log would be almost useless)
#2 Drop dst 192.168.xx.2-192.168.xx.250 (*) on (L7) BITTORENT, time limited 9:00 - 23:59
(*) only because of testing and other links and xx means for example 11... it should be global block
#3 (Log) 192.168.xx.2-192.168.xx.250 on (L7) BITTORENT_ANNOUNCE, action add src to address list "Torrent Announce" 1:30 timeout and time limited 9:00 - 23:59
#4 Drop connections on (L7) BITTORENT_ANNOUNCE, time limited 9:00 - 23:59

And this is modification...
#5 (Log) udp src 192.168.xx.2-192.168.xx.250 dst ports 6881-6999, action add src to address list "Torrent udp" 1:30 timeout, time limited 09:05-23:55
#6 block udp dst ports 6881-6999, time limited 09:00 - 23:59
#7 (Log) tcp src 192.168.xx.2-192.168.xx.250 dst ports 6881-6999, action add src to address list "Torrent tcp" 1:30 timeout, time limited 09:05-23:55
#8 block tcp dst ports 6881-6999, time limited 09:00 - 23:59

And whatever remains active after 9:00, it will go on this. Best part is, only those logged goes through this and it's not block to everyone. Next goes...

#9 drop all-p2p ( I might also add logging on p2p-all and run logged through next 3 rules also)
#10 drop udp src 10000-65500, dst 10000-65500, address list "Torrent", time limited 09:00-23:59
Same for Torrent Announce, Torrent udp and Torrent tcp address lists
#11 drop tcp src 10000-65500, dst 10000-65500, address list "Torrent", time limited 09:00-23:59
Same for Torrent Announce, Torrent udp and Torrent tcp address lists
#12 drop tcp src 1000-5000, dst 10000-65500, address list "Torrent", time limited 09:00-23:59
Same for Torrent Announce and Torrent tcp address lists. No need for torrent udp on this one

Also, it would be a good idea to place before all of this
accept udp/tcp src 27000-27050,28960 dst 27000-27050,28960 for cod and cs

You can also add drop tcp dst 6346-6347 for gnutella.

So, whatever got through is not that big problem. Who ever is smart enough to get around this is hopefully smart enough not to open million connections to get easily detected. With this I can also catch the ones with encrypted tracker because it will eventually trigger one of these rules. If not, there's always good ol' boring port blocking but so far i didn't had to do that where ever is that active. Also, I've got a list of troublemakers this way. And just to mention... I'm a total beginner on this

mwarren77 · Tue Jan 25, 2011 3:48 pm

Be careful in blocking services as the new Net Neutrality bill was released in December which states we are not allowed to block services and have to allow a reasonable speed.. I disagree with it totally but not all torrent and peer-to-peer is illegal.

mves · Tue Jan 25, 2011 6:59 pm

Be careful in blocking services as the new Net Neutrality bill was released in December which states we are not allowed to block services and have to allow a reasonable speed.. I disagree with it totally but not all torrent and peer-to-peer is illegal.

As far as I know, Germany for example banned p2p completely. P2P on my network is blocked over the day because of the quality of the internet and other services of the other users. So torrents Vs online gaming... Who'll kill who? It's not about piracy at all. It's simply technical and nature of P2P clients and we would all like that there is no need for that. And, almost every user have it's own public IP so there are no problems with download from megaupload, rapidshare, fileserve and other file servers. And, to allow that many users suffer because of few irresponsible that simply want to get some porn movie from p2p? For other example, wow uses p2p for update. It's not forbidden to do that or to download anything else from p2p... only do that over the night so it won't affect other users.

Wed Jan 26, 2011 9:14 am

Why would it affect other users if you have normal QoS set up? If one guy has 1Mbit, let him use it however he wants, even if it's all 1Mbit with P2P other users will not be affected.

TKITFrank · Wed Jan 26, 2011 10:27 am

mves,

How about using the setup I said and create a script that enables static dns and so on at the mornings and then deactivates them things at night?

mves · Wed Jan 26, 2011 3:15 pm

Hi...
TKITFrank, well, I might try that on a test zone... Can you give me a winbox guidance how to set that script correctly?

But last time that setup did some trouble however.

@normis... we don't talk here about 2 or 3 users. It's a wide spread network. But, please tell me your idea and how to set that. It might be applied in a future period

Wed Jan 26, 2011 3:16 pm

http://www.tiktube.com/index.php?video=247
http://mum.mikrotik.com/presentations/U ... is_qos.pdf

semihgeek · Wed Jan 26, 2011 4:29 pm

Hey
So the latest configuration is

/ip dns static
add address=127.0.0.1 disabled=no name=router.utorrent.com ttl=1d
add address=127.0.0.1 disabled=no name=dht.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vrpc.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzrpx020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzapp020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=client.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=mirror-user1.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=ip.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=jp.bitcomet.com ttl=1d
add address=127.0.0.1 disabled=no name=torrent-cache.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=inside.bitcomet.com ttl=1d
add address=127.0.0.2 disabled=no name=router.bitcomet.net ttl=1d

L7 filter
/ip firewall layer7-protocol
add comment="" name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add comment="" name=BITTORRENT_ANNOUNCE regexp=^get.+announce.

Am I RIGHT?

mves · Wed Jan 26, 2011 7:02 pm

http://www.tiktube.com/index.php?video=247
http://mum.mikrotik.com/presentations/U ... is_qos.pdf

So, in my case, priority 1 should have online gaming (cod, cs, wow...) and voip, http and https priority 2, download priority 4 and the rest (p2p) priority 8 ?

And, in case that p2p be allowed during a day with qos setting... what will prevent p2p user to set his client to try to open 100 or more connections? I am a bit a beginner but we were all learned that p2p is a killer of 2.4 ghz wifi and so far it was quite true.

prince90s · Wed Jan 26, 2011 7:19 pm

/ip firewall mangle 
add protocol=tcp dst-port=80 connection-bytes=500000-0 connection-rate=70000-10000000 
    action=mark-connection new-connection- mark=dowm_conn
add chain=prerouting content=.7z action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.avi action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.exe action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.f4v action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.flv action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.iso action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mov action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mp3 action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mp4 action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mpg action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.pdf action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.rar action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.rmvb action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.rm action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.wav action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.wma action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.zip action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.3gp action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting protocol=tcp src-port=21 action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="FTP" disabled=no 
add chain=prerouting protocol=tcp src-port=22 packet-size=1400-1500 \
    action=mark-connection new-connection-mark=dowm_conn passthrough=yes \
    comment="SFTP" disabled=no

semihgeek · Wed Jan 26, 2011 7:21 pm

http://www.tiktube.com/index.php?video=247
http://mum.mikrotik.com/presentations/U ... is_qos.pdf
So, in my case, priority 1 should have online gaming (cod, cs, wow...) and voip, http and https priority 2, download priority 4 and the rest (p2p) priority 8 ?

And, in case that p2p be allowed during a day with qos setting... what will prevent p2p user to set his client to try to open 100 or more connections? I am a bit a beginner but we were all learned that p2p is a killer of 2.4 ghz wifi and so far it was quite true.

yes you're right. some torrent programs are working on port 80.Like Xunlei Thunder.It can not be blocked.
If you can not block limit that.

mves · Wed Jan 26, 2011 8:03 pm

http://www.tiktube.com/index.php?video=247
http://mum.mikrotik.com/presentations/U ... is_qos.pdf
So, in my case, priority 1 should have online gaming (cod, cs, wow...) and voip, http and https priority 2, download priority 4 and the rest (p2p) priority 8 ?

And, in case that p2p be allowed during a day with qos setting... what will prevent p2p user to set his client to try to open 100 or more connections? I am a bit a beginner but we were all learned that p2p is a killer of 2.4 ghz wifi and so far it was quite true.
yes you're right. some torrent programs are working on port 80.Like Xunlei Thunder.It can not be blocked.
If you can not block limit that.

Maybe

Even utorrent with encrypted tracker from some private torrents can bypass many things but it has a weakness. In that case it will make connections on tcp from src 1000-5000 dst 10000-65500 (usually) and it will use a fixed listening port for incoming connections. Also, bittorent clients using dst ports 6881-6999 on tcp/udp so most of it can be traced. And xunlei, dst ports are http or tracker are on port 80?

semihgeek · Wed Jan 26, 2011 8:14 pm

I am not sure and I am begineer at networking but when you started xunlei you can feel the high load on your network.I read some articles on the net about xunlei.It says that program is working on port 80.That's why the fastest torrent client in the world

semihgeek · Wed Jan 26, 2011 8:17 pm

/ip firewall mangle 
add protocol=tcp dst-port=80 connection-bytes=500000-0 connection-rate=70000-10000000 
    action=mark-connection new-connection- mark=dowm_conn
add chain=prerouting content=.7z action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.avi action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.exe action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.f4v action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.flv action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.iso action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mov action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mp3 action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mp4 action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mpg action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.pdf action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.rar action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.rmvb action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.rm action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.wav action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.wma action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.zip action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.3gp action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting protocol=tcp src-port=21 action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="FTP" disabled=no 
add chain=prerouting protocol=tcp src-port=22 packet-size=1400-1500 \
    action=mark-connection new-connection-mark=dowm_conn passthrough=yes \
    comment="SFTP" disabled=no

Prince90s
Is it for QoS?

erich5470 · Wed Jan 26, 2011 10:07 pm

Blocking P2P.... Is this method for blocking X-Box, Playstation and other online gaming?. I would like to block online gaming of XBox and PS and other oline gaming in those categories due to bandwidth consumption. Although, I would like to leave open the option for my users to be able to connect to my win2003 server to download media files such as my library of movies, tv show, and music.

CCDKP · Sat Jan 29, 2011 1:04 am

I am currently working on implementing a P2P throttling implementation for a school's open Wifi. Reading mves's posts got me thinking and I wanted to bounce the idea off some people while I am getting it working.

I am starting with a blacklist similar to what mves suggested. If I detect p2p traffic, they get added to a list for 30/60 minutes, which then puts them in a very very slow queue. The theory being that any false positive will quickly fall off the list, while repeat offenders will keep themselves on it. I have elected for throttling as opposed to blocking due to tracking issues. It seems that most of the P2P clients that support advanced encryption and filter bypass technologies start off with the old, easy to track, methods, then fall back to more resourceful methodologies as they get blocked. By allowing them through at a greatly reduced rate, I keep the protocols where I can find them and manage them.

This is designed to run on RB450G hardware and layer 7 filtering isn't very practical due to CPU limitations, so I have been looking for alternatives, which lead me to 2 ideas.

The first is to use TKITFrank's DNS filtering for torrent peers. I use DNS redirection to enforce it:

/ip firewall nat
add chain=dstnat dst-address=<Router LAN IP> in-interface=!ether1-WAN dst-port=53 protocol=tcp action=dst-nat to-addresses=<Router LAN IP>
add chain=dstnat dst-address=<Router LAN IP> in-interface=!ether1-WAN dst-port=53 protocol=udp action=dst-nat to-addresses=<Router LAN IP>

Instead of redirecting the DNS entries to 127.0.0.1, I set them to a Bogon IP. such as 203.0.113.253, which should never generate any valid traffic on it's own.
I then listen for request to 203.0.113.253, and put the source on the perpetrator list.
In my testing, uTorrent periodically checks the router servers, so even if a user managed to get an encrypted torrent stream past detection, the client will eventually try to check in again and the user will get flagged.

The second idea is a bit more theoretical at this point, or at least until i can figure out connection-limit a little better. The idea is that most p2p clients end up using a large number of UDP connections, usually involving very high port ranges, while legitimate traffic keeps relatively small numbers (less than 8 or so). If a user has something like 40 UDP streams (not including DNS), they are either hosting a game/VoIP server (something they can't really do on a public wifi anyway), or it's P2P. While this looks good on paper, I am not sure how practical it will be. If anyone with experience on connection-limit and udp would like to offer some input, I would appreciate it.

Once I get everything running, I will gladly post the config, since this thread is one of the few solid sources of p2p tracking in Mikrotik routers. It has been an invaluable resource for me while learning this. Thanks.

@CC_DKP

prince90s · Sat Jan 29, 2011 9:04 am

[/quote]

/ip firewall mangle 
add protocol=tcp dst-port=80 connection-bytes=500000-0 connection-rate=70000-10000000 
    action=mark-connection new-connection- mark=dowm_conn
add chain=prerouting content=.7z action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.avi action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.exe action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.f4v action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.flv action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.iso action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mov action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mp3 action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mp4 action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.mpg action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.pdf action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.rar action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.rmvb action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.rm action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.wav action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.wma action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.zip action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting content=.3gp action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="" disabled=no 
add chain=prerouting protocol=tcp src-port=21 action=mark-connection \
    new-connection-mark=dowm_conn passthrough=yes comment="FTP" disabled=no 
add chain=prerouting protocol=tcp src-port=22 packet-size=1400-1500 \
    action=mark-connection new-connection-mark=dowm_conn passthrough=yes \
    comment="SFTP" disabled=no

[/quote]

Prince90s
Is it for QoS?[/quote]

sure,it is useful.and u look this.

/ip firewall mangle
add protocol=tcp dst-port=80 connection-bytes=500000-0 connection-rate=70000-10000000 action=mark-connection new-connection-mark=heavy

erich5470 · Sun Jan 30, 2011 8:41 pm

awesome... thanks.

TKITFrank · Tue Feb 01, 2011 12:57 pm

I am currently working on implementing a P2P throttling implementation for a school's open Wifi. Reading mves's posts got me thinking and I wanted to bounce the idea off some people while I am getting it working.

I am starting with a blacklist similar to what mves suggested. If I detect p2p traffic, they get added to a list for 30/60 minutes, which then puts them in a very very slow queue. The theory being that any false positive will quickly fall off the list, while repeat offenders will keep themselves on it. I have elected for throttling as opposed to blocking due to tracking issues. It seems that most of the P2P clients that support advanced encryption and filter bypass technologies start off with the old, easy to track, methods, then fall back to more resourceful methodologies as they get blocked. By allowing them through at a greatly reduced rate, I keep the protocols where I can find them and manage them.

This is designed to run on RB450G hardware and layer 7 filtering isn't very practical due to CPU limitations, so I have been looking for alternatives, which lead me to 2 ideas.

The first is to use TKITFrank's DNS filtering for torrent peers. I use DNS redirection to enforce it:
Code: Select all
/ip firewall nat
add chain=dstnat dst-address=<Router LAN IP> in-interface=!ether1-WAN dst-port=53 protocol=tcp action=dst-nat to-addresses=<Router LAN IP>
add chain=dstnat dst-address=<Router LAN IP> in-interface=!ether1-WAN dst-port=53 protocol=udp action=dst-nat to-addresses=<Router LAN IP>
Instead of redirecting the DNS entries to 127.0.0.1, I set them to a Bogon IP. such as 203.0.113.253, which should never generate any valid traffic on it's own.
I then listen for request to 203.0.113.253, and put the source on the perpetrator list.
In my testing, uTorrent periodically checks the router servers, so even if a user managed to get an encrypted torrent stream past detection, the client will eventually try to check in again and the user will get flagged.

The second idea is a bit more theoretical at this point, or at least until i can figure out connection-limit a little better. The idea is that most p2p clients end up using a large number of UDP connections, usually involving very high port ranges, while legitimate traffic keeps relatively small numbers (less than 8 or so). If a user has something like 40 UDP streams (not including DNS), they are either hosting a game/VoIP server (something they can't really do on a public wifi anyway), or it's P2P. While this looks good on paper, I am not sure how practical it will be. If anyone with experience on connection-limit and udp would like to offer some input, I would appreciate it.

Once I get everything running, I will gladly post the config, since this thread is one of the few solid sources of p2p tracking in Mikrotik routers. It has been an invaluable resource for me while learning this. Thanks.

@CC_DKP

Hi, I thing you are on to something here

Please let us know how this is working.
I would however skip the static ports for torrents and go with the all-p2p and the L7 filter to add them in a address list. To me static ports is to unreliable. The 450G is pretty fast and you can run it @800Mhz? Have you tried it @ that speed and seen how much it uses the CPU?
Anyhow as I said before let us know how it is working.

@Normis
Can you perhaps make some sticky threads? one for blocking p2p and one for throttling p2p?

Benygh · Thu Feb 03, 2011 6:55 pm

lots of command lines and no absolute working command !?

i just want to drop un-encrypted torrent connections so i used the first command in the post which was :
ip firewall filter add chain=forward p2p=all-p2p action=drop

and it just adds a firewall rule that DOESN'T Work either ...

is there any clean, working command so that i could use in order to drop these TORRENT connections ?!

for your information: i'm using this routeros as a VPN Routing server which is enabled for PPTP and L2TP ....

bax · Fri Feb 04, 2011 5:16 pm

lots of command lines and no absolute working command !?

i just want to drop un-encrypted torrent connections so i used the first command in the post which was :
ip firewall filter add chain=forward p2p=all-p2p action=drop

and it just adds a firewall rule that DOESN'T Work either ...

is there any clean, working command so that i could use in order to drop these TORRENT connections ?!

for your information: i'm using this routeros as a VPN Routing server which is enabled for PPTP and L2TP ....

But guys is telling you that is almost imposible to block all torents ... unless you turn off all internet ... beacause torent can use any port like 80 ... why just make good QOS and leave it on ?

Here is my way which is colected here in forum or in wiki , and adapted by me for my situation.
This was usable for everybody and is working OK:
So first is L7 :

/ip firewall layer7-protocol
add comment="eDonkey2000 - P2P filesharing" name=edonkey regexp="^[\\xc5\\xd4\
    \\xe3-\\xe5].\?.\?.\?.\?([\\x01\\x02\\x05\\x14\\x15\\x16\\x18\\x19\\x1a\\x\
    1b\\x1c\\x20\\x21\\x32\\x33\\x34\\x35\\x36\\x38\\x40\\x41\\x42\\x43\\x46\\\
    x47\\x48\\x49\\x4a\\x4b\\x4c\\x4d\\x4e\\x4f\\x50\\x51\\x52\\x53\\x54\\x55\
    \\x56\\x57\\x58[\\x60\\x81\\x82\\x90\\x91\\x93\\x96\\x97\\x98\\x99\\x9a\\x\
    9b\\x9c\\x9e\\xa0\\xa1\\xa2\\xa3\\xa4]|\\x59................\?[ -~]|\\x96.\
    ...\$)"
add comment="" name=gnutella regexp="^(gnd[\\x01\\x02]\?.\?.\?\\x01|gnutella c\
    onnect/[012]\\.[0-9]\\x0d\\x0a|get /uri-res/n2r\\\?urn:sha1:|get /.*user-a\
    gent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|g\
    et /.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|q\
    ueue [0-9a-f]* [1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-\
    9]\?\\.[1-9][0-9]\?[0-9]\?:[1-9][0-9]\?[0-9]\?[0-9]\?|gnutella.*content-ty\
    pe: application/x-gnutella|...................\?lime)"
add comment="CVS - Concurrent Versions System" name=cvs regexp=\
    "^BEGIN (AUTH|VERIFICATION|GSSAPI) REQUEST\\x0a"
add comment="" name=nbns regexp=\
    "\\x01\\x10\\x01|\\)\\x10\\x01\\x01|0\\x10\\x01"
add comment="" name=shoutcast regexp="^get /.*icy-metadata:1|icy [1-5][0-9][0-\
    9] [\\x09-\\x0d -~]*(content-type:audio|icy-)"
add comment="DNS - Domain Name System - RFC 1035" name=dns regexp="^.\?.\?.\?.\
    \?[\\x01\\x02].\?.\?.\?.\?.\?.\?[\\x01-\?][a-z0-9][\\x01-\?a-z]*[\\x02-\\x\
    06][a-z][a-z][fglmoprstuvz]\?[aeop]\?(um)\?[\\x01-\\x10\\x1c][\\x01\\x03\\\
    x04\\xFF]"
add comment="" name=quake-halflife regexp=\
    "^\\xff\\xff\\xff\\xffget(info|challenge)"
add comment="" name=x11 regexp="^[lb].\?\\x0b\r\
    \nuserspace pattern=^[lB].\?\\x0b\r\
    \nuserspace flags=REG_NOSUB"
add comment="" name=rlogin regexp=\
    "^[a-z][a-z0-9][a-z0-9]+/[1-9][0-9]\?[0-9]\?[0-9]\?00"
add comment="" name=http regexp="http/(0\\.9|1\\.0|1\\.1) [1-5][0-9][0-9] [\\x\
    09-\\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\\x09\
    -\\x0d -~]* http/[01]\\.[019]"
add comment="" name=sip1 regexp=\
    "^(invite|register|cancel) sip[\t-\r -~]*sip/[0-2]\\.[0-9]"
add comment="" name=pop3 regexp="^(\\+ok |-err )"
add comment="" name=smb regexp="\\xffsmb[\\x72\\x25]"
add comment="" name=ssh regexp="^ssh-[12]\\.[0-9]"
add comment="" name=jabber regexp=\
    "<stream:stream[\t-\r ][ -~]*[\t-\r ]xmlns=['\"]jabber"
add comment="Bittorrent - P2P filesharing / publishing tool " name=bittorrent \
    regexp=\
    "^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=)"
add comment="" name=ncp regexp=\
    "^(dmdt.*\\x01.*(\"\"|\\x11\\x11|uu)|tncp.*33)"
add comment="Direct Connect - P2P filesharing" name=directconnect regexp=\
    "^(\\\$mynick |\\\$lock |\\\$key )"
add comment="" name=netbios regexp="\\x81.\?.\?.[A-P][A-P][A-P][A-P][A-P][A-P]\
    [A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P\
    ][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-P][A-\
    P][A-P][A-P][A-P][A-P]"
add comment="" name=tftp regexp="^(\\x01|\\x02)[ -~]*(netascii|octet|mail)"
add comment="" name=doom3 regexp="^\\xff\\xffchallenge"
add comment="FTP - File Transfer Protocol - RFC 959" name=ftp regexp=\
    "^220[\\x09-\\x0d -~\\x80-\\xfd]*ftp"
add comment="TSP - Berkely UNIX Time Synchronization Protocol" name=tsp \
    regexp="^[\\x01-\\x13\\x16-\$]\\x01.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?[ -~]+"
add comment="" name=ssdp regexp="^notify[\\x09-\\x0d ]\\*[\\x09-\\x0d ]http/1\
    \\.1[\\x09-\\x0d -~]*ssdp:(alive|byebye)|^m-search[\\x09-\\x0d ]\\*[\\x09-\
    \\x0d ]http/1\\.1[\\x09-\\x0d -~]*ssdp:discover"
add comment="" name=imap regexp="^(\\* ok|a[0-9]+ noop)"
add comment="Ares - P2P filesharing " name=ares regexp=\
    "^\\x03[]Z].\?.\?\\x05\$"
add comment=\
    "FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc)" \
    name=fasttrack regexp="^get (/.download/[ -~]*|/.supernode[ -~]|/.status[ \
    -~]|/.network[ -~]*|/.files|/.hash=[0-9a-f]*/[ -~]*) http/1.1|user-agent: \
    kazaa|x-kazaa(-username|-network|-ip|-supernodeip|-xferid|-xferuid|tag)|^g\
    ive [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]\?[0-9]\?[0-9]\?"
add comment="" name=qq regexp="^.\?.\?\\x02.+\\x03\$"
add comment="" name=msn-filetransfer regexp=\
    "^(ver [ -~]*msnftp\\x0d\\x0aver msnftp\\x0d\\x0ausr|method msnmsgr:)"
add comment="" name=yahoo regexp=\
    "^(ymsg|ypns|yhoo).\?.\?.\?.\?.\?.\?.\?[lwt].*\\xc0\\x80"
add comment="" name=ntp regexp="^([\\x13\\x1b\\x23\\xd3\\xdb\\xe3]|[\\x14\\x1c\
    \$].......\?.\?.\?.\?.\?.\?.\?.\?.\?[\\xc6-\\xff])"
add comment="" name=gnucleuslan regexp="gnuclear connect/[\\x09-\\x0d -~]*user\
    -agent: gnucleus [\\x09-\\x0d -~]*lan:"
add comment="" name=vnc regexp="^rfb 00[1-9]\\.00[0-9]\\x0a\$"
add comment="BGP - Border Gateway Protocol - RFC 1771" name=bgp regexp="^\\xff\
    \\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xf\
    f..\?\\x01[\\x03\\x04]"
add comment="" name=openft regexp="x-openftalias: [-)(0-9a-z ~.]"
add comment="" name=h323 regexp=\
    "^\\x03..\?\\x08...\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?.\?\\x05"
add comment="Finger - User information server - RFC 1288" name=finger regexp="\
    ^[a-z][a-z0-9\\-_]+|login: [\\x09-\\x0d -~]* name: [\\x09-\\x0d -~]* Direc\
    tory:"
add comment="" name=ident regexp="^[1-9][0-9]\?[0-9]\?[0-9]\?[0-9]\?[\\x09-\\x\
    0d]*,[\\x09-\\x0d]*[1-9][0-9]\?[0-9]\?[0-9]\?[0-9]\?(\\x0d\\x0a|[\\x0d\\x0\
    a])\?\$"
add comment="" name=gkrellm regexp="^gkrellm [23].[0-9].[0-9]\\x0a\$"
add comment="" name=hddtemp regexp=\
    "^\\|/dev/[a-z][a-z][a-z]\\|[0-9a-z]*\\|[0-9][0-9]\\|[cfk]\\|"
add comment="" name=socks regexp="\\x05[\\x01-\\x08]*\\x05[\\x01-\\x08]\?.*\\x\
    05[\\x01-\\x03][\\x01\\x03].*\\x05[\\x01-\\x08]\?[\\x01\\x03]"
add comment="Biff - new mail notification" name=biff regexp=\
    "^[a-z][a-z0-9]+@[1-9][0-9]+\$"
add comment="DHCP - Dynamic Host Configuration Protocol - RFC 1541" name=dhcp \
    regexp="^[\\x01\\x02][\\x01- ]\\x06.*c\\x82sc"
add comment="" name=ipp regexp=ipp://
add comment="" name=msnmessenger regexp="ver [0-9]+ msnp[1-9][0-9]\? [\\x09-\\\
    x0d -~]*cvr0\\x0d\\x0a\$|usr 1 [!-~]+ [0-9. ]+\\x0d\\x0a\$|ans 1 [!-~]+ [0\
    -9. ]+\\x0d\\x0a\$"
add comment="" name=irc regexp="^(nick[\\x09-\\x0d -~]*user[\\x09-\\x0d -~]*:|\
    user[\\x09-\\x0d -~]*:[\\x02-\\x0d -~]*nick[\\x09-\\x0d -~]*\\x0d\\x0a)"
add comment="" name=gopher regexp="^[\\x09-\\x0d]*[1-9,+tgi][\\x09-\\x0d -~]*\
    \\x09[\\x09-\\x0d -~]*\\x09[a-z0-9.]*\\.[a-z][a-z].\?.\?\\x09[1-9]"
add comment="" name=telnet regexp=\
    "^\\xff[\\xfb-\\xfe].\\xff[\\xfb-\\xfe].\\xff[\\xfb-\\xfe]"
add comment="" name=nntp regexp=\
    "^(20[01][\\x09-\\x0d -~]*AUTHINFO USER|20[01][\\x09-\\x0d -~]*news)"
add comment="" name=rtsp regexp="rtsp/1.0 200 ok"
add comment="" name=skypeout regexp="^(\\x01.\?.\?.\?.\?.\?.\?.\?.\?\\x01|\\x0\
    2.\?.\?.\?.\?.\?.\?.\?.\?\\x02|\\x03.\?.\?.\?.\?.\?.\?.\?.\?\\x03|\\x04.\?\
    .\?.\?.\?.\?.\?.\?.\?\\x04|\\x05.\?.\?.\?.\?.\?.\?.\?.\?\\x05|\\x06.\?.\?.\
    \?.\?.\?.\?.\?.\?\\x06|\\x07.\?.\?.\?.\?.\?.\?.\?.\?\\x07|\\x08.\?.\?.\?.\
    \?.\?.\?.\?.\?\\x08|\\x09.\?.\?.\?.\?.\?.\?.\?.\?\\x09|\\x0a.\?.\?.\?.\?.\
    \?.\?.\?.\?\\x0a|\\x0b.\?.\?.\?.\?.\?.\?.\?.\?\\x0b|\\x0c.\?.\?.\?.\?.\?.\
    \?.\?.\?\\x0c|\\x0d.\?.\?.\?.\?.\?.\?.\?.\?\\x0d|\\x0e.\?.\?.\?.\?.\?.\?.\
    \?.\?\\x0e|\\x0f.\?.\?.\?.\?.\?.\?.\?.\?\\x0f|\\x10.\?.\?.\?.\?.\?.\?.\?.\
    \?\\x10|\\x11.\?.\?.\?.\?.\?.\?.\?.\?\\x11|\\x12.\?.\?.\?.\?.\?.\?.\?.\?\\\
    x12|\\x13.\?.\?.\?.\?.\?.\?.\?.\?\\x13|\\x14.\?.\?.\?.\?.\?.\?.\?.\?\\x14|\
    \\x15.\?.\?.\?.\?.\?.\?.\?.\?\\x15|\\x16.\?.\?.\?.\?.\?.\?.\?.\?\\x16|\\x1\
    7.\?.\?.\?.\?.\?.\?.\?.\?\\x17|\\x18.\?.\?.\?.\?.\?.\?.\?.\?\\x18|\\x19.\?\
    .\?.\?.\?.\?.\?.\?.\?\\x19|\\x1a.\?.\?.\?.\?.\?.\?.\?.\?\\x1a|\\x1b.\?.\?.\
    \?.\?.\?.\?.\?.\?\\x1b|\\x1c.\?.\?.\?.\?.\?.\?.\?.\?\\x1c|\\x1d.\?.\?.\?.\
    \?.\?.\?.\?.\?\\x1d|\\x1e.\?.\?.\?.\?.\?.\?.\?.\?\\x1e|\\x1f.\?.\?.\?.\?.\
    \?.\?.\?.\?\\x1f|\\x20.\?.\?.\?.\?.\?.\?.\?.\?\\x20|\\x21.\?.\?.\?.\?.\?.\
    \?.\?.\?\\x21|\\x22.\?.\?.\?.\?.\?.\?.\?.\?\\x22|\\x23.\?.\?.\?.\?.\?.\?.\
    \?.\?\\x23|\\\$.\?.\?.\?.\?.\?.\?.\?.\?\\\$|\\x25.\?.\?.\?.\?.\?.\?.\?.\?\
    \\x25|\\x26.\?.\?.\?.\?.\?.\?.\?.\?\\x26|\\x27.\?.\?.\?.\?.\?.\?.\?.\?\\x2\
    7|\\(.\?.\?.\?.\?.\?.\?.\?.\?\\(|\\).\?.\?.\?.\?.\?.\?.\?.\?\\)|\\*.\?.\?.\
    \?.\?.\?.\?.\?.\?\\*|\\+.\?.\?.\?.\?.\?.\?.\?.\?\\+|\\x2c.\?.\?.\?.\?.\?.\
    \?.\?.\?\\x2c|\\x2d.\?.\?.\?.\?.\?.\?.\?.\?\\x2d|\\..\?.\?.\?.\?.\?.\?.\?.\
    \?\\.|\\x2f.\?.\?.\?.\?.\?.\?.\?.\?\\x2f|\\x30.\?.\?.\?.\?.\?.\?.\?.\?\\x3\
    0|\\x31.\?.\?.\?.\?.\?.\?.\?.\?\\x31|\\x32.\?.\?.\?.\?.\?.\?.\?.\?\\x32|\\\
    x33.\?.\?.\?.\?.\?.\?.\?.\?\\x33|\\x34.\?.\?.\?.\?.\?.\?.\?.\?\\x34|\\x35.\
    \?.\?.\?.\?.\?.\?.\?.\?\\x35|\\x36.\?.\?.\?.\?.\?.\?.\?.\?\\x36|\\x37.\?.\
    \?.\?.\?.\?.\?.\?.\?\\x37|\\x38.\?.\?.\?.\?.\?.\?.\?.\?\\x38|\\x39.\?.\?.\
    \?.\?.\?.\?.\?.\?\\x39|\\x3a.\?.\?.\?.\?.\?.\?.\?.\?\\x3a|\\x3b.\?.\?.\?.\
    \?.\?.\?.\?.\?\\x3b|\\x3c.\?.\?.\?.\?.\?.\?.\?.\?\\x3c|\\x3d.\?.\?.\?.\?.\
    \?.\?.\?.\?\\x3d|\\x3e.\?.\?.\?.\?.\?.\?.\?.\?\\x3e|\\\?.\?.\?.\?.\?.\?.\?\
    .\?.\?\\\?|\\x40.\?.\?.\?.\?.\?.\?.\?.\?\\x40|\\x41.\?.\?.\?.\?.\?.\?.\?.\
    \?\\x41|\\x42.\?.\?.\?.\?.\?.\?.\?.\?\\x42|\\x43.\?.\?.\?.\?.\?.\?.\?.\?\\\
    x43|\\x44.\?.\?.\?.\?.\?.\?.\?.\?\\x44|\\x45.\?.\?.\?.\?.\?.\?.\?.\?\\x45|\
    \\x46.\?.\?.\?.\?.\?.\?.\?.\?\\x46|\\x47.\?.\?.\?.\?.\?.\?.\?.\?\\x47|\\x4\
    8.\?.\?.\?.\?.\?.\?.\?.\?\\x48|\\x49.\?.\?.\?.\?.\?.\?.\?.\?\\x49|\\x4a.\?\
    .\?.\?.\?.\?.\?.\?.\?\\x4a|\\x4b.\?.\?.\?.\?.\?.\?.\?.\?\\x4b|\\x4c.\?.\?.\
    \?.\?.\?.\?.\?.\?\\x4c|\\x4d.\?.\?.\?.\?.\?.\?.\?.\?\\x4d|\\x4e.\?.\?.\?.\
    \?.\?.\?.\?.\?\\x4e|\\x4f.\?.\?.\?.\?.\?.\?.\?.\?\\x4f|\\x50.\?.\?.\?.\?.\
    \?.\?.\?.\?\\x50|\\x51.\?.\?.\?.\?.\?.\?.\?.\?\\x51|\\x52.\?.\?.\?.\?.\?.\
    \?.\?.\?\\x52|\\x53.\?.\?.\?.\?.\?.\?.\?.\?\\x53|\\x54.\?.\?.\?.\?.\?.\?.\
    \?.\?\\x54|\\x55.\?.\?.\?.\?.\?.\?.\?.\?\\x55|\\x56.\?.\?.\?.\?.\?.\?.\?.\
    \?\\x56|\\x57.\?.\?.\?.\?.\?.\?.\?.\?\\x57|\\x58.\?.\?.\?.\?.\?.\?.\?.\?\\\
    x58|\\x59.\?.\?.\?.\?.\?.\?.\?.\?\\x59|\\x5a.\?.\?.\?.\?.\?.\?.\?.\?\\x5a|\
    \\[.\?.\?.\?.\?.\?.\?.\?.\?\\[|\\\\.\?.\?.\?.\?.\?.\?.\?.\?\\\\|\\].\?.\?.\
    \?.\?.\?.\?.\?.\?\\]|\\^.\?.\?.\?.\?.\?.\?.\?.\?\\^|\\x5f.\?.\?.\?.\?.\?.\
    \?.\?.\?\\x5f|\\x60.\?.\?.\?.\?.\?.\?.\?.\?\\x60|\\x61.\?.\?.\?.\?.\?.\?.\
    \?.\?\\x61|\\x62.\?.\?.\?.\?.\?.\?.\?.\?\\x62|\\x63.\?.\?.\?.\?.\?.\?.\?.\
    \?\\x63|\\x64.\?.\?.\?.\?.\?.\?.\?.\?\\x64|\\x65.\?.\?.\?.\?.\?.\?.\?.\?\\\
    x65|\\x66.\?.\?.\?.\?.\?.\?.\?.\?\\x66|\\x67.\?.\?.\?.\?.\?.\?.\?.\?\\x67|\
    \\x68.\?.\?.\?.\?.\?.\?.\?.\?\\x68|\\x69.\?.\?.\?.\?.\?.\?.\?.\?\\x69|\\x6\
    a.\?.\?.\?.\?.\?.\?.\?.\?\\x6a|\\x6b.\?.\?.\?.\?.\?.\?.\?.\?\\x6b|\\x6c.\?\
    .\?.\?.\?.\?.\?.\?.\?\\x6c|\\x6d.\?.\?.\?.\?.\?.\?.\?.\?\\x6d|\\x6e.\?.\?.\
    \?.\?.\?.\?.\?.\?\\x6e|\\x6f.\?.\?.\?.\?.\?.\?.\?.\?\\x6f|\\x70.\?.\?.\?.\
    \?.\?.\?.\?.\?\\x70|\\x71.\?.\?.\?.\?.\?.\?.\?.\?\\x71|\\x72.\?.\?.\?.\?.\
    \?.\?.\?.\?\\x72|\\x73.\?.\?.\?.\?.\?.\?.\?.\?\\x73|\\x74.\?.\?.\?.\?.\?.\
    \?.\?.\?\\x74|\\x75.\?.\?.\?.\?.\?.\?.\?.\?\\x75|\\x76.\?.\?.\?.\?.\?.\?.\
    \?.\?\\x76|\\x77.\?.\?.\?.\?.\?.\?.\?.\?\\x77|\\x78.\?.\?.\?.\?.\?.\?.\?.\
    \?\\x78|\\x79.\?.\?.\?.\?.\?.\?.\?.\?\\x79|\\x7a.\?.\?.\?.\?.\?.\?.\?.\?\\\
    x7a|\\{.\?.\?.\?.\?.\?.\?.\?.\?\\{|\\|.\?.\?.\?.\?.\?.\?.\?.\?\\||\\}.\?.\
    \?.\?.\?.\?.\?.\?.\?\\}|\\x7e.\?.\?.\?.\?.\?.\?.\?.\?\\x7e|\\x7f.\?.\?.\?.\
    \?.\?.\?.\?.\?\\x7f|\\x80.\?.\?.\?.\?.\?.\?.\?.\?\\x80|\\x81.\?.\?.\?.\?.\
    \?.\?.\?.\?\\x81|\\x82.\?.\?.\?.\?.\?.\?.\?.\?\\x82|\\x83.\?.\?.\?.\?.\?.\
    \?.\?.\?\\x83|\\x84.\?.\?.\?.\?.\?.\?.\?.\?\\x84|\\x85.\?.\?.\?.\?.\?.\?.\
    \?.\?\\x85|\\x86.\?.\?.\?.\?.\?.\?.\?.\?\\x86|\\x87.\?.\?.\?.\?.\?.\?.\?.\
    \?\\x87|\\x88.\?.\?.\?.\?.\?.\?.\?.\?\\x88|\\x89.\?.\?.\?.\?.\?.\?.\?.\?\\\
    x89|\\x8a.\?.\?.\?.\?.\?.\?.\?.\?\\x8a|\\x8b.\?.\?.\?.\?.\?.\?.\?.\?\\x8b|\
    \\x8c.\?.\?.\?.\?.\?.\?.\?.\?\\x8c|\\x8d.\?.\?.\?.\?.\?.\?.\?.\?\\x8d|\\x8\
    e.\?.\?.\?.\?.\?.\?.\?.\?\\x8e|\\x8f.\?.\?.\?.\?.\?.\?.\?.\?\\x8f|\\x90.\?\
    .\?.\?.\?.\?.\?.\?.\?\\x90|\\x91.\?.\?.\?.\?.\?.\?.\?.\?\\x91|\\x92.\?.\?.\
    \?.\?.\?.\?.\?.\?\\x92|\\x93.\?.\?.\?.\?.\?.\?.\?.\?\\x93|\\x94.\?.\?.\?.\
    \?.\?.\?.\?.\?\\x94|\\x95.\?.\?.\?.\?.\?.\?.\?.\?\\x95|\\x96.\?.\?.\?.\?.\
    \?.\?.\?.\?\\x96|\\x97.\?.\?.\?.\?.\?.\?.\?.\?\\x97|\\x98.\?.\?.\?.\?.\?.\
    \?.\?.\?\\x98|\\x99.\?.\?.\?.\?.\?.\?.\?.\?\\x99|\\x9a.\?.\?.\?.\?.\?.\?.\
    \?.\?\\x9a|\\x9b.\?.\?.\?.\?.\?.\?.\?.\?\\x9b|\\x9c.\?.\?.\?.\?.\?.\?.\?.\
    \?\\x9c|\\x9d.\?.\?.\?.\?.\?.\?.\?.\?\\x9d|\\x9e.\?.\?.\?.\?.\?.\?.\?.\?\\\
    x9e|\\x9f.\?.\?.\?.\?.\?.\?.\?.\?\\x9f|\\xa0.\?.\?.\?.\?.\?.\?.\?.\?\\xa0|\
    \\xa1.\?.\?.\?.\?.\?.\?.\?.\?\\xa1|\\xa2.\?.\?.\?.\?.\?.\?.\?.\?\\xa2|\\xa\
    3.\?.\?.\?.\?.\?.\?.\?.\?\\xa3|\\xa4.\?.\?.\?.\?.\?.\?.\?.\?\\xa4|\\xa5.\?\
    .\?.\?.\?.\?.\?.\?.\?\\xa5|\\xa6.\?.\?.\?.\?.\?.\?.\?.\?\\xa6|\\xa7.\?.\?.\
    \?.\?.\?.\?.\?.\?\\xa7|\\xa8.\?.\?.\?.\?.\?.\?.\?.\?\\xa8|\\xa9.\?.\?.\?.\
    \?.\?.\?.\?.\?\\xa9|\\xaa.\?.\?.\?.\?.\?.\?.\?.\?\\xaa|\\xab.\?.\?.\?.\?.\
    \?.\?.\?.\?\\xab|\\xac.\?.\?.\?.\?.\?.\?.\?.\?\\xac|\\xad.\?.\?.\?.\?.\?.\
    \?.\?.\?\\xad|\\xae.\?.\?.\?.\?.\?.\?.\?.\?\\xae|\\xaf.\?.\?.\?.\?.\?.\?.\
    \?.\?\\xaf|\\xb0.\?.\?.\?.\?.\?.\?.\?.\?\\xb0|\\xb1.\?.\?.\?.\?.\?.\?.\?.\
    \?\\xb1|\\xb2.\?.\?.\?.\?.\?.\?.\?.\?\\xb2|\\xb3.\?.\?.\?.\?.\?.\?.\?.\?\\\
    xb3|\\xb4.\?.\?.\?.\?.\?.\?.\?.\?\\xb4|\\xb5.\?.\?.\?.\?.\?.\?.\?.\?\\xb5|\
    \\xb6.\?.\?.\?.\?.\?.\?.\?.\?\\xb6|\\xb7.\?.\?.\?.\?.\?.\?.\?.\?\\xb7|\\xb\
    8.\?.\?.\?.\?.\?.\?.\?.\?\\xb8|\\xb9.\?.\?.\?.\?.\?.\?.\?.\?\\xb9|\\xba.\?\
    .\?.\?.\?.\?.\?.\?.\?\\xba|\\xbb.\?.\?.\?.\?.\?.\?.\?.\?\\xbb|\\xbc.\?.\?.\
    \?.\?.\?.\?.\?.\?\\xbc|\\xbd.\?.\?.\?.\?.\?.\?.\?.\?\\xbd|\\xbe.\?.\?.\?.\
    \?.\?.\?.\?.\?\\xbe|\\xbf.\?.\?.\?.\?.\?.\?.\?.\?\\xbf|\\xc0.\?.\?.\?.\?.\
    \?.\?.\?.\?\\xc0|\\xc1.\?.\?.\?.\?.\?.\?.\?.\?\\xc1|\\xc2.\?.\?.\?.\?.\?.\
    \?.\?.\?\\xc2|\\xc3.\?.\?.\?.\?.\?.\?.\?.\?\\xc3|\\xc4.\?.\?.\?.\?.\?.\?.\
    \?.\?\\xc4|\\xc5.\?.\?.\?.\?.\?.\?.\?.\?\\xc5|\\xc6.\?.\?.\?.\?.\?.\?.\?.\
    \?\\xc6|\\xc7.\?.\?.\?.\?.\?.\?.\?.\?\\xc7|\\xc8.\?.\?.\?.\?.\?.\?.\?.\?\\\
    xc8|\\xc9.\?.\?.\?.\?.\?.\?.\?.\?\\xc9|\\xca.\?.\?.\?.\?.\?.\?.\?.\?\\xca|\
    \\xcb.\?.\?.\?.\?.\?.\?.\?.\?\\xcb|\\xcc.\?.\?.\?.\?.\?.\?.\?.\?\\xcc|\\xc\
    d.\?.\?.\?.\?.\?.\?.\?.\?\\xcd|\\xce.\?.\?.\?.\?.\?.\?.\?.\?\\xce|\\xcf.\?\
    .\?.\?.\?.\?.\?.\?.\?\\xcf|\\xd0.\?.\?.\?.\?.\?.\?.\?.\?\\xd0|\\xd1.\?.\?.\
    \?.\?.\?.\?.\?.\?\\xd1|\\xd2.\?.\?.\?.\?.\?.\?.\?.\?\\xd2|\\xd3.\?.\?.\?.\
    \?.\?.\?.\?.\?\\xd3|\\xd4.\?.\?.\?.\?.\?.\?.\?.\?\\xd4|\\xd5.\?.\?.\?.\?.\
    \?.\?.\?.\?\\xd5|\\xd6.\?.\?.\?.\?.\?.\?.\?.\?\\xd6|\\xd7.\?.\?.\?.\?.\?.\
    \?.\?.\?\\xd7|\\xd8.\?.\?.\?.\?.\?.\?.\?.\?\\xd8|\\xd9.\?.\?.\?.\?.\?.\?.\
    \?.\?\\xd9|\\xda.\?.\?.\?.\?.\?.\?.\?.\?\\xda|\\xdb.\?.\?.\?.\?.\?.\?.\?.\
    \?\\xdb|\\xdc.\?.\?.\?.\?.\?.\?.\?.\?\\xdc|\\xdd.\?.\?.\?.\?.\?.\?.\?.\?\\\
    xdd|\\xde.\?.\?.\?.\?.\?.\?.\?.\?\\xde|\\xdf.\?.\?.\?.\?.\?.\?.\?.\?\\xdf|\
    \\xe0.\?.\?.\?.\?.\?.\?.\?.\?\\xe0|\\xe1.\?.\?.\?.\?.\?.\?.\?.\?\\xe1|\\xe\
    2.\?.\?.\?.\?.\?.\?.\?.\?\\xe2|\\xe3.\?.\?.\?.\?.\?.\?.\?.\?\\xe3|\\xe4.\?\
    .\?.\?.\?.\?.\?.\?.\?\\xe4|\\xe5.\?.\?.\?.\?.\?.\?.\?.\?\\xe5|\\xe6.\?.\?.\
    \?.\?.\?.\?.\?.\?\\xe6|\\xe7.\?.\?.\?.\?.\?.\?.\?.\?\\xe7|\\xe8.\?.\?.\?.\
    \?.\?.\?.\?.\?\\xe8|\\xe9.\?.\?.\?.\?.\?.\?.\?.\?\\xe9|\\xea.\?.\?.\?.\?.\
    \?.\?.\?.\?\\xea|\\xeb.\?.\?.\?.\?.\?.\?.\?.\?\\xeb|\\xec.\?.\?.\?.\?.\?.\
    \?.\?.\?\\xec|\\xed.\?.\?.\?.\?.\?.\?.\?.\?\\xed|\\xee.\?.\?.\?.\?.\?.\?.\
    \?.\?\\xee|\\xef.\?.\?.\?.\?.\?.\?.\?.\?\\xef|\\xf0.\?.\?.\?.\?.\?.\?.\?.\
    \?\\xf0|\\xf1.\?.\?.\?.\?.\?.\?.\?.\?\\xf1|\\xf2.\?.\?.\?.\?.\?.\?.\?.\?\\\
    xf2|\\xf3.\?.\?.\?.\?.\?.\?.\?.\?\\xf3|\\xf4.\?.\?.\?.\?.\?.\?.\?.\?\\xf4|\
    \\xf5.\?.\?.\?.\?.\?.\?.\?.\?\\xf5|\\xf6.\?.\?.\?.\?.\?.\?.\?.\?\\xf6|\\xf\
    7.\?.\?.\?.\?.\?.\?.\?.\?\\xf7|\\xf8.\?.\?.\?.\?.\?.\?.\?.\?\\xf8|\\xf9.\?\
    .\?.\?.\?.\?.\?.\?.\?\\xf9|\\xfa.\?.\?.\?.\?.\?.\?.\?.\?\\xfa|\\xfb.\?.\?.\
    \?.\?.\?.\?.\?.\?\\xfb|\\xfc.\?.\?.\?.\?.\?.\?.\?.\?\\xfc|\\xfd.\?.\?.\?.\
    \?.\?.\?.\?.\?\\xfd|\\xfe.\?.\?.\?.\?.\?.\?.\?.\?\\xfe|\\xff.\?.\?.\?.\?.\
    \?.\?.\?.\?\\xff)"
add comment="" name=skypetoskype regexp="^..\\x02............."
add comment="" name=counterstrike-source regexp=\
    "^\\xff\\xff\\xff\\xff.*cstrikeCounter-Strike"
add comment="" name=halflife2-deathmatch regexp=\
    "^\\xff\\xff\\xff\\xff.*hl2mpDeathmatch"
add comment="" name=soulseek regexp=\
    "^(\\x05..\?|.\\x01.[ -~]+\\x01F..\?.\?.\?.\?.\?.\?.\?)\$"
add comment="" name=ssl regexp=\
    "^(.\?.\?\\x16\\x03.*\\x16\\x03|.\?.\?\\x01\\x03\\x01\?.*\\x0b)"
add comment="" name=whois regexp="^[ !-~]+\\x0d\\x0a\$"
add comment="" name=dayofdefeat-source regexp=\
    "^\\xff\\xff\\xff\\xff.*dodDay of Defeat"
add comment="" name=teamspeak regexp="^\\xf4\\xbe\\x03.*teamspeak"
add comment="" name=ventrilo regexp="^..\?v\\\$\\xcf"
add comment="" name=http-rtsp regexp="^(get[\\x09-\\x0d -~]* Accept: applicati\
    on/x-rtsp-tunnelled|http/(0\\.9|1\\.0|1\\.1) [1-5][0-9][0-9] [\\x09-\\x0d \
    -~]*a=control:rtsp://)"
add comment="" name=pcanywhere regexp="^(nq|st)\$"
add comment="" name=subversion regexp="^\\( success \\( 1 2 \\("
add comment=\
    "Computer Interface to Message Distribution, an SMSC protocol by Nokia" \
    name=cimd regexp="\\x02[0-4][0-9]:[0-9]+.*\\x03\$"
add comment="" name=mohaa regexp="^\\xff\\xff\\xff\\xffgetstatus\\x0a"
add comment="" name=radmin regexp="^\\x01\\x01(\\x08\\x08|\\x1b\\x1b)\$"
add comment="Chikka - SMS service which can be used without phones- http://chi\
    kka.com" name=chikka regexp="^CTPv1\\.[123] Kamusta.*\\x0d\\x0a\$"
add comment="" name=replaytv-ivs regexp="^(get /ivs-IVSGetFileChunk|http/(0\\.\
    9|1\\.0|1\\.1) [1-5][0-9][0-9] [\\x09-\\x0d -~]*\\x23\\x23\\x23\\x23\\x23R\
    EPLAY_CHUNK_START\\x23\\x23\\x23\\x23\\x23)"
add comment=\
    "Armagetron Advanced - open source Tron/snake based multiplayer game" \
    name=armagetron regexp=YCLC_E|CYEL
add comment="" name=https regexp=\
    "^(.\?.\?\\x16\\x03.*\\x16\\x03|.\?.\?\\x01\\x03\\x01\?.*\\x0b)"
add comment="" name=bittorrent2 regexp="^(\\x13bittorrent protocol|azver\\x01\
    \$|get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcom\
    et/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]\r\
    \n"
add comment="" name=bittorrent_ANNOUNCE regexp=^get.+announce.
add comment="" name=sip regexp="^(invite|register|cancel|message|subscribe|not\
    ify) sip[\\x09-\\x0d -~]*sip/[0-2]\\.[0-9]"
add comment="" name=smtp regexp="^220[\\x09-\\x0d -~]* (e\?smtp|simple mail)\r\
    \nuserspace pattern=^220[\\x09-\\x0d -~]* (E\?SMTP|[Ss]imple [Mm]ail)\r\
    \nuserspace flags=REG_NOSUB REG_EXTENDED"

Now let go to mangle (my wan adapter is PPPoE client named wan1 - change it to your wan or rename your wan to wan1):

/ip firewall mangle
add action=mark-packet chain=prerouting comment="" disabled=no \
    dst-address-list=rapidshare-host new-packet-mark=rapid passthrough=no \
    protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no \
    dst-address-list=rapidshare-host-script new-packet-mark=rapid \
    passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="" disabled=no \
    dst-address-list=Youtube new-packet-mark=youtube passthrough=no protocol=\
    tcp
add action=mark-packet chain=prerouting comment="WAN1 down QoS_1 DNS" \
    disabled=no in-interface=wan1 new-packet-mark=QoS_1_Down-UDP passthrough=\
    no protocol=udp src-port=53,123
add action=mark-packet chain=prerouting comment="QoS_1 ping" disabled=no \
    in-interface=wan1 new-packet-mark=QoS_1_Down-ICMP passthrough=no \
    protocol=icmp
add action=mark-packet chain=prerouting comment="QoS_1 syn 0-200" disabled=no \
    in-interface=wan1 new-packet-mark=QoS_1_Down packet-size=0-200 \
    passthrough=no protocol=tcp src-port=80,443 tcp-flags=syn
add action=mark-packet chain=prerouting comment="QoS_1 ack 0-200" disabled=no \
    in-interface=wan1 new-packet-mark=QoS_1_Down packet-size=0-200 \
    passthrough=no protocol=tcp src-port=80,443 tcp-flags=ack
add action=mark-packet chain=prerouting comment=\
    "QoS_1- SIP - Layer7 Session Initiation Protocol - Internet telephony " \
    disabled=no in-interface=wan1 layer7-protocol=sip new-packet-mark=\
    QoS_1_Down passthrough=no
add action=mark-packet chain=prerouting comment="QoS_1- SIP - Layer7 Session I\
    nitiation Protocol - Internet telephony  sip1" disabled=no in-interface=\
    wan1 layer7-protocol=sip1 new-packet-mark=QoS_1_Down passthrough=no
add action=mark-packet chain=prerouting comment="QoS_2 syn 0-666" disabled=no \
    in-interface=wan1 new-packet-mark=QoS_2_Down packet-size=0-666 \
    passthrough=no protocol=tcp src-port=110,995,143,993,25,20,21 tcp-flags=\
    syn
add action=mark-packet chain=prerouting comment="QoS_2 ack 0-666" disabled=no \
    in-interface=wan1 new-packet-mark=QoS_2_Down packet-size=0-666 \
    passthrough=no protocol=tcp src-port=110,995,143,993,25,20,21 tcp-flags=\
    ack
add action=mark-packet chain=prerouting comment="QoS_3 syn 0-666" disabled=no \
    in-interface=wan1 new-packet-mark=QoS_3_Down packet-size=0-666 \
    passthrough=no protocol=tcp tcp-flags=syn
add action=mark-packet chain=prerouting comment="QoS_3 ack 0-666" disabled=no \
    in-interface=wan1 new-packet-mark=QoS_3_Down packet-size=0-666 \
    passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=prerouting comment=\
    "QoS_4 (small-files)  supose surfing web" connection-bytes=0-1000000 \
    disabled=no in-interface=wan1 new-packet-mark=QoS_4_Down passthrough=no \
    protocol=tcp src-port=80,443
add action=mark-packet chain=prerouting comment="QoS_5 news" disabled=no \
    in-interface=wan1 new-packet-mark=QoS_5_Down passthrough=no protocol=tcp \
    src-port=119
add action=mark-packet chain=prerouting comment=\
    "QoS_6 (big-files) supose download files" connection-bytes=1000000-0 \
    disabled=no in-interface=wan1 new-packet-mark=QoS_6_Down passthrough=no \
    protocol=tcp src-port=80,443
add action=mark-packet chain=prerouting comment="QoS_7 p2p" disabled=no \
    in-interface=wan1 new-packet-mark=QoS_7_Down_torrent_in p2p=all-p2p \
    passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="QoS_7 p2p via L7 bittorrent" \
    disabled=no in-interface=wan1 layer7-protocol=bittorrent new-packet-mark=\
    QoS_7_Down_torrent_in passthrough=no
add action=mark-packet chain=prerouting comment=\
    "QoS_7 p2p via L7 bittorrent2" disabled=no in-interface=wan1 \
    layer7-protocol=bittorrent2 new-packet-mark=QoS_7_Down_torrent_in \
    passthrough=no
add action=mark-packet chain=prerouting comment="QoS_7 p2p via L7 edonkey" \
    disabled=no in-interface=wan1 layer7-protocol=edonkey new-packet-mark=\
    QoS_7_Down_torrent_in passthrough=no
add action=mark-packet chain=prerouting comment="QoS_7 p2p via L7 fasttrack" \
    disabled=no in-interface=wan1 layer7-protocol=fasttrack new-packet-mark=\
    QoS_7_Down_torrent_in passthrough=no
add action=mark-packet chain=prerouting comment=\
    "QoS_7 p2p via L7 directconnect" disabled=no in-interface=wan1 \
    layer7-protocol=directconnect new-packet-mark=QoS_7_Down_torrent_in \
    passthrough=no
add action=mark-packet chain=prerouting comment="QoS_8 other" disabled=no \
    in-interface=wan1 new-packet-mark=QoS_8_Down passthrough=no
add action=mark-packet chain=postrouting comment="QoS UP wan1" disabled=no \
    dst-port=80,443 new-packet-mark=QoS_1_Up out-interface=wan1 packet-size=\
    0-666 passthrough=no protocol=tcp tcp-flags=syn
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=\
    80,443 new-packet-mark=QoS_1_Up out-interface=wan1 packet-size=0-666 \
    passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=postrouting comment="ICMP UP" disabled=no \
    new-packet-mark=QoS_1_Up-ICMP out-interface=wan1 passthrough=no protocol=\
    icmp
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=\
    53,123 new-packet-mark=QoS_1_Up-UDP out-interface=wan1 passthrough=no \
    protocol=udp
add action=mark-packet chain=postrouting comment="" connection-bytes=\
    0-1000000 disabled=no dst-port=80,443 new-packet-mark=QoS_2_Up \
    out-interface=wan1 passthrough=no protocol=tcp
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=\
    110,995,143,993,25,20,21 new-packet-mark=QoS_2_Up out-interface=wan1 \
    packet-size=0-666 passthrough=no protocol=tcp tcp-flags=syn
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=\
    110,995,143,993,25,20,21 new-packet-mark=QoS_2_Up out-interface=wan1 \
    packet-size=0-666 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=postrouting comment="" disabled=no \
    new-packet-mark=QoS_3_Up out-interface=wan1 packet-size=0-666 \
    passthrough=no protocol=tcp tcp-flags=syn
add action=mark-packet chain=postrouting comment="" disabled=no \
    new-packet-mark=QoS_3_Up out-interface=wan1 packet-size=0-666 \
    passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=postrouting comment="" disabled=no dst-port=\
    110,995,143,993,25,20,21 new-packet-mark=QoS_4_Up out-interface=wan1 \
    passthrough=no protocol=tcp
add action=mark-packet chain=postrouting comment=\
    "QoS_8 p2p via L7 bittorrent2" disabled=no layer7-protocol=bittorrent2 \
    new-packet-mark=QoS_8_Up out-interface=wan1 passthrough=no
add action=mark-packet chain=postrouting comment="QoS_8 p2p via mikrotik" \
    disabled=no new-packet-mark=QoS_8_Up out-interface=wan1 p2p=all-p2p \
    passthrough=no
add action=mark-packet chain=postrouting comment="QoS_7 other" disabled=no \
    new-packet-mark=QoS_7_Up out-interface=wan1 passthrough=no

And now is time to queue tree:

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=200k \
    max-limit=650k name=QoS_wan1_Up parent=global-out priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=4M \
    max-limit=8800k name=QoS_wan1_DOWN parent=global-in priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_1 packet-mark=QoS_1_Up parent=QoS_wan1_Up priority=1 \
    queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_2 packet-mark=QoS_2_Up parent=QoS_wan1_Up priority=2 \
    queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_3 packet-mark=QoS_3_Up parent=QoS_wan1_Up priority=3 \
    queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_7 packet-mark=QoS_7_Up parent=QoS_wan1_Up priority=7 \
    queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="QoS_8 torrent" packet-mark=QoS_8_Up parent=QoS_wan1_Up \
    priority=8 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_4 packet-mark=QoS_4_Up parent=QoS_wan1_Up priority=4 \
    queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_1_down packet-mark=QoS_1_Down parent=QoS_wan1_DOWN \
    priority=1 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_3_down packet-mark=QoS_3_Down parent=QoS_wan1_DOWN \
    priority=3 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_2_down packet-mark=QoS_2_Down parent=QoS_wan1_DOWN \
    priority=2 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="QoS_4_down(small-files)" packet-mark=QoS_4_Down parent=\
    QoS_wan1_DOWN priority=4 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=5M name="QoS_5_down(news)" packet-mark=QoS_5_Down parent=\
    QoS_wan1_DOWN priority=5 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="QoS_6_down(big-files)" packet-mark=QoS_6_Down parent=\
    QoS_wan1_DOWN priority=6 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="QoS_7_down(torrent)" packet-mark=QoS_7_Down_torrent_in \
    parent=QoS_wan1_DOWN priority=7 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_8_down packet-mark=QoS_8_Down parent=QoS_wan1_DOWN \
    priority=8 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="QoS_5_down(youtube)" packet-mark=youtube parent=\
    QoS_wan1_DOWN priority=5 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name="QoS_5_down(rapid)" packet-mark=rapid parent=\
    QoS_wan1_DOWN priority=5 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_1_down-UDP packet-mark=QoS_1_Down-UDP parent=\
    QoS_wan1_DOWN priority=1 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_1-UDP packet-mark=QoS_1_Up-UDP parent=QoS_wan1_Up \
    priority=1 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_1_down-ICMP packet-mark=QoS_1_Down-ICMP parent=\
    QoS_wan1_DOWN priority=1 queue=default-small
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=QoS_1-ICMP packet-mark=QoS_1_Up-ICMP parent=QoS_wan1_Up \
    priority=1 queue=default-small

This is striped litle because i have wan2 wan3 and wan4 adapters so if you have more wan adapters you must repeat this for every wan adapter ... and also I have script which is detecting new rapidshare host and youtube host (this is not reliable) ... bla bla and all it is working good ...
If you realy need to drop all p2p then try with some other software - hardware cisco bla bla ...
or ask Harry Poter to help you

And here is picture of my queue tree:

queue tree.jpg

With winbox you must change Limit At and Max Limit depent to speed your wan conection ... mine wan1 is 9M download speed and upload is 800k
so I was make little smaller Max Limit cca 90% of speed line ... watch it on picture ...

mves · Fri Feb 04, 2011 7:38 pm

@bax
Nice... I'll update my traffic rules for p2p protocols since I see new stuff here. But also, what will happen if someone turn on torrent encryption and use a https tracker? Where would that priority end up?

Also, can you do a little update on that codes? \ on the end of each line is a bit confusing.

bax · Fri Feb 04, 2011 9:41 pm

@bax
Nice... I'll update my traffic rules for p2p protocols since I see new stuff here. But also, what will happen if someone turn on torrent encryption and use a https tracker? Where would that priority end up?

Also, can you do a little update on that codes? \ on the end of each line is a bit confusing.

p2p is working ... it is not the point ... point i to make p2p with lower priority so what is hapening ... example: torrent is working with full speed when not browsing web ... but when start browsing web torent automatic get slower speed ... and browsing is normal ... also all other trafic with higher priority is normal ...
all my users have simple queve generated by hotspot (and have group like 2M for 2Mb speed) and important for knowing is that always higher "order or priority" have queeve tree or first router work with queeve tree then with simple queeve ... so users cant "kill bandwith "
You say encrypted p2p ... so what ? router is dont recognize that traficc and put it with all other trafic which is have priority 8 ... lower ...
Also for knowing is good ... every child queve you can do Max limit and this is working ... watch on picture and you will see that I have chid - QoS_5_down(news) with limit of 5M (this is trafic of my binaries news server on another segment of network).
You can limit every other child let say QoS_8 to Max limit which is let say some p2p which router dont recognize.
You cant stop p2p like every smart guy say ... software developers always make new versions of software which is alvays get better and smarter ... so this is useless fight ... let the torent with new port-protocol wherever ... router view like other trafic and give him lower priority.
If we making more complicated rules then we need much more cpu power ... memory ...
This example is from working router which is RB433 and when is there 10 hotspot users CPU is going somethimes high near 90 - 100% ... so soon is Im transfering these in x86 machine with litle more power - intel atom with 4Gb memory.
Cpu is growning also because i have lot of firewall rules for protection,userman,radius all on this tiny RB433

... but this is another part of story ...
This RB433 is with ROS ver. 4.15 which look me very stable ... some previous ver. give me lot of troubles.
My code is Ok and usable just copy and paste into terminal window of router... and you will see that is working OK.
I think that every other way to fight from p2p is useless including this example with DNS in previous posting.
Sorry for my indian english !

mves · Fri Feb 04, 2011 11:22 pm

@bax
You misunderstood my question... I asked on what queue will end up unregistered traffic like encrypted p2p? This qos you end up is excellent for 5 Ghz wi-fi however. But for 2.4 Ghz, well, even 90% p2p reduction over a day is enough. My version works good enough to block 9 out of 10 p2p users and remaining 1 will have few connections through and that is an excellent score. So while it's work, why to change it? And while torrent blocking is active there's no more complaints that internet is slow and non-responsive and no more high pings for online gamers. Plus, rapidshare, megaupload, fileserve and other file servers are quite functional. Most of the users have it's own public ip so there are no waiting for download and this kind of download don't cause any problems to us or the users even if every user got full throttle at a same time so there was never a problem with a bandwidth. Bandwidth that they payed, they use without speed reduction. So company policy remained the same... no p2p over a day. Beside, new events... Until p2p block was implemented, there were only few people used their internet over a night. Once p2p was blocked over a day, night consumption goes higher than half of the average day bandwidth (all p2p

).

And bax, don't worry about your English... we can easily understood each other neighbor

bax · Sat Feb 05, 2011 12:24 am

@bax
You misunderstood my question... I asked on what queue will end up unregistered traffic like encrypted p2p?
And bax, don't worry about your English... we can easily understood each other neighbor

Unregistered traffic end with all other traficc - which is in this example QoS_8_down with priority 8. ... see it on picture.
And all p2p I give priority 7 ... you can swich this in mangle all to 8 or vice versa , but im satisfy with this ... because this my machine which is "machine for all" is also have multiple job ... it is web server, mail server, ftp server,multiple news proxy server, torent box and I need torent turned all time ... for seeding job.
So point is that I also using and need torent protocol ... torent is very usefull ... not only for pirated material but for legal staff ... linux,even mikrotik im downloading with torent

Other thing with frekvencies and wireless is litle different ... for now I have 1 routerboard also 433 but it is acting like any other AP - just bridge and only 2,4 ... here Im in mangle I was marking traffic with forward chain ... and start to testing with only layer7 mangling ... but this is incomplete ... because no need for that for now ... there is only few users and small trafic... and I have no time for that ... and test is usefull only when you have node with full utilization - which my node isnt.
Well best thing is to test this example in live ... then start different type of download and you will see in winbox how rate is changed ... youtube (which is problematic for me -they have lot of IP adresses),rapidshare , then try to download full linux cd via http of ftp ... and in same time browsing web --- and you will se that is working ... also (Im not gamer but my kids somethimes complain to me ) try some ping test ...
Also I was forget that you need to add addres list for youtube and rapidshare. These list you can find here in forum in some old post. Like I say these "my version" QOS is adaptation from this forum and wiki examples.
And when trafic is not high why do not alow torents that run in full speed ? when somebody start web or other trafic which is more important then torents automaticaly get in slower speed .
Isn this beautifull ?
For now like I say ... only thing is that RB433 going to high cpu ... (this is time then kids complaining) and I will change this RB with x86 .
With 5 ghz I did not testing anything for now ... but Im think that the princip is same all is nianse "like Đorđe Balašević says"
Well now im notice that we are neigbours

but we must act by the rules ... says - alowed languge is english!

mves · Sat Feb 05, 2011 1:56 am

Main routers (RB800, RB433AH, x86) are connected in triangle and input links are from two different ISP's. When one link is down, everything is switched to another. Same with routers. But from that 3, links spread to another routers. Links between are 5 ghz. There are also option for users to use 2.4 or 5 ghz system. So, on 30 active routers testing is a bit limited. Using torrents on 5 ghz, OK, no problem. Qos will solve all problems... but on 2.4 over a day??? Not even a qos could help it

It would be ALL P2P. I've seen a logs. Approx 80% of users tried to start torrent over a day and at least 50% will stubbornly have it running even if their and internet connection of other users would suffer because of it. Kids want to get their porn movie and nothing can stop them for trying. In overcrowded 2.4 Ghz channels that is really a problem. Constant channel change is a regular routine to fix a bad pings. And that's why, p2p is blocked over a day on 2.4 Ghz. So at least that problem is mostly solved. On the other hand, if you want p2p... well... €, $, £ (or what ever you have) and get connected on 5 Ghz. Simple as that. Also, get higher bandwidth on 5 Ghz, no problem, €, $, £ (or what ever you have) and you got it. You want high speed like 10 mbit, personal link, €, $, £ (or what ever you have) and you got it. P2P on 2.4 Ghz over a day time, no, you can't have it

bax · Sat Feb 05, 2011 10:26 am

Thanks mves ... nice advice.
But did you try in wirelles part (2.4 ghz) to change to some fixed slower rate ?
It may be helpfull .
Unfortunately I havenot so loaded node to test by myself.

mves · Sat Feb 05, 2011 12:55 pm

Thanks mves ... nice advice.
But did you try in wirelles part (2.4 ghz) to change to some fixed slower rate ?
It may be helpfull .
Unfortunately I havenot so loaded node to test by myself.

To cut down download speed on torrent usage? That's even worst than just simply block them. It could do for a few days but then users would figure that out and you'd had a bunch of angry mob on your back. Let's take for compare action of some world wide ISP's and their throttling speed on p2p and other downloads... People got furious because they pay for certain download rate (often quite expensive) and they found out that their download rate is useless or you have it at least on a long period contract because they can use it only for browsing web and downloading e-mail

And like i said, bandwidth is not an issue. Customers did call and complaining that their p2p is down but then when they got remained that it's off limit during a day, they simply said ok. But on the other hand, when you cut someones bandwidth due to bad signal or some other malfunction, they are all over you screaming for repair crew asap. So, don't cut bandwidth if it's really not absolutely necessary.
I'll make an update of my ways of p2p blocking. Well, as soon as I figure how to get list of rules out of terminal window so it can be copy/paste

mves · Sat Feb 05, 2011 3:38 pm

Here's my full p2p blocking rules. This ones are striped from RB433 last point router. If it's not last point, you'll have to add interface on blocking segments to cut CPU usage and let the next router in a line take care of it's own set of users. There are 2 interfaces on this one (one set is striped) and CPU is at a moment at 10-15% depends of how many users are online and how many of them are trying to get P2P running. Make note that it's 10-249 IP range... Other IP's are reserved and they are avoided in logging so, set IP range for your needs. Rules are time limited and blocking P2P from 9 AM to 23:59 PM. So, users can use a P2P from midnight to 9 AM when there's much less users online. If by any chance some user got through and he don't get logged, add his IP manually under let's say Torrent all-p2p list in address list and problem solved. In addition to the rules, don't forget to add game ports of a games that are used at your network. Also, this is ONLY for bittorrent. It's not covering other P2P client protocols but since bittorrent are most commonly used, it's mostly enough to block only bittorrent.

/ip firewall layer7-protocol

add comment="" name=BITTORRENT_ANNOUNCE regexp=^get.+announce.

add comment="" name=BITTORENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|\
    get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/\
    |GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]\\r\\n"


/ip firewall filter

add action=accept chain=forward comment=\
    "Online games - CS, COD, Steam server (UDP)" disabled=no dst-port=\
    27000-27050,28960 protocol=udp

add action=accept chain=forward comment=\
    "Online games - CS, COD, Steam server (TCP)" disabled=no dst-port=\
    27000-27050,28960 protocol=tcp

add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
    1h30m chain=forward comment=" ______Bittorent_____" disabled=no \
    layer7-protocol=BITTORENT src-address=192.168.xx.10-192.168.xx.249 time=\
    9h-23h55m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no layer7-protocol=\
    BITTORENT reject-with=icmp-network-unreachable time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=add-src-to-address-list address-list="Torrent Announce" \
    address-list-timeout=1h30m chain=forward comment=______Announce____ \
    disabled=no layer7-protocol=BITTORRENT_ANNOUNCE src-address=\
    192.168.xx.10-192.168.xx.249 time=9h-23h55m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no layer7-protocol=\
    BITTORRENT_ANNOUNCE reject-with=icmp-network-unreachable time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=add-src-to-address-list address-list="Torrent udp" \
    address-list-timeout=1h30m chain=forward comment="____6881-6999 udp___" \
    disabled=no dst-port=6881-6999 protocol=udp src-address=\
    192.168.xx.10-192.168.xx.249 time=9h-23h55m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=6881-6999 \
    protocol=udp reject-with=icmp-network-unreachable time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=add-src-to-address-list address-list="Torrent tcp" \
    address-list-timeout=1h30m chain=forward comment="____6881-6999 tcp___" \
    disabled=no dst-port=6881-6999 protocol=tcp src-address=\
    192.168.xx.10-192.168.xx.249 time=9h-23h55m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=6881-6999 \
    protocol=tcp reject-with=icmp-network-unreachable time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=add-src-to-address-list address-list="Torrent all-p2p" \
    address-list-timeout=1h30m chain=forward comment=\
    __________All-p2p__________ disabled=no p2p=all-p2p src-address=\
    192.168.xx.10-192.168.xx.249 time=9h-23h55m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no p2p=all-p2p \
    reject-with=icmp-network-unreachable time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="Torrent cleaning" disabled=no \
    dst-port=10000-65500 protocol=tcp reject-with=icmp-network-unreachable \
    src-address-list=Torrent src-port=10000-65500 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=udp reject-with=icmp-network-unreachable src-address-list=\
    Torrent src-port=10000-65500 time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent Announce" src-port=10000-65500 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=udp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent Announce" src-port=10000-65500 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent udp" src-port=10000-65500 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=udp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent udp" src-port=10000-65500 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent tcp" src-port=10000-65500 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=udp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent tcp" src-port=10000-65500 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    Torrent src-port=1000-5000 time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent Announce" src-port=1000-5000 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent udp" src-port=1000-5000 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent tcp" src-port=1000-5000 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent all-p2p" src-port=1000-5000 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat

Also, I used reject instead of drop. Test to see which option would do better at given situation since i think that reject can raise CPU usage. Routers are also set to reboot at 9 AM to clean up P2P connections.

I'm opened to every suggestion to raise efficiency of this without speed throttling or additional excessive CPU usage.

bax · Sat Feb 05, 2011 5:11 pm

To cut down download speed on torrent usage?

In my example I was just cut out bandwith on my news server.
And in same way you can cot out p2p - which I dont do - I also need p2p ...

I'll make an update of my ways of p2p blocking. Well, as soon as I figure how to get list of rules out of terminal window so it can be copy/paste

happy to fight windmills

mves · Sat Feb 05, 2011 5:34 pm

happy to fight windmills

So far... windmills are loosing. This don Quijote won this battle. Windmills get heavy defeat so I guess it will take some time for them to get recovered. War however is not over, but this battle is

TKITFrank · Sat Feb 05, 2011 9:07 pm

happy to fight windmills

My Windmills have been loosing for more then a year

As I have stated before it's a ongoing battle but right now I am winning it!

bax · Sat Feb 05, 2011 9:35 pm

I'm glad to hear that you are successful!

Sorry obviously you do not have smart users in your network.
If I were your customer, for 5 minutes would bypass your block.
Here's last attempt at persuasion:
My torrent client switch to TCP port 80 strictly tcp ,then buy a USB stick on any GSM provider (which is expensive) redirect DNS queries to the provider's expensive (I do not care what is expensive bandwith because the DNS traffic not using lot of bandwidth), and as the gateway to keep your network and take off over your network torent with full speed.
For us to say "you can put salt on my tail. "
Very quickly your network was dead ... would be no surf.
So point is that you always can win batlle but not the war!
Guys just think ... if you give users some service and block others they will be turn your client to that alowed port , and todays software will find this open port automaticaly and adopt setings on fly.
Aborting any further assurances and be happy to continue to fight!

TKITFrank · Sat Feb 05, 2011 9:58 pm

Hi Bax,

The TCP port 80 will not work in my setup but using a GSM stick and policy redirect DNS traffic to them would work.
I guess a work around would be to block the IP of those DNS entries in the firewall as well. If unless they will use the GSM/3G for the DHT and other UDP traffic.

I will look in to the UDP packets to see if I can write a L7 for them.
I am not cute sure how bittorrent will react if the DHT requests come from one IP and they try to connect to the clients on an other. Have you tried this your selfs?

My users are about 500 students with laptops.
I think this (redirecting DNS traffic to a GSM/3G provider) is above there level.
So for me that is a good thing

Are you a ISP or do you work for a government like I do?

bax · Sat Feb 05, 2011 10:18 pm

Im amater and this job is for me just some kind of hoby (im working another job) ... so Im really some kind of "power user" ... all my knowledge is selfmade with lot of reading in my free time.
Im also have big fight with some kind of "hackers" which are stolen few times username and paswords from my paying hotspot customers ... and I was the winner

succesufully rejected this malicious users from my network ( open network - eyerybody can connect), and protecting my paying customers and just apologize for problems and give hime new password

So these systems which you try to acomplish is realy easy to breaktrough , no mater on which platform ,it may be cisco or any other brand hardware firewall ...
You just wasting time ... my primer is the best ... let user use p2p, but put these traffic in lower priority and everything is fine.

mves · Sat Feb 05, 2011 11:20 pm

I'm not worry about a smart guys... they are smart enough to use a p2p and stay low to avoid detection. But as all of you know, every torrent client leaves behind a nice trace in used ports and constant upload so you'll get caught eventually.
And considering dual ISP, you would had to place that usb stick to be your main internet connection and place non-default connection for incoming traffic. I know about that. With that way, you can download p2p from both internet connections simultaneously. That's not always work as it should be because Kaspersky for some reason activate firewall and kills tracker leaving no traces of that action.

bax · Sat Feb 05, 2011 11:32 pm

It is very easy in every operating system manually set IP address, DNS and gateway or specific route ...
Other people smarter than me have given you the same advice and you do not want to hear.
Friends, I give up give up further discussion ... do as you wish.

mves · Sat Feb 05, 2011 11:57 pm

Of course that it's easy for us... not for average user

So in that case, why does music, software and games manufacturers placing copy protection on their disks when it can be overridden? Quite easily however, but that protection can stop novice and most of the average folks which actually makes majority. It's not meant to stop advanced user because that would be quite expensive. And like I said, 90% of p2p cut is quite enough. And in addition, I'm not the only one supervising that network

I'm not saying that qos is not excellent solution. It actually is but p2p block will be active as long as it works. When it becomes totally useless, qos will be on a menu.

NetworkPro · Mon Feb 07, 2011 2:52 am

I managed to put some rules together and I came up with this:

Basicly these rules should allow only a portion of the packets to inspected with Layer 7 there fore saving CPU on the router.

/ip firewall mangle
add action=mark-connection chain=prerouting layer7-protocol=BITTORRENT new-connection-mark=p2p passthrough=yes protocol=tcp src-address-list=p2p_user

add action=mark-connection chain=prerouting connection-state=new layer7-protocol=BITTORRENT new-connection-mark=p2p passthrough=yes protocol=udp src-address-list=p2p_user

add action=mark-connection chain=prerouting layer7-protocol=BITTORRENT_ANNOUNCE new-connection-mark=p2pa passthrough=yes protocol=tcp src-address-list=HotSpot dst-address-list=!p2p_announcers

add action=add-dst-to-address-list address-list=p2p_announcers chain=prerouting connection-mark=p2pa src-address-list=HotSpot

add action=add-src-to-address-list address-list=p2p_user chain=prerouting connection-state=new dst-address-list=p2p_announcers src-address-list=HotSpot

/ip firewall filter
add action=drop chain=forward comment="Drop p2p" connection-mark=p2p
add action=drop chain=forward dst-address-list=p2p_announcers src-address-list=HotSpot

I also put in the DNS 127.0.0.1 entries by TKITFrank

I am shure these rules have holes.
I am also doing this:

/ip proxy access
add action=deny disabled=no path=*.torrent

What do you guys think?

Can you come up with ways to minimize CPU usage?

Thanks to fewi for his following post.

fewi · Mon Feb 07, 2011 2:59 am

There's no need to limit to the first 0-6666 bytes. L7 inspection is limited to the first 10 packets or 2000 bytes. From the manual:

L7 matcher is collecting first 10 packets of connection or first 2KB of connection and searches for pattern in collected data. If pattern is not found in collected data, matcher is not inspecting further. Allocated memory is freed and protocol is considered as unknown. You should take into account that a lot of connections will significantly increase memory usage. To avoid it add regular firewall matchers to reduce amount of data passed to layer-7 filters.

Benygh · Mon Feb 07, 2011 2:50 pm

sorry for asking such a stupid question but how to put all of this commands together ? should i type all of this ?! SSH and TELNET does not support PASTE function as far as i know.

P.S: i want to block P2P for my PPTP Clients, should it be gone the same way we go for PPPOE ?!

NetworkPro · Tue Feb 08, 2011 7:12 am

Why block if they are paying ? Upgrade your network and let them download

Benygh · Tue Feb 08, 2011 8:53 am

Why block if they are paying ? Upgrade your network and let them download

its counted as an abuse for our ip addresses, so we have to prevent that.

NetworkPro · Tue Feb 08, 2011 11:27 am

Who said it's an abuse?

IP addresses serve people, not the other way around

111111 · Tue Feb 08, 2011 1:10 pm

Why block if they are paying ? Upgrade your network and let them download
its counted as an abuse for our ip addresses, so we have to prevent that.

Are you a cop and government in same time?
Don't be please.
Invest in network, not in stupidity to make a client to leave your service.

But for admins of office networks ... aren't they give port by exception and anything else blocked

Possibly is more important Mikrotik team to add a option connections limit

TKITFrank · Tue Feb 08, 2011 2:47 pm

Why block if they are paying ? Upgrade your network and let them download
its counted as an abuse for our ip addresses, so we have to prevent that.
Are you a cop and government in same time?
Don't be please.
Invest in network, not in stupidity to make a client to leave your service.

But for admins of office networks ... aren't they give port by exception and anything else blocked

Possibly is more important Mikrotik team to add a option connections limit

In out government we have one firewall for the "normal" users and one for the students and schools. And they want all ports open (except 25,135-139TCP/UDP 445).. No way in hell am I going to open that in our main firewall. Thats why my RB1000 came to be

It's a whole other matter for an ISP... sometimes it is good to work for a government

mves · Thu Feb 10, 2011 3:55 am

sorry for asking such a stupid question but how to put all of this commands together ? should i type all of this ?! SSH and TELNET does not support PASTE function as far as i know.

Not? I used once a command promt and telnet from windows xp to connect to the router where I accidentally killed winbox access for myself. Copy/paste worked... I mean cmd promt way (edit => mark => (select) Enter, edit => paste) if you were referring to this.

Why block if they are paying ? Upgrade your network and let them download

Oh... well, they have to be more generous to have p2p allowed 24/7. You see, many of them want to have a cheap equipment, cheap internet and all benefits of the internet. To have p2p over a day on 2.4 Ghz... no way

Like I said before... €, $, £ (or what ever you have) and get connected on 5 Ghz and you'll have allowed p2p all the time

Benygh · Fri Feb 11, 2011 8:04 am

if u are working with datacenters u would know that downloading torrent, sending spam is counted as an abuse and they will grant a payment for this abuse which is nearly 15$ for each one !

i dont have any problem with the traffic because i have 1Gbps port connected to the server but i cant enforce their law which encludes not downloading the torrent !!!!

got it ?!

i think there is no absolute answer for p2p ...

i wonder if it can identify the connections why it can not drop or reject them ?!

CCDKP · Fri Feb 11, 2011 7:31 pm

Hi, I thing you are on to something here Please let us know how this is working.
I would however skip the static ports for torrents and go with the all-p2p and the L7 filter to add them in a address list. To me static ports is to unreliable. The 450G is pretty fast and you can run it @800Mhz? Have you tried it @ that speed and seen how much it uses the CPU?
Anyhow as I said before let us know how it is working.

I have the first revision up and running and in-place, and it is working fantastically. The only false positive I have found is simply having uTorrent/bittorrent/Vuze open and not actively downloading something will still trip the filter, due to the active participation in uTP/DHT even when idle. The forthcoming hotspot page will explain this to the users. Keep in mind that this is targeted at a wireless hotspot & student internet access at a local community college, so we can be a bit more aggressive than, say, an ISP.

The stock RB450G is performing surprisingly well under heavy load. We can successfully push 30 Mbit of traffic through the filters without capping the processor, although, since we implemented this, the average utilization during peak fell from 30 Mbit to maybe 7 Mbit. For what it's worth, I did notice a fairly significant drop in CPU utilization when I upgraded from 4.16 to 5.0rc7.

Address lists:
I use three address lists for the setup:
Whitelist - bypasses P2P filtering & bandwidth limiting. Manually added. I add all router interface IP's to this just to be safe.
Blacklist - Dynamically created list of offenders.
Greylist - blocks known P2P traffic, but bypasses bandwidth limitations. Designed for a group behind a NAT router so that a single user couldn't ruin the bandwidth for everyone.

DNS:
Capture all DNS traffic & redirect P2P uTP/DHT connections to a bogon IP address.
I noticed router.bittorrent.com is used now, but was not included on previous lists posted here.

/ip firewall nat
add action=redirect chain=dstnat comment="Capture DNS" disabled=no dst-port=53 protocol=udp src-address-list=!whitelist to-ports=53
add action=redirect chain=dstnat comment="Capture DNS" disabled=no dst-port=53 protocol=tcp src-address-list=!whitelist to-ports=53


/ip dns static
add address=203.0.113.111 disabled=no name=router.utorrent.com ttl=1d
add address=203.0.113.111 disabled=no name=dht.vuze.com ttl=1d
add address=203.0.113.111 disabled=no name=vrpc.vuze.com ttl=1d
add address=203.0.113.111 disabled=no name=vzrpx020.vuze.com ttl=1d
add address=203.0.113.111 disabled=no name=vzapp020.vuze.com ttl=1d
add address=203.0.113.111 disabled=no name=client.vuze.com ttl=1d
add address=203.0.113.111 disabled=no name=mirror-user1.bitcomet.org ttl=1d
add address=203.0.113.111 disabled=no name=ip.bitcomet.org ttl=1d
add address=203.0.113.111 disabled=no name=jp.bitcomet.com ttl=1d
add address=203.0.113.111 disabled=no name=torrent-cache.bitcomet.org ttl=1d
add address=203.0.113.111 disabled=no name=inside.bitcomet.com ttl=1d
add address=203.0.113.111 disabled=no name=router.bitcomet.net ttl=1d
add address=203.0.113.111 disabled=no name=router.bittorrent.com ttl=1d

Firewall Rules:
Offenders are added to the blacklist for 45 minutes (since periods are ~50 minutes), the DNS tracking seems to flag uTorrent every 30 min, keeping offenders on, while limiting the damage to any potential false positives (although I have yet to see any).

/ip firewall layer7-protocol
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"

/ip firewall filter
add action=jump chain=forward comment="P2P-All detection" disabled=no jump-target=p2p_chain p2p=all-p2p
add action=jump chain=forward comment="P2P DNS block hit" disabled=no dst-address=203.0.113.111 jump-target=p2p_chain
add action=jump chain=forward comment=Bittorrent disabled=no jump-target=p2p_chain layer7-protocol=BITTORRENT
add action=log chain=p2p_chain comment="P2P Debug" disabled=yes log-prefix=P2P-Debug
add action=accept chain=p2p_chain comment="Whitelist Bypass" disabled=no src-address-list=whitelist
add action=accept chain=p2p_chain comment="Whitelist Bypass" disabled=no dst-address-list=whitelist
add action=jump chain=p2p_chain comment="Greylist Src: bypass log, just drop" disabled=no jump-target=p2p_block src-address-list=greylist
add action=jump chain=p2p_chain comment="Greylist Dst: bypass log, just drop" disabled=no dst-address-list=greylist jump-target=p2p_block
add action=log chain=p2p_chain disabled=no dst-address-list=!blacklist log-prefix=P2P-Detection-New src-address-list=!blacklist
add action=add-src-to-address-list address-list=blacklist address-list-timeout=45m chain=p2p_chain comment="Blacklist P2P upload" disabled=no src-address=<LAN SUBNET>
add action=add-dst-to-address-list address-list=blacklist address-list-timeout=45m chain=p2p_chain comment="Blacklist P2P download" disabled=no dst-address=<LAN SUBNET>
add action=jump chain=p2p_chain comment="Jump Block" disabled=no jump-target=p2p_block
add action=drop chain=p2p_block comment="Drop P2P" disabled=no

QoS:
Total line is 30Mb/2Mb
whitelist IP's are unrestricted
Individual students are limited to 8Mb/256kb, as a whole the student group consumes no more than 25Mb/1.5Mb
Blacklisted IP's are limited to 29k/14k. Just enough to make web browsing possible, but painful.

For the mangle, I opted to just directly mark packets. I have not found a cleaner way since the connection marking method flags both upload and download, and I have very few entries in whitelist/blacklist (well, hopefully). If anyone knows of a more efficient method for doing this, I would love to hear about it.

/queue type
add kind=pcq name=whitelist_queue_upload pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=10 pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=200
add kind=pcq name=whitelist_queue_download pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=10 pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=200
add kind=pcq name=blacklist_queue_upload pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=10 pcq-rate=14k pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=200
add kind=pcq name=blacklist_queue_download pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=10 pcq-rate=29k pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=200
add kind=pcq name=student_queue_upload pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=256k pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000
add kind=pcq name=student_queue_download pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=8M pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=2M name=upload_root parent=global-out priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=30M name=download_root parent=global-out priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=download_whitelist_leaf packet-mark=whitelist_download_packet parent=download_root priority=4 queue=whitelist_queue_download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=0 name=upload_whitelist_leaf packet-mark=whitelist_upload_packet parent=upload_root priority=4 queue=whitelist_queue_upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=25M name=download_student_leaf packet-mark=student_download_packet parent=download_root priority=5 queue=student_queue_download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=1500k name=upload_student_leaf packet-mark=student_upload_packet parent=upload_root priority=5 queue=student_queue_upload
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=1M name=download_blacklist_leaf packet-mark=blacklist_download_packet parent=download_root priority=8 queue=blacklist_queue_download
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=128k name=upload_blacklist_leaf packet-mark=blacklist_upload_packet parent=upload_root priority=8 queue=blacklist_queue_upload

/ip firewall mangle
add action=mark-packet chain=postrouting comment="Whitelist Download" disabled=no dst-address-list=whitelist new-packet-mark=whitelist_download_packet passthrough=no
add action=mark-packet chain=postrouting comment="Whitelist Upload" disabled=no new-packet-mark=whitelist_upload_packet passthrough=no src-address-list=whitelist
add action=mark-packet chain=postrouting comment="Greylist Upload (whitelist queue)" disabled=no new-packet-mark=whitelist_upload_packet passthrough=no src-address-list=greylist
add action=mark-packet chain=postrouting comment="Greylist Download (whitelist queue)" disabled=no dst-address-list=greylist new-packet-mark=whitelist_download_packet passthrough=no
add action=mark-packet chain=postrouting comment="Blacklist Download" disabled=no dst-address-list=blacklist new-packet-mark=blacklist_download_packet passthrough=no
add action=mark-packet chain=postrouting comment="Blacklist Upload" disabled=no new-packet-mark=blacklist_upload_packet passthrough=no src-address-list=blacklist
add action=mark-packet chain=postrouting comment="Student Upload" disabled=no new-packet-mark=student_upload_packet out-interface=ether1-WAN passthrough=no
add action=mark-packet chain=postrouting comment="Student Download" disabled=no new-packet-mark=student_download_packet passthrough=no

Future plans:
My first project going forward is to get a captive portal with Terms of Service working. Beyond that, I would like to look at applying QoS traffic prioritization for content, although I do not know how much this will impact CPU utilization. Given the drop in traffic I am seeing after disabling P2P, this is no longer as necessary as it once might have been.

If anyone has any feedback on this I would love to hear it. I am still learning RouterOS, so I'm sure there are better ways to implement some of this. Otherwise, I hope it helps and will keep you posted as I move forward on it.

CC_DKP

*EDIT: 2011.03.23 - Changed DNS capture code to use "redirect"
*EDIT: 2011.06.17 - Changed to reflect updated Bittorrent L7 filter

Mon Feb 14, 2011 9:47 am

if u are working with datacenters u would know that downloading torrent, sending spam is counted as an abuse and they will grant a payment for this abuse which is nearly 15$ for each one !

torrent technology is nothing illegal in itself. we offer RouterOS downloads via torrent, and many companies do the same.

mves · Mon Feb 14, 2011 3:49 pm

Hi...

@CCDKP

Can you use a p2p block on a QoS stage and get traffic get dropped by PCQ setting on let's say source port classification? So let's say, everything that uses more that 10 connections per source port in a current queue? So, will it work that way?

Also,

/ip firewall nat
add action=dst-nat chain=dstnat comment="Capture DNS" disabled=no dst-address=!<ROUTER LAN IP> dst-port=53 protocol=tcp src-address-list=!whitelist to-addresses=<ROUTER LAN IP>
add action=dst-nat chain=dstnat comment="Capture DNS" disabled=no dst-address=!<ROUTER LAN IP> dst-port=53 protocol=udp src-address-list=!whitelist to-addresses=<ROUTER LAN IP>

/ip firewall filter
add action=jump chain=forward comment="P2P DNS block hit" disabled=no dst-address=203.0.113.111 jump-target=p2p_chain

And, how to get dns static on/off through a scheduler? Or I'll have to only get "P2P DNS block hit" time limited to allow p2p over allowed time? Also, IP firewall nat setting, I can simply add interface or tracking IP range instead of "!whitelist", right? And can you explain to me what ip firewall nat code do... I'm a bit lost on that one

CCDKP · Mon Feb 14, 2011 7:26 pm

Can you use a p2p block on a QoS stage and get traffic get dropped by PCQ setting on let's say source port classification? So let's say, everything that uses more that 10 connections per source port in a current queue? So, will it work that way?

The QoS stage can not "drop" traffic directly, it can only slow it down. The problem with tracking by source-port is that in an RFC compliant NAT router, each person behind it typically has all their traffic come out a single port. If someone were running a NAT router on their own, inside your network, you would end up totally blocking individuals.

Also,
Code: Select all
/ip firewall nat
add action=dst-nat chain=dstnat comment="Capture DNS" disabled=no dst-address=!<ROUTER LAN IP> dst-port=53 protocol=tcp src-address-list=!whitelist to-addresses=<ROUTER LAN IP>
add action=dst-nat chain=dstnat comment="Capture DNS" disabled=no dst-address=!<ROUTER LAN IP> dst-port=53 protocol=udp src-address-list=!whitelist to-addresses=<ROUTER LAN IP>

/ip firewall filter
add action=jump chain=forward comment="P2P DNS block hit" disabled=no dst-address=203.0.113.111 jump-target=p2p_chain
And, how to get dns static on/off through a scheduler? Or I'll have to only get "P2P DNS block hit" time limited to allow p2p over allowed time? Also, IP firewall nat setting, I can simply add interface or tracking IP range instead of "!whitelist", right? And can you explain to me what ip firewall nat code do... I'm a bit lost on that one

The NAT code redirects all TCP and UDP traffic destined for port 53 (DNS) to the local router. This prevents users from simply setting a static DNS and bypassing your DNS control.

Scheduling should be simple enough with a couple of scripts. Set the "enable" script to create all the static DNS entries mentioned above, then flush the DNS cache. Then create a "disable" script that deletes the static entries and flushes the cache again. The NAT rules and the "P2P DNS block hit" rules could be left in place.

By default, static DNS entries have a 24hour TTL. To prevent client-side caching from causing trouble, I would suggest setting them for a maybe a 15 minute TTL instead.

Hope that gets you headed in the right direction.
@CC_DKP

mves · Tue Feb 15, 2011 5:08 pm

The NAT code redirects all TCP and UDP traffic destined for port 53 (DNS) to the local router. This prevents users from simply setting a static DNS and bypassing your DNS control.

Hmmm... let's see if I'm getting this right. On my network there are 4 DNS entries used. 2 internal most commonly used and other two are openDNS. Will this affect those users?

Scheduling should be simple enough with a couple of scripts. Set the "enable" script to create all the static DNS entries mentioned above, then flush the DNS cache. Then create a "disable" script that deletes the static entries and flushes the cache again. The NAT rules and the "P2P DNS block hit" rules could be left in place.

Maybe, but my mikrotik scripting stopped on scheduled reboot routers and emergency mass bandwidth change for users so I guess that I have no idea where to start on that one

A little bit help would be most welcome. It would be nice if someone could give me an example on how to set that entries.

By default, static DNS entries have a 24hour TTL. To prevent client-side caching from causing trouble, I would suggest setting them for a maybe a 15 minute TTL instead.

Perhaps this caused internet blackout on some routers on a last attempt for implementing static DNS entries. Well, maybe in this case even 30 seconds or less could do a trick since it needs only to block attempt, right? Beside, all of them would end up on a p2p user list for some time.

CCDKP, thanks for your help

CCDKP · Thu Feb 17, 2011 12:34 am

Hmmm... let's see if I'm getting this right. On my network there are 4 DNS entries used. 2 internal most commonly used and other two are openDNS. Will this affect those users?

Enabling the DNS redirection would prevent customers from directly using OpenDNS. If you just wanted the basic OpenDNS spyware filtering and not any of the advanced content filters, (or if you are running a hotspot like myself and want to use OpenDNS as a method for additional content filtering), then you can simply point the RouterOS's DNS server to the OpenDNS servers and use them.

If your users need to be allowed to freely use any DNS server of their choosing, it should be possible to create a L7 rule matching the DNS querys we are doing the capturing for and redirecting just those packets to our DNS server. That is a little outside my scope (as I am horrible with regex) but someone here should be able to help you. This would introduce a bit more load on the system, however, so you would need some decent hardware to do this on.

As for automating this, I looked into the scheduler and I think I have a workable solution.
Add the DNS entries as before, but change the TTL=1d to TTL=5m, then run /ip dns static print and note down all the # for the DNS entries you want to control. In my example, they are 0-12, since they are the only entries in this test box.
Adjust the time and and DNS entry numbers to fit your deployment:

/system scheduler add name=Enable_P2P_DNS_Filter interval=24h start-time=7:00:00 \
 on-event="/ip dns static enable 0,1,2,3,4,5,6,7,8,9,10,11,12; /ip dns cache flush" 
/system scheduler add name=Disable_P2P_DNS_Filter interval=24h start-time=7:00:00 \
 on-event="/ip dns static disable 0,1,2,3,4,5,6,7,8,9,10,11,12; /ip dns cache flush"

That should just about do it.
@CC_DKP

mves · Thu Feb 17, 2011 2:54 pm

Well, I've been busy on trying to run dns entries like that last time an failed so I came up on this (with a little help however) and another script that flushing cache every hour. I figure it out now how it's work

:foreach i in [/ip dns static find] do={
  /ip dns static disable $i
}

Also, that DNS list are quite outdated. There are also 1337.org, pow7.com, torrentz.com, istole.it and some others. Just look at a common tracker list in a torrent from piratebay for example. But that brings me to a huge problem. I can use a DNS entries combined with nat rule only on 2 main routers routers with ISP links. There are set DNS entries. On other routers that attempt causing internet blackout probably because there are no DNS entries. But I can't just add those rules on every interface because 5 Ghz and business side customers needs to be out of p2p blocking. It would need to redefine settings on entire network in order to use DNS entries if that is the issue. Plus, if I even think to lock usage to most commonly used dns entries (that's 4) it would required upgrade from 3.30 OS that is on few routers and so far, that routers worked fine for a very long time and it's kind of hard to change something that is tested and work

add address=203.0.113.111 disabled=no name=dht.vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=vrpc.vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=vzrpx020.vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=vzapp020.vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=client.vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=ip.bitcomet.org ttl=15m
add address=203.0.113.111 disabled=no name=jp.bitcomet.org ttl=15m
add address=203.0.113.111 disabled=no name=torrent-cache.bitcomet.org ttl=15m
add address=203.0.113.111 disabled=no name=inside.bitcomet.com ttl=15m
add address=203.0.113.111 disabled=no name=router.bitcomet.net ttl=15m
add address=203.0.113.111 disabled=no name=router.bittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=router.utorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=tracker.publicbt.com ttl=15m
add address=203.0.113.111 disabled=no name=utorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=ns1.utorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=ns2.utorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=ns3.utorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=istole.it ttl=15m
add address=203.0.113.111 disabled=no name=thepiratebay.org ttl=15m
add address=203.0.113.111 disabled=no name=1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=mininova.org ttl=15m
add address=203.0.113.111 disabled=no name=bittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=publicbt.com ttl=15m
add address=203.0.113.111 disabled=no name=openbittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=pow7.com ttl=15m
add address=203.0.113.111 disabled=no name=vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=bitcomet.com ttl=15m
add address=203.0.113.111 disabled=no name=llnwd.net ttl=15m
add address=203.0.113.111 disabled=no name=ns1.1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=ns2.1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=genesis.1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=exodus.1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=nemesis.1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=tracker.openbittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=bittorrent.vo.llnwd.net ttl=15m
add address=203.0.113.111 disabled=no name=apps.bittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=10.rarbg.com ttl=15m
add address=203.0.113.111 disabled=no name=ns1.torrentz.com ttl=15m
add address=203.0.113.111 disabled=no name=ns2.torrentz.com ttl=15m
add address=203.0.113.111 disabled=no name=ns3.torrentz.com ttl=15m
add address=203.0.113.111 disabled=no name=ens-**bitcomet.com ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).pow7.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).vuze.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).publicbt.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).bitcomet.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).utorrent.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).bittorrent.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).bittorrent.org" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).1337x.org" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).thepiratebay.org" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).llnwd.net" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).mininova.org" ttl=15m

I came up with this but last entries seams that doesn't work. Does anyone know how to set this properly? Btw, ttl=15m is ok setting. I tried 15s but it did not do well.

CCDKP · Fri Feb 18, 2011 6:04 pm

Also, that DNS list are quite outdated. There are also 1337.org, pow7.com, torrentz.com, istole.it and some others. Just look at a common tracker list in a torrent from piratebay for example.

I believe you are missing the intention of the DNS blocking. The entries TKITFrank and I have listed are not torrent trackers. There are far too many trackers to block them via DNS (since almost anyone can run a tracker). Blocking of tracker activity is controlled by the L7 filters TKITFrank provided.

The DNS entries are there to block the DHT/uTP protocols from initializing. DHT/uTP are the "trackerless" protocols that bittorrent uses to establish communication when the trackers are unreachable. *Technically* DHT/uTP is not required as long as a tracker is available, since the client is able to seed these lists from peers it has located through a tracker.

HowYesNo · Mon Feb 28, 2011 2:40 am

@TKITFrank:

I done (I think) everything you said, about L7, DNS, mangle and filters... Think there is not so much things I can do wrong, but this just simple wont work! Actually, at Mangle I can see there count packets, at every of them, but when I make filter, there is no any packet caught!

And also about DNS what u were talking, what does this mean: "You will have to disable DNS query's outbound and only allow the DNS server in the Mikrotik."?

Thx in advance!
Regards,
Milan.

TKITFrank · Mon Feb 28, 2011 8:21 am

@HowYesNo

Port you config so we can see if there is something wrong.
Beside...
If I understand you correct the mangle rules work fine right?
Some things too look for.
1; Mark the packets in prerouting chain. Using L7 and the builtin p2p rulesets.
2; Set action to jump to p2p-chain
3; create a chain that is called p2p-chain.
4; set action to mark connection to p2p
5; In firewall filter create a rule under forward-chain and set connection mark to p2p. Action drop.
You have to mark all packets in mangle and send them to chain p2p-chain in mangle where you mark a connection as p2p.

Under Firewall filter you have to use the connection mark and drop packets on that chain. Be sure to use forward chain.

The "DNS thing"
You have do disable outbound dns queries or redirect them to use the mikrotik build in dns. I use the DHCP to set my mikrotik as default dns server. Then I block outbound dns queries.
There is no right or wrong do as you please. Perhaps redirect is more polite.
Make sure to add the entries that I posted before. Without this you can not block torrent traffic.

HowYesNo · Mon Feb 28, 2011 5:10 pm

Thx for answer!

Ok, here what I have done:

1) Made 2 L7 protocols that I copied from this thread (called them BITTORRENT and BITTORRENT_ANNOUNCE).

2) In mangle made 4 rules: 3 of them have same configurations... Chain - prerouting, action - jump, jump target - p2p-traffic. The first one has L7 - BITTORRENT, and the second BITTORRENT_ANNOUNCE. The third one has just P2P - all-p2p! (none of them dosent mark packets, should they, or something else? I should mark them and call like what?). I see u said there need to mark all that packets and send them to p2p-traffic chain and then there mark connection like p2p. So, if I am right, I should at those 3 rules set Packet Mark and call it ie p2p-packets.? 4th rule is made for marking connection, chain - p2p-traffic, action - mark connection, new connection mark - p2p (no any other changes made).

3) Filter rule made like this: chain - forward, connection mark - p2p, action - drop. Thats it.

4) Added those static DNS entries... But dunno how to make it work... Where should I set my primary dns disabled (or just make mikrotik be primary one) or what actually I should do, that is little unclear to me! If I disable that, would everyone be able surf the net at all?

Regards,
Milan.

TKITFrank · Mon Feb 28, 2011 8:20 pm

Thx for answer!

Ok, here what I have done:

1) Made 2 L7 protocols that I copied from this thread (called them BITTORRENT and BITTORRENT_ANNOUNCE).
OK

2) In mangle made 4 rules: 3 of them have same configurations... Chain - prerouting, action - jump, jump target - p2p-traffic. The first one has L7 - BITTORRENT, and the second BITTORRENT_ANNOUNCE. The third one has just P2P - all-p2p! (none of them dosent mark packets, should they, or something else? I should mark them and call like what?). I see u said there need to mark all that packets and send them to p2p-traffic chain and then there mark connection like p2p. So, if I am right, I should at those 3 rules set Packet Mark and call it ie p2p-packets.? 4th rule is made for marking connection, chain - p2p-traffic, action - mark connection, new connection mark - p2p (no any other changes made).
Sorry for my bad choice of words, Just make a rule in prerouting-chain where you use your L7 and the default rule for p2p and choose action jump and target p2p-chain. In the new chain called p2p-chain set action to new-connction mark and mark it to p2p.

3) Filter rule made like this: chain - forward, connection mark - p2p, action - drop. Thats it.
OK

4) Added those static DNS entries... But dunno how to make it work... Where should I set my primary dns disabled (or just make mikrotik be primary one) or what actually I should do, that is little unclear to me! If I disable that, would everyone be able surf the net at all?
Create a new rule in forward chain and set UDP/TCP protocol and dest port 53 (depending on server you might want to have source port 53 in a new rule as well) and set action to drop.
In the DNS server set primary and secondary server to you own DNS server or an ISP dns server and activate allow remote requests. Make sure only your own network can access it (The mikrotik). Announce this settings via DHCP or what ever you use
There settings should point to the mikrotik router as DNS server.

Regards,
Milan.

Hope this helps. The DNS settings are vital for this to work.

HowYesNo · Wed Mar 02, 2011 3:22 pm

I just dont know why my filter doesnt work... That doesnt have anything to do with DNS! Counter is 0 and mangle is counting! If it count packets and mark connection why then filter doesnt block those marked "p2p" connection packets? Tried to move the rule up and down, and still no changes!

About things commented above:

So rules in mangle that I made are good actually... 3 rules in prerouting chain and jump to p2p-traffic (two L7 and one default rule for p2p) and one rule in chain p2p-traffic that marks connection!

And about DNS I totaly do not understand how I should do that... Mb if u could tell me what should I do in winbox and where to go to do that. BTW I have configured DHCP on router!

TKITFrank · Wed Mar 02, 2011 3:37 pm

Hi,

Add this to your DNS
/ip dns static
add address=127.0.0.1 disabled=no name=router.utorrent.com ttl=1d
add address=127.0.0.1 disabled=no name=dht.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vrpc.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzrpx020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzapp020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=client.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=mirror-user1.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=ip.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=jp.bitcomet.com ttl=1d
add address=127.0.0.1 disabled=no name=torrent-cache.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=inside.bitcomet.com ttl=1d
add address=127.0.0.2 disabled=no name=router.bitcomet.net ttl=1d

Then post your config from firewall filter. From what I can understand your mangle rules work so perhaps its just some tiny thing in the firewall filter that is messing things up. I saw that you have tried different orders on the firewall rule.
Well anyhow I think a export of your firewall filter rules might just do the job. Please also include the mangle rules as well just in case.

How is you DNS configured btw? Do you use the DNS in the mikrotik for your clients?

HowYesNo · Fri Mar 04, 2011 9:02 pm

Hello,

Filter:
chain = forward
connection mark = p2p
action = drop

Yes I added those static DNS addresses! Just dont know what else I should do there...
I am kinda noob in mikrotik world, so I dunno where I can see how is DNS configured, actually, DNS which clients are using is not in mikrotik... That's the major thing cose I do not understand what to do...

robertfranz · Fri Mar 04, 2011 11:32 pm

if u are working with datacenters u would know that downloading torrent, sending spam is counted as an abuse and they will grant a payment for this abuse which is nearly 15$ for each one !
torrent technology is nothing illegal in itself. we offer RouterOS downloads via torrent, and many companies do the same.

He didn't say it was illegal.

He said it was a negative on his network due to conditions imposed upon him.

Most net admins have a requirement to exert due diligence in preventing users from engaging in infringing activities.

No one cares about your irrelevant bittorrent anecdote.

mves · Sat Mar 05, 2011 3:44 pm

Hi HowYesNo...

Don't worry, you'll soon figure the most things out. I've also spent lots of time figuring out what's wrong with dns entries since on some routers that killed internet completely. So, if internet works, it's most likely that you did it right. Also, I had to go without them on most of the routers since it takes lot's of base rules changing for my case and that is not on a working list for some time. TKITFrank and CCDKP have a good set of rules for blocking p2p but at a first it's hard to make them work or figure them out. Sorry guys, but we are noobs

Here's my set of rules... You don't need dns for them, yet, without dns settings dht will still pass and torrents will have access out so few connections will happen from time to time. Just copy them, log over telnet to your mikrotik and paste them.

(PART 1)

/ip firewall layer7-protocol

add comment="" name=BITTORRENT_ANNOUNCE regexp=^get.+announce.

add comment="" name=BITTORENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|\
    get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/\
    |GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]\\r\\n"


/ip firewall filter

add action=accept chain=forward comment=\
    "Online games - CS, COD, Steam server (UDP)" disabled=no dst-port=\
    27000-27050,28960 protocol=udp

add action=accept chain=forward comment=\
    "Online games - CS, COD, Steam server (TCP)" disabled=no dst-port=\
    27000-27050,28960 protocol=tcp

add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
    1h30m chain=forward comment=" ______Bittorent_____" disabled=no \
    layer7-protocol=BITTORENT

add action=reject chain=forward comment="" disabled=no layer7-protocol=\
    BITTORENT reject-with=icmp-network-unreachable

add action=add-src-to-address-list address-list="Torrent Announce" \
    address-list-timeout=1h30m chain=forward comment=______Announce____ \
    disabled=no layer7-protocol=BITTORRENT_ANNOUNCE

add action=reject chain=forward comment="" disabled=no layer7-protocol=\
    BITTORRENT_ANNOUNCE reject-with=icmp-network-unreachable

add action=add-src-to-address-list address-list="Torrent udp" \
    address-list-timeout=1h30m chain=forward comment="____6881-6999 udp___" \
    disabled=no dst-port=6881-6999 protocol=udp

add action=reject chain=forward comment="" disabled=no dst-port=6881-6999 \
    protocol=udp reject-with=icmp-network-unreachable

add action=add-src-to-address-list address-list="Torrent tcp" \
    address-list-timeout=1h30m chain=forward comment="____6881-6999 tcp___" \
    disabled=no dst-port=6881-6999 protocol=tcp

add action=reject chain=forward comment="" disabled=no dst-port=6881-6999 \
    protocol=tcp reject-with=icmp-network-unreachable

add action=add-src-to-address-list address-list="Torrent all-p2p" \
    address-list-timeout=1h30m chain=forward comment=\
    __________All-p2p__________ disabled=no p2p=all-p2p

add action=reject chain=forward comment="" disabled=no p2p=all-p2p \
    reject-with=icmp-network-unreachable

add action=drop chain=forward comment=_____1337_____ disabled=no dst-port=\
    1337 protocol=udp 

add action=drop chain=forward comment="" disabled=no dst-port=1337 \
    protocol=tcp

add action=reject chain=forward comment="Torrent cleaning" disabled=no \
    dst-port=10000-65500 protocol=tcp reject-with=icmp-network-unreachable \
    src-address-list=Torrent src-port=10000-65500

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=udp reject-with=icmp-network-unreachable src-address-list=\
    Torrent src-port=10000-65500

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent Announce" src-port=10000-65500

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=udp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent Announce" src-port=10000-65500

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent udp" src-port=10000-65500

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=udp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent udp" src-port=10000-65500

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent tcp" src-port=10000-65500

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=udp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent tcp" src-port=10000-65500

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent all-p2p" src-port=10000-65500

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=udp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent all-p2p" src-port=10000-65500

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    Torrent src-port=1000-5000

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent Announce" src-port=1000-5000

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent udp" src-port=1000-5000

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent tcp" src-port=1000-5000

add action=reject chain=forward comment="" disabled=no dst-port=10000-65500 \
    protocol=tcp reject-with=icmp-network-unreachable src-address-list=\
    "Torrent all-p2p" src-port=1000-5000

On this part... TKITFrank and CCDKP would probably said that I missed the subject and reason for DNS entries. Perhaps I did, but this works for me where ever it's active... sorry guys, I'm still a noob

(PART 2)

add address=203.0.113.111 disabled=no name=dht.vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=vrpc.vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=vzrpx020.vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=vzapp020.vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=client.vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=ip.bitcomet.org ttl=15m
add address=203.0.113.111 disabled=no name=jp.bitcomet.org ttl=15m
add address=203.0.113.111 disabled=no name=torrent-cache.bitcomet.org ttl=15m
add address=203.0.113.111 disabled=no name=inside.bitcomet.com ttl=15m
add address=203.0.113.111 disabled=no name=router.bitcomet.net ttl=15m
add address=203.0.113.111 disabled=no name=router.bittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=router.utorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=tracker.publicbt.com ttl=15m
add address=203.0.113.111 disabled=no name=utorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=ns1.utorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=ns2.utorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=ns3.utorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=istole.it ttl=15m
add address=203.0.113.111 disabled=no name=thepiratebay.org ttl=15m
add address=203.0.113.111 disabled=no name=1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=mininova.org ttl=15m
add address=203.0.113.111 disabled=no name=bittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=publicbt.com ttl=15m
add address=203.0.113.111 disabled=no name=openbittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=pow7.com ttl=15m
add address=203.0.113.111 disabled=no name=vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=bitcomet.com ttl=15m
add address=203.0.113.111 disabled=no name=llnwd.net ttl=15m
add address=203.0.113.111 disabled=no name=ns1.1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=ns2.1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=genesis.1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=exodus.1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=nemesis.1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=tracker.openbittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=bittorrent.vo.llnwd.net ttl=15m
add address=203.0.113.111 disabled=no name=apps.bittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=10.rarbg.com ttl=15m
add address=203.0.113.111 disabled=no name=ns1.torrentz.com ttl=15m
add address=203.0.113.111 disabled=no name=ns2.torrentz.com ttl=15m
add address=203.0.113.111 disabled=no name=ns3.torrentz.com ttl=15m
add address=203.0.113.111 disabled=no name=ens-**bitcomet.com ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).pow7.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).vuze.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).publicbt.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).bitcomet.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).utorrent.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).bittorrent.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).bittorrent.org" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).1337x.org" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).thepiratebay.org" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).llnwd.net" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).mininova.org" ttl=15m

On this one I found myself of needing of flushing DNS from time to time so I've set schedule to run every 15 minutes with
(PART 2A)

/ip dns cache flush

This part you have to edit to fit for your system settings... This peace of work came from CCDKP and it works. Just edit this part in notepad before copy/paste. <ROUTER LAN IP> is for example 192.168.200.1. It's related with those DNS entries and now you'll have hits from DNS entries. Before this, you have to be sure that you have those famous router DNS settings (someone please correct me if I'm expressed myself falsely)... IP => DNS => Static => Settings... Primary and secondary DNS and it's values must be set to your DNS and check Turn On Remote Requests (hopefully that's what everyone's referring to).

(PART 3)

/ip firewall nat

add action=dst-nat chain=dstnat comment="Capture p2p DNS" disabled=no \
    dst-address=!<ROUTER LAN IP> dst-port=53 protocol=udp \
    to-addresses=<ROUTER LAN IP>

add action=dst-nat chain=dstnat comment="Capture p2p DNS" disabled=no \
    dst-address=!<ROUTER LAN IP> dst-port=53 protocol=tcp \
    to-addresses=<ROUTER LAN IP>

/ip firewall filter

add action=add-src-to-address-list address-list="Torrent DNS" \
    address-list-timeout=1h30m chain=forward comment="p2p DNS" disabled=no \
    dst-address=203.0.113.111

add action=drop chain=forward comment="" disabled=no dst-address=\
    203.0.113.111

Point is, this set of rules works and have a nice blocking ratio and yet, they can sometimes be power hungry, especially with a multiple interfaces and rate of p2p usage but mostly that's just initial blow. Https trackers will however pass the blockade but they won't get far. Downfall of my settings is that you have to add ports for some online games but I think that that's much more easier than this. Add everything step by step and make sure that that segment works before adding next part. Now, internet should work and you'll have a hits on every part of the rules if there are p2p usage. But, it doesn't mean that every part needs to have hits. After everything set, check Address List and see who's IP's are logged. Sometimes, false hits can occur on 6881-6999 rules. They are quite rare but don't worry, even if they are not using p2p it won't have much effect on them if you have set passage for their favorite online games. In my case and this rules, it's CS, COD and Steam server. WoW add for specific users only because it's uses p2p for update and WoW users will regularly be found on p2p list. It's up to you will you let them automatic update or refer them to do it manually from blizzard.
Hope that this will help... goodluck

HowYesNo · Sun Mar 06, 2011 5:54 pm

Ok, I'll try those things and say if helped me...
Where u implemented those config? I see u'r from Serbia, so it's skola, igraona, ili nesto slicno?
Hvala!

mves · Sun Mar 06, 2011 10:50 pm

Ok, I'll try those things and say if helped me...
Where u implemented those config? I see u'r from Serbia, so it's skola, igraona, ili nesto slicno?
Hvala!

Wireless internet

TKITFrank · Mon Mar 07, 2011 10:10 am

Hi,

@mves
Well I don't say you missed the point completely but somewhat

Those DNS entries are only for blocking DHT and magnetic links only. You have a different approach but if it works it is good enough. Any way we can do it is fair game as far as I am concerned.

@HowYesNo
1; Activate allow remote requests on you DNS server in the mikrotik.
2; In the DHCP make sure that you have you mikrotik as DNS server.
3; Check your clients so they use the DNS server via ipconfig

semihgeek · Mon Mar 07, 2011 12:54 pm

hey
I found some Layer7 based codes.Is it useful?It seems

/ip firewall layer7-protocol
add comment="" name=torrent-wwws regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*$"
/ip firewall filter
add action=drop chain=forward comment="block torrent wwws" disabled=no layer7-protocol=\
    torrent-wwws
/ip firewall layer7-protocol
add comment="" name=torrent-dns regexp="^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"
/ip firewall filter
add action=drop chain=forward comment="block torrent dns" disabled=no dst-port=53 \
    layer7-protocol=torrent-dns protocol=udp

@TKITFrank
I am using your codes for blocking p2p.I have added both codes(yours and the codes on the top).Your firewall rules are capturing p2p before the code on the top.
I am begineer sorry for if i have a mistake.

mves · Mon Mar 07, 2011 10:36 pm

/ip firewall nat
add action=dst-nat chain=dstnat comment="Capture DNS" disabled=no dst-address=!<ROUTER LAN IP> dst-port=53 protocol=tcp src-address-list=!whitelist to-addresses=<ROUTER LAN IP>
add action=dst-nat chain=dstnat comment="Capture DNS" disabled=no dst-address=!<ROUTER LAN IP> dst-port=53 protocol=udp src-address-list=!whitelist to-addresses=<ROUTER LAN IP>

/ip firewall filter
add action=jump chain=forward comment="P2P DNS block hit" disabled=no dst-address=203.0.113.111 jump-target=p2p_chain

CCDKP, I wonder, what if I have a multiple interfaces? Will this work like that or I have to add interface there? Same with that if I want to allow p2p on some interface?

EDIT:
DHT: Waiting to log in
The beast is killed... but I'm not cleared with what... is this DNS kill?

Also, this is overkill for me... it's blocking access to those sites completely

add address=203.0.113.111 disabled=no name=utorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=istole.it ttl=15m
add address=203.0.113.111 disabled=no name=thepiratebay.org ttl=15m
add address=203.0.113.111 disabled=no name=1337x.org ttl=15m
add address=203.0.113.111 disabled=no name=mininova.org ttl=15m
add address=203.0.113.111 disabled=no name=bittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=publicbt.com ttl=15m
add address=203.0.113.111 disabled=no name=openbittorrent.com ttl=15m
add address=203.0.113.111 disabled=no name=pow7.com ttl=15m
add address=203.0.113.111 disabled=no name=vuze.com ttl=15m
add address=203.0.113.111 disabled=no name=bitcomet.com ttl=15m
add address=203.0.113.111 disabled=no name=llnwd.net ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).pow7.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).vuze.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).publicbt.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).bitcomet.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).utorrent.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).bittorrent.com" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).bittorrent.org" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).1337x.org" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).thepiratebay.org" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).llnwd.net" ttl=15m
add address=203.0.113.111 disabled=no name=".*\\\\(^\\\\|\\\\.\\\\).mininova.org" ttl=15m

@semihgeek
Maybe you should try something like this instead of those L7 you mentioned. In previous posts there are example like

/ip dns static
add address=127.0.0.1 disabled=no name=".*\\(^\\|\\.\\)utorrent\\.com" ttl=1d

Combine and leave what is most suitable for your needs. Don't overburden your router with rules that do the same job at a different way.

TKITFrank · Tue Mar 08, 2011 12:35 pm

@mves

EDIT:
DHT: Waiting to log in
The beast is killed... but I'm not cleared with what... is this DNS kill?

Yes it is DNS that will kill this.

Also, this is overkill for me... it's blocking access to those sites completely

Yes that is why you want to keep it to a minimum. Also L7 DNS rules will consume more CPU.

@semihgeek
I think my rules are enough right now. Those you have tend to block the sites more then the actual traffic.
My approach is to only block the traffic from the client and also torrent file download.
But if you want to block access to torrent sites then they will work excellent

CCDKP · Wed Mar 23, 2011 11:23 pm

Just an update for everyone, I was playing with filters and found a slightly more efficient DNS capturing code. These 3 lines will redirect all DNS traffic to the router, effectively capturing all DNS, no matter what IP it is destined for.

/ip firewall nat
add action=redirect chain=dstnat comment="Capture DNS" disabled=no dst-port=\
    53 protocol=tcp src-address-list=!whitelist to-ports=53
add action=redirect chain=dstnat comment="Capture DNS" disabled=no dst-port=\
    53 protocol=udp src-address-list=!whitelist to-ports=53

CCDKP, I wonder, what if I have a multiple interfaces? Will this work like that or I have to add interface there? Same with that if I want to allow p2p on some interface?

That is easily adjusted by adding in-interface=<filtered interface> or in-interface=!<allowed interface> in the firewall NAT code.
HOWEVER, PC's using the router as their DNS server (if that is what you are handing out with DHCP), will still be affected, so you may want to hand out a public DNS server and only use the internal Mikrotik one for "capturing". Otherwise, you can just add individual IP's to "whitelist" and it will bypass the filter.

Also, this is overkill for me... it's blocking access to those sites completely

That is because you are blocking WAY too much. you are missing the point of the DNS blacklist and the filter itself.
The L7 is designed to detect Torrent Announce packets, not browsing torrent sites. This prevents torrent clients from getting seeds via a tracker.
the DNS is designed to block DHT from starting, which is another method bittorrent uses to find seeds when the tracker is down (ie blocked by the L7 filter)

The filter is NOT intended to block the downloading of the .torrent file, or the browsing of bittorrent-related sites, it is only designed to block the actual protocol itself from functioning.

The only DNS entries you should have are:

/ip dns static
add address=203.0.113.111 disabled=no name=router.utorrent.com ttl=1d
add address=203.0.113.111 disabled=no name=dht.vuze.com ttl=1d
add address=203.0.113.111 disabled=no name=vrpc.vuze.com ttl=1d
add address=203.0.113.111 disabled=no name=vzrpx020.vuze.com ttl=1d
add address=203.0.113.111 disabled=no name=vzapp020.vuze.com ttl=1d
add address=203.0.113.111 disabled=no name=client.vuze.com ttl=1d
add address=203.0.113.111 disabled=no name=mirror-user1.bitcomet.org ttl=1d
add address=203.0.113.111 disabled=no name=ip.bitcomet.org ttl=1d
add address=203.0.113.111 disabled=no name=jp.bitcomet.com ttl=1d
add address=203.0.113.111 disabled=no name=torrent-cache.bitcomet.org ttl=1d
add address=203.0.113.111 disabled=no name=inside.bitcomet.com ttl=1d
add address=203.0.113.111 disabled=no name=router.bitcomet.net ttl=1d
add address=203.0.113.111 disabled=no name=router.bittorrent.com ttl=1d

Anything beyond that is breaking web browsing and other activity.

@CC_DKP

NetworkPro · Thu Mar 24, 2011 9:50 am

We are missing code that blocks new udp announcer from working. We can't be slaves to DNS "definitions".

CCDKP · Thu Mar 24, 2011 3:48 pm

We are missing code that blocks new udp announcer from working. We can't be slaves to DNS "definitions".

The problem is that DHT/uTP is an encrypted channel specifically designed to avoid filters and detection by ISP's. Attacking DNS is currently the only weak point we have been able to identify in that system.

There is theoretically a method involving statistical analysis of the number of simultaneous UDP peer endpoints and bandwidth consumed, but that is outside the capabilities of RouterOS.

For my use scenario (hotspot / student network), UDP announce has never been an issue, since the client always attempts a TCP or DHT connection first and gets themselves blacklisted and throttled.

If you could provide a link to a working UDP announce torrent, I would be glad to take a look into it and see what I can come up with.

TKITFrank · Thu Mar 24, 2011 4:39 pm

I have not found a good working UDP L7 for that yet.

If anyone can find it please do post that info

NetworkPro · Fri Mar 25, 2011 1:56 pm

If you could provide a link to a working UDP announce torrent, I would be glad to take a look into it and see what I can come up with.

thepiratebay org has torrents that use udp announcers

if the request or response can be identified each time using a L7 or a content matcher, and the announcer IP blacklisted, we are in business.

mves · Fri Mar 25, 2011 4:22 pm

I have not found a good working UDP L7 for that yet.
If anyone can find it please do post that info

So far, my set of rules still works. Even version without DNS entries.

reinerotto · Tue Apr 26, 2011 12:34 am

Why would it affect other users if you have normal QoS set up? If one guy has 1Mbit, let him use it however he wants, even if it's all 1Mbit with P2P other users will not be affected.

There are legal problems here in Germany for prof. services "tolerating" violation of copyrights.
Or, in other words, the WISP could be held responsible for a user of the hotspot, for example, who downloads copyrighted material, in case, the access to this copyrighted material is not secured as much as possible.

Blocking P2P is one method to make violation of copyrights more difficult.

fewi · Tue Apr 26, 2011 12:49 am

Then your best option still remains to whitelist legitimate traffic and drop everything else. Blacklisting doesn't scale, as discussed in this thread. Particularly if you could face punishment for missing something that you should have blacklisted, or couldn't blacklist something because doing so was technologically unfeasible.

TKITFrank · Tue Apr 26, 2011 7:30 am

Why would it affect other users if you have normal QoS set up? If one guy has 1Mbit, let him use it however he wants, even if it's all 1Mbit with P2P other users will not be affected.
There are legal problems here in Germany for prof. services "tolerating" violation of copyrights.
Or, in other words, the WISP could be held responsible for a user of the hotspot, for example, who downloads copyrighted material, in case, the access to this copyrighted material is not secured as much as possible.

Blocking P2P is one method to make violation of copyrights more difficult.

Hi reinerotto,

Have you tried my approach? If so is it not working?

/Frank

reinerotto · Tue May 10, 2011 1:16 pm

Why would it affect other users if you have normal QoS set up? If one guy has 1Mbit, let him use it however he wants, even if it's all 1Mbit with P2P other users will not be affected.
There are legal problems here in Germany for prof. services "tolerating" violation of copyrights.
Or, in other words, the WISP could be held responsible for a user of the hotspot, for example, who downloads copyrighted material, in case, the access to this copyrighted material is not secured as much as possible.

Blocking P2P is one method to make violation of copyrights more difficult.
Hi reinerotto,

Have you tried my approach? If so is it not working?

/Frank

Not yet implemented. But definitely I will try.
I am still looking at other solutions to block illigetimate traffic as far as possible. Whitelisting seems to be too restictive for me, a solution of "last resort". The point is, it is a balence I have to do between facing legal risks and giving an honest user as much freedom as possible.
For instance, it will definitely not be possible to block dowloads of single copyrighted songs, for example.

otgooneo · Wed May 25, 2011 11:17 am

P2P matcher (ROS5.2) doesn`t work for uTorrent. For some torrent it works fine. Does anybody know why doesn`t work?

TKITFrank · Wed May 25, 2011 12:02 pm

Do you only use the built in p2p matcher? and if so do you use encrypted p2p in the torrent client?
If so it can not catch it. You will have to try to follow the posts in this thread

mktwifi · Tue Jun 07, 2011 7:11 pm

Dear Guys!
I have just tried to configure mikrotik transparent traffic shaping for limit P2P traffic but without success.
I have used TKITFrank configuration to mark P2P traffic then I have created queue tree for limit bandwidth but P2P traffic goes through router without any limit.
Could you check my configuration and tell me where are errors?

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
disabled=no forward-delay=15s l2mtu=1522 max-message-age=20s mtu=1500 \
name=bridge1 priority=0x8000 protocol-mode=none transmit-hold-count=6
/ip firewall layer7-protocol
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrap\
e\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\
\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add name=BITTORRENT_ANNOUNCE regexp=^get.+announce.
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes limit-at=0 \
max-limit=1M name=download_blacklist_leaf packet-mark=\
blacklist_download_packet parent=download_root priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes limit-at=0 \
max-limit=128k name=upload_blacklist_leaf packet-mark=\
blacklist_upload_packet parent=upload_root priority=8
/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 \
sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 \
red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=\
5
add kind=pcq name=pcq_down_p2p pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=40 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=14000
add kind=pcq name=pcq_up_p2p pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=40 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=14000
set default-small kind=pfifo name=default-small pfifo-limit=10
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=128k name=P2P_Down packet-mark=p2p parent=global-out priority=8 \
queue=pcq_down_p2p
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=1M name=P2P_Up packet-mark=p2p parent=global-in priority=8 \
queue=pcq_up_p2p
/interface bridge port
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
interface=ether2 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
interface=ether3 path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no \
use-ip-firewall-for-vlan=no
/ip dns static
add address=127.0.0.1 disabled=no name=router.utorrent.com ttl=1d
add address=127.0.0.1 disabled=no name=dht.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vrpc.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzrpx020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzapp020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=client.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=mirror-user1.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=ip.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=jp.bitcomet.com ttl=1d
add address=127.0.0.1 disabled=no name=torrent-cache.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=inside.bitcomet.com ttl=1d
add address=127.0.0.1 disabled=no name=router.bitcomet.net ttl=1d
add address=127.0.0.1 disabled=no name=router.bittorrent.com ttl=1d
add address=127.0.0.1 disabled=no name=".*\$^\\|\\.\$utorrent\\.com" ttl=1d
add address=127.0.0.1 disabled=no name=".*\$^\\|\\.\$vuze\\.com" ttl=1d
add address=127.0.0.1 disabled=no name=".*\$^\\|\\.\$bitcomet\\.org" ttl=1d
add address=127.0.0.1 disabled=no name=".*\$^\\|\\.\$bitcomet\\.com" ttl=1d
add address=127.0.0.1 disabled=no name=".*\$^\\|\\.\$bitcomet\\.net" ttl=1d
/ip firewall address-list
add address=193.238.77.80 disabled=no list=P2P_LIMIT
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall mangle
add action=mark-packet chain=prerouting comment=LIMIT_P2P_DROP disabled=no \
new-packet-mark=p2p p2p=all-p2p passthrough=no src-address-list=P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT new-packet-mark=p2p p2p=all-p2p passthrough=no
add action=mark-packet chain=prerouting disabled=no layer7-protocol=\
BITTORRENT new-packet-mark=p2p passthrough=no src-address-list=P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT layer7-protocol=BITTORRENT new-packet-mark=p2p passthrough=no
add action=mark-packet chain=prerouting disabled=no layer7-protocol=\
BITTORRENT_ANNOUNCE new-packet-mark=p2p passthrough=no src-address-list=\
P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT layer7-protocol=BITTORRENT_ANNOUNCE new-packet-mark=p2p \
passthrough=no

Thanks in advance

Best regards

CCDKP · Tue Jun 07, 2011 8:12 pm

Dear Guys!
I have just tried to configure mikrotik transparent traffic shaping for limit P2P traffic but without success.
I have used TKITFrank configuration to mark P2P traffic then I have created queue tree for limit bandwidth but P2P traffic goes through router without any limit.
Could you check my configuration and tell me where are errors?

EDIT: These queues will not restrict BitTorrent Traffic, but will still throttle any traffic picked up by the P2P filter. See my post below for a better explanation.
First, when dealing with Queue tress, you always need a "root" bound to Global-in/global-out/interface/whatever, then you bind your leaf to the root. If you don't, the QoS never applies correctly.

Secondly, where you go from here depends on if this router is performing the NAT or not. If you are NOT performing NAT on this router, it is very simple:

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=<max upload> name=upload_root parent=<upstream interface (ether1?)> priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=<max down> name=download_root parent=<downstream interface (etherX?)> priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=128k name=P2P_Down packet-mark=p2p parent=download_root priority=8 queue=pcq_down_p2p
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=1M name=P2P_Up packet-mark=p2p parent=upload_root priority=8 queue=pcq_up_p2p

The reason this works is you are marking all p2p packets with "p2p" and using the parent interface to separate upload from download traffic.

If you are using NAT, then the rules get kind of ugly. Interface queues occur after the NAT, therefore they can't see addresses behind the NAT. This means everything gets marked as a single source IP on the upload and PCQ fails to work. They way around this is to apply the QoS to Global-out. Since Global-out sees both upload and download traffic, you need to mark packets as either upload or download p2p traffic.

For that, consider something like:

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=<max upload> name=upload_root parent=<upstream interface (ether1?)> priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=<max down> name=download_root parent=<downstream interface (etherX?)> priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=128k name=P2P_Down packet-mark=p2p_download parent=download_root priority=8 queue=pcq_down_p2p
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=1M name=P2P_Up packet-mark=p2p_upload parent=upload_root priority=8 queue=pcq_up_p2p

/ip firewall mangle
add action=mark-packet chain=prerouting comment=LIMIT_P2P_DROP disabled=no \
new-packet-mark=p2p_upload p2p=all-p2p passthrough=no src-address-list=P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT new-packet-mark=p2p_download p2p=all-p2p passthrough=no
add action=mark-packet chain=prerouting disabled=no layer7-protocol=\
BITTORRENT new-packet-mark=p2p_upload passthrough=no src-address-list=P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT layer7-protocol=BITTORRENT new-packet-mark=p2p_download passthrough=no
add action=mark-packet chain=prerouting disabled=no layer7-protocol=\
BITTORRENT_ANNOUNCE new-packet-mark=p2p_upload passthrough=no src-address-list=P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT layer7-protocol=BITTORRENT_ANNOUNCE new-packet-mark=p2p_download passthrough=no

Also, a bit of consideration for speed, I would add the following as the first rule in mangle:

add action=accept chain=prerouting disabled=no passthrough=no src-address-list=!P2P_LIMIT dst-address-list=!P2P_LIMIT

This way you let all traffic not on your P2P_LIMIT list bypass the CPU-heavy L7 filters.

I hope this is enough to get you started. I posted a config I used here: http://forum.mikrotik.com/viewtopic.php ... &start=120
Otherwise, Janis's MUM talk was really helpful in finally figuring out QoS for me. The video is here: http://www.tiktube.com/index.php?video= ... xClIoEKDH=

Best of luck
--@CC_DKP

TKITFrank · Thu Jun 09, 2011 10:53 am

Hi,

Just a note... don't use the DNS entries if you just want to traffic shape. They will ONLY block.

Dear Guys!
I have just tried to configure mikrotik transparent traffic shaping for limit P2P traffic but without success.
I have used TKITFrank configuration to mark P2P traffic then I have created queue tree for limit bandwidth but P2P traffic goes through router without any limit.
Could you check my configuration and tell me where are errors?

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
disabled=no forward-delay=15s l2mtu=1522 max-message-age=20s mtu=1500 \
name=bridge1 priority=0x8000 protocol-mode=none transmit-hold-count=6
/ip firewall layer7-protocol
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrap\
e\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\
\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
add name=BITTORRENT_ANNOUNCE regexp=^get.+announce.
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes limit-at=0 \
max-limit=1M name=download_blacklist_leaf packet-mark=\
blacklist_download_packet parent=download_root priority=8
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=yes limit-at=0 \
max-limit=128k name=upload_blacklist_leaf packet-mark=\
blacklist_upload_packet parent=upload_root priority=8
/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 \
sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 \
red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=\
5
add kind=pcq name=pcq_down_p2p pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=40 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=14000
add kind=pcq name=pcq_up_p2p pcq-burst-rate=0 pcq-burst-threshold=0 \
pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
pcq-dst-address6-mask=128 pcq-limit=40 pcq-rate=0 pcq-src-address-mask=32 \
pcq-src-address6-mask=128 pcq-total-limit=14000
set default-small kind=pfifo name=default-small pfifo-limit=10
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=128k name=P2P_Down packet-mark=p2p parent=global-out priority=8 \
queue=pcq_down_p2p
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=1M name=P2P_Up packet-mark=p2p parent=global-in priority=8 \
queue=pcq_up_p2p
/interface bridge port
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
interface=ether2 path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none \
interface=ether3 path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no \
use-ip-firewall-for-vlan=no
/ip dns static
add address=127.0.0.1 disabled=no name=router.utorrent.com ttl=1d
add address=127.0.0.1 disabled=no name=dht.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vrpc.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzrpx020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=vzapp020.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=client.vuze.com ttl=1d
add address=127.0.0.1 disabled=no name=mirror-user1.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=ip.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=jp.bitcomet.com ttl=1d
add address=127.0.0.1 disabled=no name=torrent-cache.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=no name=inside.bitcomet.com ttl=1d
add address=127.0.0.1 disabled=no name=router.bitcomet.net ttl=1d
add address=127.0.0.1 disabled=no name=router.bittorrent.com ttl=1d
add address=127.0.0.1 disabled=no name=".*\$^\\|\\.\$utorrent\\.com" ttl=1d
add address=127.0.0.1 disabled=no name=".*\$^\\|\\.\$vuze\\.com" ttl=1d
add address=127.0.0.1 disabled=no name=".*\$^\\|\\.\$bitcomet\\.org" ttl=1d
add address=127.0.0.1 disabled=no name=".*\$^\\|\\.\$bitcomet\\.com" ttl=1d
add address=127.0.0.1 disabled=no name=".*\$^\\|\\.\$bitcomet\\.net" ttl=1d
/ip firewall address-list
add address=193.238.77.80 disabled=no list=P2P_LIMIT
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall mangle
add action=mark-packet chain=prerouting comment=LIMIT_P2P_DROP disabled=no \
new-packet-mark=p2p p2p=all-p2p passthrough=no src-address-list=P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT new-packet-mark=p2p p2p=all-p2p passthrough=no
add action=mark-packet chain=prerouting disabled=no layer7-protocol=\
BITTORRENT new-packet-mark=p2p passthrough=no src-address-list=P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT layer7-protocol=BITTORRENT new-packet-mark=p2p passthrough=no
add action=mark-packet chain=prerouting disabled=no layer7-protocol=\
BITTORRENT_ANNOUNCE new-packet-mark=p2p passthrough=no src-address-list=\
P2P_LIMIT
add action=mark-packet chain=postrouting disabled=no dst-address-list=\
P2P_LIMIT layer7-protocol=BITTORRENT_ANNOUNCE new-packet-mark=p2p \
passthrough=no

Thanks in advance

Best regards

CCDKP · Thu Jun 09, 2011 9:32 pm

Dear Guys!
I have just tried to configure mikrotik transparent traffic shaping for limit P2P traffic but without success.
I have used TKITFrank configuration to mark P2P traffic then I have created queue tree for limit bandwidth but P2P traffic goes through router without any limit.
Could you check my configuration and tell me where are errors?

Just a note... don't use the DNS entries if you just want to traffic shape. They will ONLY block.

After reading TKITFrank's note, I realized I made a big blunder. I got a little wrapped up in fixing the Queue's, I didn't think about the end goal of the project. The QoS Example I helped with above will not shape bittorrent traffic.
It will work fine for anything flagged by the p2p filter normally, but not for normal bittorrent traffic.

The reason is simple. The bittorrent data connections through which the major volume of traffic are transferred is encrypted, randomized, and specifically designed to avoid traffic shaping filters. The L7 filters we are working with are designed to flag the announce packets and peer exchanges, which are used to help peers establish the data connections with each other.

A good analogy for BitTorrent would be two teenagers meeting up to covertly talk about something (and about as equally hard to fully stop). When they want to talk, they call each other on their cellphones, agree to meet at someplace like the mall, then they get together and talk. It is very simple to "block" this system by controlling the egress points. Take away the cellphone (the announce packets we filter for), and block online chat/email (DNS filtering). This prevents them from agreeing where and when to meet up, thus stopping the conversation. Throttling is FAR more difficult. While you can limit cellphone minutes and email messages, it only takes one small message one time of getting through for them to successfully meet up. Once they have met up, they can have a full conversation and decide when and where to meet up again from there.

The only somewhat viable method for throttling P2P traffic is to use the L7 and DNS filters to detect the presence of P2P traffic, then throttle the whole connection down for some predetermined amount of time. This has the unfortunate side-effect of slowing down all of that user's "legitimate" traffic as well as P2P. I use this method as a deterrent on a few public hotspots (see my example post on page 3 of this thread). I block all p2p, BitTorrent announce, and BitTorrent DNS I can, but when I detect the traffic, I go the extra mile and throttle their connection down to unusable speeds for the next hour. That way if any p2p traffic makes it through undetected, it is still throttled, and more likely, the user will get fed up with the slow connection for browsing the web that they leave and go use someone else's network.

Sorry for the confusion on this. If nothing else, just applying an even PCQ to all user's traffic can make a connection a lot more usable, especially when a single user is pulling down a lot of data. I apply this to all routers I set up, regardless of any p2p blocking I may be doing.

--@CC_DKP

TKITFrank · Fri Jun 10, 2011 8:15 am

Hi,

I think the only thing to do at the moment in MikroTik is to mark all OK traffic and place them in queues and then have a rest of whats left queue for p2p and well the rest

This approach has been said before in this thread if i am not mistaken. But that is a bit off topic since the thread is about blocking. Perhaps there should be two threads one for blocking like this one and a new for traffic shaping? Both are vital for us users

@Normis is this something you can sort up and arrange? In the same time there is a thread in Routerboard Hardware that is about the same thing perhaps that one should be moved as well?

p.s Anyhow I think this thread has some good ideas both for blocking and traffic shaping from many people so perhaps sticky? d.s

CCDKP · Fri Jun 17, 2011 6:35 am

So after checking into some user complaints, I discovered Yahoo.com has a very high false positive rate on the bittorrent_announce filter. Any site with the words both "get" and "announce" in the source will trigger. Has anyone found a good way to refine this filter to more bittorrent-specific detection?

Edit:
So after doing a bit of research and learning more about the protocol, I discovered a typo in the existing Bittorrent L7 filter. As TKITFrank has listed, (and as the Manual's L7 Wiki page shows):

/ip firewall layer7-protocol
 add comment="" name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$\
    |get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet\
    /|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"

If you break this out, it is actually a combination of several filters:

\x13bittorrent protocol
azver\x01$
get /scrape\?info_hash=get /announce\?info_hash=
get /client/bitcomet/
GET /data\?fid=
d1:ad2:id20:
\x08'7P\)[RP]

After looking at the source code for the ipp2p project, i realized the 3rd line should be two separate filters, "get /scrape\\\?info_hash=" and "get /announce\\\?info_hash=", the second of which is the target of TKITFrank's Bittorrent_announce filter. After correcting the filter, I noticed a LOT higher detection rate.

So to summarize, both of the existing Bittorrent and Bittorrent_announce L7 filters should be removed in favor of:

/ip firewall layer7-protocol
 add comment="" name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$\
    |get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet\
    /|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"

Would anyone else mind giving this a try and seeing if it helps their detection rate?

--@CC_DKP

mves · Wed Jul 06, 2011 11:38 pm

Hi guys... I'm back

CCDKP, I replaced that rule and so far it's possibly brought some change. At least, less false positive hits and I've seen much less hits on ports 6881-6999 so I guess you are on a right track but I tested it for a short period of time. However, it looks like a correct change. I'm also keeping BITTORRENT_ANNOUNCE part for compare.

add comment="" name=BITTORRENT_SCRAPE regexp=^get.+scrape.

I've also added this rule some time ago because no one considered tracker scrapping.

CCDKP · Wed Jul 06, 2011 11:52 pm

Hi guys... I'm back
CCDKP, I replaced that rule and so far it's possibly brought some change. At least, less false positive hits and I've seen much less hits on ports 6881-6999 so I guess you are on a right track but I tested it for a short period of time. However, it looks like a correct change. I'm also keeping BITTORRENT_ANNOUNCE part for compare.
Code: Select all
add comment="" name=BITTORRENT_SCRAPE regexp=^get.+scrape.
I've also added this rule some time ago because no one considered tracker scrapping.

You shouldn't need a separate scrape rule anymore, either. If you look at the original rule that was screwed up:

get /scrape\?info_hash=get /announce\?info_hash=

Both the Scrape and Announce filters were merged into a single rule, rendering both useless. By using the updated rule I provided, both Scrape and Announce will be flagged as originally intended.

get /scrape\?info_hash=
get /announce\?info_hash=

--@CC_DKP

mves · Thu Jul 07, 2011 12:05 am

Yes... thanks for that one

And for queue tree for P2P catch I used this because I could not manage this to work otherwise... So, it's working on me... don't ask how and why

I've striped everything but P2P. If you guys find some other less stupid way THAT WORK to capture this, please let me know.

/ip firewall mangle
add action=mark-packet chain=prerouting comment=\
    "_____________P2P - Upload_______________" disabled=no dst-port=10000-65535 \
    new-packet-mark=P2P passthrough=yes protocol=tcp src-address=xx.xx.xx.xx \
    src-port=10000-65535
add action=mark-packet chain=prerouting disabled=no dst-port=10000-65535 \
    new-packet-mark=P2P passthrough=yes protocol=udp src-address=xx.xx.xx.xx \
    src-port=10000-65535
add action=mark-packet chain=prerouting disabled=no dst-port=10000-65535 \
    new-packet-mark=P2P passthrough=yes protocol=tcp src-address=xx.xx.xx.xx \
    src-port=1000-5000
add action=mark-packet chain=prerouting comment="Other - Upload" disabled=no \
    new-packet-mark=Other passthrough=yes src-address=xx.xx.xx.xx


add action=mark-connection chain=prerouting comment=\
    "_____________P2P - Download_____________" disabled=no new-connection-mark=\
    P2P p2p=all-p2p passthrough=no src-address=xx.xx.xx.xx
add action=mark-connection chain=prerouting disabled=no layer7-protocol=\
    BITTORRENT new-connection-mark=P2P passthrough=no src-address=xx.xx.xx.xx
add action=mark-connection chain=prerouting disabled=no dst-port=10000-65535 \
    new-connection-mark=P2P passthrough=no protocol=tcp src-address=\
    xx.xx.xx.xx src-port=10000-65535
add action=mark-connection chain=prerouting disabled=no dst-port=10000-65535 \
    new-connection-mark=P2P passthrough=no protocol=udp src-address=\
    xx.xx.xx.xx src-port=10000-65535
add action=mark-connection chain=prerouting disabled=no dst-port=10000-65535 \
    new-connection-mark=P2P passthrough=no protocol=tcp src-address=\
    xx.xx.xx.xx src-port=1000-5000
add action=mark-connection chain=prerouting disabled=no dst-port=6881-6999 \
    new-connection-mark=P2P passthrough=no protocol=udp src-address=\
    xx.xx.xx.xx
add action=mark-connection chain=prerouting disabled=no dst-port=6881-6999 \
    new-connection-mark=P2P passthrough=no protocol=tcp src-address=\
    xx.xx.xx.xx
add action=mark-packet chain=prerouting connection-mark=P2P disabled=no \
    new-packet-mark=P2P passthrough=no
add action=mark-connection chain=prerouting comment=\
    "____________Other - Download____________" disabled=no \
    new-connection-mark=Other passthrough=no src-address=xx.xx.xx.xx
add action=mark-packet chain=prerouting connection-mark=Other disabled=no \
    new-packet-mark=Other passthrough=no

CCDKP · Thu Jul 07, 2011 12:35 am

Yes... thanks for that one

And for queue tree for P2P catch I used this because I could not manage this to work otherwise... So, it's working on me... don't ask how and why
I've striped everything but P2P. If you guys find some other less stupid way THAT WORK to capture this, please let me know.

A couple things to note:
First, you need to be careful about your use of "Passthrough".
Passthrough means that once the rule is applied continue down the chain.

As it stands now, anything that matches rule 1 would have the "p2p" mark added, then would continue down the chain, trip rule 4, have the packet mark changed to "other", then continue down through all the Download rules. Conversely, anything that trips one of your connection mark rules would have the connection marked, then skip the rest of the rules (including the actual marking of the packet). The general rule of thumb is:
action=mark-connection passthrough=yes
action=mark-packet passthrough=no

Secondly, you want to be doing the L7 bittorrent filter on both upload and download traffic, since the majority of the times it will flag is the client making a Get request of the server (upload traffic).

On that note, remember the bittorrent L7 filter primarily detects the tracker information, which is very a small HTTP query. It can not track the actual P2P data exchange if it is using encryption.

Finally, what are you using for a queue type, and are you performing NAT on this router? If you are using PCQ and are performing NAT, you have to mark upload and download packets separately, then use Global-out as the root, so that PCQ occurs prior to SNAT.

With all that high-number port marking, how does it handle traffic like skype? I would be very leery to run something like this, as I would be frightened at the number of false positives.

--@CC_DKP

mves · Thu Jul 07, 2011 1:19 am

Oh... I've striped everything else and left entries only for P2P catcher... I thought it can be useful for someone. I'm using PCQ on queue tree and I'm using that only on myself so it's working fine on my home computers. I'm connected to the link through ubiquti Airgrid M5-HP in a router mode with directly assigned public IP. Basically, I have bandwidth separately reserved only for http, P2P, local file server and unlimited for winbox, ssh, snmp... Skype works fine however

Like I said... it works on me and my home network. I never said it's a good or right solution but it works on my needs. If you put before this rules http, game ports or what ever else you need, you probably won't have any problems because everything else that is not a stuff that you are using will end up on P2P and the Other filter. Previously, in my rules set of p2p blocking, I've also implemented port blocking of this same ports (not related with this). In this case however, I did not block p2p to me but simply put a cap on allowed bandwidth to my home network. If you put 1 kb down/up on those ports on queue tree, you could probably made a mess on your network because this was not planed for killing p2p but only for easing on available bandwidth. I was planed this for implementing on 5Ghz network for QOS but I never manage it to work as it should be. However, it suited perfectly for my home network.

Edit...
And for false positives, yes, you are right, matching ports like that can easily lead to false positive if applied on a global plan. You could log P2P users IP from firewall filter and place it to src address list on those ports in a mangle so you'll have only detected users goes through this. In this case you'll cut a false positives to a regular detection. If it helps, great. Next, it's up to you will you find any working usage of this for implementing in a p2p blocking or working QOS.

phuc061290 · Wed Oct 05, 2011 10:17 pm

great post. thanks.
. ..
. . .

CCDKP · Tue Oct 11, 2011 9:03 pm

In 5.7 they finally added the ability to use connection-limit to track UDP streams. I am still doing some testing, but initially it looks promising.

add action=drop chain=forward connection-limit=16,32 disabled=no dst-port=!53 protocol=udp

This limits each IP to 16 non-DNS UDP streams. 16 should be enough that skype and other non-p2p applications shouldn't get impacted, but you may need to tweak them for your network.

Again, it's not a magic bullet, but it can help when combined with various other methods described within this post.

Edit: Corrected typo, Thanks mves

mves · Tue Oct 11, 2011 10:04 pm

In 5.7 they finally added the ability to use connection-limit to track UDP streams. I am still doing some testing, but initially it looks promising.
Code: Select all
add action=drop chain=forward connection-limit=16,32 disabled=no dst-port=!53 protocol=tcp
This limits each IP to 16 non-DNS UDP streams. 16 should be enough that skype and other non-p2p applications shouldn't get impacted, but you may need to tweak them for your network.

Again, it's not a magic bullet, but it can help when combined with various other methods described within this post.

Did you make a typo? It's should be protocol=udp, right?

mves · Wed Oct 12, 2011 2:17 pm

Yes, it looks very promising. Router on my link is upgraded to 5.7 so testing is started on myself and unadjusted torrent client. Perhaps allow skype through L7 before dropping udp.

/ip firewall layer7-protocol
add name=Skype regexp="^..\\x02............."

/ip firewall filter
add action=accept chain=forward disabled=no layer7-protocol=Skype

add action=accept chain=forward disabled=no dst-port=53 protocol=udp

add action=drop chain=forward connection-limit=16,32 disabled=no protocol=udp

Also, adding udp line with connection limit is possible only through terminal, not over winbox since connection limit gets grey. So, is this some kind of bug?

CCDKP · Wed Oct 12, 2011 8:36 pm

Yes, it looks very promising. Router on my link is upgraded to 5.7 so testing is started on myself and unadjusted torrent client. Perhaps allow skype through L7 before dropping udp.
...
Also, adding udp line with connection limit is possible only through terminal, not over winbox since connection limit gets grey. So, is this some kind of bug?

I just set the UDP to something reasonable. I haven't seen skype hold open more than 8-9 simultaneous udp streams on a group call. I don't like relying on L7 filters for whitelisting, because if skype changes the signature then everything starts getting blocked. I prefer to "fail open" and let p2p traffic through, since I will see a spike in bandwidth and know to go fix it.

And yes, it does appear to be a bug in winbox.

engineertote · Tue Oct 18, 2011 10:20 pm

I'm fighting with this bit torrent for the past week but this bad torrent is win

i have follow all ways to limit it with no success , , i just tried

add action=drop chain=forward connection-limit=16,32 disabled=no dst-port=!53 protocol=udp

and did small test with bit torrent and its getting much more them limit

In 5.7 they finally added the ability to use connection-limit to track UDP streams. I am still doing some testing, but initially it looks promising.
Code: Select all
add action=drop chain=forward connection-limit=16,32 disabled=no dst-port=!53 protocol=udp
This limits each IP to 16 non-DNS UDP streams. 16 should be enough that skype and other non-p2p applications shouldn't get impacted, but you may need to tweak them for your network.

Again, it's not a magic bullet, but it can help when combined with various other methods described within this post.

Edit: Corrected typo, Thanks mves

CCDKP · Tue Oct 18, 2011 11:09 pm

and did small test with bit torrent and its getting much more them limit

Bittorrent can use both TCP and UDP connections. Connection limiting on TCP is a bit touchier since so many things rely on it. The point of restricting the number of UDP connections isn't to completely kill Bittorrent, nothing can. The point of it is to move more connections over into TCP where they can be managed a little easier.

UDP poses a problem because it doesn't respond well to upstream Quality of Service. TCP uses window sizing to dynamically throttle connections, while UDP just keeps sending more packets. By limiting the UDP streams, more connections are forced over into TCP, where Quality of Service can work its magic and limit the data better.

If you go into the connection tracking on your router, you will see it is correctly limiting the number of UDP connections, there are just a lot more TCP connections to go along with it.

mves · Wed Oct 26, 2011 6:04 pm

@engineertote
Try my approach. So far, it's still working with a quite good blocking ratio. No mangle rules and no DNS filtering. Downside is, you'll have to allow online game ports.

/ip firewall layer7-protocol
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrap\
    e\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /dat\
    a\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"

/ip firewall filter
add action=accept chain=forward comment=Skype disabled=no dst-port=12350 \
    protocol=tcp
add action=accept chain=forward comment=\
    "Online games - CS, COD, Steam server (UDP)" disabled=no dst-port=\
    27000-27050,28960 protocol=udp
add action=accept chain=forward comment=\
    "Online games - CS, COD, Steam server (TCP)" disabled=no dst-port=\
    27000-27050,28960 protocol=tcp
add action=accept chain=forward comment=\
    "Online Igre - Battlefield : Bad Company 2" disabled=no dst-port=\
    11050-11070,18181-18186,19567-19587 protocol=udp
add action=accept chain=forward comment=\
    "Online Igre - Battlefield : Bad Company 2" disabled=no dst-port=\
    13505,18390,18395 protocol=tcp

add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
    1h30m chain=forward comment=__________All-p2p__________ disabled=no \
    in-interface=XXXXXXXXXX p2p=all-p2p src-address=\
    xx.xx.xx.xx-xx.xx.xx.xx time=9h-23h55m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no in-interface=XXXXXXXXXX p2p=\
    all-p2p reject-with=icmp-network-unreachable src-address=\
    xx.xx.xx.xx-xx.xx.xx.xx time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list=Torrent address-list-timeout=\
    1h30m chain=forward comment=" ______Bittorrent_____" disabled=no \
    in-interface=XXXXXXXXXX layer7-protocol=BITTORRENT src-address=\
    xx.xx.xx.xx-xx.xx.xx.xx time=9h-23h55m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no in-interface=XXXXXXXXXX \
    layer7-protocol=BITTORRENT reject-with=icmp-network-unreachable \
    src-address=xx.xx.xx.xx-xx.xx.xx.xx time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list="Torrent 6881" \
    address-list-timeout=1h30m chain=forward comment="____6881-6999 udp___" \
    disabled=no dst-port=6881-6999 in-interface=XXXXXXXXXX protocol=udp \
    src-address=xx.xx.xx.xx-xx.xx.xx.xx time=\
    9h-23h55m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no dst-port=6881-6999 in-interface=\
    cortanovci protocol=udp reject-with=icmp-network-unreachable src-address=\
    xx.xx.xx.xx-xx.xx.xx.xx time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list="Torrent 6881" \
    address-list-timeout=1h30m chain=forward comment="____6881-6999 tcp___" \
    disabled=no dst-port=6881-6999 in-interface=XXXXXXXXXX protocol=tcp \
    src-address=xx.xx.xx.xx-xx.xx.xx.xx time=\
    9h-23h55m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no dst-port=6881-6999 in-interface=\
    cortanovci protocol=tcp reject-with=icmp-network-unreachable src-address=\
    xx.xx.xx.xx-xx.xx.xx.xx time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat

add action=reject chain=forward comment="House cleaning" disabled=no \
    dst-port=10000-65500 protocol=tcp reject-with=icmp-network-unreachable \
    src-address-list=Torrent src-port=10000-65500 time=\
    9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no dst-port=10000-65500 protocol=udp \
    reject-with=icmp-network-unreachable src-address-list=Torrent src-port=\
    10000-65500 time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no dst-port=10000-65500 protocol=tcp \
    reject-with=icmp-network-unreachable src-address-list=Torrent src-port=\
    1000-5000 time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no dst-port=10000-65500 protocol=tcp \
    reject-with=icmp-network-unreachable src-address-list="Torrent 6881" \
    src-port=10000-65500 time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no dst-port=10000-65500 protocol=udp \
    reject-with=icmp-network-unreachable src-address-list="Torrent 6881" \
    src-port=10000-65500 time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward disabled=no dst-port=10000-65500 protocol=tcp \
    reject-with=icmp-network-unreachable src-address-list="Torrent 6881" \
    src-port=1000-5000 time=9h-23h59m,sun,mon,tue,wed,thu,fri,sat

xx.xx.xx.xx-xx.xx.xx.xx
IP range for filtering on interface (customer ONLY, without gateway, example, 192.168.200.10-192.168.200.240)

in-interface=XXXXXXXXXX
name of your target interface

The above system is for blocking bittorent protocols with allowed running time from midnight to 9:00 (AM). Make note that it's port based blocking so you'll have to add ports for online games that are used on your network and are affected with port blocking. You can get false readings on 6881-6999 ports but that's small percentage. It blocks up to 90-95% of bittorent traffic. It's also version without DNS filtering. You can add DNS filtering but then it can't be used for filters below.

To get them under control (not blocking, just reducing number of connections), use logging parts from above filters to get p2p users IP and turn off blocking parts and logged addresses redirect to the filters below.

/ip firewall filter
add action=accept chain=forward disabled=yes dst-port=53 protocol=udp
add action=drop chain=forward connection-limit=16,32 disabled=yes dst-port=10000-65500 protocol=tcp src-address-list=Torrent
add action=drop chain=forward connection-limit=16,32 disabled=yes protocol=udp src-address-list=Torrent
add action=drop chain=forward connection-limit=16,32 disabled=yes dst-port=10000-65500 protocol=tcp src-address-list="Torrent 6881"
add action=drop chain=forward connection-limit=16,32 disabled=yes protocol=udp src-address-list="Torrent 6881"

Of course, you have to edit all to match your system. Hope that it'll help.

di9383 · Fri Dec 09, 2011 4:53 pm

TKITFrank, did you try your rules with the last version of utorrent client(3.0 and above).Asking about it, because you rules, posted earlier in this topic, seems to work for me. But now, with the last version of utorrent, they don't. Neither with ssl encryption turned on or off.

TKITFrank · Fri Dec 09, 2011 5:53 pm

Hi,

No I did not, Will see if I can get a test during next week at work.
Have a nice weekend!

di9383 · Sun Dec 11, 2011 1:14 pm

TKITFrank, as I can see, DHT really doesn't work with your DNS filter rules, but peer exchange (through tracker I suppose) is working fine, receiving peers and downloads torrent files:( May be you have an advice for me..
PS If it's matters, I use Utorrent 3 (last release) with russian torrent tracker rutracker.org. Can sent you link for torrent file for testing, if you want (because, tracker seems to be in russian only, and it will be hard for you to use it for test, I suppose).

otgooneo · Wed Dec 14, 2011 5:37 am

Hi every one.
I use following on my office router RB433UAH. We have about 170 hosts and 70 of them is IPPhones. Also some users use SIPclient software on their workstation. It detects torrent trackers of both local network and external network. Then it will drop all high port and peer to peer connections related this hosts. I use logging for this drop rule and sometimes I see some of SIP RTP connections dropped by this rule. But there is no voice interruption and this issue can be only on office staff, who tries to use torrent. At last, it pretty good works for me. I tested it using many kind of torrent clients.

[otgonkhuu@MOBINET] /ip firewall mangle export
#RouterOS P2P matcher and L7-filters can`t block torrent client, which supports encryption. 
#But it can catch even 1 connection. So source addresses of those connections are the TORRENTUSERS.
#The advantage is it can list my office torrent trackers also it can list peers of external network.
#TorrentExc is my address list of allowed torrent trackers. It is exclusion list.
add action=add-src-to-address-list address-list=TorrentUsers \
    address-list-timeout=10m chain=forward comment=\
    "Add Bit torrent announcer to TorrentUsers" disabled=no layer7-protocol=\
    BITTORRENT_ANNOUNCE src-address-list=!TorrentExc
add action=add-src-to-address-list address-list=TorrentUsers \
    address-list-timeout=10m chain=forward comment=\
    "Add Bit torrenter to TorrentUsers" disabled=no layer7-protocol=BITTORENT \
    src-address-list=!TorrentExc
add action=add-src-to-address-list address-list=TorrentUsers \
    address-list-timeout=10m chain=forward comment=\
    "Add all torrenter to TorrentUsers" disabled=no p2p=all-p2p \
    src-address-list=!TorrentExc
#This is the all connections, which are might be torrent traffics.
add action=mark-connection chain=prerouting disabled=no dst-port=10000-65000 \
    new-connection-mark=Torr passthrough=yes protocol=tcp \
    src-port=10000-65000
add action=mark-connection chain=prerouting disabled=no dst-port=10000-65000 \
    new-connection-mark=Torr passthrough=yes protocol=udp \
    src-port=10000-65000
add action=mark-connection chain=prerouting comment=P2P disabled=no \
    new-connection-mark=Torr p2p=all-p2p passthrough=yes src-address-list=\
    !TorrentExc

[otgonkhuu@MOBINET] > ip firewall filter export
#Filter rule drops all high port peer to peer connections sourced from address list "TorrentUsers"
add action=drop chain=forward comment="Block P2P-Manual" connection-mark=Torr \
    disabled=no dst-address-list=!TorrentExc src-address-list=TorrentUsers

My L7 is same as others. Like posted on http://l7-filter.sourceforge.net/

mves · Wed Dec 14, 2011 1:42 pm

@otgooneo
L7 is a bit outdated, thanks to the CCDKP's observation. All P2P L7 rules are now fitted into single one.

/ip firewall layer7-protocol
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrap\
    e\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /dat\
    a\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"

Also, if you are using port blocking, why bother with mangle rules?

otgooneo · Thu Dec 15, 2011 9:20 am

Thank you mves for updated L7. Yes you right. If blocking by ports, there no need to mangle rule. I just few months ago tried to block P2P using many examples in that forum. So I just forgot to move rule from mangle to filter rule.
By the way, today I have tested again my torrent blocker, unfortunately my rules already outdated. uTorrent can under this rules. They can work 10 minutes later when started torrent client.

It uses ports lower than TCP, UDP 10000. Can`t block ports lower than 10000. It is bad for other network applications. So I need to work again on this.

mves · Thu Dec 15, 2011 12:40 pm

Try my set of rules. It's pure firewall port blocking without any other needed setting. Downside is, you have to add allowed set of ports for certain applications. Add my set of rules on disable and turn them on one by one. Use torch to find out what ports are used for applications they are using and add exception in a firewall before P2P blocking part. It's just like a game ports I had to add in exception. But once you set it right, you'll cut P2P to an acceptable level and hopefully other applications won't be affected if you set it right.

CCDKP · Wed Jan 11, 2012 6:39 pm

I posted this in another thread, but figured it would be useful here for anyone searching, since this seems to be the default thread to send people to:

With the current state of encrypted bittorrent, there is no tracking it specifically. The traffic is explicitly designed to avoid being filtered and throttled.

Here are some hard facts on shaping p2p traffic:

Older p2p like kazaa and eDonkey respond well to the p2p l7 filter
The L7 bittorrent filter in the wiki and forums only flags Tracker activity
Even if the tracker is blocked, DHT/UTP allows bittorrent peers to exchange host info
The L7 filter does not flag DHT/UTP, use DNS to block if needed.
The L7 filter does not flag bittorrent peer transfers (the actual bulk data)
Bittorrent peer transfers are usually encrypted and designed to not be tracked
Even when encrypted well, bittorrent still "leaks" detectable packets periodically
Peer transfers are primarily UDP connections, but will fail over to TCP
UDP transfers do not respond to standard QoS (UDP lacks flow-control, it is left up to the application)

From this, the best non-blocking approach I have come up with for handling p2p traffic is as follows:
Whitelist - Detect what you can (http/https, DNS, SSH, skype, games, whatever seems important) and increase its priority.

Flag p2p users - Look for the presence of p2p/bittorrent traffic from a user and add them to a dynamic address list for a preset amount of time (5-20 minutes). You will not be able to catch all the traffic, but by identifying the "leaks", you know the traffic is coming from the user somewhere. Every time a packet flags, it should renew the address list timer.

Take secondary measures - As long as a user stays flagged, impose additional limits on them. Some examples:

Add a heavy non-DNS UDP connection limit - This forces udp bittorrent traffic over to TCP, where traditional QoS and packet shaping can regulate it properly (since TCP flow-control is handled by the TCP/IP stack, not the application). This may have adverse effects on video games and skype quality, but after the user closes down the p2p applications, their address list entry will time out and they will go back to normal. UDP conn limit was added in 5.7 for console, and 5.8 for WinBox.

Limit non-whitelist traffic - Add a reduced bandwidth cap for non-whitelisted traffic. Not always the best plan for ISP's, but useful for hotspots.

Reduce non-whitelist priorty - Reduce the priority of all non-whitelisted traffic while the user is flagged.

Flag the user's traffic - If these rules are implemented on CPE / tower equipment, add DSCP marks to non-whitelisted traffic to let your core know it has a high potential of being p2p traffic (and to reduce it's priority if needed)

tyronzn · Thu Jan 12, 2012 5:33 pm

[quote="mves"]@otgooneo
L7 is a bit outdated, thanks to the CCDKP's observation. All P2P L7 rules are now fitted into single one.

/ip firewall layer7-protocol
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrap\
    e\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /dat\
    a\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"

I've found that method also blocks users HTTP traffic and various other applications so its not 100% reliable,as stated previously policy based routing is currently the best way of doing it

CCDKP · Thu Jan 12, 2012 5:51 pm

I've found that method also blocks users HTTP traffic and various other applications so its not 100% reliable,as stated previously policy based routing is currently the best way of doing it

Could you get me an example of websites this blocks or captures of traffic it is flagging on? After fixing it, I have had an EXTREMELY low false-positive rate. Again, this is only for flagging tracker and peer exchange traffic, not data transfer. If there is a case for false positives, I would really like to be on top of it and see if we can tune the rules down better to clear it up.

tyronzn · Thu Jan 12, 2012 5:56 pm

I've found that method also blocks users HTTP traffic and various other applications so its not 100% reliable,as stated previously policy based routing is currently the best way of doing it
Could you get me an example of websites this blocks or captures of traffic it is flagging on? After fixing it, I have had an EXTREMELY low false-positive rate. Again, this is only for flagging tracker and peer exchange traffic, not data transfer. If there is a case for false positives, I would really like to be on top of it and see if we can tune the rules down better to clear it up.

no problemo amigo,i will build up a list tonight and post in the morning

tyronzn · Fri Jan 13, 2012 7:18 am

Ok so i have been running that filter rule overnight and this time i havn't had issues with sites being blocked but it doesn't dent p2p,still runs at full speed

CCDKP · Fri Jan 13, 2012 4:45 pm

Ok so i have been running that filter rule overnight and this time i havn't had issues with sites being blocked but it doesn't dent p2p,still runs at full speed

It's good to hear you aren't seeing any false positives. If something comes up, please let me know.

With Bittorrent, explicitly, if it gets any sort of foothold, it will quickly steamroll to full capacity. That L7 rule just stops standard tracker exchanges. DHT/UTP peer exchanges are another way to exchange hosts without access to the tracker. Blocking these requires filtering DNS, as mentioned elsewhere in this thread. If you don't do both, you will have almost no impact on the torrent's ability to send data.

Another emerging issue is encrypted UDP trackers, which up to this point, nobody has found a way to identify and block. If you read about 5 posts up I talk about a method for flagging the presence of torrent traffic, then using that to clamp down secondary measures on all of the user's data. This seems like the best general purpose route for an ISP, as it doesn't explicitly block torrent traffic, it just punishes the user and helps to make the traffic more manageable. In the case of a public hotspot that you want to block torrents for liability reasons, I have a few posts across page 2 & 3 talking about flagging a user for p2p and dropping them to horrible dial-up speeds to get them to go elsewhere.

Blocking p2p traffic entirely is a bit like trying to carry water with a colander. Unless you have every last hole plugged, all the water will get out.

tyronzn · Fri Jan 13, 2012 7:34 pm

Yeah a while ago i added a bunch of dns addresses of the common trackers which just points to a loopback IP,sometimes i have luck with that and other times not,its a hit or miss sometimes with p2p.Quite some time ago i created rules whereby if a user is downloading p2p at certain rates for a certain period of time it adds them to a p2p address list which i throttle quite badly and after 5 or 10 minutes it removes them from the address list.This seemed to work quite well but since then i have upgraded bandwidth,so i dont have contention issues.Until such time i'll let the suckers have their full line speed.

As i stated above i still firmly believe in policy based routing,create one gateway which is the primary and a secondary gateway which you route important traffic through such as mail and http etc and let torrents fight each-other through the primary gateway

n21roadie · Fri Jan 13, 2012 8:34 pm

Yeah a while ago i added a bunch of dns addresses of the common trackers which just points to a loopback IP,sometimes i have luck with that and other times not,its a hit or miss sometimes with p2p.Quite some time ago i created rules whereby if a user is downloading p2p at certain rates for a certain period of time it adds them to a p2p address list which i throttle quite badly and after 5 or 10 minutes it removes them from the address list.This seemed to work quite well but since then i have upgraded bandwidth,so i dont have contention issues.Until such time i'll let the suckers have their full line speed.

As i stated above i still firmly believe in policy based routing,create one gateway which is the primary and a secondary gateway which you route important traffic through such as mail and http etc and let torrents fight each-other through the primary gateway

Does the throttle effect all connections or just the p2p connections?

Benygh · Sat Jan 14, 2012 12:17 am

Hi,
i use this and it works good, it drops all the p2p connections and so far we didn't get any abuse reports from DC.

:local temp;
:local temp2;
:local temp3;
:foreach i in=[/ip firewall connection find p2p!="none"] do={
:set temp3 [/ip firewall connection get $i src-address];
:set temp2 [:find $temp3 ":" -1];
:set temp3 [:pick $temp3 0 $temp2];
:foreach j in=[/ppp active find address=$temp3] do={
/ppp active remove $j;
}
}

TKITFrank · Fri Jan 20, 2012 2:25 pm

TKITFrank, did you try your rules with the last version of utorrent client(3.0 and above).Asking about it, because you rules, posted earlier in this topic, seems to work for me. But now, with the last version of utorrent, they don't. Neither with ssl encryption turned on or off.

Hi,
This week I have been doing the last handoff on the new RB1100AHx2 that will replay my old RB1000 as main firewall for out schools.
I did as you said and checked this and I use utorrent 3.1 and it still works. Do you use the DNS blocking? They are vital...

If you have a working torrent file that will bypass my filter please let me know so I can do a test.

edit...
Did find something interesting...
It seems Peer Exchange uses Multicast.
This is from wireshark...
BT-SEARCH * HTTP/1.1
Host: 239.192.0.0:6771
Port: 40133
Infohash: C355C153B20BECF719121DE149C8DDCF57B32870

Try to block clients from using "multicast peer communication" Unless you use Multicast in your network for video and so on it could be a good idea to block it.
Perhaps this will help.

di9383 · Sat Jan 21, 2012 11:36 am

Try to block clients from using "multicast peer communication" Unless you use Multicast in your network for video and so on it could be a good idea to block it.
Perhaps this will help.

May be you can tell me, where to do it?

About DNS filtering..yes, I use it too. But it doesn't work for me.
May be you can advise what is wrong or missed in my config? Thanks in advance.

TKITFrank · Sat Jan 21, 2012 12:07 pm

Hi,

Not knowing how your network is built I would guess you have to to it at the client switches or CPE's. Do you use Multicast? if not block it.
I can post my DNS entries on Monday when I am at work. But to mee yours looks fine. They should kill DHT.

CCDKP · Sun Jan 22, 2012 12:09 am

You don't need the "bittorrent_announce" rule as it is covered by the "Bittorrent" rule. Anything the Announce rule is flagging is a false positive (yahoo.com's front page will get flagged).

Also, do you have rules to redirect all DNS traffic to the mikrotik? If you don't, a client can just use their own DNS server (google, opendns, etc) and bypass the filter.

di9383 · Sun Jan 22, 2012 10:03 pm

You don't need the "bittorrent_announce" rule as it is covered by the "Bittorrent" rule. Anything the Announce rule is flagging is a false positive (yahoo.com's front page will get flagged).

You are right. Ok, I disabled bittorrent_announce now (btw, can you explain in detail, what does this rule do, and why does yahoo start page correspond to it?), but it seems like nothing is changed.

Also, do you have rules to redirect all DNS traffic to the mikrotik? If you don't, a client can just use their own DNS server (google, opendns, etc) and bypass the filter.

All clients in my network uses mikrotik DNS as their primary and the only one DNS server. They can not change it (have no permissions). Also, I have a rule in Mikrotik, that deny all DNS traffic going through the router (so, no other server can be used).

CCDKP · Sun Jan 22, 2012 10:48 pm

Ok, I disabled bittorrent_announce now (btw, can you explain in detail, what does this rule do, and why does yahoo start page correspond to it?), but it seems like nothing is changed.

The two biggest flags for bittorrent are the scrape and announce commands sent to the trackers. For a long while, the Bittorrent rule on the wiki that everyone used had a typo in it that disabled it's ability to detect scrapes and announces. This lead to someone (TKITFrank?) making the bittorrent_announce rule to capture them.

The problem comes from the bittorrent_announce rule being rather vague, and able to pick up false positives. The corrected part of the rule that grabs announces also looks for the info_hash parameter, which is a dead giveaway for bittorrent:

get /announce\?info_hash=

Compare this with the filter rule in bittorrent_announce:

add name=BITTORRENT_ANNOUNCE regexp=^get.+announce.

This rule basically looks for anything with the word "get" and "announce". On Yahoo's homepage, there is an object called "Announcebar" at top. When you load the page, at some point a request is generated for "get /announcebar/announcebar_1.0.22.css", which will trip the bittorrent_announce rule, but won't be troubled by the proper rule due to the lack of the info_hash parameter.

If you want to look more into the problem, I detailed the issue with the bittorrent filter here: http://forum.mikrotik.com/viewtopic.php ... 50#p268237

ll clients in my network uses mikrotik DNS as their primary and the only one DNS server. They can not change it (have no permissions). Also, I have a rule in Mikrotik, that deny all DNS traffic going through the router (so, no other server can be used).

First, remember that DNS can use TCP in addition to UDP. Any response over 512 bytes requires TCP to be used. With DNS Sec, DNS over TCP is becoming more common.

Rather than just drop the DNS traffic, you can just as easy redirect it to the internal DNS server:

/ip firewall nat
add action=redirect chain=dstnat comment="Capture DNS" disabled=no dst-port=53 protocol=udp to-ports=53
add action=redirect chain=dstnat comment="Capture DNS" disabled=no dst-port=53 protocol=tcp to-ports=53

di9383 · Mon Jan 23, 2012 11:02 am

Thanks for your help and explanations. After disabling bittorrent_announce rule it started to block torrent traffic in some way:) I also corrected my DNS drop filter - use dstnat instead - seems to work as it should.
One more question. Do encrypted torrent connections should be blocked too? Because, mine don't...

Update: Ups.., seems so, that with encryption enabled in my torrent client, filters are still blocking download...misunderstood a little, because at first when I turned encryption on the torrent file began to download. And now I'm testing with different files - nothing.

TKITFrank · Mon Jan 23, 2012 6:39 pm

Hi,

This is a draft will add more info later this week.

Did some testing today and found out that you can bypass my filter by starting the connection on one site and then resume them behind my firewall. To block them you have to use a series of things. This is what I have found.
By marking udp packet size from 62-500 and tagging them as p2p traffic you can successfully identify the dest host that the client connects to. And block the start of the DHT and the encrypted transfer. In my case I marked the packets and added them to a connection-mark just like with the L7 filters.

Step 1;
Complement the current mangle rule set with a udp rule that marks all packets with size 62-500 except dst port 53. And direct them to the P2P chain.

Step 2;
I also created a new L7 filter for the DHT. That I added to the other L7 filters. I hope I remember the regex correctly.
/ip firewall layer7-protocol
add name=BITTORRENT_DHT regexp="^d1\:.d2\:id20\:"

Step 3;
Finally I added a rule in the filter table that uses connection-mark p2p to add destination ip to list p2p-users-ext.
I did then use that list to block all connections in forward chain. I did two lists both src and dst based on those address-lists.

Note that this is only a draft of what I have done. I will add the correct syntax later this week. And I have not done any false positive tests yet. Will do them in 2days when I try them on the main firewall.
So use with care!

NetworkPro · Sat Jan 28, 2012 12:53 am

So to summarize, both of the existing Bittorrent and Bittorrent_announce L7 filters should be removed in favor of:
Code: Select all
/ip firewall layer7-protocol
 add comment="" name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$\
    |get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet\
    /|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
--@CC_DKP

Not Working. Can't catch announce.

CCDKP · Sat Jan 28, 2012 1:10 am

So to summarize, both of the existing Bittorrent and Bittorrent_announce L7 filters should be removed in favor of:
Code: Select all
/ip firewall layer7-protocol
 add comment="" name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$\
    |get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet\
    /|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
--@CC_DKP
Not Working. Can't catch announce.

Could you please provide a link to the torrent file & what tracker was used, or a packet capture of the announces not getting flagged so I can work on getting the filter updated? My understanding is there is a new wave of encrypted UDP and HTTPS encrypted trackers, which this rule will not be able to catch, but if this is the case I would still like to look at the traffic and see if we can find *something*.

Also, is the rule catching anything for you? If you are bench testing this, is DHT/UTP disabled? Clients can still exchange peers over DHT/UTP without announcing to the tracker.

NetworkPro · Sat Jan 28, 2012 1:41 am

I used this to catch the announce

^get.+announce\?info

di9383 · Sun Jan 29, 2012 10:58 am

CCDKP, do I understand right, these rules above work with encrypted option in torrent client enforced too? I suppose, their blocking effect comes at announce blocking level (where we use dns block) and doesn't depend on all other options?

TKITFrank · Tue Jan 31, 2012 10:02 am

Hi,

This is my new config, I have been testing to some time and I have had issues with false positive. The config below seems to eliminate those false positive I have found. However there might be more... I you find it please let me know. And also how so I can replicate it and correct it.

I will try to implement it in an live environment today or tomorrow. I did some live testing last week but I found out that the UDP block blacklisted common sites for reasons unknown. This seems to be corrected now.

Anyhow any input regarding this is appreciated. And also USE WITH CARE....

EDIT,
Seems like SteamPowerd gets caught by the TCP tracker rule. I will look in to this...
Did a workaround for this, (TCP-Tracker blocking, UDP-Bittorrent blocking) rules now make a new connection-mark that is called "suspicious" this traffic only gets used when a client has been using P2P from the "safe" rules. Have a look at the code in Mangle and Filter to see where I use it. The summery of it is that normal clients will trigger the suspicious traffic rule but it will not get applied since they don't use P2P. Only P2P users will get punished.

/ip firewall mangle
add action=jump chain=prerouting comment="Common P2P-Blocking" disabled=no dst-address-list=!dns-externt jump-target=p2p-service p2p=all-p2p
add action=jump chain=prerouting disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=BITTORRENT
add action=jump chain=prerouting disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=BITTORRENT_DHT
add action=jump chain=prerouting disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=DIRECTCONNECT
add action=jump chain=prerouting disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=GNUTELLA
add action=mark-connection chain=prerouting comment="UDP-Bittorrent blocking" disabled=no dst-address-list=!dns-externt dst-port=1024-65535 new-connection-mark=suspicious packet-size=62-500 passthrough=no protocol=udp src-port=!53
add action=mark-connection chain=prerouting comment="TCP-Tracker blocking" connection-type=!ftp disabled=no dst-address-list=!dns-externt dst-port=10000-65535 new-connection-mark=suspicious packet-size=100-500 passthrough=no protocol=tcp src-port=1024-65535 tcp-flags=psh,ack

add action=jump chain=prerouting connection-state=new disabled=no dst-port=443 jump-target=tcp-services protocol=tcp
add action=jump chain=prerouting connection-state=new disabled=no dst-address-list=!dns-externt dst-port=!443 jump-target=p2p-service layer7-protocol=HTTPS protocol=tcp
add action=jump chain=prerouting connection-state=new disabled=no jump-target=tcp-services protocol=tcp
add action=jump chain=prerouting connection-state=new disabled=no jump-target=udp-services protocol=udp
add action=jump chain=prerouting connection-state=new disabled=no jump-target=other-services
add action=mark-connection chain=p2p-service disabled=no new-connection-mark=p2p passthrough=no

/ip firewall filter
add action=add-src-to-address-list address-list=p2p-users address-list-timeout=10m chain=forward comment="Drop and log all P2P" connection-mark=p2p disabled=no src-address-list=local-addr
add action=add-dst-to-address-list address-list=p2p-users-ext address-list-timeout=10m chain=forward connection-mark=suspicious disabled=no src-address-list=local-addr
add action=log chain=forward connection-mark=p2p disabled=no log-prefix=P2P src-address-list=local-addr
add action=jump chain=forward connection-mark=p2p disabled=no jump-target=drop src-address-list=local-addr
add action=jump chain=forward disabled=no dst-address-list=p2p-users-ext jump-target=drop src-address-list=p2p-users
add action=jump chain=forward disabled=no dst-address-list=p2p-users jump-target=drop src-address-list=p2p-users-ext

/ip firewall layer7-protocol
add name=HTTPS regexp="^(.\?.\?\\x16\\x03.*\\x16\\x03|.\?.\?\\x01\\x03\\x01\?.*\\x0b)"
add name=GNUTELLA regexp="^(gnd[\\x01\\x02]\?.\?.\?\\x01|gnutella connect/[012]\\.[0-9]\\x0d\\x0a|get /uri-res/n2r\\\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get\
    \_/.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?:[1-9][0-9]\?[0-9]\?[0-9]\?|gnutella.*co\
    ntent-type: application/x-gnutella|...................\?lime)"
add name=DIRECTCONNECT regexp="^(\\\$mynick |\\\$lock |\\\$key )"
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:.d2:id20:|\\x08'7P\\)[RP]"
add name=BITTORRENT_DHT regexp="^d1\\:.d2\\:id20\\:"

gnuttisch · Tue Jan 31, 2012 3:54 pm

Hi

Trying out your (TKITFrank) p2p traffic shaper/blocker but I cant get it to work successfully, mayby i have missed something? The queue limiting the data but some off it seams to getting bye.

Iam testing like this. OfficeLAN --> RB750G In BridgeMode --> RB433 Hotspot --> Client.

# jan/02/1970 00:02:47 by RouterOS 5.12
# software id = 8952-JWTY
#
/interface bridge
add l2mtu=1520 name=bridge1
/interface ethernet
set 0 name=Eth1_WAN
set 1 name=Eth2_LAN
set 2 name=Eth3
set 3 name=Eth4
set 4 name=Eth5
/ip firewall layer7-protocol
add name=HTTPS regexp=\
    "^(.\?.\?\\x16\\x03.*\\x16\\x03|.\?.\?\\x01\\x03\\x01\?.*\\x0b)"
add name=GNUTELLA regexp="^(gnd[\\x01\\x02]\?.\?.\?\\x01|gnutella connect/[012]\
    \\.[0-9]\\x0d\\x0a|get /uri-res/n2r\\\?urn:sha1:|get /.*user-agent: (gtk-gnu\
    tella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get /.*content-ty\
    pe: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-\
    9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[\
    0-9]\?:[1-9][0-9]\?[0-9]\?[0-9]\?|gnutella.*content-type: application/x-gnut\
    ella|...................\?lime)"
add name=DIRECTCONNECT regexp="^(\\\$mynick |\\\$lock |\\\$key )"
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\
    \\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\
    \?fid=)|d1:.d2:id20:|\\x08'7P\\)[RP]"
add name=BITTORRENT_DHT regexp="^d1\\:.d2\\:id20\\:"
/queue tree
add max-limit=1M name=IN parent=global-in
add max-limit=1M name=OUT parent=global-out
add max-limit=10k name=p2p_in packet-mark=P2P_PacketMark parent=IN
add max-limit=10k name=p2p_out packet-mark=P2P_PacketMark parent=OUT
/interface bridge port
add bridge=bridge1 interface=Eth1_WAN
add bridge=bridge1 interface=Eth2_LAN
/interface bridge settings
set use-ip-firewall=yes
/ip dhcp-client
add disabled=no interface=bridge1
/ip dns
set max-udp-packet-size=512 servers=192.168.19.1,195.67.199.24
/ip firewall filter
add action=add-src-to-address-list address-list=p2p-users address-list-timeout=\
    10m chain=forward comment="Drop and log all P2P" connection-mark=p2p \
    src-address-list=local-addr
add action=add-dst-to-address-list address-list=p2p-users-ext \
    address-list-timeout=10m chain=forward connection-mark=suspicious \
    src-address-list=local-addr
add action=log chain=forward connection-mark=p2p log-prefix=P2P \
    src-address-list=local-addr
add action=jump chain=forward connection-mark=p2p jump-target=drop \
    src-address-list=local-addr
add action=jump chain=forward dst-address-list=p2p-users-ext jump-target=drop \
    src-address-list=p2p-users
add action=jump chain=forward dst-address-list=p2p-users jump-target=drop \
    src-address-list=p2p-users-ext
/ip firewall mangle
add action=jump chain=prerouting comment="Common P2P-Blocking" \
    dst-address-list=!dns-externt jump-target=p2p-service p2p=all-p2p
add action=jump chain=prerouting dst-address-list=!dns-externt jump-target=\
    p2p-service layer7-protocol=BITTORRENT
add action=jump chain=prerouting dst-address-list=!dns-externt jump-target=\
    p2p-service layer7-protocol=BITTORRENT_DHT
add action=jump chain=prerouting dst-address-list=!dns-externt jump-target=\
    p2p-service layer7-protocol=DIRECTCONNECT
add action=jump chain=prerouting dst-address-list=!dns-externt jump-target=\
    p2p-service layer7-protocol=GNUTELLA
add action=mark-connection chain=prerouting comment="UDP-Bittorrent blocking" \
    dst-address-list=!dns-externt dst-port=1024-65535 new-connection-mark=\
    suspicious packet-size=62-500 passthrough=no protocol=udp src-port=!53
add action=mark-connection chain=prerouting comment="TCP-Tracker blocking" \
    connection-type=!ftp dst-address-list=!dns-externt dst-port=10000-65535 \
    new-connection-mark=suspicious packet-size=100-500 passthrough=no protocol=\
    tcp src-port=1024-65535
add action=jump chain=prerouting connection-state=new dst-port=443 jump-target=\
    tcp-services protocol=tcp
add action=jump chain=prerouting connection-state=new dst-address-list=\
    !dns-externt dst-port=!443 jump-target=p2p-service layer7-protocol=HTTPS \
    protocol=tcp
add action=jump chain=prerouting connection-state=new jump-target=tcp-services \
    protocol=tcp
add action=jump chain=prerouting connection-state=new jump-target=udp-services \
    protocol=udp
add action=jump chain=prerouting connection-state=new jump-target=\
    other-services
add action=mark-connection chain=p2p-service new-connection-mark=p2p \
    passthrough=no
add action=mark-packet chain=postrouting connection-mark=p2p new-packet-mark=\
    P2P_PacketMark
/ip smb shares
set [ find default=yes ] directory=/pub
/queue interface
set Eth1_WAN queue=ethernet-default
set Eth2_LAN queue=ethernet-default
set Eth3 queue=ethernet-default
set Eth4 queue=ethernet-default
set Eth5 queue=ethernet-default

CCDKP · Tue Jan 31, 2012 4:03 pm

CCDKP, do I understand right, these rules above work with encrypted option in torrent client enforced too? I suppose, their blocking effect comes at announce blocking level (where we use dns block) and doesn't depend on all other options?

That is correct. The "Encrypt" option in a torrent client only covers client to client communications. The L7 filter is designed to prevent tracker communication, while the DNS is designed to prevent DHT/UTP from bootstrapping. With these methods blocked, the clients never learn about other clients, so in theory we don't have to worry about inter-client communication being encrypted.

The downside is that if a client can boot strap in any way (DHT seeded off-site or through external internet connection), or the client uses one of the new encrypted trackers, then peer lists are created, encryption is used, and we are helpless to find it. This is why we suggest using these rules to detect the presence of traffic, then take secondary measures against the clients.

Sun Feb 05, 2012 12:45 am

/ip firewall layer7-protocol
add name=HTTPS regexp="^(.\?.\?\\x16\\x03.*\\x16\\x03|.\?.\?\\x01\\x03\\x01\?.*\\x0b)"
add name=GNUTELLA regexp="^(gnd[\\x01\\x02]\?.\?.\?\\x01|gnutella connect/[012]\\.[0-9]\\x0d\\x0a|get /uri-res/n2r\\\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get\
    \_/.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?:[1-9][0-9]\?[0-9]\?[0-9]\?|gnutella.*co\
    ntent-type: application/x-gnutella|...................\?lime)"
add name=DIRECTCONNECT regexp="^(\\\$mynick |\\\$lock |\\\$key )"
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:.d2:id20:|\\x08'7P\\)[RP]"
add name=BITTORRENT_DHT regexp="^d1\\:.d2\\:id20\\:"

TKITFrank : I think you have a typo in the last 2 line of the L7 rules. E.g. you have:

add name=BITTORRENT_DHT regexp="^d1\\:.d2\\:id20\\:"

Should it not be that the "." is an "a" on those two lines?

add name=BITTORRENT_DHT regexp="^d1\\:ad2\\:id20\\:"

Also, what is in your dns-externt address-list?

TKITFrank · Sun Feb 05, 2012 11:33 am

/ip firewall layer7-protocol
add name=HTTPS regexp="^(.\?.\?\\x16\\x03.*\\x16\\x03|.\?.\?\\x01\\x03\\x01\?.*\\x0b)"
add name=GNUTELLA regexp="^(gnd[\\x01\\x02]\?.\?.\?\\x01|gnutella connect/[012]\\.[0-9]\\x0d\\x0a|get /uri-res/n2r\\\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get\
    \_/.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?:[1-9][0-9]\?[0-9]\?[0-9]\?|gnutella.*co\
    ntent-type: application/x-gnutella|...................\?lime)"
add name=DIRECTCONNECT regexp="^(\\\$mynick |\\\$lock |\\\$key )"
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:.d2:id20:|\\x08'7P\\)[RP]"
add name=BITTORRENT_DHT regexp="^d1\\:.d2\\:id20\\:"

TKITFrank : I think you have a typo in the last 2 line of the L7 rules. E.g. you have:

add name=BITTORRENT_DHT regexp="^d1\\:.d2\\:id20\\:"

Should it not be that the "." is an "a" on those two lines?

add name=BITTORRENT_DHT regexp="^d1\\:ad2\\:id20\\:"

Also, what is in your dns-externt address-list?

No the line is correct. I have found that the "A" sometimes becomes a "R". So to be sure I have made it a wildcard. I have also made the DHT rule merge in to the BITTORRENT rule. They seem to overlap.
My current addresslist have not changed but it seems to be obsolete with new ruleset. I have improved t more last week but I am currently testing it. I will release new code late this week or next.

NetworkPro · Sun Feb 05, 2012 12:28 pm

After I saw ACTA I officially do not filter anything. I move all the effort to QoS which is now a very well developed topic.

Sun Feb 05, 2012 2:58 pm

TKITFrank : OK, thanks.

NetworkPro : Our intention is similar, to identify the traffic and then we can place the traffic into appropriate priority queues.

TKITFrank · Fri Feb 10, 2012 3:53 pm

Hi,

Here is the new setup... This will perhaps beside blocking allows for traffic-shaping of encrypted torrent traffic.
What will happen is that only users that use P2P programs will be subject to the rules that contain some false positive ("UDP-Bittorrent blocking" and "TCP-Tracker blocking").
They have a 2min timeout before they will be off the hook if the close the P2P programs.
But a rule before the "UDP-Bittorrent blocking" and "TCP-Tracker blocking" can whitelist some gameservers and so on.

/ip firewall mangle
add action=jump chain=prerouting comment="Common P2P-Blocking" disabled=no dst-address-list=!dns-externt jump-target=p2p-service p2p=all-p2p
add action=jump chain=prerouting comment="" disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=BITTORRENT
add action=jump chain=prerouting comment="" disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=DIRECTCONNECT
add action=jump chain=prerouting comment="" disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=GNUTELLA

add action=add-dst-to-address-list address-list=p2p-users-ext address-list-timeout=10m chain=prerouting comment="UDP-Bittorrent blocking" disabled=no dst-address-list=!dns-externt dst-port=1024-65535 packet-size=62-500 protocol=udp src-address-list=p2p-users src-port=!53
add action=add-dst-to-address-list address-list=p2p-users-ext address-list-timeout=10m chain=prerouting comment="TCP-Tracker blocking" connection-type=!ftp disabled=no dst-address-list=!dns-externt dst-port=1024-65535 packet-size=100-500 protocol=tcp src-address-list=p2p-users src-port=1024-65535 tcp-flags=psh,ack

add action=add-src-to-address-list address-list=p2p-users address-list-timeout=2m chain=p2p-service comment="" disabled=no src-address-list=local-addr
add action=mark-connection chain=p2p-service comment="" disabled=no new-connection-mark=p2p passthrough=no

/ip firewall filter
add action=jump chain=forward comment="" connection-mark=p2p disabled=no jump-target=drop
add action=jump chain=forward comment="" disabled=no dst-address-list=p2p-users-ext jump-target=drop-no-log src-address-list=p2p-users
add action=jump chain=forward comment="" disabled=no dst-address-list=p2p-users jump-target=drop-no-log src-address-list=p2p-users-ext

CCDKP · Fri Feb 10, 2012 4:26 pm

TKITFrank,

While testing out some of the new rules, I hit a very interesting discovery. uTorrent 3.0 will try to established UTP connections over Teredo IPv6 tunnels, which are on by default on Windows Vista & Windows 7. If you fire up a decent sized torrent on a Windows 7 machine and look under "peers" you may notices some valid IPv6 peers show up.

Due to the Teredo encapsulation, the DHT rules had a difficult time flagging those connections. If you look at logs or packet captures, look for traffic destined for UDP 3544.

TKITFrank · Fri Feb 10, 2012 4:53 pm

TKITFrank,

While testing out some of the new rules, I hit a very interesting discovery. uTorrent 3.0 will try to established UTP connections over Teredo IPv6 tunnels, which are on by default on Windows Vista & Windows 7. If you fire up a decent sized torrent on a Windows 7 machine and look under "peers" you may notices some valid IPv6 peers show up.

Due to the Teredo encapsulation, the DHT rules had a difficult time flagging those connections. If you look at logs or packet captures, look for traffic destined for UDP 3544.

Hi,

Yes I noticed this early on as well. I do not know of any way to inspect that traffic so I have blocked it

I'm sorry I did not include that in my configuration this however is VITAL for the blocking to work.
Thanks for the notice! =)

Belyache · Wed Feb 15, 2012 12:52 am

@TKITFrank

Hi all: I am new to Mikrotik. I have an RB450G that I am planning to use as a router/hotspot in a free wireless environment.

I struggled to get the User-manager to operate correctly, so I eventually when with hotspotsystems.com free system. It works OK, not perfect, but OK.

----
On to the second part of my problem, the one I am posting here about.

We have an issue with Torrents being downloaded illegally. Since MikroTik seemed to have the best solution, I chose this router.

I have read through this stream of posts, which seems to me a work in progress. That is fine. I am having trouble following your posts though, I do understand what you are doing, just not how to put it all together.

I see a post from Jan 31 posting your setup code, then again on Feb 10, posting your new setup code.
1) Are either of these posts complete?
2) Is the second post an addition to the previous post?
3) do we wipe the previous rules and start over?
4) Do you still need the DNS rules?
5) What DNS rules are you using now?

Would you be kind enough to post your code as complete? in otherwords, show all of the code needed to make the rules work.

I appreciate users like you that have taken the time to figure out these extremely complex problems. And I am sure others do as well.

Thanks

Glenn

TKITFrank · Wed Feb 15, 2012 7:53 am

Hi Belyache,

To make a long story short this has been an ongoing battle.. I will try to summery it for you.
I also included CCDKP's note about IPv6. As he stats is it VITAL for the blocking.

1) Are either of these posts complete?
I have made them below.
2) Is the second post an addition to the previous post?
....
3) do we wipe the previous rules and start over?
No and Yes depends on your setup. Mine is quite complex. It uses Dimitry on firewalling as a base and from there i have heavily modified it. But as I have writen it below should be ok to implement on any system.
4) Do you still need the DNS rules?
From what I can see NO. I currently have them disabled to test if i need them anymore. But They don't hurt so anything except torrent.
5) What DNS rules are you using now?

/ip dns static
add address=127.0.0.1 disabled=yes name=router.utorrent.com ttl=1d
add address=127.0.0.1 disabled=yes name=dht.vuze.com ttl=1d
add address=127.0.0.1 disabled=yes name=vrpc.vuze.com ttl=1d
add address=127.0.0.1 disabled=yes name=vzrpx020.vuze.com ttl=1d
add address=127.0.0.1 disabled=yes name=vzapp020.vuze.com ttl=1d
add address=127.0.0.1 disabled=yes name=client.vuze.com ttl=1d
add address=127.0.0.1 disabled=yes name=mirror-user1.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=yes name=ip.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=yes name=jp.bitcomet.com ttl=1d
add address=127.0.0.1 disabled=yes name=torrent-cache.bitcomet.org ttl=1d
add address=127.0.0.1 disabled=yes name=inside.bitcomet.com ttl=1d
add address=127.0.0.2 disabled=yes name=router.bitcomet.net ttl=1d

Now for the Complete setup. I hope I have not missed anything

/ip firewall layer7-protocol
add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:.d2:id20:|\\x08'7P\\)[RP]"
add name=GNUTELLA regexp="^(gnd[\\x01\\x02]\?.\?.\?\\x01|gnutella connect/[012]\\.[0-9]\\x0d\\x0a|get /uri-res/n2r\\\?urn:sha1:|get /.*user-agent: (gtk-gnutella|bearshare|mactella|gnucleus|gnotella|limewire|imesh)|get\
    \_/.*content-type: application/x-gnutella-packets|giv [0-9]*:[0-9a-f]*/|queue [0-9a-f]* [1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?\\.[1-9][0-9]\?[0-9]\?:[1-9][0-9]\?[0-9]\?[0-9]\?|gnutella.*co\
    ntent-type: application/x-gnutella|...................\?lime)"
add name=DIRECTCONNECT regexp="^(\\\$mynick |\\\$lock |\\\$key )"
add name=HTTPS regexp="^(.\?.\?\\x16\\x03.*\\x16\\x03|.\?.\?\\x01\\x03\\x01\?.*\\x0b)"

Note you have to enter your external DNS servers here and also the local networks.

/ip firewall address-list
add address=xxx.xxx.xxx.xxx comment=DNS-servers disabled=no list=dns-externt
add address=xxx.xxx.xxx.xxx disabled=no list=dns-externt
add address=78.31.0.0/16 comment=Spotify disabled=no list=spotify
add address=xxx.xxx.xxx.xxx disabled=no list=local-addr

Make sure that the rules below is first in the mangle and filter sets. Above anything else.

/ip firewall mangle
add action=jump chain=prerouting comment="Common P2P-Blocking" disabled=no dst-address-list=!dns-externt jump-target=p2p-service p2p=all-p2p
add action=jump chain=prerouting comment="" disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=BITTORRENT
add action=jump chain=prerouting comment="" disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=DIRECTCONNECT
add action=jump chain=prerouting comment="" disabled=no dst-address-list=!dns-externt jump-target=p2p-service layer7-protocol=GNUTELLA
add action=add-dst-to-address-list address-list=p2p-users-ext address-list-timeout=10m chain=prerouting comment="UDP-Bittorrent blocking" disabled=no dst-address-list=!dns-externt dst-port=1024-65535 packet-size=\
    62-500 protocol=udp src-address-list=p2p-users src-port=!53
add action=add-src-to-address-list address-list=p2p-users-ext address-list-timeout=10m chain=prerouting disabled=no dst-address-list=p2p-users dst-port=1024-65535 packet-size=62-500 protocol=udp src-address-list=\
    !dns-externt src-port=!53
add action=add-dst-to-address-list address-list=p2p-users-ext address-list-timeout=10m chain=prerouting comment="TCP-Tracker blocking" connection-type=!ftp disabled=no dst-address-list=!dns-externt dst-port=\
    1024-65535 packet-size=100-500 protocol=tcp src-address-list=p2p-users src-port=1024-65535 tcp-flags=psh,ack
add action=add-src-to-address-list address-list=p2p-users-ext address-list-timeout=10m chain=prerouting connection-type=!ftp disabled=no dst-address-list=p2p-users dst-port=1024-65535 packet-size=100-500 protocol=tcp \
    src-address-list=!dns-externt src-port=1024-65535 tcp-flags=psh,ack
add action=jump chain=prerouting connection-state=new disabled=no dst-port=443 jump-target=tcp-services protocol=tcp
add action=jump chain=prerouting connection-state=new disabled=no dst-address-list=!dns-externt dst-port=!443 jump-target=p2p-service layer7-protocol=HTTPS protocol=tcp
add action=jump chain=prerouting connection-state=new disabled=no jump-target=tcp-services protocol=tcp
add action=jump chain=prerouting connection-state=new disabled=no jump-target=udp-services protocol=udp
add action=jump chain=prerouting connection-state=new disabled=no jump-target=other-services
add action=add-src-to-address-list address-list=p2p-users address-list-timeout=2m chain=p2p-service disabled=no src-address-list=local-addr
add action=mark-connection chain=p2p-service disabled=no new-connection-mark=p2p passthrough=no
add action=mark-connection chain=tcp-services disabled=no dst-port=20-21 new-connection-mark=ftp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=22 new-connection-mark=ssh passthrough=no protocol=tcp src-port=513-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=23 new-connection-mark=telnet passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=25 new-connection-mark=smtp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=53 new-connection-mark=dns passthrough=no protocol=tcp src-port=53
add action=mark-connection chain=tcp-services disabled=no dst-port=53 new-connection-mark=dns passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=80 new-connection-mark=http passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=110 new-connection-mark=pop3 passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=113 new-connection-mark=auth passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=119 new-connection-mark=nntp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=137-139 new-connection-mark=netbios passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=143 new-connection-mark=imap passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=161-162 new-connection-mark=snmp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-address-list=spotify dst-port=443 new-connection-mark=spotify passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-address-list=!spotify dst-port=443 new-connection-mark=https passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=445 new-connection-mark=ms-ds passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=465 new-connection-mark=smtps passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=990 new-connection-mark=ftps passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=993 new-connection-mark=imaps passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=995 new-connection-mark=pop3s passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=1080 new-connection-mark=socks passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=1723 new-connection-mark=pptp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=1863 new-connection-mark=msn passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=2379 new-connection-mark=kgs passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=3128 new-connection-mark=squid-proxy passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=3389 new-connection-mark=win-ts passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=3845 new-connection-mark=smartpass passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=4070 new-connection-mark=spotify passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=2000-3000 new-connection-mark=bwtest passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=4242-4243 new-connection-mark=emule passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=1024-65535 new-connection-mark=overnet passthrough=no protocol=tcp src-port=4661-4662
add action=mark-connection chain=tcp-services disabled=no dst-port=1024-65535 new-connection-mark=emule passthrough=no protocol=tcp src-port=4711
add action=mark-connection chain=tcp-services disabled=no dst-port=5900-5901 new-connection-mark=vnc passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=6667-6669 new-connection-mark=irc passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=8080 new-connection-mark=http-proxy passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=8291 new-connection-mark=winbox passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=42041-42052 new-connection-mark=voddler passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no dst-port=55536-55663 new-connection-mark=ftp-passive passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services disabled=no new-connection-mark=other-tcp passthrough=no protocol=tcp
add action=mark-connection chain=udp-services disabled=no dst-port=53 new-connection-mark=dns passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=67 new-connection-mark=dhcp passthrough=no protocol=udp src-port=67-68
add action=mark-connection chain=udp-services disabled=no dst-port=123 new-connection-mark=ntp passthrough=no protocol=udp src-port=123
add action=mark-connection chain=udp-services disabled=no dst-port=123 new-connection-mark=ntp passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=137-139 new-connection-mark=netbios passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=161-162 new-connection-mark=snmp passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=514 new-connection-mark=syslog passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=1701 new-connection-mark=l2tp passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=3544 new-connection-mark=ms-ipv6 passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=4665 new-connection-mark=emule passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=4672 new-connection-mark=emule passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=2000-3000 new-connection-mark=bwtest passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=1024-65535 new-connection-mark=emule passthrough=no protocol=udp src-port=4672
add action=mark-connection chain=udp-services disabled=no dst-port=12053 new-connection-mark=overnet passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=20561 new-connection-mark=mac-winbox passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=42041-42052 new-connection-mark=voddler passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services disabled=no dst-port=1024-65535 new-connection-mark=overnet passthrough=no protocol=udp src-port=12053
add action=mark-connection chain=udp-services disabled=no dst-port=1024-65535 new-connection-mark=skype passthrough=no protocol=udp src-port=36725
add action=mark-connection chain=udp-services disabled=no new-connection-mark=other-udp passthrough=no protocol=udp
add action=mark-connection chain=other-services disabled=no icmp-options=8:0-255 new-connection-mark=ping passthrough=no protocol=icmp
add action=mark-connection chain=other-services disabled=no new-connection-mark=gre passthrough=no protocol=gre
add action=mark-connection chain=other-services disabled=no new-connection-mark=other passthrough=no

/ip firewall filter
add action=drop chain=forward comment="Block Teredo IPv6-tunnel" disabled=no dst-port=3544 protocol=udp src-port=1024-65535
add action=drop chain=forward comment="Drop all P2P" connection-mark=p2p disabled=no
add action=drop chain=forward comment="" disabled=no dst-address-list=p2p-users-ext src-address-list=p2p-users
add action=drop chain=forward comment="" disabled=no dst-address-list=p2p-users src-address-list=p2p-users-ext

Please note that this also opens up for just not blocking but also for marking packets to allow you to trafficshape encrypted torrent traffic.
I have not tried it but it should with some modifications work.

Hope this will help!

Belyache · Wed Feb 15, 2012 4:15 pm

TKITFrank:

Thank you for the post and sharing your efforts. I think your last post will help many here.

I will get to work on it this morning.

It is obvious that you have put a lot of time into making this work.

It is people like you that make IT easier for the rest of us.

Glenn

CCDKP · Wed Feb 15, 2012 4:35 pm

Hi all: I am new to Mikrotik. I have an RB450G that I am planning to use as a router/hotspot in a free wireless environment.

Since you are operating a free hotspot instead of a fixed ISP with paying customers, you may wish to consider something like I implemented way back on page 3 (http://forum.mikrotik.com/viewtopic.php ... 83#p249583). The problem with trying to block p2p is it is very aggressive at finding any hole it can to get out. If you don't stay on top of new changes, the filter looses effectiveness fairly quickly.

Since I was working with primarily free hotspot users, I took the approach of detecting ANY p2p presence and just flat out punishing the user. Rather than trying to block everything, I block the low-hanging fruit, and use them for detection. One a user is caught, they are temporarily throttled down to dial-up speeds. This makes the hotspot pretty much unusable for them, so they tend to get frustrated and go elsewhere (and assume it is either their PC or an overloaded hotspot rather than content filtering they could try to bypass). With all the revisions TKIT has needed to make on the blocking side to stop Toredo tunnels and updated DHT connections, my original hotspot is still running fine. This is because bittorrent tends to try the obvious methods of connection before getting "sneaky" about getting out.

The advantage this offers is that as long as a few packets manage to get detected every so often, the user is kept on lockdown and it doesn't matter if they actually manage to establish a peer data connection, since they are already at 28k/14k (and it turns out a lot of clients will shun a connection this slow). The downside is that this method is attempting to change behavior by encouraging the p2p user to either stop p2p or go elsewhere. It works great for things like hotspots and college networks, but is not a solution for places like ISPs and corporate networks. If you are managing a network like that, then TKITFrank's method is far more appropriate.

The various methods here are very much mix & match depending on how you want to go about your filtering. We are trying hard to catch a protocol built on the foundation of not being easily detected or throttled. Make you you keep an eye on this thread going forward. What works right now might not after a new generation of clients are released. Good luck!

Belyache · Wed Feb 15, 2012 5:01 pm

CCDKP:

Thanks for your post.

I had seen your posts, but TKIT's efforts seemed to be more up - to - date, not a judgement on your code, it just seemed to be out of date, and with the way bittorrent has been changing, I thought maybe TKIT's rules were right way to go.

I will test both your code and his code and see which way works best. And yes, I am giving the service away for free, so I really don't care if someone gets upset with me over P2P not working.

Have you been able to implement the Hotspot User-manager from Mikrotik? I would prefer to use it, but I can't seem to access it properly unless I am already logged into the router, but that defeats the purpose.

Thanks for your time, and as I said to TKIT, you guys really help the rest of us out. It can be very frustrating trying to recreate what someone else has already figured out. I try to think of the IT community as a bunch of mentors, willing to help out the next guy. To all of the IT guys listening, take it easy on the guys trying to help. (guys being generic for guys and gals, we're all in it together).

Glenn

TKITFrank · Thu Feb 16, 2012 7:36 am

Hi,

CCDKP describers it well.

This is because bittorrent tends to try the obvious methods of connection before getting "sneaky" about getting out.

That is the same technique I use and it was his Idea (Thanks CCDKP), I just took it one step further

I can not punish my users like he can. I have to maintain a working connection for them.

With all the revisions TKIT has needed to make on the blocking side to stop Toredo tunnels and updated DHT connections, my original hotspot is still running fine.

My main problem has been and there by the many revisions... That the UDP and TCP blocking rules that cripple the encrypted traffic where like a broad sword. I needed to find a way to only use the broad sword on people that use P2P and then as soon as the shut down the P2P program open up the connection again. That took a lot of my time and some thinking to make (Love Wireshark...). But I have been running it for a week or two now and I have constant communication with the IT representative at the schools. They have yet not made any remarks on it.

Anyhow I think that we all can contribute to one and another to make the most working filters. This thread shows what good co work can provide in terms of results!
Now everyone can use them and make new revisions on them to suite there own setup. No setup is alike. What works for me will perhaps not work for CCDKP or yourselves and vise versa.

In the end I guess that it might be a loosing battle but for now it seems to be status quo... Lets see how long we can keep it up.

Hope the filters work for you!

farazhamzaa · Sun May 20, 2012 11:18 am

add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:.d2:id20:|\\x08'7P\\)[RP]"

when i try to ad this in l7 then it gave me error like

coudnt add new l7 protocol, bad regexp unmatched()(6)

Mon May 21, 2012 2:51 pm

ROS v5.16 no errors for me

[admin@RB1100] /ip firewall layer7-protocol> add name=BITTORRENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrape\\\
?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:.d2:id20:|\\x08'7P\\)[RP]"
[admin@RB1100] /ip firewall layer7-protocol>

dreamrider · Sat Jul 14, 2012 6:45 am

Note you have to enter your external DNS servers here and also the local networks.

/ip firewall address-list
add address=xxx.xxx.xxx.xxx comment=DNS-servers disabled=no list=dns-externt
add address=xxx.xxx.xxx.xxx disabled=no list=dns-externt
add address=78.31.0.0/16 comment=Spotify disabled=no list=spotify
add address=xxx.xxx.xxx.xxx disabled=no list=local-addr

Tell me, please, how to configure this section correctly. My external DNS server is 80.233.238.254 and Googles one - 8.8.8.8. My local network is 172.16.10.1/27 and internal DNS server - 172.16.10.1.
What means address 78.31.0.0/16 ?
Those rules is like Chinese alphabet for me

But I want use all of this for blocking p2p...

TKITFrank · Mon Jul 16, 2012 9:43 am

Hi,

Here is your setup

/ip firewall address-list
add address=80.233.238.254 comment=DNS-servers disabled=no list=dns-externt
add address=8.8.8.8 disabled=no list=dns-externt
add address=172.16.10.1/27 disabled=no list=local-addr

The 78 address was included by mistake... I use that for trafficshaping spotify.

dreamrider · Mon Jul 16, 2012 9:49 am

Thanks! I'll try it!
EDITED: Works 50/50. Some minutes speed is zero, some minutes - max. All the time - like a wawe

Interesting.

TKITFrank · Mon Jul 16, 2012 7:47 pm

Hi,

I have a setup that blocks about 700 students on 2 different sites. I have not seen that behavior..

Can you give me your setup? Sounds like something is missing or a rule out of order...

dreamrider · Mon Jul 16, 2012 10:20 pm

http://files.fm/down.php?i=dadfttu&n=Ro ... ck_P2P.rar
In the archive is notepad document, I don't know why I can not post this text here. May be danger code??

Look at this, please and give me a right config for this, OK?
Thanks!

TKITFrank · Tue Jul 17, 2012 7:33 am

Hi,

Add this to the top.
add action=drop chain=forward comment="Drop DNS" connection-mark=dns disabled=no

NOTE that you have to use the dns proxy/server in the RouterOS.

dreamrider · Tue Jul 17, 2012 7:42 am

It is a mangle, i think?
And other simple question - how I can add an exception for 1 IP address?

Oh, no - it is a firewall filter rule, sorry.

TKITFrank · Tue Jul 17, 2012 7:43 am

nopp
/ip firewall filter

dreamrider · Tue Jul 17, 2012 7:47 am

Yea, I see, edited my post before read your answer.

TKITFrank · Tue Jul 17, 2012 7:47 am

It is a mangle, i think?
And other simple question - how I can add an exception for 1 IP address?

That should be possible but a little more difficult since the DNS server as no ACL for records.
If you allow an ip to use DNS forward (opposite to the rule least posted) and also excludes it in the rules that block the traffic in firewall filter it can be done.
Or adds an allow rule above the blocking rules.

dreamrider · Tue Jul 17, 2012 7:54 am

Add an address in "DMZ" is no good idea, right? Or it is not possible for those complicated rules?
EDITED: Your rules works like a charm! Down/Up speed=ZERO!
P.S. But adding one IP to exclusions after two hours headacke - w/o success... Google hide answer for me. (I mean - your firewall rules is very strong

)

TKITFrank · Tue Jul 17, 2012 12:29 pm

Add an address in "DMZ" is no good idea, right? Or it is not possible for those complicated rules?
EDITED: Your rules works like a charm! Down/Up speed=ZERO!
P.S. But adding one IP to exclusions after two hours headacke - w/o success... Google hide answer for me. (I mean - your firewall rules is very strong )

My rules kills all. So the DMZ idea will not work. But if you add this it might work. I have not tested them I am @ work right now. But give it a try...
/ip firewall address-list
add address=xxx.xxx.xxx.xxx disabled=no list=p2p-exclude-addr

Make sure this is first in the chain. Above the block rules.
/ip firewall filter
add action=accept chain=forward comment="Exclude DNS" src-address-list=p2p-exclude-addr connection-mark=dns disabled=no
add action=accept chain=forward comment="Exclude Teredo IPv6-tunnel" src-address-list=p2p-exclude-addr disabled=no dst-port=3544 protocol=udp src-port=1024-65535
add action=accept chain=forward comment="Exclude all P2P" src-address-list=p2p-exclude-addr connection-mark=p2p disabled=no
add action=accept chain=forward comment="" disabled=no dst-address-list=p2p-users-ext src-address-list=p2p-exclude-addr
add action=accept chain=forward comment="" disabled=no dst-address-list=p2p-exclude-addr src-address-list=p2p-users-ext

Now make sure the client uses the google/other dns servers directly and not the DNS server in the Mikrotik. Then it should work.. So if you use a DNS ridirect you have to exclude it as well.

n21roadie · Tue Jul 17, 2012 1:05 pm

@TKITFrank
Will your filter work on a CPE using PPPoE where it gets it's DNS from AP and the AP DNS entries are using a private IP address pointing back to load balancer and this in turn is getting it's DNS from ISP

TKITFrank · Tue Jul 17, 2012 1:22 pm

@TKITFrank
Will your filter work on a CPE using PPPoE where it gets it's DNS from AP and the AP DNS entries are using a private IP address pointing back to load balancer and this in turn is getting it's DNS from ISP

Have not tried. I use it @ my main firewall. But if the AP has the DNS entries it should work. As long as the clients can't use another dns other then the one with the block in it is fine. Also the MS-Teredo block is necessary.
But I am not sure on the load it will cause on the CPE. Give it a try

dreamrider · Tue Jul 17, 2012 3:05 pm

@ TKITFrank
You are a genius! Exclusion is working.
What you talking about DNS:

Now make sure the client uses the google/other dns servers directly and not the DNS server in the Mikrotik. Then it should work.. So if you use a DNS ridirect you have to exclude it as well.

Have I exclude address 172.16.10.1? See-

 /ip dns> print
                servers: 80.233.238.254,8.8.8.8,8.8.4.4
        dynamic-servers: 
  allow-remote-requests: yes
    max-udp-packet-size: 512
             cache-size: 512KiB
          cache-max-ttl: 1w
             cache-used: 44KiB

and

/ip dns static> print
Flags: D - dynamic, X - disabled, R - regexp 
 #     NAME         ADDRESS                                        TTL         
 0     RouterOS     172.16.10.1                                    3d

This is DNS redirection about you talking? w/o static DNS my network not works. How correctly exclude this address?
Thank you!

TKITFrank · Tue Jul 17, 2012 3:37 pm

Hi,

With the drop rule you deny all traffic from your clients to DNS servers except the router it selves. Then they can only use the RouterOS dns and that one we have blocked access to the torrent masters. With the bypass you can tell you client to go directly to the Google servers and the also to communicate with external DNS servers the allow for torrents to work.

Normally you block clients to use DNS on external sources via the firewall filter rule. And redirect under NAT all DNS traffic to your Mikrotik doing so causes the client to think it uses external DNS server but it don't.
If you want to bypass the redirect you have to do an exclusion like in firewall filter. Hence the redirect applies before firewall filter.

TKITFrank · Wed Jul 18, 2012 1:41 pm

@dreamrider did it work as intended?

dreamrider · Wed Jul 18, 2012 4:52 pm

Yes, all work as intended yet. Exclusion work, another PC's can not leech torrents.

TKITFrank · Thu Jul 19, 2012 6:42 am

Excellent! If you find out a way to bypass the filter let us know. And we can all work together to write a new rule to block

dreamrider · Mon Jul 30, 2012 1:43 am

@TKITFrank
Sorry for this "small offtopic"

"mark-connection" imho do not works as intended. I do not see connections marked as "winbox", "ping", "skype" for example, etc, etc, etc. (Skype I'd marked with Layer7 Protocol - it is working for now). P2P blocking works fine, but I'd love to see all wonder of Connection Marks

Maybe I forgot something? Here is my ip firewall mangle rules:
http://pastebin.com/FYQR0RSj
For you all of connection marks works correctly?
Regards! And thanks again for help!

TKITFrank · Mon Jul 30, 2012 12:30 pm

Hi,

Well short answer yes. My firewall system is based on http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling but I have modified it to be based on screens like the Juniper Netscreen/SRX models. This allows for faster processing of rules and correct rules on correct security screen. Making my 309 rules here at home only being perhaps 30 that the different traffic hits.
It would take some time to explain how it works but the basics of how I use it is that I make services defined in mangle. The use them I firewall filter.

Do you see any connection marks under firewall connection?

connmark.JPG

If not have you added the connection mark "view"?

connmark2.JPG

dreamrider · Tue Jul 31, 2012 9:30 am

Of course I see connection marks under firewall connection. There you can see - icmp was not marked as ping, for example.

TKITFrank · Tue Jul 31, 2012 10:07 am

Hummm... and you ping from a computer behind the router and not from the router it selves?

dreamrider · Tue Jul 31, 2012 10:16 am

Ping via netwatch to google, external GW, local computers, etc. From router, of course. From my computer I ping google.com and connection not marked too. (Sorry for my bad English...)

TKITFrank · Thu Aug 02, 2012 3:13 pm

Is it only ping / icmp or all other traffic as well?

Regardless I think you should start a new thread about this and we can continue there

Also try the basic to add a new connection mark that is simple at the top in mangle. If it works or not.

dreamrider · Fri Aug 03, 2012 9:28 am

Also try the basic to add a new connection mark that is simple at the top in mangle. If it works or not.

with chain=forward connections marks fine. Not with tcp-services, other-services.
OK, it is not a big problem, not need start a new thread

Thanks for your help!

n21roadie · Sat Aug 11, 2012 4:09 pm

So far no luck with trying to setup this on a CPE using instructions
http://forum.mikrotik.com/viewtopic.php ... 00#p303639
and not sure it's a problem with pppoe that CPE is using

/ip firewall address-list
add address=10.150.0.1 comment=DNS-servers disabled=no list=dns-externt
add address=10.150.0.34 disabled=no list=dns-externt
add address=172.16.10.1/27 disabled=no list=local-addr

/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=512 servers=10.150.0.1,10.150.0.34,172.16.10.1

/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1 \
    to-addresses=0.0.0.0

karina · Tue Aug 14, 2012 8:47 pm

Forgive me for this rant. this is my opinion on this subject.

if you are an ISP operating a cabled / wired network then let them use it. clients expect it as part of an internet service. Limiting the number of sessions your clients are allowed as well as bandwidth control is all you should need to do to keep your network healthy. If your clients choose to partake in illegal activities then your contract with them should state that this is at their own risk and you take no responsibility. Add an extra note to say that if authorities demand user information from you because of copyright infringement, you will have to comply. If your CPU's are smokin then its time to upgrade.

if you operate a 80211 wireless network then you will need to control its use to protect your network , TDMA protocols can operate safely with simple session and bandwidth controls as above.

For the 80211 wireless networks a little more control is needed. You will never block ptp. as you perfect your filters new methods are invented. Its an ongoing battle you will never win and will consume far to much of your valuable time trying to do so.

Blocking ptp forces the client software to switch to other methods that are hard or impossible to detect.

In my experience its the upload to your AP'S that will cause most damage if its over 128k and more than 20 sessions

Downloads can be much higher up to 2MB as long as sessions are controlled.

I use layer7 filters and the built in filter to mark all ptp traffic. because i do not block it most clients remain in easy detectable unencrypted mode

i then use a PCQ to limit the upload/download to 128k/1mb of ptp traffic and 20 sessions max. these limits seem to satisfy most ptp client software that they have a decent enough connection and dont bother finding encrypted peers etc. Of course the odd client will be forcing encrypted seeds, for these guys you will just have to throttle their entire connection untill you can get them to agree to use unencrypted methods.

Be Honest. explain in your t &c that these methods are deployed to enhance everybodies experience. Add a clause to say that using covert methods to bypass your speed restriction will end up with their entire connection restriced.

note: to low a speed will also cause ptp client software to seek other methods to connect.

delix · Tue Aug 21, 2012 8:13 pm

Hi karina!
Could you pls share your settings in detail for beginners =)

TKITFrank · Fri Aug 24, 2012 7:55 am

@n21roadie
Does any traffic get cough?
Does the prerouting rules work?

Perhaps you can post your complete config and we can look at it

Also please in more detail tell us about you finding where it is not working.

@karina
I think this topic is only about blocking and beyond the whether to block or not to block discussion. We all have our reasons whether it is company/government rules or just plane simple network load.
In my case we block the traffic right now as good as 100% at the moment. But as said this is an ongoing battle so sooner or later we have to adept the filter to the new conditions. If this is what have to be done then I think it's fine, this is the way they want it @my place and that's fine by me. I don't think that we should tell other whether or not they have done the wrong decision.
If you are an ISP then the customers always have the option to choose an other ISP if they are not happy about the current. In my case I'm not an ISP and I have regulations and laws to follow.

If you have an working setup that is not to block but to shape in the way you describe then create another thread so people can use your setup as well. Then we complete the different approaches.

And hopefully others can benefit from it as well.