Block torrent downloads

Hello guys, what is the best way to block torrent traffic? Since L7 has no effect, how can this traffic be blocked?
I want to prevent downloading movies.
Please give your advice.

Block all “new” incoming UDP connections to the user (established and related ones pass because the request starts from the user side).
Download torrent “dat” files from various sources and block the IP ranges of all servers.
This makes it harder to establish the connection with peers again when the client restarts the torrent client.
Start a torrent client yourself and block all IPs the torrent uses to connect to the peers.

It’s not realistically possible, the best you can do is block DNS of popular torrents and trackers, but with DHT and PeX it only takes 1 peer to get through for torrents to work. Your best option is to throttle the speed you provide so that torrents don’t negatively affect your network.

This is the best deterrent.
I notice in userman there are limitations you can set on users for Cap and Rate.

Try this:

layer7-bittorrent-exp:

^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]



/ip firewall filter
add action=add-src-to-address-list address-list=Torrent-Conn address-list-timeout=2m chain=forward layer7-protocol=layer7-bittorrent-exp src-address=192.168.50.0/24 src-address-list=!allow-bit
add action=drop chain=forward dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=tcp src-address-list=Torrent-Conn
add action=drop chain=forward dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=udp src-address-list=Torrent-Conn
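
An added example, not part of the original post: a Python check of which connection starts the posted layer-7 pattern flags, run over constructed payloads. It assumes case-insensitive matching as in the l7-filter project; the sample payloads and the function names are made up for the illustration.

```python
import re

# Pattern from the post, with the regex escapes written out (\? and \)).
# Assumption: matching is case-insensitive, as in the l7-filter project.
L7_BITTORRENT = re.compile(
    rb"^(\x13bittorrent protocol|azver\x01$"
    rb"|get /scrape\?info_hash=get /announce\?info_hash="
    rb"|get /client/bitcomet/|GET /data\?fid=)"
    rb"|d1:ad2:id20:|\x08'7P\)[RP]",
    re.IGNORECASE,
)

# Constructed payloads: the first bytes of a connection, as a matcher sees them.
SAMPLES = {
    # Cleartext peer handshake: length byte 0x13, protocol string, reserved
    # bytes, then a placeholder info_hash and peer id.
    "peer handshake (cleartext)":
        b"\x13BitTorrent protocol" + bytes(8) + b"H" * 20 + b"-XX0001-" + b"0" * 12,
    # Cleartext DHT query (bencoded dictionary) sent over UDP.
    "DHT ping (cleartext UDP)":
        b"d1:ad2:id20:" + b"N" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe",
    # Plain HTTP tracker announce. The pattern as posted joins the scrape and
    # announce strings in one alternative, so it needs both back to back.
    "tracker announce (HTTP)":
        b"GET /announce?info_hash=%AA%BB&port=6881 HTTP/1.1\r\n",
    # Start of a TLS record: nothing protocol-specific is visible.
    "TLS ClientHello header":
        b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + bytes(range(32)),
    # Deterministic stand-in for an encrypted peer stream.
    "encrypted stream stand-in":
        bytes((i * 37 + 11) % 256 for i in range(64)),
}


def classify(payload: bytes) -> bool:
    """Return True if the layer-7 pattern would flag this connection start."""
    return L7_BITTORRENT.search(payload) is not None


def coverage(samples=SAMPLES) -> dict:
    """Map each sample name to whether the pattern matches it."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in coverage().items():
        print(f"{'MATCH   ' if hit else 'no match'}  {name}")
```

The cleartext handshake and DHT query match, while the TLS header and the encrypted-looking payload do not. The plain announce request is also missed, because the scrape and announce strings sit in a single alternative.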

Hi nichy,
What is the reference for 192.168.50.0/24? Is that supposed to represent a private LAN behind the router that you want to control torrent access to?

Yes, that is correct.

I think the easiest way is to block all traffic and only allow traffic for ports 80 and 443. If you have any specific software, you can open the ports for that software. For example, TeamViewer 5938 TCP/UDP, and go on investigating the different ports and servers of the different programs you use.
I have had to do it this way because I have not found a more effective solution.

This approach fails: torrent can use port 53, 80, 443, etc. with no problem.

For example, also 5060 and the others for SIP: if you blindly prioritize the "5060"s for VoIP, torrent uses those ports unblocked and prioritized.
I allow only known SIP servers (=user call me) and drop everything else on those ports.

Thanks for your help, but there’s nothing useful with it. Layer7 protocol no longer works at https.
Maybe it’s good that I look up which PtP connections are made.

Please explain how https is related to the bittorrent protocol.