Claimed Infringement

My company provides bandwidth via satellite to many customers around Zimbabwe, as well as installing MikroTik products to enable them control. Just the other day we had a client's site marked for a claimed infringement for downloading movies via BitTorrent. I have set up mangle rules to mark BitTorrent connections on a layer7 basis and added firewall rules to drop any and all BitTorrent. Strangely, it seems to pass through.

I would like one of the following: either to be able to block all file sharing and P2P software 100%, or to be able to log the type of traffic customers do. I did ask a South African company licensed in MikroTik products and I was told that you are only able to view real-time connections via IP > Firewall > Connections. Preferably I would like to log everything.

Below are the mangle and firewall rules.

4 ;;; Drop Bittorrent L7 Input
chain=input action=drop layer7-protocol=bittorrent

5 ;;; Drop Bittorent L7 Forward
chain=forward action=drop layer7-protocol=bittorrent

6 ;;; Drop Bittorrent L7 Output
chain=output action=drop layer7-protocol=bittorrent

13 chain=prerouting action=mark-connection
new-connection-mark="bittorrent connection" passthrough=no
layer7-protocol=bittorrent

Any help would be greatly appreciated.

You can safely remove those rules from the "input" and "output" chains. They don't do anything; you only need forward.

Of course, if you want to be strict, you can make a NAT rule to forward all web traffic to the transparent proxy and drop all other traffic; that would impact P2P users for sure.

OK, I'll be working on creating a new firewall with your recommendations. Definitely similar to what our supplier from South Africa suggested.

But is there a way to actually log who is doing what traffic? The problem is we need to show the client that we caught them; otherwise we will be liable. So far we are just taking screenshots :stuck_out_tongue: but that is a labor-intensive operation, and since we can't keep checking for 24 hours straight, chances are that we will miss a few.

Basically we wish to be able to remotely log in to our routers and check the logs to see what has been passing through the link.

Thanks.

You can use Torch to see IP addresses and ports, and how much traffic is going there.

http://wiki.mikrotik.com/wiki/Manual:Troubleshooting_tools#Torch_.28.2Ftool_torch.29

Hi. Coming back to this, could you please link to or further explain "of course if you want to be strict, you can make a NAT rule to forward all web traffic to the transparent proxy, and drop all other traffic, that would impact p2p users for sure."

Thanks! :slight_smile:

BitTorrent is a tough one to track and block due to the advanced encryption it is starting to use. The built-in BitTorrent filter doesn’t do a real great job of blocking it. Here is an enhanced L7 filter:

/ip firewall layer7-protocol
add comment="" name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$\
    |get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet\
    /|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"

The biggest problem is that even if you block tracker access, bittorrent uses a peer-to-peer trackerless system known as DHT to establish links. This can also be blocked, but it requires intercepting DNS.

There is an awesome thread about blocking p2p. It’s a bit long, but well worth the read:
http://forum.mikrotik.com/t/how-block-connection-of-p2p/18495/1

Personally, I use a system that blocks what p2p it can, then upon detection, temporarily throttles the user down to unbearable speeds. This was designed for public wireless hotspots, where the goal is to make the network unusable for p2p’ers so they go elsewhere. It could easily have the QoS/Mangle removed from it and just work as blocking/logging for you. I detailed it here: http://forum.mikrotik.com/t/how-block-connection-of-p2p/18495/121


@CC_DKP
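The pieces the thread converges on, put together as one RouterOS configuration: forward chain only, a mangle rule that marks the connection once the L7 matcher fires, a filter rule that logs the offending packets (so there is evidence beyond screenshots) before a drop rule, and remote syslog so the log survives a router reboot. This is an added example, not configuration posted in the thread or shipped by MikroTik; it reuses the enhanced regexp posted above unchanged, and the syslog collector address 192.168.88.250 is a placeholder to replace.

```routeros
# Added example (not from the thread): mark, log and drop BitTorrent in the
# forward chain and ship the firewall log to a remote syslog host.
# Assumption: the syslog collector lives at 192.168.88.250 (placeholder).

# 1. Layer-7 signature: the enhanced regexp from the post above, unchanged.
/ip firewall layer7-protocol
add name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$\
    |get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet\
    /|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"

# 2. Run the (expensive) L7 matcher only on still-unmarked connections and
#    mark the whole connection; every later packet is then matched by the
#    cheap connection-mark instead of being re-inspected.
/ip firewall mangle
add chain=prerouting connection-mark=no-mark layer7-protocol=bittorrent \
    action=mark-connection new-connection-mark=bittorrent passthrough=no \
    comment="Mark BitTorrent connections"

# 3. Forward chain: log first (src/dst address and port end up in the log
#    line, prefixed so it is easy to grep), then drop. Only forward matters
#    for traffic that transits the router; input/output are not needed.
/ip firewall filter
add chain=forward connection-mark=bittorrent action=log \
    log-prefix="BT-DROP" comment="Log BitTorrent before dropping"
add chain=forward connection-mark=bittorrent action=drop \
    comment="Drop BitTorrent"

# 4. Keep the evidence off the router: send the 'firewall' topic to syslog.
/system logging action
add name=remote-syslog target=remote remote=192.168.88.250 remote-port=514
/system logging
add topics=firewall action=remote-syslog
```

Two caveats a practitioner will hit. First, both forward rules must sit above any "accept established,related" rule in the forward chain, otherwise the packets of an already-established torrent connection are accepted before the connection-mark is ever checked. Second, the log rule emits one line per matched packet, which is exactly what the OP wants as evidence but is also a lot of volume on a busy link; the remote syslog collector, not the router's in-memory log, is the place to keep it. As the thread already notes, encrypted BitTorrent sessions will not match the regexp at all, so this catches the plaintext handshake and tracker traffic, not everything.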