Firewall Rules

:frowning: I am running a hotspot on an RB433AH, and some users are running torrents and downloads manager. This is making the internet speeds to slow down annoyingly. How do you block torrents and download managers using the firewall on Mikrotik Routers? Someone please help :frowning:

You really can’t with any efficiency and real effectiveness. What you can do is set up queues that will limit their data rate, so like applying a profile to each user so they can’t take more than a given amount of bandwidth, use Queue trees to do some prioritization, and assign connection limits so they can’t have more than a given number of open connections at a time. There are a few threads on the forums about how to potentially prevent p2p programs, but those can be CPU heavy, and it may or may not be legal for you to block them depending on where you are located.

We use a combination of all of these. If a user has more than 200 open TCP sessions, we put them in a blocked list for 1 hour that redirects to a website telling them they are blocked for an hour due to possible file sharing or viruses. This cuts down on calls to support from them being blocked, and if they are running a file sharing program they usually stop. At the same time, each user is assigned a rate limit upon signing into the network, and we use queue trees and mangle rules to define which packets will get dropped in the case of link saturation.

Blocking for 1 hour looks like a good way of highlighting possible file sharing or a virus. Is it possible to post your configuration for this? At present I use the payment reminder from http://wiki.mikrotik.com/wiki/Payment_Reminders; I assume your configuration could be similar.

Here are the rules that I use to do that.

/ip firewall filter
# Listed hosts keep plain HTTP and DNS (TCP and UDP) so the NAT rule further down can show them the block page.
add action=accept chain=forward disabled=no dst-port=80 protocol=tcp src-address-list=abuse
add action=accept chain=forward disabled=no dst-port=53 protocol=tcp src-address-list=abuse
add action=accept chain=forward disabled=no dst-port=53 protocol=udp src-address-list=abuse
# Everything else from a listed host arriving on the guest interface is dropped.
add action=drop chain=forward disabled=no in-interface="Guest Network" src-address-list=abuse
# Detection: once a single source (/32) has 201 or more concurrent TCP connections it is added to "abuse";
# the address-list-timeout (2h here) is the actual block duration. Hosts on "Do-Not-Block" are exempt.
add action=add-src-to-address-list address-list=abuse address-list-timeout=2h chain=forward connection-limit=201,32 disabled=no in-interface="LAN" protocol=tcp src-address=192.168.10.0/24 src-address-list=!Do-Not-Block
# log is non-terminating; placed after the drop, it only sees listed traffic that the drop rule above did not match.
add action=log chain=forward disabled=no log-prefix="Abuse Limit Reached" src-address-list=abuse

The reason I allow HTTP and DNS through despite the block rule is so that in NAT I can redirect all HTTP requests to a website that displays that message. You set that website up so that it responds to any URL or file requested, so they can see the message. DNS needs to work, or when people request a website and it cannot resolve, the browser doesn't try to go anywhere. You also have an address list that you can use to exclude certain IP addresses from ever being blocked.

/ip firewall nat
# Rewrite listed hosts' HTTP (already accepted in the filter) to the web server holding the block message.
add action=dst-nat chain=dstnat disabled=no dst-port=80 protocol=tcp src-address-list=abuse to-addresses=WEB_SERVER_IP

I have a payment reminder script which is working OK and am trying to modify it to use for excessive downloading, but I notice now, and suspect, the use of a torrent downloader which has files queued. Even though I am redirecting port 80 to an internal LAN web server, the torrent program, using many other ports, is establishing connections. I would need to drop this traffic but allow the Winbox port and other ports through to communicate with the CPE unit.

/ip firewall nat
# Redirect port 80 to the router's own web proxy on 8080 (disabled as posted; the parameter is "disabled", not "disable").
add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080 disabled=yes

/ip firewall filter
# Listed hosts may still resolve names (DNS queries out and answers back); everything else they forward is dropped.
add chain=forward src-address-list=payment_reminder protocol=udp dst-port=53 action=accept
add chain=forward dst-address-list=payment_reminder protocol=udp src-port=53 action=accept
add chain=forward src-address-list=payment_reminder action=drop

# Web proxy: allow requests to the internal web server itself, send every other request to the notice page on it.
/ip proxy set enabled=yes
/ip proxy access
add action=allow disabled=no dst-address=10.XX2.0.XXX
add action=deny disabled=no redirect-to=10.XX2.0.XXX:8080/excessivedownloading.html
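As an added example (the editor's, not configuration posted by either participant), here is the first answer's connection-limit detection and NAT block page and the payment_reminder post's DNS-only allowance folded into one ruleset, with a Winbox exception and the commands used to check it. Every name and value in it is assumed: client interface "LAN" with 192.168.10.0/24, a block-page web server at 192.168.20.2 behind a separate router interface, an admin PC 192.168.10.10, Winbox on tcp/8291, a 1 hour block, and the list names "abuse" and "Do-Not-Block".

```routeros
# Added example, not from the thread. All addresses, interface names, ports
# and list names below are assumptions chosen for illustration.

/ip firewall address-list
# Hosts that must never be listed, whatever they do.
add list=Do-Not-Block address=192.168.10.10 comment="admin PC"

/ip firewall filter
# 1. Detect: when a single source (/32) reaches 201 concurrent TCP
#    connections it goes onto "abuse" for 1 hour. connection-state=new limits
#    the match to the first packet of each connection.
add chain=forward action=add-src-to-address-list address-list=abuse \
    address-list-timeout=1h protocol=tcp connection-state=new \
    connection-limit=201,32 in-interface=LAN src-address=192.168.10.0/24 \
    src-address-list=!Do-Not-Block comment="abuse: detect >200 TCP conns"

# 2. Listed hosts keep DNS and plain HTTP so the block page can be shown,
#    plus Winbox so a CPE behind the router can still be reached.
add chain=forward action=accept src-address-list=abuse protocol=udp dst-port=53 \
    comment="abuse: allow DNS"
add chain=forward action=accept src-address-list=abuse protocol=tcp dst-port=53 \
    comment="abuse: allow DNS over TCP"
add chain=forward action=accept src-address-list=abuse protocol=tcp dst-port=80 \
    comment="abuse: allow HTTP (rewritten in NAT)"
add chain=forward action=accept src-address-list=abuse protocol=tcp dst-port=8291 \
    comment="abuse: allow Winbox to CPE"

# 3. Log new connection attempts, then drop everything else. Log sits before
#    drop because drop is terminal: a log rule placed after it never fires.
add chain=forward action=log src-address-list=abuse connection-state=new \
    log-prefix="Abuse Limit Reached" comment="abuse: log"
add chain=forward action=drop src-address-list=abuse in-interface=LAN \
    comment="abuse: drop the rest"

/ip firewall nat
# 4. Rewrite listed hosts' HTTP to the block page. The web server has to be
#    reached through the router: if it sat on the clients' own subnet its
#    replies would bypass the router and the TCP session would break. It must
#    answer every path with the notice. HTTPS (443) cannot be redirected to a
#    notice this way; it is simply dropped by step 3.
add chain=dstnat action=dst-nat src-address-list=abuse protocol=tcp dst-port=80 \
    to-addresses=192.168.20.2 to-ports=80 comment="abuse: block page"

# 5. Checks: who is listed, how often each rule fired, how many connections a
#    given client (192.168.10.55, assumed) holds right now, and an early release.
/ip firewall address-list print where list=abuse
/ip firewall filter print stats where comment~"^abuse"
/ip firewall connection print count-only where src-address~"^192.168.10.55:"
/ip firewall address-list remove [find list=abuse address=192.168.10.55]
```

Two things to keep in mind when tuning this. The limit counts entries in the connection tracking table, so connections a client has already closed still count until tracking expires them; a heavy but legitimate web user can trip a low threshold, which is why the exclusion list exists and why the counter check in step 5 is worth running before lowering 201. If you prefer the proxy variant from the payment_reminder post, step 4 is replaced by a `redirect to-ports=8080` rule plus the `/ip proxy access` deny rule with `redirect-to=`, and no separate web server is needed.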