How to block P2P connections?

ip firewall filter add chain=forward p2p=all-p2p action=drop

That is amazing!

For some years now, good p2p software can obfuscate and encrypt its connections so routers don't know it's a p2p connection.

Instead of dropping p2p like that, I suggest you implement traffic prioritization per traffic type, or at least the new http://wiki.mikrotik.com/wiki/Connection_Rate easy QoS. You may still need it even if you drop unencrypted p2p connections, because the encrypted ones may still take bandwidth and transmission time on your network.

And keep in mind that the easiest way to achieve QoS is to overprovision the bandwidth :slight_smile: And even with QoS working pretty well, more bandwidth at least doubles the good feeling of the users, and in cases with connections under 2 Mbit/s, more BW is a must.

Hi,

I did need to block all P2P and did it more or less like Chupaka said. My basic setup is based on http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling but I have made some modifications. My setup also tags encrypted packets (SSL) on non-SSL ports.
This will, however, not block P2P that uses 443. But there are not many at the moment.

I have done some tests and I have not yet been able to make BitTorrent work. I use an RB1000 to back up my rule set. :slight_smile:

Mangle
2 chain=prerouting action=jump jump-target=p2p-service layer7-protocol=DIRECTCONNECT
3 chain=prerouting action=jump jump-target=p2p-service p2p=all-p2p
4 chain=prerouting action=jump jump-target=p2p-service layer7-protocol=BITTORRENT2
5 chain=prerouting action=jump jump-target=tcp-services connection-state=new protocol=tcp dst-port=443
6 chain=prerouting action=jump jump-target=p2p-service connection-state=new protocol=tcp layer7-protocol=HTTPS dst-port=!443
7 chain=prerouting action=jump jump-target=tcp-services tcp-flags=syn connection-state=new protocol=tcp
8 chain=prerouting action=jump jump-target=udp-services connection-state=new protocol=udp
9 chain=prerouting action=jump jump-target=other-services connection-state=new
10 chain=p2p-service action=mark-connection new-connection-mark=p2p passthrough=no
26 chain=tcp-services action=mark-connection new-connection-mark=https passthrough=no protocol=tcp src-port=1024-65535 dst-port=443

Filter
5 ;;; Drop and log all P2P
chain=forward action=add-src-to-address-list src-address-list=local-addr address-list=p2p-users address-list-timeout=4w3d connection-mark=p2p
6 chain=forward action=log connection-mark=p2p log-prefix="P2P"
7 chain=forward action=jump jump-target=drop connection-mark=p2p

L7
HTTPS: Regexp
^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)
BITTORRENT2: Regexp
^(\x13bittorrent protocol)
DIRECTCONNECT: Regexp
^(\$mynick |\$lock |\$key )
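
An added example (not code from the thread or from MikroTik) that runs the three layer7 patterns above, in their standard l7-filter forms with `\$` escaped and `.*` wildcards, over constructed opening bytes of a few connections, and follows the prerouting mangle rules 2, 4, 5 and 6 to show which connection mark each would receive. The sample streams and the `classify` helper are assumptions for illustration; the built-in `p2p=all-p2p` matcher of rule 3 has no public definition and is left out.

```python
import re

# RouterOS matches layer7 case-insensitively against the first ~10 packets /
# 2 KB of a connection with both directions concatenated; each sample stream
# below stands for that concatenated data.
L7 = {
    "BITTORRENT2": re.compile(rb"^(\x13bittorrent protocol)", re.I | re.S),
    "DIRECTCONNECT": re.compile(rb"^(\$mynick |\$lock |\$key )", re.I | re.S),
    "HTTPS": re.compile(rb"^(.?.?\x16\x03.*\x16\x03|.?.?\x01\x03\x01?.*\x0b)", re.I | re.S),
}

def classify(stream: bytes, proto: str, dst_port: int) -> str:
    """Follow the thread's prerouting mangle rules 2, 4, 5 and 6 for a new
    connection and return the connection mark it ends up with."""
    if L7["DIRECTCONNECT"].search(stream) or L7["BITTORRENT2"].search(stream):
        return "p2p"            # rules 2 and 4: jump to p2p-service, mark p2p
    if proto == "tcp" and dst_port == 443:
        return "https"          # rule 5 -> tcp-services, rule 26 marks https
    if proto == "tcp" and L7["HTTPS"].search(stream):
        return "p2p"            # rule 6: TLS handshake on a non-443 port
    return "none"               # nothing matched; the connection is not marked

# Constructed sample streams, not captures.
# Plaintext BitTorrent handshake: 0x13, "BitTorrent protocol", 8 reserved
# bytes, 20-byte info hash, 20-byte peer id.
BT_PLAIN = b"\x13BitTorrent protocol" + b"\x00" * 8 + b"h" * 20 + b"-UT3000-" + b"p" * 12
# Direct Connect client greeting.
DC_HELLO = b"$MyNick student42|$Lock EXTENDEDPROTOCOL Pk=constructed|"
# Stand-in for an MSE-encrypted (uTorrent "Forced") opening packet: in reality
# 96 random-looking Diffie-Hellman bytes plus padding. Any bytes without the
# plaintext handshake marker behave the same against these patterns.
BT_MSE = bytes(range(0x20, 0x80))
# TLS: client record header + ClientHello, then server record header +
# ServerHello, both directions concatenated as the layer7 matcher sees them.
TLS_HELLO = (
    b"\x16\x03\x01\x00\x2d\x01\x00\x00\x29\x03\x03" + b"\x00" * 32 + b"\x00\x00\x00\x02\x13\x01\x01\x00"
    + b"\x16\x03\x03\x00\x2a\x02\x00\x00\x26\x03\x03" + b"\x00" * 32
)

if __name__ == "__main__":
    for name, stream, port in [("BT plaintext", BT_PLAIN, 6881), ("BT MSE", BT_MSE, 6881),
                               ("DirectConnect", DC_HELLO, 411), ("TLS/443", TLS_HELLO, 443),
                               ("TLS/8443", TLS_HELLO, 8443)]:
        print(f"{name:14} dst-port {port:5} -> mark {classify(stream, 'tcp', port)}")
```

The encrypted stand-in receives no mark, which is the gap the rest of the thread discusses: once the handshake is encrypted, only the built-in p2p matcher or rate-based QoS can still act on it.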

Oh cool. Try uTorrent with Encryption turned on (Enabled) and try to download a torrent file that has many seeders, for example a Linux distro, for example the SuSE distribution via BT. Test your setup against that :slight_smile:

Against that you can try to use a transparent proxy for port 80 TCP and block everything else :slight_smile:

Tried uTorrent (encrypted and non-encrypted) and the PirateBay, also tried to download RouterOS from the MikroTik torrent. No luck :slight_smile:
Did a test in June this year. I have not tested if the new client drops as well. But I drop a load of packets, so I guess it is still working. :slight_smile:

I want to use the Web-Proxy, but my setup protects a shitload of students. At the moment they can not fingerprint my setup. But they regularly check whether we use a proxy, and there they can see what type of system I am using :frowning:

That’s good, but if you will force encryption, these patterns will not work so nice.

If I am not mistaken I did just that. Can you have it encrypted otherwise? :S
I will try it in an hour or two to confirm this.

When testing, wait longer, for example 5 or even 10 mins after starting the torrent, to be sure. Finding a seeder that has encryption could take time, depending on settings, number of new connections per second, etc.

And those students will just use VPN and still get what they need from p2p :slight_smile:

Nope, no joy. I am currently downloading the complete RouterOS torrent but it is all red… And I have encryption set to Forced.
I have waited 7,30min at the moment.

Any ideas how to bypass?
Or a link to a torrent that will work perhaps?

Most VPN will not work with my current setup. SSL-VPN will work however…

I don't get this. Are you asking for ways to bypass the firewall, or testing how good your firewall rules are?

As there are many ways to bypass a firewall with p2p?

Are you using uTorrent to download?

As I have some tricks you can try out.

Well let it get a list of seeders! Can it reach the announcer?

It can list how many seeders there are. But none get connected.
I can't open it to try to get some connections because it's in a production environment.

So I think it still works. :slight_smile:
Feel free to test the rules if it works for you.

Try to uninstall and reinstall (clean) uTorrent with the latest version, also try from another host. Sometimes uTorrent messes up its configs. Thanks.

I just did, on the test machine (netbook). It was a clean install from the factory and a new install of uTorrent.
My previous setup was an old test laptop, but the results seem to be the same :slight_smile:

Your customers can still use websites and Skype etc. etc., right? Even after they try to download torrents?

And what if you set uTorrent's port to port 80?

And not random on startup?

Yes, they can still use "Internet"; my "address-list" is for my monitoring only.
Is that port not only for incoming connections?