Skype will try to use random ports >1000 first, then port 80 (http), then port 443 (https).
I know of no firewall rule that will match skype traffic, not even P2P-all works. So here is another way.
Use firewall to close all unused outgoing ports.
Set up an http proxy to prevent port 80 from being abused.
You will still have port 443 open, if you need to access secure web pages (https).
So how do you block skype from using port 443?
Skype needs 20kbps+ of continuous bandwidth to support a VoIP call.
Use a mangle rule to mark all port 443 traffic.
Example:
ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 dst-address=:443 protocol=tcp action=accept mark-flow=Port 443
Use a queue tree to allow traffic per user to burst for only 15 seconds on port 443. https web access using port 443 will still work OK, but Skype calls will cut out after the 15 seconds of burst time.
Example:
queue tree> print
Flags: X - disabled, I - invalid, D - dynamic
0 name="queue1" parent=ether1 flow=Port 443 limit-at=0
queue=ethernet-default priority=8 max-limit=1000 burst-limit=100000
burst-threshold=6000 burst-time=15
If you do not want to proxy on port 80 you can also use the burst method, however any http file transfer will also cut out at burst timer limit.
Cost of providing an Internet connection via satellite is up to $10,000 per month for 1Mbps.
If everyone on that link uses skype then you will need 10 times this.
Now imagine you are in Africa and satellite is the only connection available, and you can only just find the monthly fee.
Just because you have access to a network, it doesn’t follow that the bandwidth is all yours.
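A simulation of the burst-queue mechanism the post above relies on, added here as an example (not code from the post or from MikroTik). It is a simplified per-second model of RouterOS bursting: burst-time is the window over which the average delivered rate is computed, and the flow is capped at max-limit whenever that average reaches burst-threshold. The queue values are the ones quoted above; the two demand profiles are constructed.

```python
from collections import deque

# Queue-tree values quoted in the post (bits per second / seconds)
MAX_LIMIT = 1000
BURST_LIMIT = 100_000
BURST_THRESHOLD = 6000
BURST_TIME = 15


def simulate(demand_bps, max_limit=MAX_LIMIT, burst_limit=BURST_LIMIT,
             burst_threshold=BURST_THRESHOLD, burst_time=BURST_TIME):
    """Per-second model of RouterOS-style bursting (an approximation: the real
    queue re-evaluates the average 16 times per burst-time).  Each second the
    average *delivered* rate over the last burst_time seconds is computed; while
    it is below burst_threshold the flow may use burst_limit, otherwise it is
    capped at max_limit.  Returns the delivered rate for every second."""
    window = deque([0] * burst_time, maxlen=burst_time)
    delivered = []
    for want in demand_bps:
        avg = sum(window) / burst_time
        allowed = burst_limit if avg < burst_threshold else max_limit
        got = min(want, allowed)
        window.append(got)
        delivered.append(got)
    return delivered


def first_cut(delivered, need_bps):
    """Index of the first second in which the flow got less than it needs,
    or None if it never did."""
    for i, got in enumerate(delivered):
        if got < need_bps:
            return i
    return None


def seconds_starved(delivered, need_bps):
    """How many seconds the flow spent below the rate it needs."""
    return sum(1 for got in delivered if got < need_bps)


# Constructed demand profiles, one entry per second:
# an https page load, 80 kbps for two seconds then idle ...
HTTPS_PAGE = [80_000, 80_000] + [0] * 28
# ... and a VoIP call needing a steady ~30 kbps (the figure given later in the thread)
VOIP_CALL = [30_000] * 30

if __name__ == "__main__":
    page = simulate(HTTPS_PAGE)
    call = simulate(VOIP_CALL)
    print("page load delivered in full:", page[:2] == HTTPS_PAGE[:2])
    print("call first cut at second:", first_cut(call, 20_000),
          "starved seconds out of 30:", seconds_starved(call, 20_000))
```

With these values the short page load passes untouched, while the steady call is clamped to max-limit as soon as its running average reaches burst-threshold and only recovers once enough of the window has drained; adjusting burst-threshold and burst-time in the call shows how long a given sustained rate can actually burst.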
p.s.: it's hard for me to imagine this situation when at my house this morning I saw an advert offering 100Mbit for ~$12 a month with no limitations whatsoever.
I could block skype on ports 80 and 443 if I could set firewall rules to only allow http or https on these ports. Anyone know how to match only these protocols on the firewall?
Another way to stop Skype would be on packet length (skype packets are unusual lengths). I can do this with Cisco, but the function seems absent on RouterOS. Any ideas?
> I saw an advert offering 100Mbit for ~$12 a month with no limitations whatsoever
Yeah, but this is for sure NOT GUARANTEED speed, not to mention overseas connectivity - nobody's gonna sell you 100Mbit for $12. Local traffic? Yes, could be possible, shared bandwidth with 1000 other users, because nobody will fully utilize 100Mbit. Also, how do you want to transfer that bandwidth? There has to be fiber to your house... and that's expensive. Etc, etc.
I just wanted to say that you are not going to transfer 100Mbit/sec / 8 = 12.5MB/sec * 3600 seconds * 24 hours * 31 days = 33,480,000 MB/month = 33,480 GB/month = 33.5TB/month for $12.
> yeah, but this is for sure NOT GUARANTEED speed, not mentioning overseas connectivity - nobody's gonna sell you 100Mbit for $12. Local traffic? Yes, could be possible, shared bandwidth with 1000 of other users, because nobody will fully utilize 100Mbit. Also, how do you want to transfer that bandwidth? There has to be fiber to your house... and that's expensive. Etc, etc.
Yes, local Latvian traffic, and it mostly is close to this speed (I know some people who have these kinds of links). Yes, optic fibre to a house, and a 100Mbit hub there.
I can download 700Mb from an FTP server in about 3-5 minutes if I'm lucky. This also of course depends on what connection is on the other side etc. Well, in Latvia the normal average download speed for anything, anywhere in Latvia, is like 200-400KB/s (it's like that for anyone, nothing special). Connection to outside of Latvia is 512Kb/s for me (depends on ISP).
> Cost of providing an Internet connection via satellite is up to $10,000 per month for 1Mbps.
> If everyone on that link uses skype then you will need 10 times this.
Can't you just bill by the Gigabyte? It's the fairest way to everyone, especially when the bandwidth is that expensive in that area.
Yes billing by the GB is also an option, but there is also a question of QoS.
Satellite bandwidth is typically very asymmetric. The in-routes (traffic coming back to the internet) are usually a small 20% of the out-route size (download). Sometimes this may be just 64 or 128kbps shared with several sites. This is sufficient for hundreds of users who only want to browse and do a bit of e-mail (the Internet's main two applications). However, one Skype user can block an entire in-route for the duration of the call. Plus, Skype has all that chatty stuff going on even when a call is not in progress. The in-routes could be upgraded to, say, 512kbps per site CIR. But consider the cost of providing this satellite bandwidth 24/7: you can't buy satellite capacity by the GB (i.e. just pay for the bandwidth you use during the call); you have to buy transponder bandwidth month by month or year by year. This costs about $5000 per month per MHz and you need around 1.3 MHz per Mbps in each direction. Plus you would have to upgrade the satellite equipment; this also costs thousands of dollars. Many remote communities in remote rural locations just could not afford the extra cost. So there is a choice: nothing at all, or Internet and e-mail, but without unregulated VoIP. I think Skype are being very irresponsible in launching a free application with no simple way for network administrators to block it. Not all network operators are bad or greedy; they are simply trying to provide the best possible service to their customers at a reasonable cost, a cost that the customer can afford. Remember that Skype are in it for the money too, and by launching an application that is designed to evade control and regulation they will deprive many people in developing countries of low cost internet access. There are many places in the world where fiber and ADSL are yet to reach. In these locations the raw cost of internet access is thousands or tens of thousands of times more expensive. One hour of Skype = 35,000 text e-mails or 9 days surfing.
So if you know ways to BLOCK SKYPE, please share them with this forum; you will be helping people in parts of the world where bandwidth is still very expensive. For people whose human rights and opportunities in life will be improved and enriched by simple low cost access to the Internet, Skype actually works against their interests.
Why not use wireless 900MHz/2.4GHz/5.8GHz? It's easy to deploy, no infrastructure costs except at broadcast points, and the CPE equipment is fairly cheap, and if you could get access to any kind of bandwidth it would be far superior to satellite. But if it's like you say and satellite's the only possible bandwidth, then you could use satellite as your backhaul and do traffic shaping before it hits your backhaul link.
In my experience Skype uses ~30kbps on average while in a call and a very minimal 0.5kbps ~ 5kbps when just idle. It's not a bandwidth "hungry" application, and when they built Skype one of their goals, a continuing goal I might add, is to evade firewalls so Skype can be set up with little to no configuration. Skype uses a dynamic port for incoming connections and if it cannot connect on that port it will default to port 80. So the only possible way to attempt to block this application is to rip apart the packets to look at the application level headers to find out what application the packet originated from. Someone mentioned a Layer7 filtering program that would probably be worth looking into.
Like you said, satellite is asymmetrical; it wasn't meant to deliver high-speed broadband access and the latency is terrible. Maybe you should rethink your network infrastructure?
What do you connect your wireless to if you are more than a few tens of miles from the nearest internet POP?
In very rural areas, the only viable access is via satellite; many people are hundreds if not thousands of miles from fibre. And fibre is only cheap in well connected locations, i.e. more than one provider, such as capital cities in Europe, USA and Asia.
People using Skype or VoIP on a well provisioned wireless network, that's fine, no problem, and yes I can do packet shaping before the satellite, but it's still the same problem: a lot of people wanting to use skype, limited bandwidth. For example, a 128kbps uplink will support 100+ WEB and e-mail users at a cost of a few tens of dollars per month each. But if two of those users were to try and use skype, then the network will become congested and unusable.
You must realise that many countries don't even have access to fibre for their capital cities, let alone some remote village.
BTW, satellites are very effective for all communications (if expensive); IP (Internet) works very well if you have the right equipment and know what you are doing.
I'd set up a VERY conservative shaping policy for outgoing bandwidth. For all applications, not just skype. If you only have 128kbps available for uploads then I'd limit everyone to at the very most a 56kbps pipe, maybe 34kbps burstable to 56kbps? There are more applications that are a hell of a lot worse than skype as far as bandwidth usage goes (P2P networks come to mind, such as Gnutella, KaZaA, BitTorrent, eDonkey, etc...). So I wouldn't be hell bent on blocking Skype, because tomorrow it will be some other application that's eating up your upload bandwidth.
I'd also set up some strict firewall rules for outgoing connections, for known worm ports, and any other applications that you don't want running on your network and can successfully block by closing ports.
It sounds like you have a failing business plan: you set out to provide cheap internet services to your users, but didn't plan for adequate bandwidth in your budget. If your users don't have a choice, however, and you're the only provider, why are they complaining!?
FYI, there are users on this forum that have reported wireless links of ~50km using 5.8GHz equipment with throughput around 30Mbps. If bandwidth is that far away you could set up a few relays and cover 100+ km easily (if the terrain is acceptable; it all depends on AP placement). I have no idea as to how large an area you are trying to cover, so this point may be null. If you're servicing multiple countries with users scattered around the globe then I'm sure this isn't feasible.
Don't take this as derogatory or insulting. I'm just pointing out the obvious and trying to give some alternative solutions and constructive criticism.