queue tree p2p all not work

bes · February 18, 2007, 8:31am

Hi,queue tree p2p all not work,bitcomet trafic come to queue other in.
my firewall mangle settings:

[admin@juri] ip firewall> man
[admin@juri] ip firewall mangle> pri
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; p
chain=prerouting p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn passthrough=yes

1 ;;; p
chain=prerouting connection-mark=p2p_conn time=8h-23h59m,sat,fri,thu,wed,tue,mon,sun action=mark-packet
new-packet-mark=p2p-day passthrough=yes

2 ;;; p
chain=prerouting connection-mark=p2p_conn time=0s-7h59m,sat,fri,thu,wed,tue,mon,sun action=mark-packet
new-packet-mark=p2p-night passthrough=yes

3 ;;; p
chain=forward protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http_con passthrough=yes

4 chain=forward connection-mark=http_con action=mark-packet new-packet-mark=http passthrough=no

5 chain=prerouting connection-mark=!p2p_conn action=mark-packet new-packet-mark=other passthrough=yes

And queue tree:
[admin@juri] queue tree> pri
Flags: X - disabled, I - invalid
0 name=“Download” parent=ether1 packet-mark=“” limit-at=0 queue=default priority=2 max-limit=100000000 burst-limit=0
burst-threshold=0 burst-time=0s
1 name=“other-in” parent=Download packet-mark=other limit-at=1500000 queue=pcq-download priority=6 max-limit=1500000
burst-limit=0 burst-threshold=0 burst-time=0s
2 name=“p2p-in-day” parent=Download packet-mark=p2p-day limit-at=2000000 queue=ethernet-default priority=1
max-limit=2000000 burst-limit=0 burst-threshold=0 burst-time=0s
3 name=“http-in” parent=Download packet-mark=http limit-at=3000000 queue=ethernet-default priority=1 max-limit=3000000
burst-limit=0 burst-threshold=0 burst-time=0s

bes · February 18, 2007, 10:39am

When i add in firewall:

[admin@juri] ip firewall> fil
[admin@juri] ip firewall filter> pri
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward p2p=all-p2p action=drop

Bitcomet is not stopped.
mikrotik version 2.9.29

mrz · February 18, 2007, 8:38pm

try upgrading to 2.9.40
also it’s impossible to catch all p2p traffic

fatonk · February 19, 2007, 7:17am

The default rules for p2p may not match all p2p traffic, for some p2p you will have to sniff and identify and create custom rules, since always something will passthrough.

jo2jo · February 19, 2007, 7:35pm

bitcommet supports encryption…i would assume your users are using the encryption.. so MT can not tell if what they are doing is a bank tranaction, an EMAIL or a TON of p2p ing…since its encrypted

best bet i’ve found is to QUEUE problem users by IP, and just not queue port 80 and other important ones..

tgrand · February 22, 2007, 6:25pm

P2P applications still must establish identifiable tcp connections in order to establish non-detectable connections.

You can limit the amount of p2p connections by marking the connections with the following.

Mangle Rules:
chain=prerouting protocol=tcp p2p=all-p2p action=mark-connection new-connection-mark=p2p_con passthrough=yes

chain=prerouting connection-mark=p2p_con action=mark-packet new-packet-mark=p2p_pack passthrough=no

Filter Rules:
chain=forward protocol=tcp connection-mark=p2p_conn connection-limit=8,32 action=drop

This seems to control it pretty good without blocking it entirely.

abab_rafiq · February 23, 2007, 8:37am

As far as I know the basic rule to catch P2P packet is using layer 7 classifier. You can classify your packets for different ways like regular expression check, packet header check, and etc etc. So when a new P2P application came in world first you have to figureout that’s packet marks then the block of those packets come.

For first upgrade your network service I suggest to use layer 7 classifier.

Rafiq…
http://forum.linux.org.bd