bes
just joined
Topic Author
Posts: 20
Joined: Fri Feb 24, 2006 10:01 pm

queue tree p2p=all-p2p does not work

Sun Feb 18, 2007 10:31 am

Hi, the queue tree with p2p=all-p2p does not work: BitComet traffic goes into the queue "other-in".
My firewall mangle settings:

[admin@juri] ip firewall> man
[admin@juri] ip firewall mangle> pri
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; p
chain=prerouting p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn passthrough=yes

1 ;;; p
chain=prerouting connection-mark=p2p_conn time=8h-23h59m,sat,fri,thu,wed,tue,mon,sun action=mark-packet
new-packet-mark=p2p-day passthrough=yes

2 ;;; p
chain=prerouting connection-mark=p2p_conn time=0s-7h59m,sat,fri,thu,wed,tue,mon,sun action=mark-packet
new-packet-mark=p2p-night passthrough=yes

3 ;;; p
chain=forward protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http_con passthrough=yes

4 chain=forward connection-mark=http_con action=mark-packet new-packet-mark=http passthrough=no

5 chain=prerouting connection-mark=!p2p_conn action=mark-packet new-packet-mark=other passthrough=yes

And queue tree:
[admin@juri] queue tree> pri
Flags: X - disabled, I - invalid
0 name="Download" parent=ether1 packet-mark="" limit-at=0 queue=default priority=2 max-limit=100000000 burst-limit=0
burst-threshold=0 burst-time=0s
1 name="other-in" parent=Download packet-mark=other limit-at=1500000 queue=pcq-download priority=6 max-limit=1500000
burst-limit=0 burst-threshold=0 burst-time=0s
2 name="p2p-in-day" parent=Download packet-mark=p2p-day limit-at=2000000 queue=ethernet-default priority=1
max-limit=2000000 burst-limit=0 burst-threshold=0 burst-time=0s
3 name="http-in" parent=Download packet-mark=http limit-at=3000000 queue=ethernet-default priority=1 max-limit=3000000
burst-limit=0 burst-threshold=0 burst-time=0s
 
bes
just joined
Topic Author
Posts: 20
Joined: Fri Feb 24, 2006 10:01 pm

Sun Feb 18, 2007 12:39 pm

When I add this to the firewall:

[admin@juri] ip firewall> fil
[admin@juri] ip firewall filter> pri
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward p2p=all-p2p action=drop

BitComet is not stopped.
MikroTik version 2.9.29.
 
mrz
MikroTik Support
Posts: 6013
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Sun Feb 18, 2007 10:38 pm

Try upgrading to 2.9.40.
Also, it's impossible to catch all P2P traffic.
 
fatonk
Member
Posts: 439
Joined: Tue Feb 22, 2005 11:06 am
Location: Mitrovica/Kosova

Mon Feb 19, 2007 9:17 am

The default rules for P2P may not match all P2P traffic; for some P2P applications you will have to sniff, identify and create custom rules, since something will always pass through.
 
jo2jo
Forum Veteran
Posts: 971
Joined: Fri May 26, 2006 1:25 am

Mon Feb 19, 2007 9:35 pm

BitComet supports encryption. I would assume your users are using the encryption, so MT cannot tell whether what they are doing is a bank transaction, an email or a ton of P2P-ing, since it's encrypted.

The best bet I've found is to queue problem users by IP, and just not queue port 80 and other important ones.
 
tgrand
Long time Member
Posts: 671
Joined: Mon Aug 21, 2006 2:57 am
Location: Winnipeg, Manitoba, Canada

Thu Feb 22, 2007 8:25 pm

P2P applications still must establish identifiable TCP connections in order to establish non-detectable connections.

You can limit the number of P2P connections by marking the connections with the following.

Mangle Rules:
chain=prerouting protocol=tcp p2p=all-p2p action=mark-connection new-connection-mark=p2p_con passthrough=yes

chain=prerouting connection-mark=p2p_con action=mark-packet new-packet-mark=p2p_pack passthrough=no

Filter Rules:
chain=forward protocol=tcp connection-mark=p2p_con connection-limit=8,32 action=drop

This seems to control it pretty well without blocking it entirely.
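To make the connection-limit rule above concrete, here is an added example (my own code, not from the post or from MikroTik) that replays constructed connections through a model of `connection-limit=8,32 action=drop`. It assumes the mangle rule has tagged P2P connections with the connection mark p2p_con, and it assumes a new connection is dropped once its source block already has 8 tracked connections; the second value of connection-limit is treated as the netmask applied to the source address, which is what decides whether hosts are counted individually (/32) or share one budget (/24). Both the traffic and the addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the thread: a small model of what
#   chain=forward connection-mark=p2p_con connection-limit=8,32 action=drop
# does once the mangle rule has tagged P2P connections with the
# connection mark "p2p_con" (assumed mark name, matching the mangle rule).


@dataclass(frozen=True)
class Conn:
    src: str        # source address on the LAN side
    dst: str
    dport: int
    conn_mark: str  # mark set by mangle; "" when the p2p matcher did not fire


def source_block(addr: str, prefix: int) -> ipaddress.IPv4Network:
    """Aggregate a source address by the netmask given as the second
    value of connection-limit (32 = per host, 24 = per /24 block)."""
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def apply_connection_limit(conns, limit, prefix, conn_mark="p2p_con"):
    """Replay connections in arrival order through the drop rule.

    Only connections carrying `conn_mark` are counted or dropped; everything
    else passes untouched, which is why the mangle mark name has to match.
    Assumption: a new connection is dropped once its block already has
    `limit` tracked connections.  Returns (accepted, dropped)."""
    tracked = {}
    accepted, dropped = [], []
    for c in conns:
        if c.conn_mark != conn_mark:
            accepted.append(c)
            continue
        blk = source_block(c.src, prefix)
        if tracked.get(blk, 0) >= limit:
            dropped.append(c)
        else:
            tracked[blk] = tracked.get(blk, 0) + 1
            accepted.append(c)
    return accepted, dropped


def sample_conns():
    """Constructed traffic: two LAN hosts in the same /24, one with ten
    marked P2P connections, one with six, plus one unmarked HTTP connection."""
    conns = [Conn("10.0.0.5", f"203.0.113.{i + 1}", 6881 + i, "p2p_con") for i in range(10)]
    conns += [Conn("10.0.0.6", f"198.51.100.{i + 1}", 6881 + i, "p2p_con") for i in range(6)]
    conns.append(Conn("10.0.0.5", "192.0.2.10", 80, ""))
    return conns


def dropped_counts():
    """Number of dropped connections with connection-limit=8,32 versus 8,24."""
    conns = sample_conns()
    _, per_host = apply_connection_limit(conns, 8, 32)
    _, per_block = apply_connection_limit(conns, 8, 24)
    return len(per_host), len(per_block)


if __name__ == "__main__":
    print(dropped_counts())  # (2, 8): with /24 both hosts share a single budget of 8
```

With the /32 mask only the host with ten P2P connections loses two; with a /24 mask the sixteen marked connections from both hosts compete for one budget of eight, so the second host is cut off entirely. The unmarked HTTP connection is never counted, which is the reason the mark name in the filter rule must be the one the mangle rule actually sets.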
 
abab_rafiq
Member Candidate
Posts: 120
Joined: Thu Aug 24, 2006 12:47 pm
Location: Dhaka

Fri Feb 23, 2007 10:37 am

As far as I know, the basic way to catch P2P packets is to use a layer 7 classifier. You can classify your packets in different ways, like regular expression checks, packet header checks, etc. So when a new P2P application comes into the world, first you have to figure out its packet signatures, and then the blocking of those packets comes.

As a first upgrade to your network service, I suggest using a layer 7 classifier.

Rafiq...
http://forum.linux.org.bd
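jo2jo's point about encryption and abab_rafiq's point about layer 7 classification come together in the following added example (my own code, not from any post, from MikroTik or from BitComet). It runs a layer-7-style regular-expression classifier over constructed stream starts: a plaintext BitTorrent peer handshake, a bencoded DHT ping, an HTTP request, and a stand-in for the first bytes of a Message Stream Encryption (MSE/PE) session, where a Diffie-Hellman public key plus padding goes on the wire before anything recognisable. The two regexes are taken from the l7-filter project's bittorrent pattern (assumed to be reproduced correctly here), the 2048-byte inspection window is an assumption, and all samples are constructed. Caveat for this thread: RouterOS only gained the /ip firewall layer7-protocol matcher in version 3; the 2.9.x router discussed above has just the built-in p2p= matcher.

```python
import re

# Added example, not from the thread: a layer-7-style classifier that looks
# for BitTorrent wire-protocol signatures at the start of a stream, run over
# constructed samples. Regexes follow the l7-filter bittorrent pattern
# (assumption); RouterOS itself only got a layer7-protocol matcher in v3.

PREFIX_BYTES = 2048  # assumption: like an L7 classifier, inspect only the stream start

BITTORRENT = re.compile(
    rb"^\x13bittorrent protocol"   # peer wire handshake: pstrlen 0x13 + pstr
    rb"|^d1:ad2:id20:",            # bencoded DHT query (ping/find_node/...)
    re.IGNORECASE,
)


def classify(stream: bytes) -> str:
    """Return 'bittorrent' when the start of the stream carries a known
    BitTorrent signature, otherwise 'other'."""
    return "bittorrent" if BITTORRENT.search(stream[:PREFIX_BYTES]) else "other"


def peer_handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    """Plaintext peer wire handshake: pstrlen, pstr, 8 reserved bytes, info_hash, peer_id."""
    assert len(info_hash) == 20 and len(peer_id) == 20
    return b"\x13BitTorrent protocol" + bytes(8) + info_hash + peer_id


def dht_ping(node_id: bytes) -> bytes:
    """Bencoded DHT ping query as it travels over UDP."""
    assert len(node_id) == 20
    return b"d1:ad2:id20:" + node_id + b"e1:q4:ping1:t2:aa1:y1:qe"


def mse_like_prefix(n: int = 96) -> bytes:
    """Constructed stand-in for the start of an MSE/PE session: the initiator
    first sends a Diffie-Hellman public key and random padding, so the
    plaintext handshake is not at the stream start. Deterministic bytes keep
    the example reproducible; real sessions look like random data here."""
    return bytes((i * 73 + 41) % 256 for i in range(n))


SAMPLES = {  # constructed inputs
    "plain_handshake": peer_handshake(b"\x11" * 20, b"-BC0061-" + b"\x22" * 12),
    "dht_ping": dht_ping(b"\x33" * 20),
    "http_get": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "mse_encrypted": mse_like_prefix(),
}


def classify_samples():
    """Verdict per constructed sample."""
    return {name: classify(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:16} -> {verdict}")
```

The two plaintext samples are caught and the HTTP request is not, which is the layer 7 approach working as intended; the MSE sample is classified as "other" because the signature is anchored at the stream start and the key exchange comes first. Dropping the anchor does not rescue the encrypted case either: once the peers select RC4 the handshake and everything after it are ciphertext, so a signature classifier is left with per-host or per-connection-count policies like the ones suggested earlier in the thread.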
