Hello,

I have just done the hard part of blocking the p2p, I finally "packet-mark"ed bittorrent using layer 7 as bellow:
now I have packet-mark called: "bittorent_in" now, the easy question, how can I block it using the firewall?

thanks

http://wiki.mikrotik.com/wiki/Manual:IP ... Properties

Of course it would be better to use connection marks so you can block both ways - that way you also don't have to waste resources marking packets: once the connection is marked that connection mark is available for all packets in the connection, both ways.

if I do what you have suggested, basically I am blocking the in-WAN pockets, and if I use connection mark I block both ways, what if I only want to block only out-WAN?

thanks

You can always combine src-address/dst-address or in-interface/out-interface with other matchers to get directionality.

But what's the point of blocking P2P one way?

if I do what you have suggested, basically I am blocking the in-WAN pockets, and if I use connection mark I block both ways, what if I only want to block only out-WAN?

thanks

Without seeing your filter, I can't tell you what exactly you are catching, but if you are using the L7 bittorrent filter from the wiki/this forums, then you absolutely need to block outbound.

The filter does not catch the actual torrent data, that is encrypted and hard to identify. What the filter catches it tracker announces and scrapes. This is a glorified HTTP request where the client either gets a list of people to connect to, or advertises it's availability as a peer. Since the filter only looks for the command word the client makes, it will never flag in the inbound return packets, since most of the time they are just a "ok" response from the server. Additionally, if you don't block outbound, the client could announce, then some other peer would read that and make a new direct connection in.

Flagging bittorrent is NOT an easy thing, since it is very much designed to evade detection. Additionally, as Janis mentions regularly, there are a lot of legitimate uses for torrents, including Linux ISO's, World of Warcraft updates, and MikroTik updates.

A different approach is to use the L7 filter to flag the presence of bittorrent traffic, then add the user to a dynamic address list for a specific length of time. You can then take secondary measures such as heavily limiting the number of non-DNS UDP connections (since TCP responds better to QoS), restricting bandwidth, or marking the user's packets with DSCP bits that let other routers can use to give it a lower QoS priority. The thought here isn't to block bittorrent, but rather to detect it and manage its use of bandwidth.

There are a couple of really awesome threads in this forum that discuss some other methods for tracking and limiting the impact of Bittorrent on a network. Dig around a bit and you should be able to find something to fit your needs, otherwise just ask and I will see what I can help with.

Thanks alot, this is pretty much what I am looking for, I will feedback when I get any success

@zahiy

did you find something suitable ?

cm

Well, at least I could block bitTorrent, but I haven't tested other p2p