P2P script

Trisc · Thu Dec 16, 2004 6:06 pm

I'm trying to get a script to work that will drop all p2p traffic between certain times every day.

So far I can enable a rule from a script but I can't disable it. Has anyone done this before and is willing to share the answer?

TC

edzix · Thu Dec 16, 2004 6:22 pm

so where is a problem? add two scheduler tasks - one will call a script which will disable the rule, the second one will enable that rule. Each task will have separet start-time values, but with interval=24h

Edgars

Trisc · Thu Dec 16, 2004 11:08 pm

To enable a rule in a script do I have to issue a print command first?

TC

[ASM] · Fri Dec 17, 2004 1:41 am

use the find command... something like:

/ip firewall rule forward enable [/ip firewall rule forward find p2p=all-p2p action=drop]

OrCAD · Sun May 08, 2005 1:16 pm

oki!

Jrslick22 · Mon May 09, 2005 7:40 am

can you please post the details of how you made this work?

edzix · Mon May 09, 2005 2:08 pm

/system scheduler add name=enable interval=24h start-date=8/05/2004 disabled=no on-event=en
/system script add name=ed source={
     /ip firewall rule forward enable [/ip firewall rule forward find comment=p2p] 
}

/system scheduler add name=disable interval=24h start-date=9/05/2004 disabled=no on-event=dis

/system script add name=dis source={
     /ip firewall rule forward disable [/ip firewall rule forward find comment=p2p] 
}

Edgars

randyloveless · Fri May 13, 2005 5:26 am

edzix

in 2.9 would we just change the rule to filter? or is there more to do

Randy

edzix · Fri May 13, 2005 11:35 am

yes, but there should be such entry with comment 'p2p'.

Edgars

OrCAD · Wed Jun 22, 2005 12:26 pm

Hi,
I have this bug, somewhere p2p-enable or p2p-disable scheduler fail or don't execute command.

script
/ip firewall filter {enable [find comment="lock P2P"]}

scheduler setting is:
start date= (today)
start time=22:00:00
step=24:00:00 (1day)

I use regular NTP-client for read time & date....
Is possible scheduler fail after reboot or wathcdog reboot?
Regard's

edzix · Wed Jun 22, 2005 1:04 pm

The command < ip firewall filter {enable [find comment="a b"]} > works fine. You can give us printout of '/sys sched' and '/sys script' menus.

Edgars

OrCAD · Wed Jun 22, 2005 1:16 pm

/system script

0 name="p2p_disable" owner="admin" policy=ftp,reboot,read,write,policy,test,winbox,password last-started=may/08/2005 12:53:44 run-count=4
source=/ip firewall filter {disable [find comment="Lock P2P"]}

1 name="p2p_enable" owner="admin" policy=ftp,reboot,read,write,policy,test,winbox,password last-started=may/08/2005 12:53:24 run-count=1
source=/ip firewall filter {enable [find comment="Lock P2P"]}
__________________________________________________________
/system scheduler

# NAME ON-EVENT START-DATE START-TIME INTERVAL RUN-COUNT
0 ;;; Disabilita Blocco P2P
UnLock p2p_disable jun/22/2005 22:00:00 1d 0
1 ;;; Abilita Blocco P2P
Lock p2p_enable jun/23/2005 08:00:00 1d 0

OrCAD · Wed Jun 22, 2005 2:13 pm

and after scheduler successfully enable rule for P2P lock, hotspot user's still to conitinue p2p-download.
How to block this?
I want to kill all estabilisced connection with p2p IP because filter rule:

chain=forward p2p=all-p2p action=drop

not work!
Is possible?
10x

edzix · Wed Jun 22, 2005 2:26 pm

and after scheduler successfully enable rule for P2P lock, hotspot user's still to conitinue p2p-download.
How to block this?
I want to kill all estabilisced connection with p2p IP because filter rule:

chain=forward p2p=all-p2p action=drop

not work!
Is possible?
10x

not possible. There shoud be a new connection made in order to block it by firewall. There is no possibility to block already established connection.

Edgars

edzix · Wed Jun 22, 2005 2:38 pm

If you want these connection to be dropped/limited/whatever_else at certain hours you should follow the following example (will drop the connection):

/ip firewall mangle add p2p=all-p2p mark-connection=p2p-con disabled=no
/ip firewall filter add connection=p2p-con action=drop disabled=yes comment="Lock P2P"

...

If there there is necessary to limit P2P you should add a firewall rule with mark-flow parameter.

Edgars

OrCAD · Wed Jun 22, 2005 3:19 pm

Many thank's, but I've another question:

---- mangle -----
0 chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn

1 chain=forward connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p

2 chain=forward connection-mark=!p2p_conn action=mark-packet new-packet-mark=other

---- queue tree -----
0 X name="queue1" parent=wlan1 packet-mark=p2p_conn limit-at=8000 queue=wireless-default priority=8 max-limit=10000 burst-limit=0 burst-threshold=0 burst-time=0s

1 name="queue2" parent=ether2 packet-mark=p2p limit-at=8000 queue=default priority=8 max-limit=10000 burst-limit=0 burst-threshold=0 burst-time=0s

2 X name="queue3" parent=wlan1 packet-mark=other limit-at=9000000 queue=default priority=1 max-limit=10000000 burst-limit=0 burst-threshold=0 burst-time=0s

3 name="queue4" parent=ether2 packet-mark=other limit-at=9000000 queue=default priority=1 max-limit=10000000 burst-limit=0 burst-threshold=0 burst-time=0s

4 name="queue5" parent=ether3 packet-mark=p2p limit-at=8000 queue=default priority=8 max-limit=10000 burst-limit=0 burst-threshold=0 burst-time=0s

5 name="queue6" parent=ether3 packet-mark=other limit-at=9000000 queue=default priority=1 max-limit=10000000 burst-limit=0 burst-threshold=0 burst-time=0s
-----------------------------------------------------------------
ether2 ---> internet
ether3 is the HotSpot

in queue tree I see the color change from green to red but P2P user's download don't respect maxlimit=10k, download amount of 300kbit and over. Why?
Queue not work properly or I've bad configurated it?
I see the end of mangle section manual for P2P limiting.....
Edzix, can U help me?

OrCAD · Wed Jun 22, 2005 5:20 pm

Solved...
I've switch chain from FORWARD to PREROUTING

Best regard's.

P2P script

P2P script

Who is online