Hello guys, what is the best way to block torrent traffic? Since L7 has no effect how can this traffic be blocked.
I want to prevent downloading movies.
Please your advice.

Block all "new" incoming UDP connection vs the user (the estabilished and related are passing because the request start from user side)
Download torrent "dat" files from various source and block the IPs ranges of all servers.
This make more hard to estabilish again the connection with peers when the client restart the torrent client.
Start yourself a torrent client and block all IPs torrent use for connect to the peers.

It's not realistically possible, the best you can do is block DNS of popular torrents and trackers, but with DHT and PeX it only takes 1 peer to get through for torrents to work. Your best option is to throttle the speed you provide so that torrents don't negatively affect your network.

It's not realistically possible, the best you can do is block DNS of popular torrents and trackers, but with DHT and PeX it only takes 1 peer to get through for torrents to work. Your best option is to throttle the speed you provide so that torrents don't negatively affect your network.

This is the best deterrent.
I notice in userman there are limitations you can set on users for Cap and Rate.

try this :


layer7-bittorrent-exp:

^(\x13bittorrent protocol|azver\x01$|get /scrape\?info_hash=get /announce\?info_hash=|get /client/bitcomet/|GET /data\?fid=)|d1:ad2:id20:|\x08'7P\)[RP]



/ip firewall filter
add action=add-src-to-address-list address-list=Torrent-Conn address-list-timeout=2m chain=forward layer7-protocol=layer7-bittorrent-exp src-address=192.168.50.0/24 src-address-list=!allow-bit
add action=drop chain=forward dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=tcp src-address-list=Torrent-Conn
add action=drop chain=forward dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=udp src-address-list=Torrent-Conn

Hi nichy,
What is the reference for 192.168.50.0/24 is that supposed to represent a private LAN behind the router that you want to control torrent access too??

Hi nichy,
What is the reference for 192.168.50.0/24 is that supposed to represent a private LAN behind the router that you want to control torrent access too??

yes , that is correct.

I think the easiest way is to block all traffic and only allow traffic for port 80 and 443. If you have any specific software, you can open the ports for that software. For example, teamviewer 5938 tcp / udp and go investigating different ports and servers of the different programs you use.
I have had to do it this way because I have not found a more effective solution.

This approach fail: torrent can use with no problem port 53, 80, 443, etc.

For esample also 5060 and the others for SIP, if you prioritize blindly the "5060"s for VoIP, the torrent use that ports unblocked and prioritized.
I allow only knowed SIP servers (=user call me) and drop everything else on that ports.

Thanks for your help, but there's nothing useful with it. Layer7 protocol no longer works at https.
Maybe it's good that I look up which PtP connections are made.

Please explain how https is related to the bittorrent protocol.