Netgate Discussion Forum

Completely blocking p2p traffic

Traffic Shaping
hoba

The problem with these apps is that they can choose any port, or it at least is configurable to use other ports. The best thing you can do at the moment is to use the p2p catch-all option from the traffic shaper wizard. This way anything that is not given priority will be dumped to lowest priority. Completely blocking would need some kind of packet inspection for p2p content. This is not (yet?) possible with pfSense (but keep in mind this is just the first version ;) ).

prevo

Yes, I know they can use random ports. I thought there was maybe something like L7 filters which recognize the type of traffic and shape it correspondingly. However, I think pfSense is a really great product, just in the early stages of development. I can just imagine what features it will have in a year or so. I'll try to stick to your recommendation, catching all unclassified traffic and putting it at lowest priority. Should I also combine that with 'simultaneous client connection limit', for better results? And what would be recommended limits per user for usual surfing and playing games online?

I apologize for these newbish questions but I really need some advice :) Thanks.

hoba

Using some of the advanced options to limit sessions is a good idea. You might want to watch your firewall's states under load, or when only running specific apps, at Diagnostics > States or at the shell menu running pftop, to see what limits are needed to let your games or needed apps work. Then add some overhead to it and create/change pass rules with that limit.

billm

1. Use the shaper wizard
2. Choose the catch-all in the p2p screen
3. Click on Firewall -> Traffic Shaper -> Queues
4. Click on qP2PDown
5. Check "Upperlimit"
6. Fill in 1Kb 1 1Kb for the three boxes to the right of Upperlimit
7. Click Save
8. Repeat the last four steps for qP2PUp
9. I think you have to hit "Apply"

That should effectively limit all ports you haven't explicitly shaped to 1Kbyte/second, so be aware that stuff that doesn't have any other rule for it will get caught and essentially dropped.

--Bill

pfSense core developer
blog - http://www.ucsecurity.com/
twitter - billmarquette

prevo

              I will try it, thanks.

billm

@prevo:

I will try it, thanks.

There was also another comment in a different thread about using rules to limit the states/second of given hosts as well as the number of states a given host can create (per rule). This might be another option for you although, much like the previous suggestion, it won't stop a user from using p2p, but it can help make it rather painful (and in combination… heh, ouch).

--Bill

ZGamer
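What the wizard steps in billm's first post and the per-host state limits that hoba and billm mention look like when written out in pf.conf (ALTQ/HFSC) syntax. This is an added illustration, not pfSense's generated ruleset and not code from any poster; the interface names, link speeds, queue names, ports and the table name are assumptions chosen for the example. Note that in pf.conf the bandwidth suffixes b, Kb, Mb and Gb are bits per second, so an upper limit of 1Kb is about 125 bytes per second.

```pf
# Added example (not pfSense's generated rules): the catch-all P2P queues with a
# 1 Kbit/s upper limit, plus pass rules carrying per-source state limits.
# Interfaces, speeds, ports and the table name are assumptions.
wan_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"

# Hosts that exceed the connection-rate limit below are collected here.
table <p2p_abusers> persist

# Upload direction: queues live on the interface the traffic leaves by (WAN).
# qP2PUp is the default queue, so anything not classified elsewhere lands in it.
# upperlimit(1Kb 1 1Kb) is the (m1, d, m2) service curve the wizard's three
# boxes fill in: 1 Kbit/s initially, for 1 ms, then 1 Kbit/s steady state.
altq on $wan_if hfsc bandwidth 256Kb queue { qACKUp, qGamesUp, qWebUp, qP2PUp }
queue qACKUp   bandwidth 20% priority 7 hfsc(realtime 10%)
queue qGamesUp bandwidth 30% priority 6 hfsc(realtime 20%)
queue qWebUp   bandwidth 30% priority 4
queue qP2PUp   bandwidth 1%  priority 0 hfsc(default, upperlimit(1Kb 1 1Kb))

# Download direction: same layout on the LAN-facing interface (step 8 above).
altq on $lan_if hfsc bandwidth 2Mb queue { qACKDown, qGamesDown, qWebDown, qP2PDown }
queue qACKDown   bandwidth 20% priority 7 hfsc(realtime 10%)
queue qGamesDown bandwidth 30% priority 6 hfsc(realtime 20%)
queue qWebDown   bandwidth 30% priority 4
queue qP2PDown   bandwidth 1%  priority 0 hfsc(default, upperlimit(1Kb 1 1Kb))

# A host that tripped the rate limit is blocked outright until the table entry
# is removed (e.g. "pfctl -t p2p_abusers -T delete <ip>").
block in log quick on $lan_if from <p2p_abusers>

# Per-source state limits, the "advanced options" of a pfSense pass rule:
#   max-src-states 80        at most 80 concurrent states per LAN host
#   max-src-conn-rate 20/10  no more than 20 new TCP connections per 10 seconds
#   overload ... flush global  offenders go into the table and lose all states
# Web traffic gets its own queue; ACKs ride qACKUp so downloads are not starved.
pass in quick on $lan_if proto tcp from $lan_net to any port { 80, 443 } \
    keep state (max-src-states 80, max-src-conn-rate 20/10, \
                overload <p2p_abusers> flush global) \
    queue (qWebUp, qACKUp)

# An example game port (assumed), with a state cap but no rate limit, since
# game clients open few connections.
pass in quick on $lan_if proto udp from $lan_net to any port 27015 \
    keep state (max-src-states 80) queue qGamesUp

# Catch-all: whatever is not matched above is assigned the 1 Kbit/s P2P queue.
# The wizard emits mirror rules for the download queues; they are omitted here.
pass in quick on $lan_if from $lan_net to any \
    keep state (max-src-states 80, max-src-conn-rate 20/10, \
                overload <p2p_abusers> flush global) \
    queue (qP2PUp, qACKUp)
```

The numbers in the state limits are placeholders: as hoba says, watch Diagnostics > States or pftop while the wanted applications run, then set max-src-states with some headroom above what you observe. A rate limit that is too tight will catch a browser opening many connections to one page as readily as it catches a torrent client.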

Another thing you could do if the packets are being misclassified would be to set a hard limit of 512k/64k per user, so then no one user can take more than 25% of the bandwidth... it doesn't need to be those values, maybe higher, but setting a ceiling so there isn't one hog in the pond.

--
pfSense Documentation Wiki
Need Commercial Support?
Personal Blog

prevo

                    @ZGamer:

Another thing you could do if the packets are being misclassified would be to set a hard limit of 512k/64k per user, so then no one user can take more than 25% of the bandwidth... it doesn't need to be those values, maybe higher, but setting a ceiling so there isn't one hog in the pond.

Yes, I actually thought of that, BUT: then I can't take full advantage of the full DSL speed when other users are offline :-\ (e.g. for overnight downloads or something…). But generally, that is a good idea.

theboss

Well, I implemented a mini-ISP solution of about 500 users, and p2p was a real pain in the neck there. So this is what I did.

Most p2p is dependent on upload, meaning the faster you upload, the faster you can download. So setting a hard limit of 64K upload from the DSLAM reduced the congestion, since many people have no need for huge upload unless p2p comes into play.

Secondly, all p2p software makes an initial connection to some domain or IP for retrieving the list. Start a packet sniffer on your PC and then the desired p2p app, capture the packets and analyze them. Then take appropriate action to block the destination IP or FQDN. Locking ports is useless since p2p will hop to the next available port. But blocking the IP/FQDN does the trick mostly.

The last pain in the neck is BitTorrent, but it is also dependent on upload, so reducing the user upload solves many downlink congestion problems. Still, I'm looking forward to completely banishing BT.

ZGamer
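The packet inspection that hoba's first post says pfSense lacks, and the sniff-then-block approach theboss describes, both come down to recognising BitTorrent by payload rather than by port. The script below is an added example written for this thread; it is not pfSense code and not code from any poster. It checks raw TCP payloads for the two signatures a sniffer session would surface: the peer-wire handshake (pstrlen 19, "BitTorrent protocol", 8 reserved bytes, 20-byte info_hash, 20-byte peer_id) and an HTTP tracker announce (a GET carrying info_hash, peer_id and port). The destination port is carried along only for reporting, which is the point: the same handshake is flagged on 6881 and on 443, while a non-BitTorrent payload on 6889 is not. All payloads, addresses and the tracker name are constructed for the example.

```python
"""Port-independent BitTorrent detection over raw TCP payloads.

Added example for this thread; not pfSense code and not code from any poster.
Inputs are constructed byte strings standing in for sniffed payloads.
"""
from urllib.parse import quote_from_bytes, unquote_to_bytes, urlsplit

PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20  # pstrlen, pstr, reserved, info_hash, peer_id
ANNOUNCE_KEYS = {"info_hash", "peer_id", "port"}


def parse_handshake(payload: bytes):
    """Return the info_hash (hex) if payload starts with a BEP 3 peer-wire handshake."""
    if len(payload) < HANDSHAKE_LEN or payload[0] != len(PSTR):
        return None
    if payload[1:1 + len(PSTR)] != PSTR:
        return None
    return payload[28:48].hex()  # 1 + 19 + 8 bytes precede the info_hash


def _query_params(query: bytes) -> dict:
    """Percent-decode a query string into {name: raw bytes}; first value wins."""
    params = {}
    for pair in query.split(b"&"):
        key, _, value = pair.partition(b"=")
        params.setdefault(unquote_to_bytes(key).decode("latin-1"), unquote_to_bytes(value))
    return params


def parse_announce(payload: bytes):
    """Return (tracker host, info_hash hex) if payload is an HTTP tracker announce."""
    if not payload.startswith(b"GET "):
        return None
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return None  # header block incomplete: nothing to classify yet
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    params = _query_params(urlsplit(parts[1]).query)
    if not ANNOUNCE_KEYS.issubset(params) or len(params["info_hash"]) != 20:
        return None
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("latin-1")
            if host.count(":") == 1:        # drop an explicit :port
                host = host.split(":")[0]
    return host, params["info_hash"].hex()


def classify_flow(dport: int, payload: bytes):
    """Classify one payload. dport is reported but never consulted: clients hop ports."""
    info_hash = parse_handshake(payload)
    if info_hash:
        return {"kind": "peer-handshake", "dport": dport, "info_hash": info_hash}
    announce = parse_announce(payload)
    if announce:
        host, info_hash = announce
        return {"kind": "tracker-announce", "dport": dport, "host": host, "info_hash": info_hash}
    return None


def tracker_blocklist(flows):
    """Announce targets seen in flows = iterable of (src_ip, dport, payload):
    the IP/FQDN block candidates the thread talks about."""
    hosts = {r["host"] for r in (classify_flow(p, d) for _, p, d in flows)
             if r and r["kind"] == "tracker-announce" and r["host"]}
    return sorted(hosts)


# Constructed sample payloads (not captured traffic).
INFO_HASH = bytes(range(20))
HANDSHAKE = b"\x13" + PSTR + b"\x00" * 8 + INFO_HASH + b"-PY0001-" + b"\x01" * 12
ANNOUNCE = (
    b"GET /announce?info_hash=" + quote_from_bytes(INFO_HASH, safe="").encode("ascii")
    + b"&peer_id=-PY0001-000000000000&port=6881&uploaded=0&downloaded=0&left=0 HTTP/1.1\r\n"
    b"Host: tracker.example.invalid\r\nUser-Agent: constructed/0.1\r\n\r\n"
)
PLAIN_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"
TLS_LIKE = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32  # TLS-ish prefix

SAMPLE_FLOWS = [
    ("192.168.1.20", 6881, HANDSHAKE),   # classic BitTorrent port
    ("192.168.1.21", 443, HANDSHAKE),    # same handshake hidden on 443
    ("192.168.1.20", 80, ANNOUNCE),      # tracker announce over plain HTTP
    ("192.168.1.22", 80, PLAIN_HTTP),    # ordinary web request: not flagged
    ("192.168.1.23", 6889, TLS_LIKE),    # "torrent port" but no BitTorrent payload: not flagged
]

if __name__ == "__main__":
    for src, dport, payload in SAMPLE_FLOWS:
        print(src, dport, classify_flow(dport, payload))
    print("tracker hosts to block:", tracker_blocklist(SAMPLE_FLOWS))
```

Feeding real captures into this means reassembling each TCP stream's first bytes from the sniffer output; only the start of a connection needs inspecting. The caveat a practitioner should keep in mind is that BitTorrent clients can turn on protocol encryption, which hides the plaintext handshake, and announces can use UDP trackers or DHT instead of HTTP, so signatures like these identify and help block much of the traffic but do not give the complete ban theboss is after.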

Drop port 6889; it will help cap some of the torrent users... at least from going off the LAN. Also, using another interface would work to bypass the filters, so you could use it all at night :P

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.