Best way using pfSense to block Torrent / P2P



  • Is it possible for a mere mortal to configure something such as this? Is it possible to block P2P programs & torrent downloads? I see folks say yes, say no; however, I have yet to be able to see & read a viable solution that I can implement.

    Your advice please.

    Thanks... DW



  • I think Snort or Suricata might have some rules to detect and block p2p but it's not foolproof.



  • Thanks for the info. I realize nothing is foolproof, as where there is a will, there is a way. If I can block just some of it, just mitigate it a slight bit, that would be better than nothing at all.

    Thanks.... DW



  • It really depends on what you're trying to accomplish. Are you trying to get rid of p2p on moral or ethical grounds? Or are you trying to prevent it from sucking up all your bandwidth? If the latter, you can use traffic shaping to ensure that a client on your network doesn't use all the bandwidth.


  • LAYER 8 Global Moderator

    Since p2p can use pretty much any port at all, the only way would be something doing DPI. The other option would be to use a proxy. That could even fail with encrypted p2p.

    Are the end devices in your control? It's somewhat easier to control what apps can run on the client to prevent such traffic than trying to do it at the network layer.

    Forcing use of a proxy with only specific ports like 80/443 and good content filtering can also help. Blocking access on the proxy to IP-only URLs, unknown categories, etc. But it can become a PITA to administer.



  • @KOM I would prefer to block as much of it as I can. The reason being that we have already received 5 copyright violation letters from our ISP this year from users either watching, downloading, or sharing copyrighted material. I think I may look for some type of listing of torrent websites, and at least try blocking some of the major sites like thepiratebay.org etc.



  • @johnpoz


    I don't really have control of these particular devices on this particular separate network as this one in particular is primarily a BYOD network.



  • Get a VPN instead of trying to block all p2p traffic. I use Mullvad for $5/month. Route the p2p traffic through the VPN and all other traffic out your WAN.


  • LAYER 8 Global Moderator

    If he routes the traffic out his VPN, then he is just an enabler. How is he going to route only the p2p traffic out the VPN? He would have to route that whole network out it.

    Using Snort should put a hit on it, and you could also start up a shame board where the ones you do catch you put on your shame board that they are downloading p2p while at work and using up everyone else's bandwidth, etc.

    Once users know you can catch some users, they'll probably stop it on their own vs getting on the hall of shame board, etc.

    You could also threaten to fire upon violation of the no p2p policy, etc.



  • @johnpoz said in Best way using pfSense to block Torrent / P2P:

    How is he going to route only the p2p traffic out the vpn.. He would have to route that whole network out it.

    Assuming that this is his kid, he would either route ALL the kid's traffic out the VPN, or force the kid to define a static port in his torrent app and then route just that port's traffic out.

    I don't know if he cares about the piracy or just about the legal notices. The legality also depends on where he's from.


  • LAYER 8 Global Moderator

    This doesn't seem like his home network, from his last post that the network is a BYOD network.

    If it was your kids you'd just take away their freaking devices ;)



  • Ah, I didn't see that post sneak in.

    OK then, in that case, discover who the bad actor is and then limit them down to 64kbps, and keep beating them until morale improves... 😆 😆



  • If you are willing to run a pfSense-2.5 DEVEL snapshot machine, then you can use the Snort package and enable the new Inline IPS Mode available in the Snort-4.0 package available in pfSense-2.5.

    You can enable OpenAppID, the corresponding rules and Inline IPS Mode and that will allow you to identify P2P app traffic and drop just those packets. Inline IPS Mode works great for this since you can drop the offending packets without blocking everything else the host sends or receives. You just block the P2P packets. However, this requires Inline IPS Mode; and that mode is currently only available when you use the Snort-4.0 package that is, for now, restricted to the pfSense-2.5 DEVEL snapshots.

    You can use OpenAppID in the Snort-3.2.9.9 package on pfSense-2.4, but that package only supports Legacy Mode blocking. That means once P2P traffic generates an alert for a host and inserts a firewall block, all traffic for that host is then blocked (not just the P2P traffic). That can potentially be an issue for some networks, but it may not matter as much in yours.
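As an added example, not code from the thread, pfSense, Snort or Suricata: johnpoz's point above that p2p can use any port, and this post's point that OpenAppID classifies the application rather than the port, both come down to matching markers in the payload. The script below checks a handful of constructed flows for three such markers: the BitTorrent peer-wire handshake, a DHT ping query and an HTTP tracker announce. SAMPLE_FLOWS are constructed, not captured traffic; the Snort rule in the comment is illustrative and its sid is just a value from the local-rules range.

```python
"""
Port-independent BitTorrent markers, the kind of thing OpenAppID or a
content rule matches on.  Added example; not code from pfSense, Snort or
Suricata, and SAMPLE_FLOWS below are constructed, not captured traffic.
"""
import re

# Peer-wire handshake (BEP 3): pstrlen 19, "BitTorrent protocol", 8 reserved
# bytes, 20-byte info_hash, 20-byte peer_id = 68 bytes total.
HANDSHAKE_PREFIX = b"\x13BitTorrent protocol"
HANDSHAKE_LEN = 68

# DHT (BEP 5) queries are bencoded dicts carrying "q":<rpc name> and "y":"q".
DHT_QUERY_RE = re.compile(
    rb"1:q(?:4:ping|9:find_node|9:get_peers|13:announce_peer).*1:y1:q", re.S)

# HTTP tracker announce (BEP 3); rides over plain port 80 like any web request.
TRACKER_RE = re.compile(rb"^GET /\S*announce\?\S*info_hash=", re.M)

# Equivalent Snort/Suricata content rule for the handshake (illustrative; the
# sid is just one from the local-rules range, not from any published ruleset):
#   alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BitTorrent peer handshake";
#       content:"|13|BitTorrent protocol"; depth:20; sid:1000001; rev:1;)


def classify(payload):
    """Return (label, info_hash_hex or None), or None if no BitTorrent marker."""
    if payload.startswith(HANDSHAKE_PREFIX) and len(payload) >= HANDSHAKE_LEN:
        return "bt-handshake", payload[28:48].hex()   # info_hash identifies the torrent
    if payload.startswith(b"d") and DHT_QUERY_RE.search(payload):
        return "bt-dht", None
    if TRACKER_RE.search(payload):
        return "bt-tracker", None
    return None


def scan(flows):
    """flows: iterable of (proto, src_ip, dst_port, first_payload). Returns hits."""
    hits = []
    for proto, src, dport, payload in flows:
        verdict = classify(payload)
        if verdict:
            label, info_hash = verdict
            hits.append({"proto": proto, "src": src, "dport": dport,
                         "label": label, "info_hash": info_hash})
    return hits


INFO_HASH = bytes(range(20))           # constructed, stands in for a real torrent hash
HANDSHAKE = HANDSHAKE_PREFIX + b"\x00" * 8 + INFO_HASH + b"-qB4250-" + b"x" * 12

SAMPLE_FLOWS = [
    ("tcp", "192.168.50.23", 6881, HANDSHAKE),
    ("tcp", "192.168.50.23", 443, HANDSHAKE),    # same handshake on 443: a port rule misses it
    ("udp", "192.168.50.24", 6881,
     b"d1:ad2:id20:" + INFO_HASH + b"e1:q4:ping1:t2:aa1:y1:qe"),
    ("tcp", "192.168.50.25", 80,
     b"GET /announce?info_hash=%00%01%02&peer_id=-qB4250-x&port=6881 HTTP/1.1\r\n"
     b"Host: tracker.example\r\n\r\n"),
    ("tcp", "192.168.50.26", 443,
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"z" * 40),  # TLS ClientHello, benign
]

if __name__ == "__main__":
    for h in scan(SAMPLE_FLOWS):
        print(f"{h['proto']} {h['src']} -> port {h['dport']}: {h['label']}"
              + (f" info_hash={h['info_hash']}" if h["info_hash"] else ""))
```

The second flow is the reason port-based blocking alone does not work: the identical handshake on 443 is flagged by content, not by port. The TLS ClientHello on 443 is not flagged, which is also the limit of this approach: once the peer connection is encrypted (MSE/PE), these markers are gone and only the tracker/DHT side channels or behavioural signals remain.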



  • @johnpoz Correct, this standalone network in particular is not my home network. It's a network that is used during the day by individuals for training, then after hours it turns more so into a morale network for visitors that are visiting from out of state.

    However, when I receive the copyright violation letters from the ISP it jeopardizes the entire connection from the ISP due to said copyright violation.

    I'm going to change gears and try to just block say 15-25 of the top torrent / p2p sites such as www.thepiratebay.org, etc. If I can block a portion of the traffic then I am that much better off than not blocking any of it at all.


  • LAYER 8 Global Moderator

    I always find it funny that people actually have the balls to run such applications on such a network...

    I would put in a captive portal on this network - Warning against P2P use, and detection of such use will mean loss of service of all internet on this connection... and any copyright warnings will be forwarded to the appropriate authorities ;)

    This will also let users know that their activity is being tracked, even if not to the level they might think it is. Make a statement that all traffic is logged, etc.

    If the overall network is decent speed, dial it back so that it's not favorable to p2p traffic.

    Good luck, it always sucks when a few bad apples have to ruin a good thing for everyone. If you want to p2p, great, do it from your own freaking network, not some guest network you're on.



  • @KOM There lies the issue. The students that come through here to train are generally only here for 1 week. I don't receive the copyright violation letters until months later.

    If I can block the websites, even a portion of them, that cuts down on the possibility of getting the copyright violation letter(s).

    I am going to have to I believe look at using Squid / SquidGuard / Light Squid to block some of the websites.

    I am also going to look at logging all website activity, then trying to filter it by MAC, so that once I receive the copyright violation letter I can possibly go back and dig in the logs and track back to the offending MAC that has been registered with me before they are allowed to access the internet. I believe this would be MAC filtering of sorts.


  • LAYER 8 Global Moderator

    You can for sure log all dhcp activity... You can also have all guest sign an AUP, clearly stated that activity is logged and p2p is forbidden, etc..

    Take away the freedom of internet, and just whitelist the sites they need to go to for training..

    edit: Also, just blocking outbound UDP and unknown TCP can put a huge hit on it as well, as p2p can use pretty much any port. It is possible that it can be used over TCP 80/443, but it would put a huge hit on use of it if the only ports allowed were TCP 80/443.

    Blocking of known p2p sites can be done with simple DNS overrides, if you force clients to only use pfSense for DNS.



  • @johnpoz Exactly. That is what I have done. I have implemented the Captive Portal, and have the users accepting the end user acceptance policy explaining that their MAC has been registered, and that they agree to and have read the terms of service for using this network. They will as well be made aware via the end user acceptance policy that violations will be enforced to the fullest extent. They log in using a predefined username/password.

    Speed is Gigabit and since during the day time hours its hit hard for training I don't want to have to dial back the speed.

    Currently my implementation is in testing, as I have not released this on the live network. I am trying to get it to where I want it: blocking some sites, tracking where my test users go, and hopefully getting to where I can manipulate the data to pull out MAC addresses and go back and track where they have been, so hopefully I can catch the violator.
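Taking johnpoz's point that all DHCP activity can be logged, and WD_Doug's plan (this post and the earlier one) to pull MAC addresses out of the web logs once a notice arrives, here is an added example that is not pfSense, Squid or dhcpd code: it correlates Squid native-format access.log lines with ISC dhcpd DHCPACK lines, so a request seen from a client IP at a given moment is attributed to the MAC that held that lease at the time, and hosts on a small illustrative blocklist are flagged. Both log samples are constructed. The script assumes dhcpd syslog lines carry no year (so one is supplied), that both logs are in UTC, and that the blocklist is only an illustration.

```python
"""
Attribute Squid access.log requests to the MAC that held the client IP when
the request was made, using dhcpd DHCPACK lines as the lease history.
Added example for this thread; not pfSense, Squid or dhcpd code.
Assumptions: dhcpd syslog lines have no year (LOG_YEAR supplies it), dhcpd
and Squid both log in UTC, and the log samples below are constructed.
"""
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timezone
import re
from urllib.parse import urlparse

LOG_YEAR = 2020  # assumption: syslog lines lack a year

DHCPACK_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)

# Constructed dhcpd lines: the same IP goes to two different devices on one day,
# which is exactly why an IP from a notice must be resolved at a timestamp.
DHCP_LOG = """\
Jan 14 13:02:11 pfSense dhcpd: DHCPACK on 192.168.50.23 to 3c:5a:b4:11:22:33 (student-laptop) via em1
Jan 14 13:05:40 pfSense dhcpd: DHCPACK on 192.168.50.24 to 00:1a:2b:3c:4d:5e (visitor-phone) via em1
Jan 14 18:30:00 pfSense dhcpd: DHCPACK on 192.168.50.23 to f0:9f:c2:aa:bb:cc (visitor-tablet) via em1
"""

# Constructed Squid native-format lines:
# epoch.ms elapsed client_ip code/status bytes method url ident hierarchy/peer type
SQUID_LOG = """\
1579007200.123    312 192.168.50.23 TCP_MISS/200 5821 GET http://thepiratebay.org/ - HIER_DIRECT/104.21.0.1 text/html
1579007210.456     40 192.168.50.24 TCP_TUNNEL/200 2048 CONNECT training.example.com:443 - HIER_DIRECT/203.0.113.10 -
1579027000.789     55 192.168.50.23 TCP_TUNNEL/200 9130 CONNECT thepiratebay.org:443 - HIER_DIRECT/104.21.0.1 -
"""

BLOCKLIST = {"thepiratebay.org"}  # illustrative only, not a vetted list


def parse_dhcp(text, year=LOG_YEAR):
    """Return {ip: sorted [(epoch, mac), ...]} built from DHCPACK lines."""
    leases = defaultdict(list)
    for line in text.splitlines():
        m = DHCPACK_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                  "%Y %b %d %H:%M:%S")
        leases[m["ip"]].append((stamp.replace(tzinfo=timezone.utc).timestamp(), m["mac"]))
    for ip in leases:
        leases[ip].sort()
    return leases


def who_had_ip(leases, ip, at_epoch):
    """MAC that most recently got a DHCPACK for ip at or before at_epoch, else None."""
    history = leases.get(ip, [])
    idx = bisect_right([t for t, _ in history], at_epoch)
    return history[idx - 1][1] if idx else None


def parse_squid(text):
    """Yield (epoch, client_ip, method, host) from Squid native access.log lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue
        epoch, client, method, url = float(f[0]), f[2], f[5], f[6]
        # CONNECT (HTTPS) logs only host:port; plain requests carry a full URL.
        host = url.rsplit(":", 1)[0] if method == "CONNECT" else (urlparse(url).hostname or url)
        yield epoch, client, method, host


def attribute(dhcp_text, squid_text, blocklist=BLOCKLIST):
    """Return {mac: [(epoch, host, on_blocklist), ...]}; unattributable requests key on None."""
    leases = parse_dhcp(dhcp_text)
    report = defaultdict(list)
    for epoch, client, _method, host in parse_squid(squid_text):
        mac = who_had_ip(leases, client, epoch)
        report[mac].append((epoch, host, host in blocklist))
    return dict(report)


if __name__ == "__main__":
    for mac, hits in attribute(DHCP_LOG, SQUID_LOG).items():
        for epoch, host, flagged in hits:
            when = datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
            print(f"{when}  {mac or 'unknown'}  {host}  {'BLOCKLISTED' if flagged else ''}")
```

Two things worth noting from the output: the two hits on thepiratebay.org from 192.168.50.23 land on different MACs, because the lease changed hands between them, and the HTTPS request shows only the CONNECT host, which is all a proxy sees once the session is encrypted. Squid also only records what went through the proxy; a torrent client talking directly to peers never appears in access.log, so the DHCP timeline is the part that still applies when the evidence comes from Snort alerts or firewall logs instead.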


  • LAYER 8 Global Moderator

    Good luck, it can be a real whack-a-mole game to be sure. Like trying to block spam in email: you come up with X, and then they start doing Y.


  • Netgate Administrator

    If you have Snort/Suricata block the internal IP if it triggers and set the timeout to something low, users could soon learn not to do that. It would not have to catch every external IP then, just trigger once.
    Of course you would probably also get a load of false positives and people banging on your door!

    Steve



  • @WD_Doug Include use of P2P and Torrenting as violations in your employee computer use policy and fire the SOB. Worked for me.



  • @provels said in Best way using pfSense to block Torrent / P2P:

    @WD_Doug Include use of P2P and Torrenting as violations in your employee computer use policy and fire the SOB. Worked for me.

    +1

    I worked for a very large Fortune 500 corporation in the U.S., and that was exactly the policy in place. Depending on the particular severity of the offense, you got one free "forgiveness" (but a write up still went in your file to potentially be used against you at annual review time), but a subsequent offense got you the door (as in "out the door"). Some first-time offenses (such as a downloading/viewing or heaven forbid, distributing, porn) got you fired right away. No second chance.

