Limit torrent to microsoft update only
Good day. Please let me know how I can limit torrent traffic to Microsoft updates only, even when the user uses a VPN. My limited knowledge on this matter is that blocking known ports may not be effective because torrent clients can use other ports. Thank you in advance.
Please let me know if my request is impossible to implement, is not desirable, or will result in slower internet speed for users. In your case, how do you prevent a few torrent users from eating up a big part of the bandwidth?
Also, please let me know if there are any settings in the current setup that make it more vulnerable to torrent abuse:
1. WANfiber is a 100 Mbps fiber connection, distributed to VLANs for the Faculty, Students, Online Classrooms, and Guests groups
2. WANstarlink is a Starlink connection, distributed to a different VLAN that is used exclusively at the dormitory
3. The faculty dorm has access to WANstarlink, and also to WANfiber when faculty need to work from the dorm
4. Only the Online Classrooms VLAN requires MAC address registration. The other VLANs readily accept connections from any device that provides the correct WiFi password
5a. A Download Limiter and an Upload Limiter were created for WANfiber. For both of them a slightly lower value than the rated speed is placed in the Bandwidth. Mask is None. Queue Mgmt Algorithm is Tail Drop, Scheduler is FQ_CODEL, Queue Length is 1000, ECN is checked
5b. A queue was created under the limiters (one queue per group for each limiter) for the Faculty, Students, Online Classrooms, and Guests groups. Mask is None. The queue for Faculty is: Queue Mgmt Algorithm is Tail Drop, Weight is 45. The Weight value is the only difference between the queues for Faculty (45), Students (35), Online Classrooms (100), and Guests (20)
6a. A Download Limiter and an Upload Limiter were created for WANstarlink. For both of them a slightly lower value than the averaged speed is placed in the Bandwidth. Mask is None. Queue Mgmt Algorithm is Tail Drop, Scheduler is FQ_CODEL, Queue Length is 1000, ECN is checked
6b. A queue was created under the Download Limiter and another queue under the Upload Limiter for the dorm residents, with a Weight of 20. Mask is None. Queue Mgmt Algorithm is Tail Drop
7. These queues were assigned in the "In / Out pipe" under Firewall > Rules of the different groups. For example, for the Faculty the In Pipe is "QUL_Faculty" and its Out Pipe is "QDL_Faculty", and for the Dorm the In Pipe is "QUL2_Dorm" and its Out Pipe is "QDL2_Dorm"
8. There is no "acceptable use" document. This was discussed with Management and this was the decision
@richardsago said in Limit torrent to microsoft update only:
Please let me know if my request is impossible to implement or is not desirable or will result in a slower internet speed for users. In your case how do you prevent a few torrent users from eating up a big part of the bandwidth?
Not impossible.
It will take time. A lot of 'trial and error'.
What you call "torrent clients" is a concept that has been built by thousands of people over decades by now. Their goal is known to everybody, you and me included: hide, no matter what, this "P2P" traffic.
By hiding I mean: 90 % of the Ethernet packet is the payload, the actual data. It's TLS encrypted, so that part is done: nobody can see what goes on. Exactly like your browser visiting some web site: TLS is also used. The packet header (open the wiki page that tells you what this is): a source and destination IP. A source and destination port, UDP or TCP. Some general packet flags, a packet size, a time stamp and a sequence number.
All of these are close to random. So, now you're good to hear some reality: how could you, with firewall rules, match "random" traffic?
Short answer: you can't.
Longer answer: now you have to dive into the subject to understand that there are 'indicators' that can be used to inform controlling software, like Snort, that traffic might be P2P.
Snort uses sophisticated rules that, when applied to each packet, can give a match. The easy way out will be: create global Limiters for the local LAN devices that you suspect of using P2P. This is easy to maintain.
Or even better: why would you even allow people on your LAN that abuse your network?? You are the boss. You are the admin. You pay the bill. You decide. If one of these isn't true, then all this isn't your problem to begin with (and that's the best of all: no problem ^^). You correctly found a major issue already: Microsoft is using classic P2P also.
So if you can get your hands on a list of Microsoft IP addresses (they have this listed somewhere on the net) you can create a bypass rule for Microsoft-sourced P2P traffic. But why should you?
And this was the moment I continued reading your post, and saw that:
You have, for a school, a rather limited bandwidth.
And not much better Starlink ...... the school is definitely in the middle of nowhere ^^
Wait: a faculty? Then that's your easy way out: you can't block people that have decided to actually learn stuff. They will bypass whatever you do (*). It's back to step one: bandwidth-limit everybody so they all have their equal share. You don't care about Microsoft updates, as they can wait a couple of days and do that at home.
(*) Like: they connect to your network, then start a VPN, then fire up their P2P, and you can't do anything about it.
So, sorry, this won't be a "click here and done" solution. It needs a lot of studying to understand what can be done. And when you've figured out something, it needs to be redone, as P2P is evolving also.
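The 'indicators' and the Microsoft bypass that the reply above talks about, as an added Python example that is not part of this thread and is not code from pfSense or Snort. It applies one coarse indicator, peer fan-out (how many distinct remote endpoints a LAN host talks to on unprivileged ports), to a constructed flow log, skips destinations inside an allowlist of prefixes, and emits the flagged hosts in the one-address-per-line format a pfSense URL Table alias can fetch, so a firewall rule can steer those hosts into a penalty limiter the way the reply suggests. Everything specific here is an assumption for illustration: the flow records, the two allowlisted prefixes (RFC 5737 documentation ranges standing in for a real vendor-published list), the 20-peer threshold and the function names. Two caveats a practitioner should keep in mind: a client behind a VPN shows up as a single destination and is not caught by fan-out at all, and the peer side of Windows Delivery Optimization is other Windows devices rather than Microsoft addresses, so a Microsoft prefix list only exempts the service side of that traffic.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Placeholder prefixes standing in for a downloaded Microsoft address list.
# These are RFC 5737 documentation ranges, NOT real Microsoft space
# (assumption for the example; load the vendor-published list in practice).
ASSUMED_MS_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


@dataclass(frozen=True)
class Flow:
    """One flow record: LAN source, remote destination, destination port, protocol."""
    src: str
    dst: str
    dport: int
    proto: str


# Constructed flow log (assumption: the few fields a NetFlow/softflowd export
# would give us, nothing else).
SAMPLE_FLOWS = (
    # 10.0.20.5: a student laptop talking to 30 distinct remote peers on high UDP ports
    [Flow("10.0.20.5", f"192.0.2.{i}", 6881 + i, "udp") for i in range(1, 31)]
    # 10.0.20.9: a Windows box exchanging update blocks with 25 "Microsoft" addresses
    + [Flow("10.0.20.9", f"203.0.113.{i}", 7680, "tcp") for i in range(1, 26)]
    # 10.0.10.7: a faculty laptop doing ordinary web browsing plus two high-port flows
    + [Flow("10.0.10.7", "192.0.2.200", 443, "tcp"),
       Flow("10.0.10.7", "192.0.2.201", 443, "tcp"),
       Flow("10.0.10.7", "192.0.2.202", 80, "tcp"),
       Flow("10.0.10.7", "192.0.2.210", 5004, "udp"),
       Flow("10.0.10.7", "192.0.2.211", 5004, "udp")]
)


def is_allowlisted(ip, prefixes):
    """True if ip falls inside any bypass prefix (the 'Microsoft bypass' rule)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def peer_fanout(flows, prefixes, min_port=1024):
    """Distinct remote (dst, dport) endpoints per LAN host on unprivileged ports.

    Well-known service ports (HTTP, HTTPS, DNS, ...) are skipped so ordinary
    browsing does not count, and destinations inside the bypass prefixes are
    skipped so allowlisted vendor traffic does not count either.
    """
    peers = defaultdict(set)
    for f in flows:
        if f.dport < min_port or is_allowlisted(f.dst, prefixes):
            continue
        peers[f.src].add((f.dst, f.dport))
    return {host: len(p) for host, p in peers.items()}


def suspected_p2p_hosts(flows, prefixes, threshold=20):
    """LAN hosts whose fan-out reaches the threshold (threshold is an assumption to tune)."""
    return sorted(h for h, n in peer_fanout(flows, prefixes).items() if n >= threshold)


def alias_file(hosts):
    """One address per line: the text format a pfSense URL Table alias fetches."""
    return "".join(f"{h}\n" for h in hosts)


if __name__ == "__main__":
    print(peer_fanout(SAMPLE_FLOWS, ASSUMED_MS_PREFIXES))
    print(alias_file(suspected_p2p_hosts(SAMPLE_FLOWS, ASSUMED_MS_PREFIXES)), end="")
```

Run against the constructed log, only the 30-peer student host is flagged; the Windows box drops to zero because every destination sits inside the allowlist, and the same box counts 25 peers if the allowlist is empty. Fan-out is deliberately crude: it is one of the indicators Snort-style rule sets combine with payload patterns (handshake bytes, DHT messages), and on its own it will both miss VPN'd clients and occasionally flag legitimate many-peer applications, which is why the output is a candidate list for a penalty limiter rather than a block list.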
Thanks @Gertjan for replying. Previously, when the MAC addresses of all devices were required to be registered, I divided the bandwidth into different limiters and assigned the high-bandwidth users together into one limiter. But this resulted in lower available bandwidth for the other users.
The current setup is because of a management decision to:
- Remove the MAC Address registration of user's devices and
- Remove the limiters so that if only one device was connected then that one device gets to use all the bandwidth
I think the "acceptable use" document buy-in from management is my best option for now. But if I understand correctly, this can't be enforced because there's no way to know if a device is connecting to a torrent. Still, thank you very much for replying and sharing knowledge :)