Is layer 7 shaping working for anyone?



  • First a little background… I work for a small ISP that supplies internet services to hotels. Over the past 2 years our helpdesk staff has been battling a never-ending war with guests abusing the networks with P2P traffic. A handful of users running BitTorrent clients can make entire circuits unusable for all of the other guests. Since we have no administrative rights over any of the guest PCs, the traditional "limit traffic on a specific port" kind of QoS doesn't really work for us. Usually we have to block the offenders altogether via MAC filtering, or limit one user at a time by their MAC address to a specific amount of bandwidth. This inevitably creates helpdesk calls for all of the blocked guests… which we then yell at and let back on the network… however 90% of the people don't listen and we block them again… It's an endless cycle until we tell them they are no longer allowed to use the network… at which time we then have hotel management breathe down our necks because guests leave poor comments from getting blocked or from having no bandwidth due to the P2P traffic.

    So this is what has brought me here… I recently purchased an ALIX box that I have hoped to make a P2P killer with. Hell, even if I can find a way to limit the P2P traffic down to 5% of the network I would be incredibly happy. But I'm having issues with my configuration… I'm trying to make the box act as a transparent filter on the network, which would sit between the router and the server for the guest network. This box will not be able to see the individual clients, just their traffic all coming from the same IP.

    I have read through countless threads in here about the packet shaping but I have not come across any solutions that will help me in my quest to kill or at least significantly slow this specific traffic. Half the configurations I've tried have either had no effect at all, or slow down all traffic over the bridge to whatever I set as a limit. Since I haven't seen a BitTorrent client use the default ports you find listed everywhere in years, I figure it is time to try layer 7, but it refuses to pick up any protocol I've tried to block or limit… even HTTP!

    Any help or config snippets and rule examples would be greatly appreciated!



  • It will probably be easier to identify commonly used protocols and prioritise them than to penalize p2p.  Torrent L7 won't catch encrypted traffic so it's not exactly useful in this instance.

    i.e.  Penalize everything except what you identify as higher priority -> usually the common HTTP/ HTTPS/ FTP/ POP/ SMTP etc.



  • My problem with doing that is that I have no control over what these guests might be doing… I can't penalize their VPN traffic or anything that they might be legitimately going to that shouldn't impact the network.

    The other half of trying to kill BitTorrent traffic has to do with these properties constantly getting letters from their circuit providers about all the movies getting downloaded… I don't have a problem with us limiting the P2P downloads back to the dark ages of dial-up speed, but that would be the reason I want to kill it altogether.


  • L7 should be able to do this… if it cannot, then it doesn't work as it should. ISA 2006 has this built in, and it works very well.



  • @thegreathoe:

    my problem with doing that is that I have no control over what these guests might be doing… I can't penalize their VPN traffic or anything that they might be legitimately going to that shouldn't impact the network.

    Most of the stuff uses known ports. Web on 80, secure web on 443… fairly complete list at http://www.iana.org/assignments/port-numbers

    l2tp is on 1701, pptp is on 1723, isakmp is on 500 and so on (for vpn traffic examples).

    So it should be quite possible to do a "give these things normal priority and downgrade everything else into the basement" type approach. It's work intensive for you to first make a list of stuff you want to permit untouched and then implement the rules, and it still won't be bulletproof if the torrenters run their clients on a known port, but it might be better than nothing.
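The "known ports get normal priority, everything else goes into the basement" approach from the post above, modelled as a small runnable classifier. This is an added example, not code from the thread or from pfSense: the port table is taken from the ports named in the thread (HTTP, HTTPS, FTP, POP, SMTP, L2TP 1701, PPTP 1723, ISAKMP 500), the flow records are constructed, and the pf/ALTQ rule text that `pf_rules()` emits is an assumed illustration of the rule shape, not a tested configuration for any particular pfSense version. The last constructed flow shows the caveat the post itself raises: a client that is pointed at a known port is indistinguishable from the legitimate protocol on that port.

```python
"""Port-based priority shaping: whitelist known protocols into a normal
queue and let an HFSC default queue with an upper limit absorb the rest.

Added example for the thread above; not from the original post or pfSense.
Flow records are constructed. The pf/ALTQ lines are assumed syntax.
"""
from collections import defaultdict

# (proto, destination port) -> protocol name, as listed in the thread.
KNOWN_PORTS = {
    ("tcp", 80): "http",
    ("tcp", 443): "https",
    ("tcp", 21): "ftp",
    ("tcp", 110): "pop3",
    ("tcp", 25): "smtp",
    ("udp", 1701): "l2tp",
    ("tcp", 1723): "pptp",
    ("udp", 500): "isakmp",
}

NORMAL_QUEUE = "qNormal"
BASEMENT_QUEUE = "qBasement"  # default queue: anything not matched lands here


def classify(proto, dst_port):
    """Queue for one outbound guest flow. Only the destination port is
    consulted: the bridge sees a single NAT'd source address for every
    guest, so there is no per-user state to work with (as in the thread)."""
    if (proto, dst_port) in KNOWN_PORTS:
        return NORMAL_QUEUE
    return BASEMENT_QUEUE


def account(flows):
    """Bytes per queue for (proto, dst_port, bytes) records; shows how much
    of the link each queue would be competing for under this policy."""
    totals = defaultdict(int)
    for proto, dst_port, nbytes in flows:
        totals[classify(proto, dst_port)] += nbytes
    return dict(totals)


def pf_rules(interface, bandwidth="10Mb", normal_share=85):
    """Emit a two-queue HFSC setup plus one pass rule per known port.
    Assumed pf(4) ALTQ syntax; check against the pf.conf(5) of your release.
    The basement queue is the default and is capped with an upper limit,
    so unrecognised traffic can never starve the normal queue."""
    basement_share = 100 - normal_share
    lines = [
        f"altq on {interface} hfsc bandwidth {bandwidth} "
        f"queue {{ {NORMAL_QUEUE}, {BASEMENT_QUEUE} }}",
        f"queue {NORMAL_QUEUE} bandwidth {normal_share}% "
        f"hfsc(realtime {normal_share // 2}%)",
        f"queue {BASEMENT_QUEUE} bandwidth {basement_share}% "
        f"hfsc(default upperlimit {basement_share}%)",
    ]
    for (proto, port), name in sorted(KNOWN_PORTS.items(), key=lambda kv: kv[0][1]):
        lines.append(
            f"pass out on {interface} proto {proto} from any to any port {port} "
            f"queue {NORMAL_QUEUE}  # {name}"
        )
    return "\n".join(lines)


# Constructed sample: one hour of guest traffic seen on the bridge.
SAMPLE_FLOWS = [
    ("tcp", 443, 4_000_000),      # ordinary web browsing
    ("udp", 500, 200_000),        # corporate VPN negotiation, must not be penalised
    ("tcp", 51413, 30_000_000),   # encrypted torrent client on a random high port
    ("udp", 6881, 25_000_000),    # uTP torrent traffic
    ("tcp", 443, 12_000_000),     # caveat: a torrent client configured to use 443
]

if __name__ == "__main__":
    for queue, nbytes in sorted(account(SAMPLE_FLOWS).items()):
        print(f"{queue}: {nbytes} bytes")
    print(pf_rules("em1"))
```

The accounting function is the useful check before rolling rules out: run it over a sample of real flow records (e.g. exported from the bridge) and confirm the normal queue is carrying only what you expect; if it carries most of the bytes, a known port is being used for something else and the port list alone will not help.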

