A few users out of about 220 users use 80-90% of the bandwidth. Solutions?
-
Hi, I'm working at the IT department at a college where we have students who live nearby and some that live at our dorms…
For now we are using pfSense 2.0.1 as our firewall, but in a few months we will be changing to Palo Alto. We have a big problem with lots of students using torrents during the whole day. Since there is no way to block torrents completely in pfSense,
I was wondering, is there a way to specify how much bandwidth a user can have at a time etc.? Because now there are a few students who use up to 80-90% of the bandwidth at a time, and lots of students are complaining about slow speed. The bandwidth is supposed to be shared between ca. 220 students... Does pfSense have a way to fix this problem? As a basic pfSense installation or with a package? Not necessarily specifying bandwidth per user, but a way to share the speed equally...
Thanks in advance!
-André
-
Who says you can not block p2p on pfSense? It can be a very difficult thing to limit, yes, because the protocol is so robust. But you can filter it, sure.
So is your Palo Alto going to stop it?
For starters, vs letting every port you can think of outbound, limit to just the standard web ports 80, 443 - then allow other specific protocols as needed. But allowing all outbound ports for sure is going to allow for p2p.
You can turn on layer 7 filtering, which has rules for p2p. You could turn on a proxy that filters on category and lists, and could be used to block access to torrent search/listing sites like kickass and piratebay, etc.
-
Well, at least that is the answer I get most of the time when asking this question…
Yes, the Palo Alto is going to stop it.
Anyway, we have already configured ports, and p2p rules in layer 7 are in use, but this doesn't stop it.
Closing ports doesn't help much with blocking torrents when torrents also use port 80.
About the proxy, we do not want to start now with configuring a proxy on every single machine.
-
P2P traffic is hard to catch, because most of it is now encrypted (and btw there is quite a bit of legitimate content offered via P2P). Depending on your needs, a setup of pfSense with appropriate firewall & traffic shaping rules and forwarding http/https via a proxy should be good enough in most cases to ensure good use of your bandwidth.
I'd be interested to know how well PaloAlto works for you in practice, once you've deployed and used it for a few months.
-
Who said anything about having to set up anything on a client - just use a transparent proxy on pfSense.
"Yes, the Palo Alto is going to stop it."
Love to hear how that works out, please share once you have it up and running.
-
The reason why I thought you were talking about setting it up on the client is because we have asked this question before, but then we got told that it wouldn't help with a transparent proxy.
The main reason why we want to block p2p is because it takes too much bandwidth, not because it's illegal.
But since we use the pfSense as DHCP server, we have been able to get the IP of some of the worst students, and blocked those.
That stops them for a while at least, but surely IP and MAC addresses can be faked. When we have time, we will check out the transparent proxy and test how that works.
Sure I can share with you the result with Palo Alto; we are waiting for the release of a mid-priced package.
Thanks for your help.
-André
-
You want to use the proxy so you can enable category filtering; just using a proxy is not going to help much. But with filtering you can block access via categories to many p2p sites. And you also need to limit outbound port access. Why would a user need access to port 42312 outbound?? Well if they don't have that they could never talk to me in a swarm for p2p, for example. If they can not ask me for a piece of the torrent, I can not send them a piece of the file. Blocking all but standard ports should really reduce your traffic.
Sure websites work on 80. And sure maybe some p2p clients work on 80, but the VAST majority of p2p is run on random high ports. Many trackers even run on say 8080 vs just 80. So blocking these non-standard ports should drastically reduce the bandwidth being taken up by p2p.
Have you ever looked at the connections in a swarm - I don't recall ever seeing standard ports. Grab a p2p client, say transmission or deluge or utorrent – play with all of them and grab some linux distro isos ;) And look at your connections and what ports are used. They are 99% random high ports; this is how the clients work.
You need to understand how the protocol works if you want to block it.
-
Thanks for the reply.
We have blocked all high ports, the problem is with those that use torrents with port 80.
There are lots of people who have asked us to open high ports for online games, but we always check what uses those ports before we open them.
We have blocked a lot of ports for online games, so they won't use too much of the bandwidth.
Also, I use Linux on my desktop home & at work every day. :D
And yeah, torrents use random ports, or they can specify a port.
The normal user doesn't get torrents to work.
I have noticed that with the computers that are being delivered to us because of technical problems.
-
There are no torrents that run on 80. There would be nobody in the swarm. If you're seeing huge traffic on port 80, I would assume streaming video maybe, or downloads via http. Could be a proxy for torrents, sure.
Sure there might be a few people that run their torrent client on 80 - but it would be rare as shit!! I have never seen a connection to 80 for someone in the swarm.
I would look closer at the traffic if I were you. Doesn't sound like p2p to me if port - Are you seeing hundreds of connections to different IPs all over the planet from 1 IP on your end… Then that would be p2p. But to be honest prob users just streaming video. Sure they could be using a torrent proxy -- then block that!! There is a limited number of those, which is why you use a proxy to filter based upon url/category/keyword, etc.
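The "look closer at the traffic" advice above boils down to two patterns that can be told apart from per-host flow summaries: one internal host talking to hundreds of distinct peers on random high ports (swarm-like) versus one host moving a large share of the total bytes to a handful of web servers on 80/443 (streaming or bulk HTTP downloads). The script below is an added example, not code from this thread or from pfSense; the flow records are constructed stand-ins for what a state table, ntop or a NetFlow export would show, and the thresholds are assumptions to tune per site.

```python
from collections import defaultdict

STANDARD_PORTS = {80, 443}

# Constructed flow summaries (src, dst, dst_port, bytes); not real data.
FLOWS = [
    ("10.1.0.10", "203.0.113.5", 443, 300_000_000),  # big volume, two hosts
    ("10.1.0.10", "203.0.113.6", 443, 250_000_000),
    ("10.1.0.11", "198.51.100.1", 80, 2_000_000),    # ordinary browsing
] + [  # one host with 120 distinct peers on random high ports
    ("10.1.0.12", f"192.0.2.{i}", 40000 + i, 4_000_000) for i in range(1, 121)
]


def summarize(flows):
    """Per source host: total bytes, distinct peers, distinct high-port peers."""
    stats = defaultdict(lambda: {"bytes": 0, "peers": set(), "hp_peers": set()})
    for src, dst, dport, nbytes in flows:
        s = stats[src]
        s["bytes"] += nbytes
        s["peers"].add(dst)
        if dport not in STANDARD_PORTS:
            s["hp_peers"].add(dst)
    return stats


def classify(flows, min_peers=50, heavy_share=0.25, few_hosts=5):
    """Label each host: swarm-like, bulk-http or normal (thresholds assumed)."""
    stats = summarize(flows)
    total = sum(s["bytes"] for s in stats.values()) or 1
    labels = {}
    for src, s in stats.items():
        share = s["bytes"] / total
        if len(s["hp_peers"]) >= min_peers:
            label = "swarm-like"   # many peers on random high ports
        elif share >= heavy_share and len(s["peers"]) <= few_hosts:
            label = "bulk-http"    # big share of bandwidth to a few web hosts
        else:
            label = "normal"
        labels[src] = (label, round(share, 3), len(s["peers"]))
    return labels


if __name__ == "__main__":
    for host, (label, share, peers) in sorted(classify(FLOWS).items()):
        print(f"{host:12} {label:11} share={share:.1%} peers={peers}")
```

Hosts tagged bulk-http are candidates for a per-host shaper rather than a p2p block; swarm-like hosts are the ones to match against the outbound high-port rules discussed above.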
-
There is no technical reason why it can not run on port 80, 80 is just another number between 1 and 65535.
I have set up SNORT to filter P2P. It blocks many hosts. However, it has no effect on the ability of the torrent to download at fast speeds.
Have you looked into throttling the bandwidth? Then they can run whatever torrent they want, but it will be limited in speed. You could block ports 80 and 443 and require an HTTP proxy to be used, that would prevent most non-HTTP(s) traffic from passing, and you can allow quick speeds on those ports, and then e.g. throttle the other ports to 100kb/sec.
-
I agree there is no technical reason other than people don't do it. Many ISPs block inbound port 80 because you're not supposed to run servers on your connection, etc.
I have never ever seen a port 80 connection in any swarm I have looked at; is it possible that some people run on it - sure, highly highly unlikely if you ask me.
And running a http proxy as suggested would, as you state, prevent non-http type traffic, ie p2p through the proxy at this port. Unless the client is proxy aware and can run over a http proxy. But either way you would have access to these connections and where they are going and could block them very easily via the proxy then.
-
What switches do you have? If you have any Cisco managed switches you should be able to figure out which ports the offenders are on, and just throttle those ports. The other thing you can do is what joako said. The people in the dorms should already be on their own vlan, so just throttle anyone on that vlan to like 3000 / 250 kbits.
The other option that isn't IT's favorite is just giving them the piece of paper saying stop torrenting or you're going to be kicked out. Obviously it would depend upon how your relationship is with other departments for that to work.
Captive Portal would also be a very good solution to tying a specific user to their bandwidth usage. You can limit people per user and have a hard timeout after x number of hours. I know a few other colleges that implemented something like that for dorm students. They have to login with their user name and password, which you can use to give you IP / Mac binding to that user. Then it doesn't matter if they try to switch to 5 other devices you can set a limit so they only have x amount of bandwidth and are only allowed so many devices at a time. The hard timeout just makes it so that if they are trying to download something and find a way around, they have to be present in the room to log back in otherwise everything just stops.
-
No, all switches are Netgear… There is only one of the dorms that uses a wired network, the others... wireless...
About the paper... when they first came to the school, they all had to sign a form and by that agreeing to not use the network for illegal things...
When we get Palo Alto, we will change to logon with specific username and password...
Is there a guide for how to set a max bandwidth limit per user based on connected users?
We have started to block IPs based on who we notice use a lot of bandwidth when we check in on the traffic graph... but IPs and MAC addresses can also be faked...
Using ntop has shown that HTTP has been using a lot of bandwidth as well... but it's also possible to disguise traffic as http traffic...
-
"Using ntop has shown that HTTP has been using a lot of bandwidth as well… but it's also possible to disguise traffic as http traffic..."
Yeah the kids are all computer majors and they are all using p2p over http.. Or maybe it's just them streaming videos off youtube ;) Why don't you actually look at the traffic and see what it is versus guessing and thinking it's users.
"IPs and MAC addresses can also be faked..."
Faked?? Kind of hard to FAKE your IP or even your MAC that you're actually moving traffic back and forth on. Can you spoof your IP for say a dos, sure. Can you change your MAC to get a different IP, again yeah sure.
Not sure what the point of that comment was. If you locked your network down correctly, it would not matter if they changed their MAC - they just wouldn't get on then. Since only a specific MAC could use a specific port (dorm room).
You know exactly who is registered to which mac. If you see illegal activity, you call them on it, etc..
-
I've had good success tossing in Untangle in-line behind pfSense and using the application blocker to filter and block torrent traffic. If you are running your pfSense on a virtual stack, adding Untangle to the mix is a breeze and you can pull it out/put it back in-line with nary a packet drop.
-
Use OpenDNS.org as your DNS. Just open ports 80, 443, 53. Set your squid to transparent mode. Add a firewall rule on LAN for the proxy port, e.g. 3128. Use the DNS forwarder and you're done.
I've tested it. Even if the user changes DNS, it still won't work. Hope this helps.
jigp