
Blocking P2P


beengone

Occasional Visitor
I've spent a ton of time reading all over about blocking P2P traffic. I have a client who received a notice that someone on their network was sharing out illegal content. So, now I need to find a way to stop that from happening again. From what I've read it may be impossible to really make this happen due to variable ports, encryption, etc. used by many modern P2P clients. From what I've read there are a few courses of action. Could someone confirm or write up a short, simple article on the most effective way to block P2P traffic? Here's what I think I know:

  1. Block applications if possible. New clients mean additions to the list.
  2. Block trackers. This only works if the client uses trackers.
  3. Use QoS rules to throttle use. Doesn't really protect an open network owner, just slows down transfers.

I'm sure I must be missing something somewhere, but can't find anything else helpful. I'm thinking about just blocking all but ports 80, 443, 25, 587 and a handful of others for the guest VLAN. Is that what many of you do? What's the best way to protect against this type of problem?
 
On my network I have it set up in such a way that the only ports which are open are 80, 443, 22, 21, and so far no problems with this method. If needed I can open others on demand for a set duration.

My router is an ASUS RT-AC68U if that helps.
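The port allowlist described in the two posts above, written out as iptables rules (an added example, not posted by anyone in this thread). The guest bridge `br1`, WAN interface `eth0`, chain name `GUEST_EGRESS`, the DNS rules and the availability of the `multiport`, `conntrack`, `limit` and `LOG` modules on the router firmware are assumptions.

```shell
#!/bin/sh
# Added example: prints iptables commands for a guest-VLAN egress allowlist.
# Nothing is applied until the output is reviewed and piped to sh on the router.
GUEST_IF="${GUEST_IF:-br1}"              # assumed guest VLAN bridge name
WAN_IF="${WAN_IF:-eth0}"                 # assumed WAN interface name
TCP_PORTS="${TCP_PORTS:-80,443,25,587}"  # ports named in the first post
CHAIN="GUEST_EGRESS"                     # hypothetical chain name

# Accept only a comma-separated list of 1..15 ports, each in 1..65535
# (15 is the limit of a single multiport match).
valid_ports() {
    case "$1" in ''|*[!0-9,]*|,*|*,|*,,*) return 1 ;; esac
    count=0
    for p in $(echo "$1" | tr ',' ' '); do
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -le 15 ]
}

emit_rules() {
    # Refuse anything that could smuggle shell syntax into the generated commands.
    case "$GUEST_IF$WAN_IF" in ''|*[!A-Za-z0-9._-]*)
        echo "invalid interface name" >&2; return 1 ;;
    esac
    valid_ports "$TCP_PORTS" || { echo "invalid port list: $TCP_PORTS" >&2; return 1; }
    cat <<EOF
iptables -N $CHAIN
iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -p udp --dport 53 -j ACCEPT
iptables -A $CHAIN -p tcp --dport 53 -j ACCEPT
iptables -A $CHAIN -p tcp -m multiport --dports $TCP_PORTS -j ACCEPT
iptables -A $CHAIN -m limit --limit 6/min -j LOG --log-prefix "GUEST-DROP "
iptables -A $CHAIN -j DROP
iptables -I FORWARD -i $GUEST_IF -o $WAN_IF -j $CHAIN
EOF
}

# Print the rule set; the FORWARD jump is emitted last so the chain is
# complete before any guest traffic is sent through it.
emit_rules
```

The rate-limited `GUEST-DROP` log entries show which guest hosts keep trying ports outside the list, which helps identify the device running a P2P client. A client that runs over an allowed port such as 443 still passes this filter.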
 
@Hawk: Please consider posting a screenshot and RT-AC68U firmware version and any other info (links, etc.) that you deem helpful. I have two RT-AC68U devices:

DETAILS
=======
#1 RT-AC68U Gateway =192.168.8.1 = (Merlin Firmware)
#2 RT-AC68U R-Bridge =192.168.8.3 = RT-AC68U (DD-WRT v3.0-r27343)

GOALS
=====
Manage access to the DD-WRT repeater bridge. Specifically, implement controls at the R-Bridge:

A) No torrenting; YouTube or similar is fine
B) Administrator to control wifi access via MAC address
C) No traffic from wired-in access points into R-Bridge.

These controls are important because I want to limit which devices can access wifi AND prevent any issues.

QUESTIONS:
==========
1) Is it possible to engage DD-WRT (Device #2) to implement controls A) & B)? The goal is to have separate controls at the gateway.

2) Is it necessary / desirable / advantageous to create a separate guest wifi network and attach the device #2 to it via wifi? If yes, continue to use R-bridge mode?

3) Can wired device access be controlled at the R-Bridge via MAC address? or is there a better way?
 
I wouldn't block all p2p traffic. Skype for example uses p2p, Akamai uses p2p, torrents use p2p. Even some games like GTA 5 and Space Engineers are p2p based.

Instead of targeting p2p traffic, target the protocol/ports instead.
 
You need to run a software UTM firewall like Untangle or Sophos UTM Essential Security Firewall. These are the free versions I can think of. There are many paid versions of UTM firewalls out there. Some very expensive.

P2P can hop on different lower ports so you will not be able to block it with a router. You need a robust firewall.
 
