Blocking torrents on my network

MamaLing

Occasional Visitor
Hi everyone!

I'm looking for a solution to block torrenting on my network. I think the best solution would be to use a Pi-hole and add torrent tracker servers to the blocklist. However, I want to prevent other users on the network from bypassing Pi-hole: if they manually set another DNS server on their devices, blocking won't work. So what I'm thinking is to re-route the most common public DNS server addresses to my local Pi-hole. How can I do that? I have an Asus RT-AC86U with the newest Asus-Merlin. Routing clients through VPN isn't working on my router, unfortunately. Could you suggest any other solution for my problem?
 
There are literally thousands of trackers available, and it's common to see torrents with 20+ these days, so filtering is going to be very difficult. Port blocking is out, as BitTorrent can use any port, TCP or UDP.
If they run it through a VPN it's gonna make life difficult.
I'm sure there will be a filter list somewhere for skynet but a quick search returns nothing updated more recently than 2yrs ago.
 
Another approach might be to set quotas on download volumes for certain clients, or limit download speeds. IIRC, there was a thread or two and perhaps a script that aimed to do that (might be a couple of years back).
 
I wouldn't mind if torrent traffic went through VPN on the router, but that's not an option for me because VPN redirection isn't working on my router, perhaps because of a bug. I'm just concerned about torrenting for legal reasons; I don't want to get into trouble because of some user on my network.
 
I wouldn't mind if torrent traffic went through VPN on the router, but that's not an option for me because VPN redirection isn't working on my router, perhaps because of a bug. I'm just concerned about torrenting for legal reasons; I don't want to get into trouble because of some user on my network.
Then use a VPN client on the PC that's doing the torrenting. Or fix the problem you had with VPN Director.
 
A few older discussions (some very old):
And from one of those discussions is this very old link on updating iptables to block torrent traffic:
 
BitTorrent clients haven't used fixed UDP ports for over a decade. They use random ports on TCP and UDP.
The actual client uses specific ports depending on which client you're using. You could also target the tracker ports, as they don't change. Or get a layer 7 firewall and block by program type. Even iptables in Linux can block by program or traffic type.
 
The actual client uses specific ports depending on which client you're using. You could also target the tracker ports, as they don't change. Or get a layer 7 firewall and block by program type. Even iptables in Linux can block by program or traffic type.
That's old skool. Transmission can use any TCP/UDP port, selected at random on start/restart. It can also use port 80 or 443 to get around blocks. Most other clients are the same.
Edit
Extract from my config file
Code:
    "peer-port": 54279,
    "peer-port-random-high": 65535,
    "peer-port-random-low": 49152,
    "peer-port-random-on-start": true,
You may be thinking of the UI port, which the default for transmission is 9091. But that can also be changed.
 
The actual client uses specific ports depending on which client you're using.
Not on any of the clients I've used in recent years. They use multiple techniques and multiple ports to avoid being blocked.

You could also target the tracker ports, as they don't change. Or get a layer 7 firewall and block by program type. Even iptables in Linux can block by program or traffic type.
A combination of blocking the trackers and DPI is probably the best you can do nowadays, and even that isn't foolproof.
 
Detecting torrent traffic can only be done through DPI. Ports are randomized. Remote trackers may very well listen on ports 53 or 443 to bypass firewalls/blocking.
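
The replies above disagree on whether iptables can "block by traffic type". As an added example that is not from the thread, this is what that amounts to in practice: string matches on the plaintext markers BitTorrent leaves in a packet regardless of the randomised port. It assumes the router kernel has the xt_string match module and that the LAN bridge is br0 (as on the RT-AC86U); the interface variable and the firewall-start path are assumptions. The caveat is the one the thread itself makes: peer connections using Message Stream Encryption and HTTPS trackers carry none of these markers, so this only catches unencrypted traffic.

```shell
#!/bin/sh
# Signature-based BitTorrent filtering with iptables string matching.
# Added example, not taken from the thread. It assumes the router kernel ships
# the xt_string match (check with "iptables -m string --help" on the router)
# and that the LAN bridge is br0, as on the RT-AC86U.
#
# Ports are random, but the protocol itself leaves fixed plaintext markers:
#   - the peer-wire handshake begins 0x13 "BitTorrent protocol" (also inside uTP)
#   - DHT messages are bencoded: "d1:ad2:id20:" opens a query, "1:y1:r" marks a reply
#   - HTTP tracker announces contain "info_hash=" in the request line
# Caveat: Message Stream Encryption (on by default in Transmission, qBittorrent
# and uTorrent) and HTTPS trackers hide all of these, so this only catches
# unencrypted peers and plain-HTTP trackers. It is a speed bump, not a wall.

LAN_IF="${LAN_IF:-br0}"

# Signature table: protocol|marker|description (one per line).
bt_signatures() {
  cat <<'EOF'
tcp|BitTorrent protocol|peer-wire handshake over TCP
udp|BitTorrent protocol|peer-wire handshake inside uTP
udp|d1:ad2:id20:|DHT query
udp|1:y1:r|DHT reply
tcp|info_hash=|HTTP tracker announce
EOF
}

bt_signature_count() { bt_signatures | wc -l | tr -d ' '; }

# Build a FORWARD rule spec (everything after "iptables -A") for one signature.
# --algo bm is Boyer-Moore, the cheaper of the two matchers for short patterns.
bt_rule_spec() {
  proto="$1"; marker="$2"; lan="$3"
  printf 'FORWARD -i %s -p %s -m string --algo bm --string "%s" -j DROP' "$lan" "$proto" "$marker"
}

# Add each rule only if it is not already present, so re-running
# /jffs/scripts/firewall-start does not pile up duplicates.
apply_bt_rules() {
  bt_signatures | while IFS='|' read -r proto marker desc; do
    spec=$(bt_rule_spec "$proto" "$marker" "$LAN_IF")
    sh -c "iptables -C $spec" 2>/dev/null || sh -c "iptables -A $spec"
  done
}

if [ -d /jffs ] && [ "$(id -u)" = 0 ]; then
  apply_bt_rules          # running on the router as firewall-start
else
  # Anywhere else: just print the rules that would be installed.
  bt_signatures | while IFS='|' read -r proto marker desc; do
    echo "# $desc"
    echo "iptables -A $(bt_rule_spec "$proto" "$marker" "$LAN_IF")"
  done
fi
```

Run on a PC it prints the five rules; on the router, saved as /jffs/scripts/firewall-start, it installs them. Expect the hit counters (iptables -L FORWARD -v) to move for DHT and plain trackers and stay flat for encrypted peer connections, which is exactly why the thread calls this approach old school.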
 
The actual client uses specific ports depending on which client you're using.
An example. uTorrent has the option to randomize the port including when one starts the application.
[utorrent.jpg: screenshot of uTorrent's connection settings showing the port-randomization option]

Other Torrenting clients (like qBittorrent) I've seen have similar options to randomize the port.
 
As others have said, it can't really be done. The best you can do is put in bandwidth limiters to make torrenting painfully slow. Or you can put up a captive portal with legal disclaimers and jargon, including that traffic is monitored and logged and will be turned over upon request for illegal actions. Or something like that, which is how a lot of hotels and public wifi attempt to mitigate the risk.

As for blocking DNS outside Pi-hole, it can be done fairly easily with higher-end router software like pfSense, where you can configure firewall rules to block LAN queries to known DNS servers, which forces the clients to use the DNS resolver that you set up, but I'm not sure if Asus routers can handle that.
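
Asus-Merlin can do the same thing the pfSense suggestion above describes, and it answers the original question about re-routing hard-coded public DNS servers to the Pi-hole. The following is an added example, not code from the thread or from the Merlin project: an iptables nat-start script. The Pi-hole address 192.168.1.2, the br0 LAN bridge and the variable names are assumptions. Two details matter in practice and are handled in the code: the Pi-hole itself must be excluded or its upstream lookups loop back to it, and because the Pi-hole is on the same LAN its reply would reach the client from the "wrong" address unless redirected queries are masqueraded through the router.

```shell
#!/bin/sh
# /jffs/scripts/nat-start : force every LAN client's plain DNS through the Pi-hole.
# Added example, not from the thread. Assumed values: Pi-hole at 192.168.1.2 on
# the LAN bridge br0 (RT-AC86U); "Enable JFFS custom scripts and configs" must be
# on and the file executable for Merlin to run it.
#
# A client that hard-codes 8.8.8.8 or 1.1.1.1 still sends plain DNS on port 53,
# so the PREROUTING rule rewrites the destination to the Pi-hole. Because the
# Pi-hole sits on the same LAN, its answer would otherwise go straight back to
# the client with the wrong source address and be discarded; the POSTROUTING
# MASQUERADE makes redirected queries appear to come from the router so the
# reply returns through conntrack and is un-NATed. Side effect: those clients
# show up in the Pi-hole query log as the router's IP. DNS-over-TLS (853) cannot
# be rewritten into a plain resolver, so it is rejected; DNS-over-HTTPS on 443
# is not caught by any of this.

PIHOLE_IP="${PIHOLE_IP:-192.168.1.2}"
LAN_IF="${LAN_IF:-br0}"

# nat/PREROUTING: the Pi-hole is excluded as source (its upstream queries must
# leave the LAN) and as destination (queries already aimed at it are fine).
dns_redirect_spec() {
  proto="$1"; pihole="$2"; lan="$3"
  printf 'PREROUTING -i %s ! -s %s -p %s --dport 53 ! -d %s -j DNAT --to-destination %s:53' \
    "$lan" "$pihole" "$proto" "$pihole" "$pihole"
}

# nat/POSTROUTING: only connections that were actually DNATed get masqueraded,
# so clients that query the Pi-hole directly keep their own IP in its log.
dns_masq_spec() {
  proto="$1"; pihole="$2"; lan="$3"
  printf 'POSTROUTING -o %s -d %s -p %s --dport 53 -m conntrack --ctstate DNAT -j MASQUERADE' \
    "$lan" "$pihole" "$proto"
}

# filter/FORWARD: refuse DoT so clients fall back to plain DNS (which is redirected).
dot_reject_spec() {
  lan="$1"; pihole="$2"
  printf 'FORWARD -i %s ! -s %s -p tcp --dport 853 -j REJECT --reject-with tcp-reset' "$lan" "$pihole"
}

# Insert a rule only if an identical one is absent: nat-start re-runs on every
# WAN event and duplicates would otherwise accumulate. -I puts our rules ahead
# of the firmware's own.
ensure_rule() {
  table="$1"; spec="$2"
  sh -c "iptables -t $table -C $spec" 2>/dev/null || sh -c "iptables -t $table -I $spec"
}

apply_dns_rules() {
  for proto in udp tcp; do
    ensure_rule nat "$(dns_redirect_spec "$proto" "$PIHOLE_IP" "$LAN_IF")"
    ensure_rule nat "$(dns_masq_spec "$proto" "$PIHOLE_IP" "$LAN_IF")"
  done
  ensure_rule filter "$(dot_reject_spec "$LAN_IF" "$PIHOLE_IP")"
}

if [ -d /jffs ] && [ "$(id -u)" = 0 ]; then
  apply_dns_rules         # running on the router as nat-start
else
  # Off the router, print what would be installed.
  for proto in udp tcp; do
    echo "iptables -t nat -I $(dns_redirect_spec "$proto" "$PIHOLE_IP" "$LAN_IF")"
    echo "iptables -t nat -I $(dns_masq_spec "$proto" "$PIHOLE_IP" "$LAN_IF")"
  done
  echo "iptables -I $(dot_reject_spec "$LAN_IF" "$PIHOLE_IP")"
fi
```

To check it on the router, `iptables -t nat -S PREROUTING` should list the two DNAT rules, and from a client `nslookup example.com 8.8.8.8` should return an answer that still reflects the Pi-hole's blocklist. This closes the plain-DNS bypass only; a client running its own VPN or DoH still gets around it, which is the thread's recurring point.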
 
It may not be a good idea, but you can install merlin clash and run a vless client config. The vless server (Intel/AMD) can be set up on your local network using this script:


All users connected to your AC86U cannot bypass this measure except by using a VPN.
 
