guest wifi -how to disable torrent downloads

[greggy101]

Does anyone know if there is a simple way (or any way possible) to restrict/disable all torrent downloads for the clients on the guest wifi ? (without knowing their MAC's upfront)
Any help would be greatly appreciated!

87U 378_50

 

[rodak]

Not possible since torrents can be encrypted.

Sent from my LG-D802 using Tapatalk

 

[rumblpak]

Not possible since torrents can be encrypted.

Sent from my LG-D802 using Tapatalk

That's not necessarily true. You could technically implement a firewall that has a whitelist of allowed outbound services and drop everything else.

 

[greggy101]

That's not necessarily true. You could technically implement a firewall that has a whitelist of allowed outbound services and drop everything else.

Any idea how to?

 

[Martineau]

Any idea how to?

The following illustrates how outbound services allowed on Guest 2.4GHz SSID #1 can be limited to a whitelist:

GUEST_IF="wl0.1"

iptables -I FORWARD -i $GUEST_IF -j DROP
iptables -I FORWARD -i $GUEST_IF -p tcp -m multiport --dports http,https,imap,smtp,pop3,sftp,ftp,imaps -j ACCEPT

 

[greggy101]

The following illustrates how outbound services allowed on Guest 2.4GHz SSID #1 can be limited to a whitelist:

GUEST_IF="wl0.1"

iptables -I FORWARD -i $GUEST_IF -j DROP
iptables -I FORWARD -i $GUEST_IF -p tcp -m multiport --dports http,https,imap,smtp,pop3,sftp,ftp,imaps -j ACCEPT

So, the same for Guest 5Ghz?

Thanks!

 

[beady_uk]

I am looking to do this on an Asus RT-AC87U router running latest merlin firmware. I am a bit new to this so could someone explain how to implement the above.

Thanks

 

[System Error Message]

torrents use the torrent protocol that is UDP based. Its easier to do this using layer 3 but on layer 2 you would need a special router for that such as from mikrotik which you can tag packets from layer 2 coming from an interface and than pass them to layer 3 firewall to filter. This sort of filtering requires the traffic going through the CPU. I havent seen a layer 2 firewall from ubiquiti yet.

So even if torrents were encrypted it would still be using the same protocol and would require the router to recognise it. encrypting torrents is only so no one knows what you're sharing and probably a way against some network based malware injection but it doesnt help if someone on the torrent network is a tracker or giving an infected file.

 

[beady_uk]

torrents use the torrent protocol that is UDP based. Its easier to do this using layer 3 but on layer 2 you would need a special router for that such as from mikrotik which you can tag packets from layer 2 coming from an interface and than pass them to layer 3 firewall to filter. This sort of filtering requires the traffic going through the CPU. I havent seen a layer 2 firewall from ubiquiti yet.

So even if torrents were encrypted it would still be using the same protocol and would require the router to recognise it. encrypting torrents is only so no one knows what you're sharing and probably a way against some network based malware injection but it doesnt help if someone on the torrent network is a tracker or giving an infected file.

So would blocking everything except http & https would have no effect?

 

[System Error Message]

blocking everything except those 2 will block torrents unless the torrent is using a http proxy. A lot of things are important for the internet to function and use UDP. NTP and DNS are the important ones.

 

[beady_uk]

blocking everything except those 2 will block torrents unless the torrent is using a http proxy. A lot of things are important for the internet to function and use UDP. NTP and DNS are the important ones.

So would you be able to assist me in blocking torrents somehow? Thanks for the assistance so far

 

[System Error Message]

I cannot help you with blocking, if you use an asus router you can try RMerlin's firmware and some IPTable examples. If you were using mikrotik i could help you block torrents coming from wifi only.

 

[beady_uk]

I cannot help you with blocking, if you use an asus router you can try RMerlin's firmware and some IPTable examples. If you were using mikrotik i could help you block torrents coming from wifi only.

I am using merlin firmware but do not know where to start with ip tables. Looking for guidance

 

[System Error Message]

https://www.digitalocean.com/community/questions/updating-iptables-to-block-torrent-traffic
this should help, it doent hurt to google around if you cant find it on this forums.
He is doing it for his vpn whereas you're doing it for your internet so make sure to check which interface he is applying it on.

 

[Nullity]

You cannot really block torrents. You can setup really complicated firewalling and perhaps hinder it, but completely blocking is practically impossible, without severely limiting the places & services that you allow connections to/from.


Another method would be to not allow any IP to saturate the connection, by using traffic-shaping or traffic-policing. With pfSense you can use limiters (FreeBSD dummynet) to dynamically share bandwidth proportionally among active LAN IPs. This means 3 users downloading on a 3mbit connection would be rate-limited to 1mbit each, but if there is bandwidth available/unused, anyone can use all (or most, depending on how you configure it).Traffic-shaping is a simpler way of dealing with hostile/greedy traffic.


As I understand it, blocking torrents is not the preferred method of dealing with it's traffic, since it can use any TCP or UDP port along with encryption.