Peer to Peer Traffic Control

Document revision: 1.5 (Thu Sep 16 11:03:16 GMT 2004)
Applies to: V2.8

General Information

Summary

This manual section describes the techniques needed to control traffic from peer-to-peer (P2P) networks. Peer-to-peer is a concept whereby one individual host communicates directly with another, as opposed to each client referring to a common hub or server. This type of network connection allows users to share various information, including audio and video files and application programs. Uncontrolled P2P connections take all the available bandwidth and leave no room for other activities (such as mail or HTTP browsing).

Quick Setup Guide

To drop all p2p application packets:

[admin@MikroTik] ip firewall rule forward> add action=drop p2p=all-p2p

Specifications

Packages required: system
License required: Level1 (limited to 1 firewall rule), Level3
Submenu level: /ip firewall, /ip firewall mangle, /queue
Hardware usage: Increases with rule count

Related Documents

Description

RouterOS is able to recognize connections of the most popular P2P protocols:

Notes

The Connection Tracking facility (/ip firewall connection tracking) must be enabled if you want to track Peer-to-Peer protocols.

It is impossible to recognize peer-to-peer traffic from the first packet; only already established connections can be matched. This also means that if source NAT treats Peer-to-Peer traffic differently from regular traffic, Peer-to-Peer programs will not work (the typical case is policy routing that sends regular traffic through one interface and Peer-to-Peer traffic through another).

The filter will work only if it sees the traffic coming from both directions.

Traffic Marking

Submenu level: /ip firewall mangle

Description

Peer-to-peer traffic marking, provided by the Mangle facility, labels the traffic for later processing by the firewall filters or queues.

Property Description

mark-connection (text; default: "") - change connection mark of the packet to this value

mark-flow (text; default: "") - change flow mark of the packet to this value

p2p (any | all-p2p | bit-torrent | direct-connect | fasttrack | soulseek | blubster | edonkey | gnutella | warez; default: any) - match Peer-to-Peer (P2P) connections:
all-p2p - match all known P2P traffic
any - match any packet (i.e., do not check this property)

Traffic Filtering

Submenu level: /ip firewall

Description

RouterOS gives you the ability to filter out traffic generated by P2P networks.

Property Description

action (accept | drop | jump | passthrough | reject | return; default: accept) - action to undertake if the packet matches the rule, one of:
accept - accept the packet. No action, i.e., the packet is passed through without undertaking any action, except for mangle, and no more rules are processed in the relevant list/chain
drop - silently drop the packet (without sending the ICMP reject message)
jump - jump to the chain specified by the value of the jump-target argument
passthrough - ignore this rule, except for mangle, go on to the next one. Acts the same way as a disabled rule, except for ability to count and mangle packets
reject - reject the packet and send an ICMP reject message
return - return to the previous chain, from where the jump took place

connection (text; default: "") - connection mark to match. Only connections (including related ones) marked in mangle are matched

flow (text) - flow mark to match. Only packets marked in mangle are matched

jump-target (name) - name of the target chain, if the action=jump is used

p2p (any | all-p2p | bit-torrent | direct-connect | fasttrack | soulseek | blubster | edonkey | gnutella | warez; default: any) - match Peer-to-Peer (P2P) connections:
all-p2p - match all known P2P traffic
any - match any packet (i.e., do not check this property)

Traffic Limiting

Submenu level: /queue

Description

You can limit peer-to-peer traffic to a given number of Kbits per second or give it lower priority than, for example, HTTP traffic.

It is also possible to prioritize small file downloads over large ones using queue bursts.

Application Examples

Summary

This section will give you two examples of typical peer-to-peer traffic control configurations.

Cumulative Bandwidth Limiting

Consider the following example:

Aggregate P2P Traffic Control

Suppose we need to drop all the P2P traffic coming from the Internet, but allow use of the WinMX client between two offices, limiting it to 284 Kbps in both directions. You need to do the following:

Per Address Queuing

Suppose we want to limit each P2P user to a given amount of Kbps. This can be done on a per-address basis.

Per User P2P Traffic Control

We should define a custom queue type with kind=pcq to accomplish the task. Each user's upload and download rates will then be limited to the pcq-rate value in the relevant queue.
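An added example configuration (not the manual's own listing for the two scenarios above) that ties the facilities together: mangle marks recognised P2P connections, the forward filter drops them except between two office subnets, and a pcq queue type caps each remaining P2P user per address. The p2p, mark-connection, mark-flow, connection, action, kind=pcq and pcq-rate properties are the ones documented on this page; the subnets, mark names, rates, the src-address/dst-address matchers, the queue-tree parents and max-limit, and the pcq-classifier parameter are assumptions about RouterOS 2.8 syntax.

```routeros
# Added example, not the manual's own configuration for these scenarios.
# Subnets, mark names, rates and the queue-tree / queue-type parameters
# other than kind=pcq and pcq-rate are assumed RouterOS 2.8 syntax.

# --- Marking (common to both scenarios) ---
# Connection tracking must be enabled. P2P is recognised only after the
# connection is established and only if the router sees both directions,
# so the packets that do match get both a connection mark (for the filter)
# and a flow mark (for the queues).
/ip firewall mangle add p2p=all-p2p mark-connection=p2p-conn mark-flow=p2p comment="mark recognised P2P"

# --- Scenario 1: aggregate control ---
# Allow P2P only between the two offices (assumed 10.1.0.0/24 and 10.2.0.0/24)
# and drop every other P2P connection, i.e. those coming from the Internet.
/ip firewall rule forward add connection=p2p-conn src-address=10.1.0.0/24 dst-address=10.2.0.0/24 action=accept
/ip firewall rule forward add connection=p2p-conn src-address=10.2.0.0/24 dst-address=10.1.0.0/24 action=accept
/ip firewall rule forward add connection=p2p-conn action=drop comment="drop all other P2P"
# Cap the permitted office-to-office P2P at 284 Kbps in each direction
# (assumed: global-in/global-out tree parents and max-limit in bits/s).
/queue tree add name=p2p-office-down parent=global-out flow=p2p max-limit=284000
/queue tree add name=p2p-office-up parent=global-in flow=p2p max-limit=284000

# --- Scenario 2: per-address control (used instead of the drop rule above) ---
# A pcq queue type gives every address its own sub-queue limited to pcq-rate
# (assumed 64 Kbps here); classify by dst-address for downloads and by
# src-address for uploads so each user is limited separately in each direction.
/queue type add name=p2p-pcq-down kind=pcq pcq-rate=64000 pcq-classifier=dst-address
/queue type add name=p2p-pcq-up kind=pcq pcq-rate=64000 pcq-classifier=src-address
/queue tree add name=p2p-users-down parent=global-out flow=p2p queue=p2p-pcq-down
/queue tree add name=p2p-users-up parent=global-in flow=p2p queue=p2p-pcq-up
```

Verify with /ip firewall connection print that P2P connections carry the p2p-conn mark before relying on the filter or queue rules, since unmarked first packets of a new connection pass through untouched.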