How to use Peer-to-Peer filtering?

Description

This chapter shows some examples of how to use the Peer-to-Peer traffic matching feature introduced in RouterOS version 2.8.

Logging
To log all P2P traffic, add the following rule:
/ip firewall rule forward add p2p=all-p2p log=yes
If firewall logging is enabled on the router, the log file will show P2P packet information like this:
oct/06/2003 16:07:32 forward->ACCEPT, in:wlan1, out:prism1, prot TCP (ACK), 10.1.5.49:3556->81.198.155.83:13830, len 40

Drop

To drop all P2P traffic, add the following rule:
/ip firewall rule forward add p2p=all-p2p action=drop
You can enable logging for the dropped packets by adding log=yes to the previous command. The log file will then contain entries similar to this:
oct/06/2003 16:16:08 forward->DROP, in:prism1, out:wlan1, prot TCP (ACK), 62.85.19.201:30003->10.1.5.49:3562, len 1500
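As an added example (not part of the original page), a small Python parser for the firewall log lines shown in the Logging and Drop sections; it counts packets and bytes per LAN client, direction and action over constructed sample lines, assuming the client network is 10.1.5.0/24.

```python
import ipaddress
import re
from collections import defaultdict

# RouterOS 2.8 firewall log format as shown on the page:
# <date> <time> <chain>-><action>, in:<if>, out:<if>, prot <proto> [(<flags>)], <src>:<port>-><dst>:<port>, len <n>
LOG_RE = re.compile(
    r"^(?P<stamp>\S+ \S+) (?P<chain>\w+)->(?P<action>\w+), "
    r"in:(?P<in_if>\S+), out:(?P<out_if>\S+), prot (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<length>\d+)$"
)

# Constructed sample entries: the two lines from the page plus two more in the same format.
SAMPLE_LOG = """\
oct/06/2003 16:07:32 forward->ACCEPT, in:wlan1, out:prism1, prot TCP (ACK), 10.1.5.49:3556->81.198.155.83:13830, len 40
oct/06/2003 16:07:33 forward->ACCEPT, in:prism1, out:wlan1, prot TCP (ACK), 81.198.155.83:13830->10.1.5.49:3556, len 1500
oct/06/2003 16:16:08 forward->DROP, in:prism1, out:wlan1, prot TCP (ACK), 62.85.19.201:30003->10.1.5.49:3562, len 1500
oct/06/2003 16:16:09 forward->DROP, in:wlan1, out:prism1, prot UDP, 10.1.5.50:4662->62.85.19.201:4662, len 120
"""

def parse_line(line):
    """Return the fields of one firewall log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["length"] = int(fields["length"])
    return fields

def summarize(log_text, lan_net="10.1.5.0/24"):
    """Count packets and bytes per (client, direction, action).

    The client is whichever endpoint lies inside lan_net (assumed to be the local
    network): upload means the client is the source, download the destination.
    Lines that do not parse or involve no LAN address are skipped.
    """
    lan = ipaddress.ip_network(lan_net)
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        if ipaddress.ip_address(f["src"]) in lan:
            key = (f["src"], "upload", f["action"])
        elif ipaddress.ip_address(f["dst"]) in lan:
            key = (f["dst"], "download", f["action"])
        else:
            continue
        totals[key]["packets"] += 1
        totals[key]["bytes"] += f["length"]
    return dict(totals)

if __name__ == "__main__":
    for key, t in sorted(summarize(SAMPLE_LOG).items()):
        print(key, t)
```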
If you want to allow some of your users to use P2P, add two accept rules (one for download, one for upload) before the drop rule:
/ip firewall rule forward add src-address=10.1.5.49/32 p2p=all-p2p
/ip firewall rule forward add dst-address=10.1.5.49/32 p2p=all-p2p

One Way P2P
In the case of DC++ you can't just add the dst-address of the user in the forward chain and then drop all other P2P traffic: DC++ sends some P2P information to the other P2P user you are downloading from, so if the upload P2P traffic is blocked, the download will not work either. To make P2P one-way, instead limit the other direction to a small rate, for example a P2P upload limit of 10000bps (10Kbps). Users will then be able to download P2P traffic, but their upload will be at most 10Kbps.
To do that, mark all P2P traffic using Firewall mangle:
/ip firewall mangle add p2p=all-p2p mark-flow=p2p
Then add a queue to limit upload traffic to 10Kbps:
/queue tree add parent=public flow=p2p max-limit=10000

Individual IP P2P limit
This section shows how to limit P2P traffic for individual IPs, with a different speed limit for each IP. Suppose we have two clients and we would like to limit the first client's P2P traffic to 256Kbps (download)/64Kbps (upload) and the second client's P2P traffic to 384Kbps (download)/128Kbps (upload). The first client's IP address is 10.1.5.49 and the second client's IP is 10.1.5.50. To do this, mark all P2P traffic using Firewall mangle:
/ip firewall mangle add p2p=all-p2p mark-flow=all-p2p action=passthrough
Then mark the P2P traffic of the first client (upload/download):
/ip firewall mangle add flow=all-p2p src-address=10.1.5.49/32 mark-flow=client1-p2p
/ip firewall mangle add flow=all-p2p dst-address=10.1.5.49/32 mark-flow=client1-p2p
Next, mark the P2P traffic of the second client (upload/download):
/ip firewall mangle add flow=all-p2p src-address=10.1.5.50/32 mark-flow=client2-p2p
/ip firewall mangle add flow=all-p2p dst-address=10.1.5.50/32 mark-flow=client2-p2p
Add queue rules for the first client (upload/download):
/queue tree add parent=public flow=client1-p2p max-limit=64000
/queue tree add parent=local flow=client1-p2p max-limit=256000
And finally, add queue rules for the second client (upload/download):
/queue tree add parent=public flow=client2-p2p max-limit=128000
/queue tree add parent=local flow=client2-p2p max-limit=384000
If masquerade is enabled, the download stream can't be limited this way. Mangle is the first firewall module that gets packets when they are received. Next, DST-NAT is done, which not only executes the DST-NAT rules but also performs un-SRC-NATting. That is why mangle does not 'see' the real addresses of the clients. Since SRC-NAT does not allow connections to be established to the NATted clients, it is possible to match all responses in connections already established by the clients using connection marks. To do this, first connection-mark all packets from the IP of each client, with a different mark for each client, using action=passthrough:
/ip firewall mangle add src-address=10.1.5.51/32 mark-connection=client1 action=passthrough
Then we can re-mark these connections with a different flow mark and also match the P2P traffic:
/ip firewall mangle add connection=client1 p2p=all-p2p mark-flow=client1-p2p action=passthrough
Finally, add a queue rule:
/queue tree add parent=local flow=client1-p2p max-limit=256000
Burst
We have already configured mangle rules and queues for download:
[admin@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 p2p=all-p2p action=passthrough mark-flow=all-p2p
1 dst-address=10.1.5.49/32 flow=all-p2p
action=accept mark-flow=client1-p2p
[admin@MikroTik] > queue tree print
Flags: X - disabled, I - invalid, D - dynamic
0 name="download-client1-p2p" parent=local flow=client1-p2p limit-at=0
queue=default priority=8 max-limit=256000 burst-limit=0 burst-threshold=0
burst-time=0
[admin@MikroTik] >
We want to allow bursting up to 400000bps for 5min (in the case where the download speed is at maximum all the time); after 5min the speed limit will go back to 256000. To do that we need to modify the queue rule:
/queue tree set 0 burst-limit=400000 burst-time=600 burst-threshold=200000
We specified a burst time of 600 seconds (10min). This time is needed for calculating the specific moment when the router will drop the queue speed limit from burst-limit to max-limit. The router calculates the average value: the sum of the speed in each second of the burst-time, divided by the burst-time. Now there are two cases:
- If this value is lower than the burst-threshold, the queue speed limit will be raised to the burst-limit
- If this value is higher than the burst-threshold, the queue speed limit will be dropped to max-limit
In our case the user is downloading at the maximum speed. This means he can download at the burst-limit speed for 5min; the average value is then still equal to the burst-threshold, which is 200000 (400000*300/600=200000). In the next second the average will be greater than the burst-threshold and the speed limit will be dropped to the max-limit.
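An added Python simulation (not from the original page) of the burst rule as described above. It assumes that each second's check includes the coming second at burst-limit in the window average; with that model it reproduces the 5-minute figure and also shows that, because max-limit is above burst-threshold, a client that keeps the link saturated does not get the burst back until it has been idle.

```python
from collections import deque

def simulate_burst(demand_bps, max_limit, burst_limit, burst_threshold, burst_time):
    """Return the rate granted in each second to a client that asks for demand_bps[t].

    Model (an assumption following the description above): every second the router
    averages the rate over the last burst_time seconds, counting what the client
    would get in the coming second at burst_limit. While that average does not
    exceed burst_threshold the limit is burst_limit, otherwise it is max_limit.
    """
    window = deque([0] * burst_time, maxlen=burst_time)  # rates of the last burst_time seconds
    granted = []
    for want in demand_bps:
        tentative = min(want, burst_limit)
        # average of the window after the oldest second (window[0]) has fallen out
        avg = (sum(window) - window[0] + tentative) / burst_time
        limit = burst_limit if avg <= burst_threshold else max_limit
        got = min(want, limit)
        window.append(got)
        granted.append(got)
    return granted

def seconds_at_burst(granted, burst_limit):
    """Length of the initial run of seconds in which the full burst-limit was granted."""
    n = 0
    for rate in granted:
        if rate != burst_limit:
            break
        n += 1
    return n

if __name__ == "__main__":
    # Queue from the page: max-limit=256000 burst-limit=400000 burst-time=600 burst-threshold=200000
    saturating = [10**9] * 900  # client always wants more than any limit
    g = simulate_burst(saturating, 256000, 400000, 200000, 600)
    print("burst lasted", seconds_at_burst(g, 400000), "seconds")  # 300
    print("rate in second 301:", g[300])  # 256000
    # max-limit (256000) is above burst-threshold (200000), so the window average of a
    # saturating client never drops below the threshold again: no second burst.
    print("rate in second 900:", g[899])  # 256000
    idle_then_resume = [10**9] * 300 + [0] * 600 + [10**9] * 10
    print("rate after 600 idle seconds:",
          simulate_burst(idle_then_resume, 256000, 400000, 200000, 600)[900])  # 400000
```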

Using PCQ

Suppose we have a network and we want to limit Peer-to-Peer traffic for each client in this network to 64Kbit/s upload and 128Kbit/s download. The queue type that does this is called PCQ. You can also use it in the previous examples instead of the default queue type.
First of all, create two PCQ queue types, one for upload (classifying by src-address) and one for download (classifying by dst-address):
/queue type add name=up kind=pcq pcq-classifier=src-address pcq-rate=64000
/queue type add name=down kind=pcq pcq-classifier=dst-address pcq-rate=128000
Then 'catch' the P2P traffic using a mangle rule:
/ip firewall mangle add p2p=all-p2p action=passthrough mark-flow=p2p
Now we can create the queues:
/queue tree add parent=public flow=p2p queue=up
/queue tree add parent=local flow=p2p queue=down