Reducing the impact of P2P users on home network - Firewalls


Thread: Reducing the impact of P2P users on home network

  1. Re: Reducing the impact of P2P users on home network

    retsuhcs@xinap.moc (Mike S.) wrote in
    news:emeqm7$oj3$1@reader2.panix.com:

    >
    >
    > Amateur though I am, I've become the default manager for internet
    > access in our large home. The hardware consists of a cable modem and
    > older model WRT54G with updated firmware. All but my own PC (which
    > connected via the local ethernet port on the router) are using
    > wireless. This has worked quite well until the two college-age folks
    > in the house started getting heavy into P2P (Limewire and Sharezaa).
    > This has had a noticeable performance impact on net access, and I'd
    > like to try to improve things.
    >
    > I am not in a position to prohibit these kids from using P2P, and
    > polite efforts to get them to limit the number of connections, and to
    > postpone heavy transfers to off-hours has not worked for very long. I
    > understand that various port blocking rules within the router are
    > largely ineffective because the P2P clients use port-hopping, and can
    > even use port 80 if nothing else works. I was wondering if a more
    > sophisticated hardware solution might help us.
    >
    > My first understanding is that the limited CPU power and RAM in an
    > inexpensive router get overwhelmed by such a large number of
    > connections. Would a more robust hardware (NAT router) be likely to
    > help? If yes, any specific suggestions?
    >
    > From what I gather, true hardware firewall appliances allow the use of
    > rules that can limit the number of connections and the bandwidth
    > allotted to each client IP address. This, to me, seems very attractive
    > (although more expensive) and I was wondering if interposing a
    > firewall between the cable modem and the router (or discarding the
    > modem and using the firewall with an access point) would achieve the
    > desired end. Any specific suggestions?
    >


    grab an old P2 box and install m0n0wall (http://www.m0n0.ch) or pfsense
    (www.pfsense.com) on it, put it between your cable modem and the WRT54G,
    and use the traffic shaping rules to crush the P2P traffic. You won't
    prohibit it (unless you want to), but you can certainly squash it to the
    point where it becomes too boring for them to wait, and you can blame it
    on your ISP as the m0n0/pfsense box is transparent to them unless they
    physically look at your setup, or know what to look for. If you have an
    old system lying around with some extra network cards, this is the
    cheapest option... it's free.

    --

    What's easier for kissing random strangers? Mistletoe or chloroform?

  2. Re: Reducing the impact of P2P users on home network


    Wheaty wrote:
    > retsuhcs@xinap.moc (Mike S.) wrote in
    > news:emeqm7$oj3$1@reader2.panix.com:
    >
    > >
    > >
    > > Amateur though I am, I've become the default manager for internet
    > > access in our large home. The hardware consists of a cable modem and
    > > older model WRT54G with updated firmware. All but my own PC (which
    > > connected via the local ethernet port on the router) are using
    > > wireless. This has worked quite well until the two college-age folks
    > > in the house started getting heavy into P2P (Limewire and Sharezaa).
    > > This has had a noticeable performance impact on net access, and I'd
    > > like to try to improve things.
    > >
    > > I am not in a position to prohibit these kids from using P2P, and
    > > polite efforts to get them to limit the number of connections, and to
    > > postpone heavy transfers to off-hours has not worked for very long. I
    > > understand that various port blocking rules within the router are
    > > largely ineffective because the P2P clients use port-hopping, and can
    > > even use port 80 if nothing else works. I was wondering if a more
    > > sophisticated hardware solution might help us.
    > >
    > > My first understanding is that the limited CPU power and RAM in an
    > > inexpensive router get overwhelmed by such a large number of
    > > connections. Would a more robust hardware (NAT router) be likely to
    > > help? If yes, any specific suggestions?
    > >
    > > From what I gather, true hardware firewall appliances allow the use of
    > > rules that can limit the number of connections and the bandwidth
    > > allotted to each client IP address. This, to me, seems very attractive
    > > (although more expensive) and I was wondering if interposing a
    > > firewall between the cable modem and the router (or discarding the
    > > modem and using the firewall with an access point) would achieve the
    > > desired end. Any specific suggestions?
    > >

    >
    > grab an old P2 box and install m0n0wall (http://www.m0n0.ch) or pfsense
    > (www.pfsense.com) on it, put it between your cable modem and the WRT54G,
    > and use the traffic shaping rules to crush the P2P traffic. You won't
    > prohibit it (unless you want to), but you can certainly squash it to the
    > point where it becomes too boring for them to wait, and you can blame it
    > on your ISP as the m0n0/pfsense box is transparent to them unless they
    > physically look at your setup, or know what to look for. If you have an
    > old system lying around with some extra network cards, this is the
    > cheapest option... it's free.
    >


    The problem with modern p2p traffic is that much of the traffic is not
    p2p transfers, but icmp discovery and http directory exchange, which
    cannot be distinguished from normal icmp and http. You can limit icmp,
    but then you'll get dropped pings and customers will complain about
    your network.

    We've found the best strategy for managing abusers is to control each
    IP/customer with an individual bandwidth profile. Our product allows
    you to allow users to burst only for specific periods of time, and also
    control the packets/second in addition to bandwidth. We've found that
    abusive protocols tend to have much higher pps usage than well-behaved
    protocols, so pps is very effective.

    The concept behind per-customer control is simple: you don't allow any
    one user to use more than his fair share of bandwidth. Another problem
    with the "squash p2p" method is that users who want to download 1 or 2
    songs can't do it, because you've generally disabled p2p on your
    network. If a customer subscribes to a 512K service, why shouldn't they
    be able to do whatever they want with their bandwidth, as long as they
    don't abuse it? With per customer settings, if a user chooses to fire
    up p2p, they only squash themselves. If they complain that they can't
    surf, you simply tell them to turn off the p2p program and they'll be
    able to surf. It's a strategy that's not only fair, it's very, very
    effective.

    Dennis Baasch
    Emerging Technologies, Inc.


  3. Re: Reducing the impact of P2P users on home network

    dennis@etinc.com wrote in
    news:1167395889.320709.295340@i12g2000cwa.googlegroups.com:


    >
    > The problem with modern p2p traffic is that much of the traffic is not
    > p2p transfers, but icmp discovery and http directory exchange, which
    > cannot be distinguished from normal icmp and http. You can limit icmp,
    > but then you'll get dropped pings and customers will complain about
    > your network.
    >
    > We've found the best strategy for managing abusers is to control each
    > IP/customer with an individual bandwidth profile. Our product allows
    > you to allow users to burst only for specific periods of time, and also
    > control the packets/second in addition to bandwidth. We've found that
    > abusive protocols tend to have much higher pps usage than well-behaved
    > protocols, so pps is very effective.
    >
    > The concept behind per-customer control is simple: you don't allow any
    > one user to use more than his fair share of bandwidth. Another problem
    > with the "squash p2p" method is that users who want to download 1 or 2
    > songs can't do it, because you've generally disabled p2p on your
    > network. If a customer subscribes to a 512K service, why shouldn't they
    > be able to do whatever they want with their bandwidth, as long as they
    > don't abuse it? With per customer settings, if a user chooses to fire
    > up p2p, they only squash themselves. If they complain that they can't
    > surf, you simply tell them to turn off the p2p program and they'll be
    > able to surf. It's a strategy that's not only fair, it's very, very
    > effective.
    >
    > Dennis Baasch
    > Emerging Technologies, Inc.
    >
    >


    That sounds all well and good, but I do know a couple of things. Each
    user (specific IP) can be allotted a particular total bandwidth share by
    using pf or m0n0. I have never done it, but I have read of it being done
    through the use of pipes/queues, static DHCP and the like.
    Secondly, although I may have read further into it than I should have,
    it sounds to me as though the OP is the subscriber, not the offending
    downloaders. So going on that assumption, wrong or not, it is well
    within his rights to throttle back the P2P traffic as much as he likes.
    But, if I am wrong, so be it.
    While your product sounds interesting, what is the cost? Is it
    comparable to free?
    There are a number of ISPs who do consider downloading one or two songs
    abuse... copyright infringement. But that is a topic for another group
    ;-)

    --

    What's easier for kissing random strangers? Mistletoe or chloroform?
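Worked example, added here and not code from the thread or from either product mentioned in it: a small Python simulation of the per-customer bandwidth profile Dennis describes and the per-IP pipes/queues Wheaty mentions. Each LAN address gets its own byte-rate and packet-rate token bucket, so a chatty P2P host exhausts only its own allowance while a web surfer on the same link is untouched; the 512K figure from the thread is used as the per-host rate, and the 100 packets/s cap, the addresses and the traffic are constructed assumptions.

```python
from collections import defaultdict

class HostProfile:
    """Two token buckets for one LAN IP: bytes/s and packets/s.
    Buckets are kept in 1/1000 units so the refill maths stays in integers."""
    def __init__(self, bps, pps):
        self.bps, self.pps = bps, pps
        self.mbytes, self.mpkts = bps * 1000, pps * 1000   # start full (1 s burst)
        self.last_ms = 0

    def admit(self, t_ms, size):
        dt = t_ms - self.last_ms
        self.last_ms = t_ms
        # refill for the elapsed milliseconds, capped at one second's worth
        self.mbytes = min(self.bps * 1000, self.mbytes + dt * self.bps)
        self.mpkts = min(self.pps * 1000, self.mpkts + dt * self.pps)
        if self.mbytes >= size * 1000 and self.mpkts >= 1000:
            self.mbytes -= size * 1000
            self.mpkts -= 1000
            return True
        return False   # over profile: dropped here (a real shaper would queue it)

class PerHostShaper:
    """Gives every source IP its own HostProfile, so one host's excess only
    throttles that host (the 'they only squash themselves' point)."""
    def __init__(self, bps, pps):
        self.bps, self.pps, self.hosts = bps, pps, {}

    def run(self, packets):
        stats = defaultdict(lambda: [0, 0])          # src -> [passed, dropped]
        for t_ms, src, size in sorted(packets):
            prof = self.hosts.setdefault(src, HostProfile(self.bps, self.pps))
            stats[src][0 if prof.admit(t_ms, size) else 1] += 1
        return {src: tuple(v) for src, v in stats.items()}

def sample_traffic():
    """Constructed one-second capture (t_ms, src_ip, bytes): a web surfer
    and a P2P host whose discovery chatter runs at 500 small packets/s."""
    surfer = [(50 * i, "192.168.1.10", 1400) for i in range(20)]   # 20 pps, 28 kB
    p2p = [(2 * i, "192.168.1.20", 200) for i in range(500)]       # 500 pps, 100 kB
    return surfer + p2p

def demo():
    # 512 kbit/s per host (64,000 bytes/s) plus an assumed 100 packets/s cap
    return PerHostShaper(bps=64_000, pps=100).run(sample_traffic())

if __name__ == "__main__":
    for src, (passed, dropped) in demo().items():
        print(f"{src}: passed={passed} dropped={dropped}")
```

The surfer's 20 packets all pass, while the P2P host is held to roughly 100 pps by the packet bucket alone; its byte allowance is never the limiting factor, which is Dennis's observation that pps catches chatty protocols that a pure bandwidth cap would let through.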
