Reducing the impact of P2P users on home network - Firewalls



Thread: Reducing the impact of P2P users on home network

  1. Reducing the impact of P2P users on home network



    Amateur though I am, I've become the default manager for internet access
    in our large home. The hardware consists of a cable modem and older model
    WRT54G with updated firmware. All but my own PC (which is connected via the
    local ethernet port on the router) are using wireless. This has worked
    quite well until the two college-age folks in the house started getting
    heavy into P2P (Limewire and Shareaza). This has had a noticeable performance
    impact on net access, and I'd like to try to improve things.

    I am not in a position to prohibit these kids from using P2P, and polite
    efforts to get them to limit the number of connections, and to postpone
    heavy transfers to off-hours have not worked for very long. I understand
    that various port blocking rules within the router are largely ineffective
    because the P2P clients use port-hopping, and can even use port 80 if
    nothing else works. I was wondering if a more sophisticated hardware solution
    might help us.

    My first understanding is that the limited CPU power and RAM in an
    inexpensive router get overwhelmed by such a large number of connections.
    Would more robust hardware (a NAT router) be likely to help? If yes, any
    specific suggestions?

    From what I gather, true hardware firewall appliances allow the use of
    rules that can limit the number of connections and the bandwidth allotted
    to each client IP address. This, to me, seems very attractive (although
    more expensive) and I was wondering if interposing a firewall between the
    cable modem and the router (or discarding the modem and using the firewall
    with an access point) would achieve the desired end. Any specific
    suggestions?


  2. Re: Reducing the impact of P2P users on home network

    In article , on Thu, 21 Dec 2006
    20:26:47 +0000 (UTC), Mike S. wrote:

    >
    >
    > Amateur though I am, I've become the default manager for internet access
    > in our large home. The hardware consists of a cable modem and older model
    > WRT54G with updated firmware.

    [snip]
    > From what I gather, true hardware firewall appliances allow the use of
    > rules that can limit the number of connections and the bandwidth allotted
    > to each client IP address. This, to me, seems very attractive (although
    > more expensive) and I was wondering if interposing a firewall between the
    > cable modem and the router (or discarding the modem and using the firewall
    > with an access point) would achieve the desired end. Any specific
    > suggestions?


    Since you have a WRT54G, the first thing I would try (assuming you've
    ruled out beatings and electro-shock), is to flash the *free* DD-WRT
    third party firmware onto your WRT54G. DD-WRT has a slew of Quality of
    Service settings, including the ability to limit bandwidth by MAC
    address, which sounds right up your alley.

    The main DD-WRT wiki page is at:
    http://www.dd-wrt.com/wiki/index.php/Main_Page

    The QoS settings are described here:
    http://www.dd-wrt.com/wiki/index.php/QoS

    and you can download DD-WRT from:
    http://www.dd-wrt.com/dd-wrtv2/downloads.php


    I use DD-WRT myself, and recommend it highly. And, you can't beat the
    price!

    Good luck!

    --
    Seth Goodman

  3. Re: Reducing the impact of P2P users on home network


    In article ,
    Seth Goodman wrote:
    >In article , on Thu, 21 Dec 2006
    >20:26:47 +0000 (UTC), Mike S. wrote:
    >
    >>
    >>
    >> Amateur though I am, I've become the default manager for internet access
    >> in our large home. The hardware consists of a cable modem and older model
    >> WRT54G with updated firmware.

    >[snip]
    >> From what I gather, true hardware firewall appliances allow the use of
    >> rules that can limit the number of connections and the bandwidth allotted
    >> to each client IP address. This, to me, seems very attractive (although
    >> more expensive) and I was wondering if interposing a firewall between the
    >> cable modem and the router (or discarding the modem and using the firewall
    >> with an access point) would achieve the desired end. Any specific
    >> suggestions?


    [woops ... I meant discarding the ROUTER]

    >Since you have a WRT54G, the first thing I would try (assuming you've
    >ruled out beatings and electro-shock), is to flash the *free* DD-WRT
    >third party firmware onto your WRT54G. DD-WRT has a slew of Quality of
    >Service settings, including the ability to limit bandwidth by MAC
    >address, which sounds right up your alley.
    >
    >The main DD-WRT wiki page is at:
    >http://www.dd-wrt.com/wiki/index.php/Main_Page
    >
    >The QoS settings are described here:
    >http://www.dd-wrt.com/wiki/index.php/QoS
    >
    >and you can download DD-WRT from:
    >http://www.dd-wrt.com/dd-wrtv2/downloads.php


    Thanks. The WRT54G does have some QOS facility in the recent firmware but
    the DD-WRT seems to be more comprehensive. Since everything is on DHCP
    right now, I suppose the priorities for the two problem users could be
    assigned based on MAC address, as the IPs are always changing.

    Is the DD-WRT flash a one-way deal - i.e. is it possible to go back to
    Linksys factory F/W afterward?

  4. Re: Reducing the impact of P2P users on home network

    In article , on Thu, 21 Dec 2006
    21:33:04 +0000 (UTC), Mike S. wrote:

    >
    > Is the DD-WRT flash a one-way deal - i.e. is it possible to go back to
    > Linksys factory F/W afterward?
    >


    You can revert at any time - just flash with the stock firmware from the
    Linksys site.


    --
    Seth Goodman

  5. Re: Reducing the impact of P2P users on home network

    On Thu, 21 Dec 2006 21:53:05 GMT, in alt.internet.wireless , Jeff
    Liebermann wrote:

    >Of course, if they change their MAC address, or introduce a new
    >computer, such QoS by IP address or MAC address is useless.


    This is one of the few places where MAC-address based permissioning on
    the router is useful.

    --
    Mark McIntyre

  6. Re: Reducing the impact of P2P users on home network

    On Thu, 21 Dec 2006 22:19:08 +0000, Mark McIntyre
    wrote:

    >On Thu, 21 Dec 2006 21:53:05 GMT, in alt.internet.wireless , Jeff
    >Liebermann wrote:
    >
    >>Of course, if they change their MAC address, or introduce a new
    >>computer, such QoS by IP address or MAC address is useless.

    >
    >This is one of the few places where MAC-address based permissioning on
    >the router is useful.


    Yep. However, it's easy enough for a user to change their MAC
    address, making this a rather awkward method of monitoring. I've
    recently been installing arpwatch into DD-WRT to detect any "unusual"
    new users:




    Make sure to first enable JFFS2 support on the:
    Admin -> Management
    page. It won't stop the users from changing their MAC address, but it
    will detect them when they try.

    Argh.... "ipkg update" doesn't seem to be working for me today. Now,
    what did I do wrong this time? Oh, no flash space. It's full.






    --
    # Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
    # 831-336-2558 jeffl@comix.santa-cruz.ca.us
    # http://802.11junk.com jeffl@cruzio.com
    # http://www.LearnByDestroying.com AE6KS

  7. Re: Reducing the impact of P2P users on home network

    Obviously a large home to you is quite different than a large home to me. I can't
    use a wireless router; my main house is too big.

    "Mike S." wrote:

    > Amateur though I am, I've become the default manager for internet access
    > in our large home. The hardware consists of a cable modem and older model
    > WRT54G with updated firmware. All but my own PC (which is connected via the
    > local ethernet port on the router) are using wireless. This has worked
    > quite well until the two college-age folks in the house started getting
    > heavy into P2P (Limewire and Shareaza). This has had a noticeable performance
    > impact on net access, and I'd like to try to improve things.
    >
    > I am not in a position to prohibit these kids from using P2P, and polite
    > efforts to get them to limit the number of connections, and to postpone
    > heavy transfers to off-hours have not worked for very long. I understand
    > that various port blocking rules within the router are largely ineffective
    > because the P2P clients use port-hopping, and can even use port 80 if
    > nothing else works. I was wondering if a more sophisticated hardware solution
    > might help us.
    >
    > My first understanding is that the limited CPU power and RAM in an
    > inexpensive router get overwhelmed by such a large number of connections.
    > Would more robust hardware (a NAT router) be likely to help? If yes, any
    > specific suggestions?
    >
    > From what I gather, true hardware firewall appliances allow the use of
    > rules that can limit the number of connections and the bandwidth allotted
    > to each client IP address. This, to me, seems very attractive (although
    > more expensive) and I was wondering if interposing a firewall between the
    > cable modem and the router (or discarding the modem and using the firewall
    > with an access point) would achieve the desired end. Any specific
    > suggestions?



  8. Re: Reducing the impact of P2P users on home network

    Mark McIntyre wrote:

    > On Thu, 21 Dec 2006 21:53:05 GMT, in alt.internet.wireless , Jeff
    > Liebermann wrote:
    >
    > >Of course, if they change their MAC address, or introduce a new
    > >computer, such QoS by IP address or MAC address is useless.

    >
    > This is one of the few places where MAC-address based permissioning on
    > the router is useful.


    If they are smart enough, they can find out what MAC addresses other
    users' equipment has and "borrow" one of these.

  9. Re: Reducing the impact of P2P users on home network


    In article <458B1B90.456A4139@TheDeli.Sandwich>,
    Tony wrote:
    >Obviously a large home to you is quite different than a large home to
    >me. I can't use a wireless router; my main house is too big.


    Well, there are 3 floors plus a basement. Except for a couple of dead spots
    in the basement (I'm using a high gain directional antenna down there)
    we've been quite impressed with the coverage.


  10. Re: Reducing the impact of P2P users on home network

    Jeff Liebermann wrote:

    > Be sure to amortize the cost of the added equipment and your time playing
    > policeman.


    And he might also ask them to sign an agreement indemnifying him and the
    other residents of the house for any fines, settlements, legal fees, or
    other expenses incurred in case the RIAA et al should come knocking at
    the door.


  11. Re: Reducing the impact of P2P users on home network

    Axel Hammerschmidt wrote:

    > If they are smart enough, they can find out what MAC addresses other
    > users' equipment has and "borrow" one of these.


    At which point the OP could put limits on all devices and announce that
    this had been done to preserve some measure of service for all users.
    This might encourage the other residents of the house to evict the two
    P2P fiends.


  12. Re: Reducing the impact of P2P users on home network

    Neill Massello wrote:

    > Axel Hammerschmidt wrote:
    >
    > > If they are smart enough, they can find out what MAC addresses other
    > > users' equipment has and "borrow" one of these.

    >
    > At which point the OP could put limits on all devices and announce that
    > this had been done to preserve some measure of service for all users.
    > This might encourage the other residents of the house to evict the two
    > P2P fiends.


    He could do that without first installing dd-wrt :-)

  13. Re: Reducing the impact of P2P users on home network

    Mike S. wrote:

    > In article <458B1B90.456A4139@TheDeli.Sandwich>,
    > Tony wrote:
    >
    > >Obviously a large home to you is quite different than a large home to me.
    > >I can't use a wireless router; my main house is too big.

    >
    > Well, there are 3 floors plus a basement. Except for a couple of dead spots
    > in the basement (I'm using a high gain directional antenna down there)
    > we've been quite impressed with the coverage.


    And some people use square feet :-)

  14. Re: Reducing the impact of P2P users on home network

    Axel Hammerschmidt wrote:
    >
    > And some people use square feet :-)


    My feet are flat... Guess I use a non-standard flat feet measurement



  15. Re: Reducing the impact of P2P users on home network

    Tony wrote:

    > Obviously a large home to you is quite different than a large home to me.
    > I can't use a wireless router; my main house is too big.


    Too bad you can't afford additional access points.


  16. Re: Reducing the impact of P2P users on home network

    On Thu, 21 Dec 2006 15:30:51 -0800, in alt.internet.wireless , Jeff
    Liebermann wrote:

    >On Thu, 21 Dec 2006 22:19:08 +0000, Mark McIntyre
    > wrote:
    >
    >>On Thu, 21 Dec 2006 21:53:05 GMT, in alt.internet.wireless , Jeff
    >>Liebermann wrote:
    >>
    >>>Of course, if they change their MAC address, or introduce a new
    >>>computer, such QoS by IP address or MAC address is useless.

    >>
    >>This is one of the few places where MAC-address based permissioning on
    >>the router is useful.

    >
    >Yep. However, it's easy enough for a user to change their MAC
    >address, making this a rather awkward method of monitoring.


    What I meant was to restrict the list of MACs that can get IPs from
    the router, then set up QoS rules on each of those. If your students
    change their MAC, they can't get an IP. Obviously they could clone the
    MAC of someone else in the house but then that person would get locked
    out and they'd complain.

    --
    Mark McIntyre
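    As an added example (not arpwatch itself and not DD-WRT code) that joins Jeff's arpwatch idea with Mark's allowed-MAC list: a small Python watcher that reads ARP-table snapshots in /proc/net/arp format, keeps a station database, and reports the events that matter here. A MAC outside the allowed list is a station that changed its address, a changed MAC for a known IP is re-addressing or spoofing, and one MAC answering for two IPs at once is a cloned address. The table lines, MAC values and allowed list are constructed, and the script is meant to run on a monitoring host rather than on the router.

```python
import re
from dataclasses import dataclass, field
# Columns of /proc/net/arp: IP address, HW type, Flags, HW address, Mask, Device.
ARP_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+0x[0-9a-fA-F]+\s+(0x[0-9a-fA-F]+)"
                      r"\s+([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s+\S+\s+(\S+)$")
ATF_COM = 0x2   # Linux flag: entry is complete, the MAC was really learned

@dataclass
class ArpWatcher:
    allowed: set                                   # MACs permitted to get a lease
    ip_to_mac: dict = field(default_factory=dict)  # last MAC seen for each IP
    known_macs: set = field(default_factory=set)   # every MAC seen so far

    def scan(self, arp_table: str) -> list:
        """Apply one ARP-table snapshot; return (event, detail) tuples."""
        events = []
        ips_by_mac = {}                            # mac -> IPs in this snapshot
        for line in arp_table.splitlines():
            m = ARP_LINE.match(line.strip())
            if not m:
                continue                           # header line or malformed text
            ip, flags, mac, dev = m.groups()
            mac = mac.lower()
            if not int(flags, 16) & ATF_COM:
                continue                           # incomplete entry, no MAC yet
            ips_by_mac.setdefault(mac, set()).add(ip)
            if mac not in self.allowed:
                events.append(("unknown", f"{mac} at {ip} on {dev}"))
            elif mac not in self.known_macs:
                events.append(("new", f"{mac} at {ip} on {dev}"))
            old = self.ip_to_mac.get(ip)
            if old is not None and old != mac:
                events.append(("changed", f"{ip}: {old} -> {mac}"))
            self.ip_to_mac[ip] = mac
            self.known_macs.add(mac)
        for mac, ips in ips_by_mac.items():
            if len(ips) > 1:                       # one MAC answering for several IPs
                events.append(("duplicate", f"{mac} on {', '.join(sorted(ips))}"))
        return events
# Constructed snapshots: in the second, .11 has a new MAC and .10's MAC is cloned on .12.
SNAPSHOT_1 = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:11:22:33:44:55     *        br0
192.168.1.11     0x1         0x2         00:11:22:33:44:66     *        br0
192.168.1.20     0x1         0x0         00:00:00:00:00:00     *        br0
"""
SNAPSHOT_2 = """\
192.168.1.10     0x1         0x2         00:11:22:33:44:55     *        br0
192.168.1.11     0x1         0x2         AA:BB:CC:DD:EE:FF     *        br0
192.168.1.12     0x1         0x2         00:11:22:33:44:55     *        br0
"""
ALLOWED = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
def run_demo():
    w = ArpWatcher(allowed=set(ALLOWED))           # scan both snapshots in order
    return w.scan(SNAPSHOT_1), w.scan(SNAPSHOT_2)
```

    On a real box the snapshots would come from reading /proc/net/arp on a timer, and the allowed set from the router's DHCP reservation list.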

  17. Re: Reducing the impact of P2P users on home network

    On Fri, 22 Dec 2006 00:44:24 +0100, in alt.internet.wireless ,
    hlexa@hotmail.com (Axel Hammerschmidt) wrote:

    >Mark McIntyre wrote:
    >
    >> On Thu, 21 Dec 2006 21:53:05 GMT, in alt.internet.wireless , Jeff
    >> Liebermann wrote:
    >>
    >> >Of course, if they change their MAC address, or introduce a new
    >> >computer, such QoS by IP address or MAC address is useless.

    >>
    >> This is one of the few places where MAC-address based permissioning on
    >> the router is useful.

    >
    >If they are smart enough, they can find out what MAC addresses other
    >users' equipment has and "borrow" one of these.


    Sure, but then the other person would get locked out, and complain.
    It'd be a quick job to ID who was 'stealing' access, and permanently
    exclude them.

    Myself, I just block all P2P use by edict, and if I were to catch
    anyone at it (detectable by large upload volumes) I'd take away their
    net access for a month, or require them to pay the bill, or both. This
    is my house, I'm in charge!


    --
    Mark McIntyre
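    Mark's "detectable by large upload volumes", as an added example (not from the thread and not DD-WRT code): a Python check that takes two snapshots of per-MAC byte counters, of the kind per-host accounting rules on a router could provide, and flags hosts whose average upload rate over the interval is at or above a threshold. The caveat it handles is the 32-bit counter on older hardware, which wraps at 4 GiB and would otherwise make a busy uploader look like a negative rate. Counter values, MACs and the threshold are constructed.

```python
COUNTER_WRAP = 1 << 32   # assumption: unsigned 32-bit byte counters, as on older routers

def delta(old: int, new: int) -> int:
    """Bytes moved between two readings, tolerating one counter wrap."""
    return (new - old) % COUNTER_WRAP

def flag_uploaders(before: dict, after: dict, seconds: float, up_kbps: float) -> list:
    """Return (mac, up_kbps, down_kbps), busiest first, for hosts whose average
    upload rate between the two snapshots is at or above up_kbps.
    Each snapshot maps mac -> (bytes sent by the host, bytes received by it)."""
    hits = []
    for mac, (tx1, rx1) in after.items():
        if mac not in before:
            continue                                 # no baseline for this host yet
        tx0, rx0 = before[mac]
        up = delta(tx0, tx1) * 8 / 1000 / seconds    # kbit/s
        down = delta(rx0, rx1) * 8 / 1000 / seconds
        if up >= up_kbps:
            hits.append((mac, round(up, 1), round(down, 1)))
    return sorted(hits, key=lambda h: -h[1])

# Constructed 5-minute sample. The second host's tx counter wrapped past 2^32
# during the interval; the third host has no earlier reading and is skipped.
BEFORE = {
    "00:11:22:33:44:55": (1_000, 5_000),
    "00:11:22:33:44:66": (4_294_000_000, 100),
}
AFTER = {
    "00:11:22:33:44:55": (3_001_000, 60_005_000),
    "00:11:22:33:44:66": (20_000_000, 50_000_100),
    "00:11:22:33:44:77": (9_000_000, 9_000_000),
}

def run_demo():
    return flag_uploaders(BEFORE, AFTER, seconds=300, up_kbps=200)
```

    Without the modulo in delta(), the wrapped host would compute as roughly -4 GB of upload and never be flagged.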

  18. Re: Reducing the impact of P2P users on home network

    On Thu, 21 Dec 2006 17:10:08 -0700, in alt.internet.wireless ,
    massello@newsguy.com (Neill Massello) wrote:

    >Jeff Liebermann wrote:
    >
    >> Be sure to amortize the cost of the added equipment and your time playing
    >> policeman.

    >
    >And he might also ask them to sign an agreement indemnifying him and the
    >other residents of the house for any fines, settlements, legal fees, or
    >other expenses incurred in case the RIAA et al should come knocking at
    >the door.


    We have a lodger and our agreement with them contains exactly such a
    clause.
    --
    Mark McIntyre

  19. Re: Reducing the impact of P2P users on home network


    "Neill Massello" wrote in message
    news:1hqplu1.hczdyu15vebqbN%massello@newsguy.com...
    > Tony wrote:
    >
    >> Obviously a large home to you is quite different than a large home to me.
    >> I can't use a wireless router; my main house is too big.

    >
    > Too bad you can't afford additional access points.
    >

    Or high gain antennas



  20. Re: Reducing the impact of P2P users on home network

    Mike S. wrote:
    > Amateur though I am, I've become the default manager for internet access
    > in our large home. The hardware consists of a cable modem and older model
    > WRT54G with updated firmware. All but my own PC (which is connected via the
    > local ethernet port on the router) are using wireless. This has worked
    > quite well until the two college-age folks in the house started getting
    > heavy into P2P (Limewire and Shareaza). This has had a noticeable performance
    > impact on net access, and I'd like to try to improve things.
    >
    > I am not in a position to prohibit these kids from using P2P,


    Just advise whoever is responsible that you will be expecting them to
    pay the $10,000 fine noted in the demand letter that will be addressed
    to you.


    > and polite
    > efforts to get them to limit the number of connections, and to postpone
    > heavy transfers to off-hours have not worked for very long. I understand
    > that various port blocking rules within the router are largely ineffective
    > because the P2P clients use port-hopping, and can even use port 80 if
    > nothing else works. I was wondering if a more sophisticated hardware solution
    > might help us.
    >
    > My first understanding is that the limited CPU power and RAM in an
    > inexpensive router get overwhelmed by such a large number of connections.
    > Would more robust hardware (a NAT router) be likely to help? If yes, any
    > specific suggestions?
    >
    > From what I gather, true hardware firewall appliances allow the use of
    > rules that can limit the number of connections and the bandwidth allotted
    > to each client IP address. This, to me, seems very attractive (although
    > more expensive) and I was wondering if interposing a firewall between the
    > cable modem and the router (or discarding the modem and using the firewall
    > with an access point) would achieve the desired end. Any specific
    > suggestions?
    >

