D-Link Forums

D-Link Wireless Routers for Home and Small Business => Information => Archive => Topic started by: Sammydad1 on January 25, 2010, 05:01:10 PM

Title: Blocking Bittorrent
Post by: Sammydad1 on January 25, 2010, 05:01:10 PM
Hi,

Anybody have a way of blocking bittorrent use through the router?

Such as, is there some universal IP that is used for all Bittorrent use?

Thanks !!

SD1
Title: Re: Blocking Bittorrent
Post by: Cobra on January 25, 2010, 06:38:47 PM
You could try advanced > application rules but I do not know if it will work.
Title: Re: Blocking Bittorrent
Post by: mackworth on January 25, 2010, 07:18:17 PM
You could try advanced > application rules but I do not know if it will work.

Not going to work well.  The problem is that some clients use a different port every time they start up.  Also, there is no centralized IP to block.

Most of them are going to try and use UPNP, which you turn off, but that won't stop downloading.
Title: Re: Blocking Bittorrent
Post by: Cobra on January 25, 2010, 07:45:07 PM
If it was me I would just use what is built into the OS like domain and group policy.

Would securespot work for this?
Title: Re: Blocking Bittorrent
Post by: Sammydad1 on January 25, 2010, 08:16:52 PM
Is it possible to limit the number of internet connections from a given internal LAN IP ?  Default is pretty much unlimited....if you can limit it to say 4 or 5 it would put a throttle on the torrents I would think....
Title: Re: Blocking Bittorrent
Post by: lotacus on January 26, 2010, 12:13:51 AM
You can block bittorrent. It's easier if you have dd-wrt or PFSense/monowall etc., but since this is the D-Link forum, I'll tell you how, but not with step-by-step instructions... it will take about an hour to do. :P

First. Grab all your necessary ports that you WANT to allow. This means ICMP (so you can ping out from client to hosts), DNS, any other low level protocols to make your network function, port 80, 443, 22 if you SSH and all that jazz.

Now, you create rules. Go through the rule wizard and have it apply to MAC addresses, since they are harder to change than IP addresses. When you get to the port restrictions, enter in all the ports you want blocked, i.e.:

AllowDNS    Port 1-52
AllowDNS2  Port 54-65535

These two rules block every single port EXCEPT port 53.

If you want exceptions for a particular machine, create an allow all rule > log only and the client it applies to.

Once you're done and have double-checked everything, go ahead and apply it. Before long you will have lots of people running to you complaining their torrents aren't working. LOL, though they will probably say their internet isn't working, which it is, they just mean their torrents aren't working.
Title: Re: Blocking Bittorrent
Post by: EddieZ on January 26, 2010, 11:31:20 AM
That's what we call a 'workaround'  ;D
Title: Re: Blocking Bittorrent
Post by: lotacus on January 26, 2010, 05:47:02 PM
It works very well too. I had to do this to prove a point to the roommates who always said the internet is slow. I had my suspicions and applied the rule to one person. Not too long after, the internet was blazing and the router never halted to a stop.
Title: Re: Blocking Bittorrent
Post by: Sammydad1 on January 27, 2010, 05:54:03 AM
Hi,

Thanks for that answer.  It looks feasible but with some additional work on my part...  Next question is:

Are there enough entry lines to Allow all of the items I do want, for my other users ?


Dave
Title: Re: Blocking Bittorrent
Post by: sideloaded2 on January 27, 2010, 06:01:10 AM
But as soon as I scanned the ports I would tell utorrent to use port 53.  8)
Title: Re: Blocking Bittorrent
Post by: devoh on January 27, 2010, 09:22:01 AM
Use OpenDNS as your DNS provider.. go into their setup and block filesharing..
Works great for me.. though if they hardcode their own DNS, they can get around it.

  -devoh
Title: Re: Blocking Bittorrent
Post by: lotacus on January 27, 2010, 10:28:40 AM
I think each filter allows about five or so ranges, so you just repeat the steps to create another rule for the other port ranges. I believe with basic HTTP service including messenger and xbox360, I had to create four separate rules to get all the ranges in.

Title: Re: Blocking Bittorrent
Post by: prewab on February 01, 2010, 07:50:04 AM
Hi,
I need some explanation to this, since I am not an expert:

First. Grab all your necessary ports that you WANT to allow. This means ICMP (so you can ping out from client to hosts), DNS, any other low level protocols to make your network function, port 80, 443, 22 if you SSH and all that jazz.

I just need some hints on which menu-items to use, and some general descriptions. No details necessary.

Thanks!
Title: Re: Blocking Bittorrent
Post by: lotacus on February 01, 2010, 12:34:43 PM
First off, the forum doesn't scale images, and I am already doing a lot of work to get this done so I am not going to scale them down myself. PLEASE DO NOT QUOTE in a reply.

It has been a while since I used the DIR-655 so I cannot remember in which order the rules fall after creating them, if the previous rule is at the bottom of the list and each subsequent rule falls on top or vice versa. That being said, here is how you accomplish this feat.

Go to Access Control, Enable Access Control, then Add Policy.
(image: Untitled.png)

Give policy a name. Set the policy to always apply. Set address type to MAC. If computers are already on the network and recognized, you can add MACs by selecting the computer in the corresponding drop down menu. Click on OK, then repeat the steps for other computers. After each computer, you will have to set the radio box to "MAC" again because it likes to switch back to "IP". When done, click next.
(image: Untitled1.jpg)
(image: Untitled2.jpg)
(image: Untitled3.jpg)

Click on the radio button "block some access" and check off "Apply Advanced Port Filters", then click next.
(image: Untitled4.jpg)

Give each filter a name, enter the IP address ranges.

I would suggest applying the full subnet to this rule in case some decide to set a static IP address outside the DHCP range. Don't add the router's address since that will block other essential communications between router and hosts and router and the internet etc.
(image: Untitled5.jpg)

Next choose the protocol and then the port ranges. For the ports you WANT to keep, make sure they don't fall within the port ranges.

As you can see from my example, I am allowing DNS, HTTP and HTTPS ONLY. Everything else with the TCP protocol is blocked. This alone won't block torrents as they can use UDP as well.

To effectively block one port, you need two rules, i.e.: in the example, I have blocked ports 1-52 and 54-79. Notice how I skipped over port 53, which is used for DNS resolution (translating URLs into IP addresses). The same is done with port 80 and finally with the SSL port, 443.

Once you have filled all these sections up with ports you want to block, click "SAVE".
If you used up all your rule slots, you will have to repeat the steps again to create more rules.

Do NOT exit out of the Access Control or reboot the router when you are done. Instead, repeat the steps above in a new policy, substituting the TCP protocol with UDP.

Once you have both policies made, create yet another policy.
(image: Untitled6.jpg)

When you get to the section asking to block some, block all, or log web access only, you will want to choose the option to "log web access only" and put in the MAC addresses of the computers that will have full access to which your port filtering rules will not apply. As shown below. Make sure this rule is at the top of the list from the other rules.
(image: Untitled8.jpg)


Once this is all completed, reboot the router (since it's impossible to clear state tables). This will force clients to reconnect and adhere to your policies.
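
The block ranges described in the post above are the complement of the ports to keep, built once for TCP and once for UDP. As an added example (not part of the original post and not a D-Link tool), this Python code computes those ranges and splits them into policies; the limit of five filters per policy and all function names are assumptions.

```python
MAX_PORT = 65535

def block_ranges(allowed_ports, lo=1, hi=MAX_PORT):
    """Inclusive (start, end) ranges covering lo..hi except the allowed ports."""
    ranges, start = [], lo
    for port in sorted(set(allowed_ports)):
        if not lo <= port <= hi:
            raise ValueError(f"port {port} is outside {lo}-{hi}")
        if port > start:                 # gap before this allowed port
            ranges.append((start, port - 1))
        start = port + 1                 # resume just past the allowed port
    if start <= hi:
        ranges.append((start, hi))
    return ranges

def is_blocked(port, ranges):
    """True if a port falls inside any block range."""
    return any(s <= port <= e for s, e in ranges)

def plan_policies(allowed, slots_per_policy=5):
    """Map {"TCP": [...], "UDP": [...]} to a list of policies.

    Each policy is a list of (protocol, start, end) filter rows and never
    mixes protocols, matching the separate TCP and UDP policies in the post.
    slots_per_policy is an assumed limit; check it against your firmware.
    """
    policies = []
    for proto, ports in allowed.items():
        rows = [(proto, s, e) for s, e in block_ranges(ports)]
        for i in range(0, len(rows), slots_per_policy):
            policies.append(rows[i:i + slots_per_policy])
    return policies

if __name__ == "__main__":
    # Constructed sample: keep DNS, HTTP and HTTPS on TCP, DNS only on UDP.
    allowed = {"TCP": [53, 80, 443], "UDP": [53]}
    for n, policy in enumerate(plan_policies(allowed), 1):
        print(f"Policy {n}")
        for proto, start, end in policy:
            print(f"  {proto:3}  {start}-{end}")
    # Sanity check before typing the rows into the router: every kept port
    # must be outside the block ranges, every neighbouring port inside them.
    tcp = block_ranges(allowed["TCP"])
    assert not any(is_blocked(p, tcp) for p in allowed["TCP"])
    assert all(is_blocked(p, tcp) for p in (52, 54, 79, 81, 442, 444))
```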
Title: Re: Blocking Bittorrent
Post by: duffman on February 14, 2010, 06:13:21 PM
Well, a VPN connection to a server listening on port 80 could get around this. Just saying.
Title: Re: Blocking Bittorrent
Post by: lotacus on February 14, 2010, 07:02:10 PM
Yup, but I doubt the person has the know-how to do it. Not to mention it wouldn't have much of an effect, as they would be limited to the server's upstream speed, and all the connections would be hitting that VPN server and not the client, so it probably wouldn't have much of an impact anyway.
Title: Re: Blocking Bittorrent
Post by: sbjaved on June 20, 2012, 11:55:58 PM
Thanks! Works beautifully. Although placing destination ip addresses in the lan subnet causes an error and it should be left to 0.0.0.0 to 255.255.255.255