How to properly cascade a Netgear router (using Tomato) with the ISP router/modem (Orange Livebox)?

2014-07-08
  • Alexander Rechsteiner

    I've been using my ISP's modem/router which is an Orange Livebox for the past. I now bought a Netgear WNR3500lv2 and installed Tomato (similar to DD-WRT) in order to have more configuration options and be able to setup VPN.

    The question is, how do I set this up properly so the Tomato router will be the master and the Orange router/modem will be the slave? Ideally I want to degrade the Orange router to function only as a modem and serve the phone that is plugged in.

    I read this related post

    What are the disadvantages (if any) of accessing the internet through two or more "chained" routers?

    I'm not very good with networks so I'm unsure how I need to handle DHCP. I tried disabling DHCP on the Orange router, but then I couldn't connect to it via 192.168.1.1 anymore (which I assume makes sense). The Netgear router's config is also on 192.168.1.1, so I don't know how to make it work so I can still access the configuration of both routers and, of course, so that I can access the internet by connecting to the Netgear router.


    Related Question

    home networking - Block P2P traffic on a Linksys router WRT54G with Tomato firmware
  • Kami

    I'm running a small wireless network (6 to 10 users) on a Linksys WRT54G with Tomato firmware sharing an Internet connection. I don't want the users to download files with BitTorrent (mainly used) and other P2P apps.

    I've also found some solutions about lowering P2P traffic priority using QoS. I really need to ban P2P traffic.

    Does anyone know how to setup some rules to deny that kind of traffic?

    I've tried to setup an Access Restriction Rule:

    Screenshot

    However it's not working at all.


  • Related Answers
  • ssollinger

    One way to do this in an indirect way is by using OpenDNS.

    1. Set the DNS server in your router settings to the OpenDNS servers (208.67.222.222 and 208.67.220.220)
    2. Create an account on the OpenDNS web site (that's free), and follow the instructions on their web site how to configure it
    3. Then in your account settings choose a custom filtering level and select to block "P2P/File sharing". If you want you can block other categories, I'd definitely block "Phishing", and depending on your needs you can add specific sites as exceptions or to be blocked.

    It is an indirect way of achieving your goal and probably not what you were originally looking for, but it will work and has a number of additional advantages (e.g. blocking some other web sites you probably want to block).

  • geek

    Generally it's not possible. Any bittorrent client can be set up to use any port. Almost any bittorrent client can be set up to encrypt bittorrent traffic, this way it gets harder to detect it. You might still succeed with a default DENY policy, allowing only legit traffic (like HTTP and HTTPS - connections to ports 80,443), but that's another story.

  • Fryderyk

    The best way I could come up with until now is a combination of things:

    1. Use the OpenDNS DNS servers and use their p2p category to block access to p2p sites. In Tomato, tick the box "Intercept DNS port (UDP 53)" under Advanced > DHCP / DNS to prevent users from being able to use their own DNS servers.
    2. In Tomato, create an Access Restriction rule and set Port / Application to "TCP/UDP, IPP2P: All IPP2P Filters" (this will block unencrypted p2p traffic).
    3. In the HTTP Request field I entered some common bittorrent/emule keywords used in URLs. This prevents users from downloading .torrent files, connecting to trackers that commonly use addresses like tracker.xxx.com or domain.com/scrape, etc. My list at this moment:
       announce
       torrent
       tracker
       scrape
       peerates
       peerbooter
       gruk.org
       emule-security.net
       server.met
    4. In Tomato, under Administration > Scripts > Firewall I've added a couple of iptables rules to prevent any user from opening way too many connections. I've also blocked some commonly used bittorrent ports:
       # cap concurrent connections per LAN client: at most 50 TCP flows per source address
       iptables -I FORWARD -p tcp -s 192.168.1.0/24 -m connlimit --connlimit-above 50 -j DROP
       # same for everything that is not TCP (the "!" negation goes before -p), 25 per source address
       iptables -I FORWARD ! -p tcp -s 192.168.1.0/24 -m connlimit --connlimit-above 25 -j DROP

       # reject the default BitTorrent listening port range, TCP and UDP
       iptables -I FORWARD -p tcp --dport 6881:6999 -j REJECT
       iptables -I FORWARD -p udp --dport 6881:6999 -j REJECT
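
The iptables rules from Fryderyk's answer and the default-deny idea from geek's answer, gathered into one firewall script of the kind Tomato runs from Administration > Scripts > Firewall. This is an added example and not code posted by either answerer. It assumes things the thread does not state: the LAN bridge is br0, the LAN is 192.168.1.0/24 and the router's LAN address is 192.168.1.1; the DNAT rules in dns_intercept_rules are my assumption of what Tomato's "Intercept DNS port (UDP 53)" checkbox does by hand, and the function and variable names are mine. Run `sh p2p-firewall.sh dry-run` to print the rules, `sh p2p-firewall.sh apply` on the router to load them.

```sh
#!/bin/sh
# Added example, not code from any answer in the thread: the iptables rules
# discussed above gathered into the kind of script Tomato runs from
# Administration > Scripts > Firewall.
# Assumptions (the page does not state them): LAN bridge br0, LAN subnet
# 192.168.1.0/24, router LAN address 192.168.1.1.

LAN_IF=${LAN_IF:-br0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
ROUTER_IP=${ROUTER_IP:-192.168.1.1}
IPT=${IPT:-iptables}   # set IPT=print_rule to print rules instead of loading them

print_rule() { echo "$*"; }

# Force every client's DNS lookups to the router's own resolver (which forwards
# to OpenDNS), so pointing a PC at another resolver does not bypass the OpenDNS
# category block.  Assumed here to be the hand-written equivalent of Tomato's
# "Intercept DNS port (UDP 53)" checkbox; TCP 53 is included because large
# answers fall back to TCP.
dns_intercept_rules() {
  $IPT -t nat -I PREROUTING -i "$LAN_IF" -p udp --dport 53 -j DNAT --to-destination "$ROUTER_IP"
  $IPT -t nat -I PREROUTING -i "$LAN_IF" -p tcp --dport 53 -j DNAT --to-destination "$ROUTER_IP"
}

# Cap concurrent connections per LAN client.  connlimit counts per source
# address (/32 by default): at most 50 TCP or 25 non-TCP flows per host.
# Web browsing needs a handful; a busy torrent client opens dozens.
connlimit_rules() {
  $IPT -I FORWARD -p tcp -s "$LAN_NET" -m connlimit --connlimit-above 50 -j DROP
  $IPT -I FORWARD ! -p tcp -s "$LAN_NET" -m connlimit --connlimit-above 25 -j DROP
}

# Reject the default BitTorrent port range.  Catches only clients left on
# their defaults; any client can be told to listen on another port.
port_block_rules() {
  $IPT -I FORWARD -p tcp --dport 6881:6999 -j REJECT
  $IPT -I FORWARD -p udp --dport 6881:6999 -j REJECT
}

# Default-deny variant from geek's answer: drop LAN-to-WAN traffic unless it is
# part of an established flow or is HTTP/HTTPS.  The rules are inserted in
# reverse order so the chain finally reads ACCEPT 80/443, ACCEPT established,
# DROP the rest, all ahead of Tomato's own rules.  This ends the port-hopping
# game but breaks mail, SSH, games and VPNs until you add them, and a client
# moved to port 443 still passes.
default_deny_rules() {
  $IPT -I FORWARD -i "$LAN_IF" ! -o "$LAN_IF" -j DROP
  $IPT -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -I FORWARD -i "$LAN_IF" -p tcp -m multiport --dports 80,443 -j ACCEPT
}

apply_all() {
  dns_intercept_rules
  connlimit_rules
  port_block_rules
  # default_deny_rules   # enable only after listing every service you need
}

case "${1:-}" in
  apply)   apply_all ;;
  dry-run) IPT=print_rule; apply_all ;;
esac
```

The connection cap and port block are cheap and harmless to ordinary browsing; the default-deny function is the one that actually stops a client from simply choosing another port, which is why it is left out of apply_all until the allowed services have been listed. None of this inspects the HTTP Request keywords from step 3, which Tomato applies through its Access Restriction page rather than through rules you write by hand.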
  • 8088

    For blocking P2P, look into Tomato's Access Restriction. It will help you block applications by ports and you can even filter by data contained in the HTTP request. You can even block things like Active X and Java applets.

    [screenshot]

  • Rey

    A dedicated user can bypass any restrictions, but you can make it difficult. First, you can disable plug n play for port forwarding and only forward the ports you want through; however, if it was me and I was dedicated to getting through, I would just set my file sharing to use port 80 or 443 and this would just totally F you up. You cannot block those ports, and it would be even worse hell for everyone.

    Another way you can go is to allow plug n play, look in the log and see what ports they connect with, then set up QoS on those ports: allow them some bandwidth but set it to the lowest priority and highest for other traffic. That way, when someone uses the internet they get priority and the file sharer will have some file sharing, but not hog the bandwidth. They will be less motivated to bypass your restrictions. Also enable IPP2P and Layer7 for their sharing; this is QoS for sharing applications. Some people use this to block P2P, but it has some negatives as well, affecting regular traffic, and P2P has ways of getting around this as well.

    The problem with banning access is that if they encrypt their sharing, filtering has little effect. A user with a little knowledge can set up an encrypted vpn and there is no way to block it or limit it in any way. Once this happens no keyword banning, no filtering and no port blocking will work, no blocking keyword searches either. The traffic is all encrypted, secure and private. As an example of how effective this is, China has the most advanced and effective internet restrictions in the world set up by the government and people use vpns to get around them.

    Another fair way to go is to divide up the band width and only allow each user a set amount.

    This is a big issue for the big service providers as well.

    There is no perfect solution.

    Best luck with your network

  • Xavier Nodet

    As others explain, you will most probably not be able to prevent P2P traffic. But you can just forbid it, explaining to the users (1) why you want to ban P2P and that (2) you can monitor what's going on, and may lock down offenders (if e.g. each user has its own IP)...

    More generally, this seems to be the kind of problem that's better solved with education than technology...