#1

Amateur though I am, I've become the default manager for internet access in our large home. The hardware consists of a cable modem and an older model WRT54G with updated firmware. All but my own PC (which is connected via the local ethernet port on the router) are using wireless. This has worked quite well until the two college-age folks in the house started getting heavy into P2P (Limewire and Shareaza). This has had a noticeable performance impact on net access, and I'd like to try to improve things.

I am not in a position to prohibit these kids from using P2P, and polite efforts to get them to limit the number of connections, and to postpone heavy transfers to off-hours, have not worked for very long. I understand that various port blocking rules within the router are largely ineffective because the P2P clients use port-hopping, and can even use port 80 if nothing else works. I was wondering if a more sophisticated hardware solution might help us.

My first understanding is that the limited CPU power and RAM in an inexpensive router get overwhelmed by such a large number of connections. Would more robust hardware (NAT router) be likely to help? If yes, any specific suggestions?

From what I gather, true hardware firewall appliances allow the use of rules that can limit the number of connections and the bandwidth allotted to each client IP address. This, to me, seems very attractive (although more expensive) and I was wondering if interposing a firewall between the cable modem and the router (or discarding the modem and using the firewall with an access point) would achieve the desired end. Any specific suggestions?

Mike S.
#2

In article <emeqm7$oj3$(E-Mail Removed)>, on Thu, 21 Dec 2006 20:26:47 +0000 (UTC), Mike S. wrote:

> Amateur though I am, I've become the default manager for internet access
> in our large home. The hardware consists of a cable modem and older model
> WRT54G with updated firmware.
[snip]
> From what I gather, true hardware firewall appliances allow the use of
> rules that can limit the number of connections and the bandwidth allotted
> to each client IP address. This, to me, seems very attractive (although
> more expensive) and I was wondering if interposing a firewall between the
> cable modem and the router (or discarding the modem and using the firewall
> with an access point) would achieve the desired end. Any specific
> suggestions?

Since you have a WRT54G, the first thing I would try (assuming you've ruled out beatings and electro-shock) is to flash the *free* DD-WRT third-party firmware onto your WRT54G. DD-WRT has a slew of Quality of Service settings, including the ability to limit bandwidth by MAC address, which sounds right up your alley.

The main DD-WRT wiki page is at:
http://www.dd-wrt.com/wiki/index.php/Main_Page

The QoS settings are described here:
http://www.dd-wrt.com/wiki/index.php/QoS

and you can download DD-WRT from:
http://www.dd-wrt.com/dd-wrtv2/downloads.php

I use DD-WRT myself, and recommend it highly. And, you can't beat the price!

Good luck!

--
Seth Goodman
#3

In article <(E-Mail Removed)>, Seth Goodman <(E-Mail Removed)> wrote:

> In article <emeqm7$oj3$(E-Mail Removed)>, on Thu, 21 Dec 2006
> 20:26:47 +0000 (UTC), Mike S. wrote:
>
>> Amateur though I am, I've become the default manager for internet access
>> in our large home. The hardware consists of a cable modem and older model
>> WRT54G with updated firmware.
> [snip]
>> From what I gather, true hardware firewall appliances allow the use of
>> rules that can limit the number of connections and the bandwidth allotted
>> to each client IP address. This, to me, seems very attractive (although
>> more expensive) and I was wondering if interposing a firewall between the
>> cable modem and the router (or discarding the modem and using the firewall
>> with an access point) would achieve the desired end. Any specific
>> suggestions?

[woops ... I meant discarding the ROUTER]

> Since you have a WRT54G, the first thing I would try (assuming you've
> ruled out beatings and electro-shock), is to flash the *free* DD-WRT
> third party firmware onto your WRT54G. DD-WRT has a slew of Quality of
> Service settings, including the ability to limit bandwidth by MAC
> address, which sounds right up your alley.
>
> The main DD-WRT wiki page is at:
> http://www.dd-wrt.com/wiki/index.php/Main_Page
>
> The QoS settings are described here:
> http://www.dd-wrt.com/wiki/index.php/QoS
>
> and you can download DD-WRT from:
> http://www.dd-wrt.com/dd-wrtv2/downloads.php

Thanks. The WRT54G does have some QoS facility in the recent firmware, but DD-WRT seems to be more comprehensive. Since everything is on DHCP right now, I suppose the priorities for the two problem users could be assigned based on MAC address, as the IPs are always changing.

Is the DD-WRT flash a one-way deal - i.e. is it possible to go back to the Linksys factory F/W afterward?
#4

In article <emeuig$1n5$(E-Mail Removed)>, on Thu, 21 Dec 2006 21:33:04 +0000 (UTC), Mike S. wrote:

> Is the DD-WRT flash a one-way deal - i.e. is it possible to go back to
> Linksys factory F/W afterward?

You can revert at any time - just flash with the stock firmware from the Linksys site.

--
Seth Goodman
#5

On Thu, 21 Dec 2006 20:26:47 +0000 (UTC), (E-Mail Removed) (Mike S.) wrote:

> Amateur though I am, I've become the default manager for internet access
> in our large home.

You have my sympathy.

> The hardware consists of a cable modem and older model
> WRT54G with updated firmware. All but my own PC (which connected via the
> local ethernet port on the router) are using wireless. This has worked
> quite well until the two college-age folks in the house started getting
> heavy into P2P (Limewire and Shareaza). This has had a noticeable performance
> impact on net access, and I'd like to try to improve things.

Noticeable? I suspect your network comes to a complete stop when they're serving out stolen music and movies.

> I am not in a position to prohibit these kids from using P2P, and polite
> efforts to get them to limit the number of connections, and to postpone
> heavy transfers to off-hours has not worked for very long.

Are you in a position to send them an invoice proportional to their usage? Instead of interposing a bandwidth manager, it might be better to simply charge them for their over-use. If you switch to alternative firmware for your WRT54G such as DD-WRT:
<http://www.dd-wrt.com>
it will add SNMP as a feature. You can then use any of an assortment of SNMP-based traffic monitoring and measuring tools such as MRTG or, preferably, RRDTool:
<http://oss.oetiker.ch/rrdtool/>
Just set up pre-assigned DHCP IP addresses for all the equipment. Then just monitor the traffic for the month by IP address, calculate the proportional usage, and send them a giant bill. Be sure to amortize the cost of the added equipment and your time playing policeman. My guess(tm) is that it will probably equal the cost of them getting their own DSL or cable service.

> I understand
> that various port blocking rules within the router are largely ineffective
> because the P2P clients use port-hopping, and can even use port 80 if
> nothing else works. I was wondering if a more sophisticated hardware solution
> might help us.

Generally true. However, if you can identify the specific computers that are consistently doing the downloading, you can also apply QoS (Quality of Service) limits to those IPs, regardless of how many IP ports they open. QoS options for DD-WRT:
<http://www.informatione.gmxhome.de/DDWRT/Standard/V23final/QoS.html>
Of course, if they change their MAC address, or introduce a new computer, such QoS by IP address or MAC address is useless.

> My first understanding is that the limited CPU power and RAM in an
> inexpensive router get overwhelmed by such a large number of connections.
> Would a more robust hardware (NAT router) be likely to help? If yes, any
> specific suggestions?

That's just one problem. Most file sharing software opens a huge number of ports and buffers. The result is that they also allocate a huge number of buffers in the router. If the router firmware hasn't been tested for such unusual operation, it might crash. The best way to prevent this is to tweak the file sharing client to limit the number of simultaneous connections, and the number of streams.

The other major problem is that file sharing tends to saturate your uplink. Your cable modem may have 6 Mbits/sec or more of incoming bandwidth, but if the 384k or 512 kbits/sec of uplink bandwidth is saturated, incoming bandwidth will appear useless because the outgoing ACKs and responses will probably be lost or delayed by the constipated uplink.

> From what I gather, true hardware firewall appliances allow the use of
> rules that can limit the number of connections and the bandwidth allotted
> to each client IP address. This, to me, seems very attractive (although
> more expensive) and I was wondering if interposing a firewall between the
> cable modem and the router (or discarding the modem and using the firewall
> with an access point) would achieve the desired end. Any specific
> suggestions?

If you like spending money, there are several dedicated bandwidth managers on the market. All will require a dedicated PC to run the software:
<http://www.softperfect.com/products/bandwidth/>
<http://www.etinc.com/index.php?page=bwmgr.htm>
<http://info.iet.unipi.it/~luigi/ip_dummynet/>
<http://www.bandwidthcontroller.com/>
(Lots more. Search Google for "bandwidth manager".)

Otherwise, you already have a router that can do QoS. I suggest that you:
1. Replace the WRT54G firmware with DD-WRT v23 SP2.
2. Set up fixed MAC to IP address DHCP mapping in the WRT54G.
3. Implement QoS by IP address or MAC address.
4. Set up monitoring so you can document abuse and bill accordingly.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 (E-Mail Removed)
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS
#6

On Thu, 21 Dec 2006 21:53:05 GMT, in alt.internet.wireless, Jeff Liebermann <(E-Mail Removed)> wrote:

> Of course, if they change their MAC address, or introduce a new
> computer, such QoS by IP address or MAC address is useless.

This is one of the few places where MAC-address based permissioning on the router is useful.

--
Mark McIntyre
#7

On Thu, 21 Dec 2006 22:19:08 +0000, Mark McIntyre <(E-Mail Removed)> wrote:

> On Thu, 21 Dec 2006 21:53:05 GMT, in alt.internet.wireless , Jeff
> Liebermann <(E-Mail Removed)> wrote:
>
>> Of course, if they change their MAC address, or introduce a new
>> computer, such QoS by IP address or MAC address is useless.
>
> This is one of the few places where MAC-address based permissioning on
> the router is useful.

Yep. However, it's easy enough for a user to change their MAC address, making this a rather awkward method of monitoring. I've recently been installing arpwatch into DD-WRT to detect any "unusual" new users:
<http://www.dd-wrt.com/wiki/index.php/Using_ipkg_to_install_OpenWRT_packages>
<http://www.dd-wrt.com/wiki/index.php/Quick_list_of_Optware_packages>
<http://www.dd-wrt.com/wiki/index.php/Ipkg>
Make sure to first enable JFFS2 support on the Admin -> Management page. It won't stop the users from changing their MAC address, but it will detect them when they try.

Argh.... "ipkg update" doesn't seem to be working for me today. Now, what did I do wrong this time? Oh, no flash space. It's full.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 (E-Mail Removed)
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS
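The fixed MAC-to-IP DHCP mapping from step 2 of the list in #5, checked the way arpwatch checks it as described in #7, as an added example that is not code from the thread, from DD-WRT or from arpwatch; the reservation table and the ARP sightings are constructed sample data, and `audit` and `summary` are names chosen here:

```python
# Added example (not from the thread, DD-WRT or arpwatch): an arpwatch-style
# audit of ARP sightings against the fixed MAC->IP DHCP reservations that
# step 2 of the recipe in #5 sets up. All addresses are constructed samples.

# Step 2: fixed MAC -> IP reservations on the router (constructed values).
RESERVATIONS = {
    "00:00:5e:00:53:01": "192.168.1.10",  # house PC on the ethernet port
    "00:00:5e:00:53:02": "192.168.1.21",  # student laptop A
    "00:00:5e:00:53:03": "192.168.1.22",  # student laptop B
}

# Constructed ARP sightings as (timestamp, mac, ip), the data arpwatch sees.
SIGHTINGS = [
    ("2006-12-21 20:30", "00:00:5e:00:53:01", "192.168.1.10"),
    ("2006-12-21 20:31", "00:00:5e:00:53:02", "192.168.1.21"),
    ("2006-12-21 21:05", "00:00:5e:00:53:ff", "192.168.1.23"),  # unknown adapter
    ("2006-12-21 21:40", "00:00:5e:00:53:03", "192.168.1.21"),  # B on A's IP
    ("2006-12-21 22:10", "00:00:5e:00:53:02", "192.168.1.21"),  # A is back
]


def audit(sightings, reservations):
    """Return (timestamp, kind, mac, ip) findings, in sighting order.

    new_station: MAC with no reservation (new machine, or a changed MAC)
    ip_mismatch: reserved MAC seen on an IP other than its own
    flip_flop:   an IP changed MAC owner since it was last seen (arpwatch's
                 "flip flop"), which is what a borrowed MAC or IP looks like
    """
    findings = []
    last_mac_for_ip = {}
    for ts, mac, ip in sightings:
        if mac not in reservations:
            findings.append((ts, "new_station", mac, ip))
        elif reservations[mac] != ip:
            findings.append((ts, "ip_mismatch", mac, ip))
        prev = last_mac_for_ip.get(ip)
        if prev is not None and prev != mac:
            findings.append((ts, "flip_flop", mac, ip))
        last_mac_for_ip[ip] = mac
    return findings


def summary(findings):
    """Count findings per kind, for the monthly review of who did what."""
    counts = {}
    for _, kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```

On the sample data `audit(SIGHTINGS, RESERVATIONS)` reports one unknown station, one reserved MAC on the wrong IP, and two flip-flops on 192.168.1.21; the per-IP QoS rule from step 3 would have been silently applied to the wrong machine during that window.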
#8

Obviously a large home to you is quite different than a large home to me. I can't use a wireless router; my main house is too big.

"Mike S." wrote:

> Amateur though I am, I've become the default manager for internet access
> in our large home. The hardware consists of a cable modem and older model
> WRT54G with updated firmware. All but my own PC (which connected via the
> local ethernet port on the router) are using wireless. This has worked
> quite well until the two college-age folks in the house started getting
> heavy into P2P (Limewire and Shareaza). This has had a noticeable performance
> impact on net access, and I'd like to try to improve things.
>
> I am not in a position to prohibit these kids from using P2P, and polite
> efforts to get them to limit the number of connections, and to postpone
> heavy transfers to off-hours has not worked for very long. I understand
> that various port blocking rules within the router are largely ineffective
> because the P2P clients use port-hopping, and can even use port 80 if
> nothing else works. I was wondering if a more sophisticated hardware solution
> might help us.
>
> My first understanding is that the limited CPU power and RAM in an
> inexpensive router get overwhelmed by such a large number of connections.
> Would a more robust hardware (NAT router) be likely to help? If yes, any
> specific suggestions?
>
> From what I gather, true hardware firewall appliances allow the use of
> rules that can limit the number of connections and the bandwidth allotted
> to each client IP address. This, to me, seems very attractive (although
> more expensive) and I was wondering if interposing a firewall between the
> cable modem and the router (or discarding the modem and using the firewall
> with an access point) would achieve the desired end. Any specific
> suggestions?
#9

Mark McIntyre <(E-Mail Removed)> wrote:

> On Thu, 21 Dec 2006 21:53:05 GMT, in alt.internet.wireless , Jeff
> Liebermann <(E-Mail Removed)> wrote:
>
>> Of course, if they change their MAC address, or introduce a new
>> computer, such QoS by IP address or MAC address is useless.
>
> This is one of the few places where MAC-address based permissioning on
> the router is useful.

If they are smart enough, they can find out what MAC addresses other users' equipment has and "borrow" one of these.
#10

Jeff Liebermann <(E-Mail Removed)> wrote:

> Be sure to amortize the cost of the added equipment and your time playing
> policeman.

And he might also ask them to sign an agreement indemnifying him and the other residents of the house for any fines, settlements, legal fees, or other expenses incurred in case the RIAA et al. should come knocking at the door.