Blocking p2p activity (aka torrents)

I host short-term rentals next door (on a guest wifi). About once a year I get a nastygram from my internet provider complaining that one of my guests has downloaded something via BitTorrent.

Aside from telling guests not to do that in the welcome instructions, what are my best options for blocking such things with firewalla?

So far, all I’ve done is 1) tell guests not to, 2) block outgoing connections to ports 6881-6889, and 3) (for superseding reasons) block all incoming connections other than to the wireguard vpn server.

From what I can tell, there’s no real way to completely torrent-proof my network, and I don’t really want to go to extreme lengths.

I know I could route all guest traffic over a VPN, but I’d really rather not enable such activity. I also don’t really have a problem with guests using their own VPNs for torrenting, unless maybe they start using huge amounts of bandwidth.

My main issue is I just don’t like getting yelled at by my ISP and threatened with being cut off.

Is there some way that p2p traffic can be detected and blocked more directly?

TIA!

This answer doesn’t solve the issue of your guests using P2P activity, but if the notices are really the biggest issue you could subscribe to a VPN and then route the whole guest network’s traffic over the VPN. Your ISP would only see it as VPN traffic. I’d use something other than your ISP’s DNS as well.

I do this at my house for my guest network as I don’t want notices if a guest is doing something naughty.

Have you tried creating a block rule for p2p sites? There is an option when you select block followed by matching category P2P sites. Won’t stop them using a VPN though.

Adding the block rule would be about all you could do. I see you are worried about extreme data usage. You will want to turn on notifications of large downloads or bandwidth usage. I don’t think that there is a way to limit data usage, but if you have a separate VLAN for your guest network you can limit bandwidth and have specific rules just for that network. Maybe @firewalla can speak on whether (or maybe in the future) device/network level data caps might work.

No! Thank you! I hadn’t noticed that option! I did it just now, seems like a perfect “close-enough” solution. I don’t mind if they use a VPN.

Does this stay working if they change ports? I don’t see blocking thepiratebay as a complete solution. Otherwise they’re going to be locking down all the ports and only allowing basically http/s…

The best way to keep the ISP out of what any of the users are doing is to just VPN all the traffic on that network.

Glad to have helped. Firewalla is an awesome product and community. Always finding solutions on this sub.

I don’t believe it’s port-based blocking. I think it’s a kind of target list, probably with tons of P2P site domains and their proxies (not 100% sure of that theory tho). So it should work so long as it’s not circumvented via VPN. I believe the OP doesn’t care if they do that. Sounds like he just doesn’t want to be responsible to his ISP for others’ use of P2P downloads while using his connection.

I don’t think blocking sites is enough though. Like if someone had saved torrent or magnet files, or had paused downloads on their computer, and restarted them. Resuming those transfers wouldn’t stop torrenting. A managed target list like you have in mind might limit the amount of available trackers if they’re included in the list.

But just like a blacklist file, it’s possible to still have a download from a peer that will trigger a violation. So you’d still find trackers and peers to download from. To me the only way that they can prevent the ISP from monitoring traffic and receiving violation emails is by using a VPN on the guest wifi.

That said, I VPN all my traffic because I’ve gotten torrenting notifications for downloading Linux distros.

Maybe r/firewalla can provide more info on what exactly is blocked and how they achieve that with the p2p category blocked.

Yeah, and not to mention there’s too many sites to account for. It’s also probably just some of the sites, and like you said, doesn’t account for the actual port and traffic blocking, which could be changed anyway.
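As an added illustration of the three approaches the thread compares (the OP’s 6881-6889 port rule, a domain-category list like Firewalla’s “P2P sites”, and a payload signature on the BitTorrent handshake), here is a small Python script that runs each rule over a handful of constructed flow records. It is not code from Firewalla or from any poster; the domain list, flow samples and rule names are all made up for the example.

```python
from dataclasses import dataclass

# Every plaintext BitTorrent peer connection opens with a 19-byte length
# prefix and the protocol name, regardless of the port it uses.
BT_HANDSHAKE = b"\x13BitTorrent protocol"
BLOCKED_PORTS = range(6881, 6890)   # the OP's outbound rule, 6881-6889
# Constructed stand-in for a "P2P sites" category; the real list is unknown.
P2P_DOMAINS = {"tracker.example", "torrent-site.example"}


@dataclass
class Flow:
    dst_port: int
    host: str       # hostname seen in DNS or TLS SNI, "" if none
    payload: bytes  # first bytes the client sent


def port_rule(f: Flow) -> bool:
    return f.dst_port in BLOCKED_PORTS


def domain_rule(f: Flow) -> bool:
    return f.host in P2P_DOMAINS


def signature_rule(f: Flow) -> bool:
    # Misses peers that enable protocol encryption, uTP over UDP, or a VPN.
    return f.payload.startswith(BT_HANDSHAKE)


# Constructed sample flows from one guest device (not captured traffic).
SAMPLE_FLOWS = [
    Flow(6881, "", BT_HANDSHAKE + b"\x00" * 8 + b"x" * 40),   # 0: peer, default port
    Flow(51413, "", BT_HANDSHAKE + b"\x00" * 8 + b"y" * 40),  # 1: peer, random port (resumed download)
    Flow(443, "tracker.example", b"\x16\x03\x01"),            # 2: TLS to a listed tracker site
    Flow(443, "www.example.org", b"\x16\x03\x01"),            # 3: ordinary HTTPS
    Flow(6881, "", b"GET / HTTP/1.1\r\n"),                    # 4: unrelated service on 6881
]


def detected_by(rule) -> list[int]:
    """Indices of SAMPLE_FLOWS that the given rule would block."""
    return [i for i, f in enumerate(SAMPLE_FLOWS) if rule(f)]


def report() -> dict[str, list[int]]:
    return {"port": detected_by(port_rule),
            "domain": detected_by(domain_rule),
            "payload": detected_by(signature_rule)}


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:8} blocks flows {hits}")
```

The port rule catches the default-port peer but also an unrelated service on 6881 and misses the random-port peer, while the domain list only sees the tracker lookup; the handshake signature catches both peer connections but nothing once traffic is encrypted or tunnelled, which is why the thread lands on a guest-network VPN as the only complete answer to ISP notices.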