
Blocking P2P on wireless

New here

Blocking P2P on wireless

We have an IDS system that keeps detecting BitTorrent on our wireless network.  The IP that comes across is an AP IP address.  I look at the AP identified on the IDS log and don't see "BitTorrent" or P2P traffic from any clients but we have a lot of clients and could be missing it. 

 

I've added P2P networks to the Application firewall for the APs, but I'm still getting notified of BitTorrent traffic on my wireless network.

 

Can anyone think of why my firewall rule may not be working correctly? 

8 REPLIES
Head in the Cloud

Re: Blocking P2P on wireless

Are you NATing clients on the AP, or bridging them to a local VLAN?  NATing will of course make them appear to come from the AP, but bridging means only the AP's own traffic will come from the AP (and you would probably be getting a false positive in this case).

 

You can create a layer 7 firewall rule for your WiFi.  Go:

Wireless/Firewall and Traffic Shaping/Add a layer 7 Firewall Rule

Add the category "Peer to Peer (P2P)" and select "All Peer-to-peer (P2P)".

 

Screenshot from 2017-10-13 07-32-08.png

New here

Re: Blocking P2P on wireless

We are bridging the wireless clients.  I have instituted a Layer 7 firewall rule, but that is why I'm asking: it doesn't seem to be working.

 

I'm confused when you say I could be getting a false positive? Are you saying that the false positive is indeed BitTorrent traffic but it's not really on my wireless LAN because of the way it's configured?  

 

Thanks.

Head in the Cloud

Re: Blocking P2P on wireless

If you are bridging, and you see BitTorrent coming from the AP's IP address, then it is highly probable that this is a false positive.  The access point itself won't be using BitTorrent.

 

"False positive" is when an IDS system incorrectly describes the traffic.  It means it says it is BitTorrent traffic when in fact it is not.

New here

Re: Blocking P2P on wireless

I would think it's not so much a false positive but rather that there is a device behind/connected to the AP using BitTorrent, but because we are "bridging", my AP is what shows up on the IDS as the device using BitTorrent.

 

I need to understand why the Layer 7 rule isn't blocking the device using BitTorrent/P2P once the traffic hits the AP.

Head in the Cloud

Re: Blocking P2P on wireless

If there is no BitTorrent traffic because it is a false positive, then the AP has nothing to block.

 

Have you any other systems to provide evidence that BitTorrent is being used?

New here

Re: Blocking P2P on wireless

I don't have any other systems but the IDS is able to give me the name of the song being downloaded over the BT client so I'm pretty sure it's legit.

 

I guess I still don't see how an AP that is bridged is generating false positives that my IDS sees as outgoing Internet traffic.  The AP is sending traffic, but because all the traffic of the clients is going through the AP, it makes sense to me that my IDS would identify the AP as the device with the BT client on it.

 

 

Head in the Cloud

Re: Blocking P2P on wireless

It makes no sense that it is being reported as from the AP.

 

The user generates a packet using their MAC address and their IP address which is then bridged to the local network.  At no point is anything identifying the AP placed in the layer 2 frame or layer 3 packet.

Meraki Employee

Re: Blocking P2P on wireless

Hey! Can you verify that you don't have any SSIDs configured to use 'NAT Mode: Meraki DHCP' in the Wireless > Access Control page? If that AP is broadcasting a NAT Mode SSID, then it will NAT all of the traffic coming from the client's IP to its own IP address on the LAN.

This could explain why your IDS sees the AP's IP address. If that's not the case, Philip's mention of a false positive is possible, since the AP will not pass traffic (using its own IP) on behalf of the client unless the NAT Mode SSID is configured.
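The last two replies give a defender a concrete triage rule: if the alert's source IP belongs to an AP, either a NAT Mode SSID is hiding the real client behind the AP's LAN address, or (if every SSID is bridged) the alert is probably a false positive; if the source is a client IP, the client is bridged and the Layer 7 rule should be applied to it. The script below, added here as an example and not code from the thread or from Meraki, models what a LAN-side IDS sees for each SSID mode and then sorts constructed IDS alert lines into those three buckets. The AP inventory, SSID names, alert line format and IP addresses are all made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed AP inventory: LAN IP -> AP name (hypothetical values).
AP_INVENTORY = {"10.0.1.10": "AP-Lobby", "10.0.1.11": "AP-Floor2"}

# Constructed SSID configuration: SSID -> client IP assignment mode, using the
# two mode names the thread mentions.
SSIDS_MIXED = {"Guest": "NAT Mode: Meraki DHCP", "Corp": "Bridge mode"}
SSIDS_ALL_BRIDGED = {"Guest": "Bridge mode", "Corp": "Bridge mode"}

# Constructed IDS alert lines in a hypothetical "key=value" format.
SAMPLE_ALERTS = """\
2017-10-13T07:32:08 src=10.0.1.10 dst=203.0.113.5 sig=P2P BitTorrent announce
2017-10-13T07:33:41 src=10.0.5.23 dst=198.51.100.9 sig=P2P BitTorrent DHT ping
2017-10-13T07:35:02 src=10.0.1.11 dst=192.0.2.77 sig=P2P BitTorrent announce
"""

ALERT_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) sig=(?P<sig>.+)$")


@dataclass
class Alert:
    ts: str
    src_ip: str
    dst_ip: str
    signature: str


def parse_alert(line: str) -> Alert:
    """Parse one alert line of the constructed format into an Alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    return Alert(m["ts"], m["src"], m["dst"], m["sig"])


def is_nat_mode(ssid_mode: str) -> bool:
    return ssid_mode.startswith("NAT Mode")


def source_as_seen_by_ids(client_ip: str, ap_lan_ip: str, ssid_mode: str) -> str:
    """Source IP a LAN-side IDS sees for a wireless client's packet.

    NAT Mode: the AP rewrites the source to its own LAN address.
    Bridge mode: the client's own IP is bridged onto the VLAN unchanged.
    """
    return ap_lan_ip if is_nat_mode(ssid_mode) else client_ip


def triage(alert: Alert, ap_inventory: dict, ssids: dict) -> tuple:
    """Classify an alert as (category, note) using the thread's reasoning."""
    if alert.src_ip in ap_inventory:
        ap = ap_inventory[alert.src_ip]
        nat_ssids = sorted(n for n, mode in ssids.items() if is_nat_mode(mode))
        if nat_ssids:
            return ("nat-mode-client",
                    f"source is {ap}; NAT Mode SSID(s) {nat_ssids} hide the real "
                    f"client, so look up that AP's client list at {alert.ts}")
        return ("likely-false-positive",
                f"source is {ap} but every SSID is bridged; the AP itself does not "
                f"originate BitTorrent, so verify the signature before acting")
    return ("bridged-client",
            f"source {alert.src_ip} is a client address; the wireless Layer 7 "
            f"rule should apply to this client directly")


def triage_all(alert_text: str, ap_inventory: dict, ssids: dict) -> list:
    """Triage every non-empty line; returns [(ts, src_ip, category), ...]."""
    results = []
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        category, _ = triage(alert, ap_inventory, ssids)
        results.append((alert.ts, alert.src_ip, category))
    return results


if __name__ == "__main__":
    for ssids in (SSIDS_MIXED, SSIDS_ALL_BRIDGED):
        print(f"SSID config: {ssids}")
        for line in SAMPLE_ALERTS.splitlines():
            cat, note = triage(parse_alert(line), AP_INVENTORY, ssids)
            print(f"  {cat:22} {note}")
```

Run the same alerts against the two SSID configurations and the AP-sourced alerts flip from "nat-mode-client" to "likely-false-positive", which is exactly the check the Meraki reply asks for: confirm whether any SSID is in NAT Mode before deciding whether the AP's IP in the alert points at a hidden client or at a signature misfire.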