Blocking P2P on wireless

pclark
New here

We have an IDS system that keeps detecting BitTorrent on our wireless network. The IP that comes across is an AP IP address. I look at the AP identified in the IDS log and don't see "BitTorrent" or P2P traffic from any clients, but we have a lot of clients and could be missing it.


I've added P2P networks to the application firewall for the APs, but I'm still getting notified of BitTorrent traffic on my wireless network.


Can anyone think of why my firewall rule may not be working correctly? 

PhilipDAth
Kind of a big deal

Are you NATing clients on the AP, or bridging them to a local VLAN? NATing will of course make them appear to come from the AP, whereas bridging means only the AP's own traffic will come from the AP (and you would probably be getting a false positive in this case).


You can create a layer 7 firewall rule for your WiFi.  Go:

Wireless/Firewall and Traffic Shaping/Add a layer 7 Firewall Rule

Add the category "Peer to Peer (P2P)" and select "All Peer-to-peer (P2P)".


pclark
New here

We are bridging the wireless clients. I have instituted a Layer 7 firewall rule, but that is why I'm asking, because it doesn't seem to be working.


I'm confused when you say I could be getting a false positive. Are you saying that the false positive is indeed BitTorrent traffic, but it's not really on my wireless LAN because of the way it's configured?

Thanks.

PhilipDAth
Kind of a big deal

If you are bridging, and you see BitTorrent coming from the AP's IP address, then it is highly probable that this is a false positive. The access point itself won't be using BitTorrent.


"False positive" is when an IDS system incorrectly describes the traffic. It means it says it is BitTorrent traffic when in fact it is not.

pclark
New here

I wouldn't think it's so much a false positive, but rather that there is a device behind/connected to the AP using BitTorrent, and because we are "bridging", my AP is what shows up on the IDS as the device using BitTorrent.


I need to understand why the Layer 7 rule isn't blocking the device using BitTorrent/P2P once the traffic hits the AP.

PhilipDAth
Kind of a big deal

If there is no BitTorrent traffic because it is a false positive, then the AP has nothing to block.


Have you any other systems to provide evidence that BitTorrent is being used?

pclark
New here

I don't have any other systems, but the IDS is able to give me the name of the song being downloaded over the BT client, so I'm pretty sure it's legit.


I guess I still don't see how an AP that is bridged is generating false positives that my IDS sees as outgoing Internet traffic. The AP is sending traffic, but because all the traffic of the clients is going through the AP, it makes sense to me that my IDS would identify the AP as the device with the BT client on it.

PhilipDAth
Kind of a big deal

It makes no sense that it is being reported as from the AP.


The user generates a packet using their MAC address and their IP address, which is then bridged to the local network. At no point is anything identifying the AP placed in the layer 2 frame or layer 3 packet.

DrDray
Meraki Employee

Hey! Can you verify that you don't have any SSIDs configured to use 'NAT Mode: Meraki DHCP' in the Wireless > Access Control page? If that AP is broadcasting a NAT Mode SSID, then it will NAT all of the traffic coming from the client's IP to its own IP address on the LAN.

This could explain why your IDS sees the AP's IP address. If that's not the case, Philip's mention of a false positive is possible, since the AP will not pass traffic (using its own IP) on behalf of the client unless the NAT Mode SSID is configured.
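The two explanations in this thread (Philip's point that a bridged AP puts nothing of its own into the client's frame, and DrDray's point that a NAT Mode SSID rewrites the client's source IP to the AP's LAN address) can be modelled in a few lines. The script below is an added illustration, not Meraki code and not taken from this thread: the `AccessPoint` class, `attribute_alert` function, MAC/IP addresses and the "song download" flow are all constructed. It shows what an IDS on the wired LAN would see in each mode, and how to read an alert whose source is the AP's own IP: behind NAT it points at a real client that the AP's translation state (in practice, the AP's client list) can name; on a bridged SSID it can only be the AP's own management traffic, which is why a P2P signature firing on it is suspect.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Minimal model of what an IDS on the wired LAN can see in a frame."""
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class AccessPoint:
    """Hypothetical AP model: forwards client packets either bridged or NATed."""
    mac: str
    lan_ip: str
    nat_mode: bool
    # Translation table, populated only in NAT mode; keyed by the flow's
    # destination (simplified: no port rewriting) and holding the real client.
    translations: dict = field(default_factory=dict)

    def forward(self, pkt: Packet) -> Packet:
        """Return the packet as it appears on the wired LAN after the AP."""
        if not self.nat_mode:
            # Bridge mode: the client's own MAC and IP go out unchanged, so an
            # IDS alert on this flow names the client, not the AP.
            return pkt
        # NAT mode: the AP substitutes its own LAN address and MAC, and keeps a
        # record so return traffic can be mapped back to the client.
        self.translations[(pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_mac)
        return Packet(self.mac, self.lan_ip, pkt.dst_ip, pkt.dst_port)


def attribute_alert(alert_src_ip: str, alert_dst: tuple, ap: AccessPoint) -> tuple:
    """Map the source IP an IDS reported back to the host it really points at.

    Returns (verdict, host). alert_dst is (dst_ip, dst_port) from the alert.
    """
    if alert_src_ip != ap.lan_ip:
        # The IDS already saw the real client address (bridged SSID).
        return ("client", alert_src_ip)
    if ap.nat_mode:
        # The AP's address stands in for some client; the translation state
        # (on a real AP, its client list / NAT table) tells you which one.
        client = ap.translations.get(alert_dst)
        if client is None:
            return ("nat-client-unknown", None)
        return ("client-behind-nat", client[0])
    # Bridge mode, yet the alert source is the AP's own address: only the AP's
    # management traffic carries that IP, so a P2P signature firing on it is
    # most likely a false positive of the IDS.
    return ("ap-itself-likely-false-positive", ap.lan_ip)


def demo() -> dict:
    """Constructed sample traffic (RFC 5737 / private addresses, not real hosts)."""
    peer = ("203.0.113.5", 6881)  # constructed remote BitTorrent peer
    # The same client behind a bridged SSID (LAN address) and a NAT-mode SSID
    # (private address handed out by the AP); both values are made up.
    bridged_client_pkt = Packet("02:00:00:aa:bb:cc", "192.168.10.23", *peer)
    nat_client_pkt = Packet("02:00:00:aa:bb:cc", "10.128.0.7", *peer)

    bridged_ap = AccessPoint("02:00:00:00:00:01", "192.168.10.2", nat_mode=False)
    nat_ap = AccessPoint("02:00:00:00:00:02", "192.168.10.3", nat_mode=True)

    seen_bridged = bridged_ap.forward(bridged_client_pkt)
    seen_nat = nat_ap.forward(nat_client_pkt)
    return {
        "bridged_src_on_lan": seen_bridged.src_ip,
        "nat_src_on_lan": seen_nat.src_ip,
        "bridged_alert": attribute_alert(seen_bridged.src_ip, peer, bridged_ap),
        "nat_alert": attribute_alert(seen_nat.src_ip, peer, nat_ap),
        # The thread's puzzle: a bridged AP whose own IP shows up in a P2P alert.
        "bridged_ap_ip_alert": attribute_alert(bridged_ap.lan_ip, peer, bridged_ap),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it prints the bridged flow with the client's own source address, the NAT-mode flow with the AP's address, and the three verdicts. The practical check this models is the one DrDray describes: confirm whether any SSID on the alerting AP is in NAT mode before deciding between "client behind NAT" and "IDS false positive", since a Layer 7 rule can only act on traffic that actually exists.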