Meraki

Community

Blocking P2P on wireless

pclark
New here
‎Oct 12 2017 7:38 AM
‎Oct 12 2017 7:38 AM

Blocking P2P on wireless

We have an IDS system that keeps detecting BitTorrent on our wireless network.  The IP that comes across is an AP IP address.  I look at the AP identified on the IDS log and don't see "BitTorrent" or P2P traffic from any clients but we have a lot of clients and could be missing it. 

 

I've added P2P networks to the Application firewall for the AP's but I'm still getting notified of BitTorrent traffic on my wireless network. 

 

Can anyone think of why my firewall rule may not be working correctly? 

0 Kudos
8 Replies 8
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 12 2017 11:32 AM
‎Oct 12 2017 11:32 AM

Are you NATing clients on the AP, or bridging them to a local VLAN?  NATing will of course make them appear to come from the AP, from bridging means only the APs traffic itself will come from the AP (and you would probably be getting a false positive in this case).

 

You can create a layer 7 firewall rule for your WiFi.  Go:

Wireless/Firewall and Traffic Shaping/Add a layer 7 Firewall Rule

Add the category "Peer to Peer (P2P)" and select "All Peer-to-peer (P2P)".

 

Screenshot from 2017-10-13 07-32-08.png

In response to PhilipDAth
pclark
New here
‎Oct 12 2017 12:00 PM
‎Oct 12 2017 12:00 PM

We are bridging the wireless clients.  I have instituted a Layer 7 firewall rule but that is why I'm asking because it doesn't seem to be working.

 

I'm confused when you say I could be getting a false positive? Are you saying that the false positive is indeed BitTorrent traffic but it's not really on my wireless LAN because of the way it's configured?  

 

                    Thanks.

0 Kudos
In response to pclark
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 12 2017 12:02 PM
‎Oct 12 2017 12:02 PM

If you are bridging, and you are see Bittorrent coming from the AP's IP address - then it is highly probable that this is a false positive.  The access point itself wont be using Bit Torrent.

 

"False positive" is when an IDS system incorrectly describes the traffic.  It means it says it is Bit Torrent traffic when in fact it is not.

0 Kudos
In response to PhilipDAth
pclark
New here
‎Oct 12 2017 12:07 PM
‎Oct 12 2017 12:07 PM

I wouldn't think it's not so much a false positive but rather there is a device behind/connected to the AP using bit torrent but because we are "bridging" my AP is what shows up on the IDS as the device using BitTorrent. 

 

I need to understand why the Layer 7 rules isn't blocking the device using BitTorrent/P2P once the traffic hits the AP.

0 Kudos
In response to pclark
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 12 2017 12:10 PM
‎Oct 12 2017 12:10 PM

If there is no Bit Torrent traffic because it is a false positive, then the AP has nothing to block.

 

Have you any other systems to provide evidence that Bit Torrent is being used?

0 Kudos
In response to PhilipDAth
pclark
New here
‎Oct 12 2017 12:15 PM
‎Oct 12 2017 12:15 PM

I don't have any other systems but the IDS is able to give me the name of the song being downloaded over the BT client so I'm pretty sure it's legit.

 

I guess I still don't see how an AP that is bridged is generating false positives that my IDS sees as outgoing Internet traffic.    The AP is sending traffic but because all the traffic of the clients is going through the AP it makes sense that my IDS would Identify the AP as the device with the BT client on it from my way of thinking.

 

 

0 Kudos
In response to pclark
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 12 2017 12:17 PM
‎Oct 12 2017 12:17 PM

It makes no sense that it is being reported as from the AP.

 

The user generates a packet using their MAC address and their IP address which is then bridged to the local network.  At no point is anything identifying the AP placed in the layer 2 frame or layer 3 packet.

0 Kudos
In response to pclark
DrDray
Meraki Employee
Meraki Employee
‎Oct 12 2017 12:37 PM
‎Oct 12 2017 12:37 PM

Hey! Can you verify that you don't have any SSIDs configured to use 'NAT Mode: Meraki DHCP' in the Wireless > Access Control page? If that AP is broadcasting a NAT Mode SSID, then it will NAT all of the traffic coming from the client's IP to its own IP address on the LAN.

This could explain why your IDS sees the APs IP address. If that's not the case, Philip's mention of a false positive is possible, since the AP will not pass traffic (using its own IP) on behalf of the client unless the NAT Mode SSID is configured.
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.