How can I restrict bittorrent bandwidth on a home network?
November 8, 2010 12:01 AM Subscribe
What is the best way to do this?
I am open to buying networking components, running a linux gateway, etc. Pretty much anything within reasonable cost limits for a home network (e.g. not 5000$). I have some iptables experience but last time I tried IPP2P, the results were not so good.
I do not control the end-user's computers and have exhausted the socially acceptable "hey would you mind using less bandwidth" options.
A useful term for your googling would be "Quality of Service" or QoS - if you can log into your router, this is the way to shape traffic for different types of thing (it's really useful for voice over IP stuff as well). Here is an article I found on the topic. I have extremely limited experience doing this sort of thing, but if you're up for changing the firmware on your router and all that malarkey, memail me with any questions and I can ask my more experienced partner.
posted by teraspawn at 1:06 AM on November 8, 2010
There is no best way, and what do you mean by home network, and why wouldn't you have control over the end clients? Bittorrent is a hard thing to control at the edges: it can be configured to use random port ranges, and it can be configured to encrypt traffic to prevent packet inspection.
On a simple home network, disabling UPnP IGD on the firewall will help a bit (if it's even on and working in the first place) by disallowing clients to configure inbound port forwarding on the firewall. That doesn't really help with the downloading part. You can try QoS and limit most bandwidth but allow certain known things to pass easily (HTTP/SSH/FTP/etc). But that way you'll also find that you eventually end up with problems with things like Skype or some of the media services that are now using bittorrent-like protocols for their streaming purposes.
We do 'whack-a-mole' where I work: logging netflow information from the routers and doing analysis on the data to find high bandwidth, servers, large numbers of inbound/outbound connections to non-standard ports, DMCA notices, etc. Then we turn them off and send them to student council for policy violation. :P
Basically you're left with limiting everything and making exceptions for known, or just blocking everything and punching holes for allowed. There's nothing I've tested that is a magic torrent bullet, everything has been some form of QoS plus connection statistics.
posted by zengargoyle at 2:11 AM on November 8, 2010 [1 favorite]
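An added example of the flow-analysis half of that approach, not zengargoyle's code and not anything from this thread: a small awk pass over per-flow records that flags a LAN host talking to many distinct remote addresses on non-well-known ports while moving a lot of bytes, which is what a swarm looks like from the router even when the payload is encrypted and the port is random. The record layout (src dst proto sport dport bytes), the 192.168.1.x LAN prefix, the two thresholds and the sample flows are all constructed for the example; a real nfdump or flow-tools export would need a one-line reformat into that layout first.

```shell
#!/bin/sh
# Added example, not from the thread: flag LAN hosts whose traffic looks like a
# BitTorrent swarm (many distinct remote peers on non-well-known ports, lots of
# bytes), in the spirit of zengargoyle's netflow "whack-a-mole".
# Record layout is constructed for this example, one flow per line:
#   src_ip dst_ip proto src_port dst_port bytes
# (convert a real nfdump/flow-tools export into that shape before piping it in)

LAN_PREFIX=${LAN_PREFIX:-192.168.1.}   # assumed home LAN
MIN_PEERS=${MIN_PEERS:-20}             # distinct remote addresses before it looks like a swarm
MIN_MBYTES=${MIN_MBYTES:-50}           # and at least this much traffic in MB (thresholds are guesses)

# Constructed sample flows: .10 talks to 30 peers on high ports in both
# directions, .11 is a browser (ports 80/443), .12 is one SSH session.
sample_flows() {
    i=1
    while [ "$i" -le 30 ]; do
        echo "192.168.1.10 10.$i.$i.$i 6 51413 $((20000 + i * 37)) $((3000000 + i * 1000))"
        echo "10.$i.$i.$i 192.168.1.10 6 $((20000 + i * 37)) 51413 $((1500000 + i))"
        i=$((i + 1))
    done
    echo "192.168.1.11 198.51.100.34 6 49211 443 120000"
    echo "198.51.100.34 192.168.1.11 6 443 49211 9800000"
    echo "192.168.1.11 198.51.100.35 6 49212 80 8000"
    echo "192.168.1.12 203.0.113.7 6 49300 22 400000"
    echo "203.0.113.7 192.168.1.12 6 22 49300 600000"
}

# Reads flows on stdin, prints one line per LAN host:
#   <host> peers=<n> mbytes=<x.y> SUSPECT|ok
flag_heavy_hosts() {
    awk -v lan="$LAN_PREFIX" -v min_peers="$MIN_PEERS" -v min_mb="$MIN_MBYTES" '
    {
        src = $1; dst = $2; sport = $4; dport = $5; bytes = $6
        # work out which end is ours; the other end is the peer
        if (index(src, lan) == 1)      { host = src; peer = dst; rport = dport }
        else if (index(dst, lan) == 1) { host = dst; peer = src; rport = sport }
        else next                      # neither end on the LAN: ignore
        bytes_total[host] += bytes
        # count each distinct peer once, and only when the remote port is not a
        # well-known service port, so web/mail/ssh traffic never trips this
        if (rport >= 1024 && !((host, peer) in seen)) {
            seen[host, peer] = 1
            peers[host]++
        }
    }
    END {
        for (h in bytes_total) {
            mb = bytes_total[h] / 1048576
            verdict = (peers[h] >= min_peers && mb >= min_mb) ? "SUSPECT" : "ok"
            printf "%s peers=%d mbytes=%.1f %s\n", h, peers[h], mb, verdict
        }
    }' | sort
}

# Usage: sh flows.sh --demo, or source this file and pipe your own records
# (in the layout above) into flag_heavy_hosts.
if [ "${1:-}" = "--demo" ]; then
    sample_flows | flag_heavy_hosts
fi
```

The peer count is the useful signal here, not the byte count on its own: a roommate streaming video moves a lot of bytes to one or two addresses on 443, while a torrent client fans out to dozens of addresses on ports above 1024. Both thresholds want tuning against a quiet day on your own network before you trust a SUSPECT line.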
You need a router with custom firmware between you and the internet.
Look at DDWRT, Tomato, or OpenWRT
Are you asking because your connection is slow, due to all the torrent traffic, or are you asking because you only get xGB/month and are running out of your monthly data allocation?
posted by defcom1 at 3:30 AM on November 8, 2010
Limit access to the router by changing the password, and putting it in a secure location. Get some bandwidth metering for any user who wants it. Lots of free sites on the web measure bandwidth, and/or surely there is some decent freeware to install if you prefer. Whenever other users have low bandwidth, log into the router, and kick off the user who's using the most by blocking their MAC address for 10 minutes.
In the US, the owner of the wired/wifi router has been held liable for copyright violations, having to pay large fines or face a costly court battle.
posted by theora55 at 4:07 AM on November 8, 2010
Trying to rate-limit Bittorent specifically is going to be a pain, because modern torrent clients are designed to evade it. If it's possible for you to simply limit bandwidth based on the end-user's MAC -- i.e. to apply a per-computer restriction rather than an application restriction, that would simplify your problem a lot, and most cable/wireless routers these days offer some sort of rudimentary QoS at that level.
posted by tyllwin at 6:39 AM on November 8, 2010
Response by poster: what do you mean by home network, and why wouldn't you have control over the end clients
Home network means "me and my roommates", "not having control" means "roommates who don't understand that they negatively affect others by having uncapped BT traffic" and/or "roommates who choose to ignore the stern 'you're fucking up my internets' talk I give them" for whatever reason.
Are you asking because your connection is slow, due to all the torrent traffic, or...
I'm asking because my SSH and quake3 are slow. Data allocation isn't a problem.
Limit access to the router by changing the password
These are legitimate users who don't understand the network implications of their actions.
If it's possible for you to simply limit bandwidth based on the end-user's MAC
This sounds good, what would work well for this?
posted by beerbajay at 6:50 AM on November 8, 2010
Have a look at pfSense, which can be installed either on an old PC with a couple of network cards, or ready to run on cheap hardware. It's really the next step up from re-flashing a home-router with DD or Tomato as mentioned elsewhere. Extensive help is available in the forums.
posted by dirm at 6:57 AM on November 8, 2010
FreeBSD + Dummynet is your friend here. Pay special attention to the second example, "...for each host," which tells you how to restrict your friends to bandwidth limits. You can even configure it for proportions, so that people will have full bandwidth if nobody else is using the network, and it reduces to everybody only ever getting 1/n of the bandwidth.
Get a cheap-ass (or tiny & silent) Intel box, throw FBSD on there and follow the directions. Apparently it's a loadable module now rather than having to recompile the kernel (which is not a huge deal but makes my contribution here shorter), so you should be able to get up and running with the instructions just on that page.
posted by rhizome at 9:17 AM on November 8, 2010
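As an added example (not rhizome's, and not copied from the FreeBSD documentation page he points at): an ipfw/dummynet setup that uses a queue mask so every LAN host gets its own queue and the pipe is shared by weight among the hosts that are busy right now, which is the 1/n behaviour described above. Interface names, the LAN prefix and the link rates are assumptions; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not rhizome's and not from the FreeBSD handbook page: ipfw +
# dummynet with a per-host queue mask, so the pipe is shared by weight among
# the hosts that are busy right now (one host alone gets it all, k busy hosts
# get 1/k each). Interface names, LAN prefix and rates are assumptions;
# needs root, DRY_RUN=1 prints the commands instead of running them.

WAN=${WAN:-em0}; LAN=${LAN:-em1}; LANNET=${LANNET:-192.168.1.0/24}
UP=${UP:-900Kbit/s}; DOWN=${DOWN:-9Mbit/s}    # a little under the real link speeds

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

setup_dummynet() {
    # dummynet is a loadable module now; ipfw itself may need `kldload ipfw`
    # first, and loaded that way its default rule is deny, so do this from the console
    run kldload dummynet
    run ipfw -q flush
    run ipfw -q pipe flush
    # one pipe per direction at (a little under) the real link speed
    run ipfw pipe 1 config bw "$DOWN"
    run ipfw pipe 2 config bw "$UP"
    # a mask makes dummynet create one queue per distinct LAN address on the fly;
    # WF2Q+ then shares the pipe among the queues that have packets, by weight
    run ipfw queue 1 config pipe 1 weight 10 mask dst-ip 0xffffffff
    run ipfw queue 2 config pipe 2 weight 10 mask src-ip 0xffffffff
    # a heavier queue on the upload pipe for interactive SSH so it is not
    # starved by uploads (weights are 1..100; the same trick works on pipe 1)
    run ipfw queue 3 config pipe 2 weight 90
    run ipfw add 100 queue 1 ip from any to "$LANNET" out via "$LAN"
    run ipfw add 150 queue 3 tcp from "$LANNET" to any 22 out via "$WAN"
    run ipfw add 200 queue 2 ip from "$LANNET" to any out via "$WAN"
    # with net.inet.ip.fw.one_pass=1 (the default) a queued packet is accepted
    # after dummynet; with 0 it re-enters at the next rule and needs this allow
    run ipfw add 65000 allow ip from any to any
}

if [ "${1:-}" = "--apply" ] || [ "${DRY_RUN:-0}" = 1 ]; then setup_dummynet; fi
```

The mask is the whole trick: without it, queue 1 is a single queue and every host competes inside it; with `mask dst-ip 0xffffffff`, dummynet keys a separate queue on each destination address and the scheduler splits the pipe between whichever of those queues are non-empty. Rule 150 sits in front of rule 200 so SSH from the LAN lands in the weight-90 queue before the catch-all upload rule sees it.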
Tomato loaded up on my old WRT54G has a built-in option that prioritizes traffic. Torrent traffic is below regular web traffic. Since I've installed and turned that feature on, I barely can tell when my torrent is running when I browse.
posted by edman at 9:36 AM on November 8, 2010
I think your easiest solution is to get a router that has reflashable firmware (WRT54GL is what I use, although it's b/g only; if you want something a little newer, maybe a Netgear WNDR3700? It seems to be a favorite) and then load OpenWRT or similar onto it. That will let you set up QoS.
There are many ways to do QoS. Easiest is just to set bandwidth per IP or per MAC address and then let people decide how they want to spend their allocation. In some ways I think this is the "fairest" way of doing it. You just divide out your downstream and break it up so that everybody has a hard cap. Of course it's not very efficient... there's no sense in limiting bandwidth to a particular user when there's no contention.
So then you get into more subtle methods, like having the router guess at the protocol (typically based on ports but also sometimes based on packet headers) and prioritize things that way. In theory, you can give services that require low latency but low bandwidth (SSH, gaming) priority over high-bandwidth latency-tolerant protocols like P2P.
But that falls apart if your users get aggressive/greedy, and start doing things to fool the QoS like enabling encryption in their client, randomizing ports, etc. (Many P2P clients enable these by default, since they're done to get around ISP QoS...)
So I'd suggest doing some combination; set up service-based QoS but then also do IP or MAC address QoS with a suitably high maximum to keep a single user from ever chewing up more than 80% or so of either the upstream or downstream.
But the big thing to keep in mind here is that you're unlikely to get a "fire and forget" solution, at least not one that's going to work on the first try. It's going to be a process, not something you can just install and forget about. There are lots of recommendations around for default settings, but you'll probably want to customize things based on your and your roommates' usage patterns, and as those patterns change you'll want to tweak the rules.
posted by Kadin2048 at 10:05 AM on November 8, 2010
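An added example that puts together the per-MAC limit tyllwin suggested and the combination Kadin2048 describes (a low-latency lane for SSH/DNS/game traffic plus a per-host ceiling of 80% of the link). This is not code from this thread, Tomato or OpenWRT; it is a plain iproute2/iptables script for a Linux gateway with two NICs. Hosts are recognized by MAC address on the first packet they send and the connection is stamped with that host's mark (CONNMARK), so the download direction is classified by the same host without static IPs. Interface names, link rates, the three MAC addresses and the Quake 3 UDP port 27960 are assumptions; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from this thread, Tomato or OpenWRT: a Linux gateway
# that gives SSH/DNS/game traffic a low-latency lane and caps every host's bulk
# traffic at 80% of the link, classifying hosts by MAC address. Needs root,
# iproute2 (tc) and iptables; DRY_RUN=1 prints the commands instead.
# Interfaces, rates, MACs and the game port are assumptions for the example.

WAN=${WAN:-eth0}              # toward the modem
LAN=${LAN:-eth1}              # toward the roommates
UP_KBIT=${UP_KBIT:-900}       # a little under the real uplink so the queue builds here, not in the modem
DOWN_KBIT=${DOWN_KBIT:-9000}  # same for the downlink
HOST_CEIL_PCT=80              # no single host above 80% of either direction
GAME_PORT=27960               # assumed default Quake 3 server port (UDP)

# "<mark> <mac>" per line; the mark doubles as the host's class number
HOSTS='1 00:11:22:33:44:01
2 00:11:22:33:44:02
3 00:11:22:33:44:03'

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }
pct() { echo $(( $1 * $2 / 100 )); }   # pct <kbit> <percent>

# Stamp each connection with the mark of the LAN host behind it. Only packets
# arriving from the LAN carry a source MAC, so the mark is learned on the first
# outbound packet and restored onto every later packet in both directions.
build_marks() {
    run iptables -t mangle -F PREROUTING          # blunt: assumes this chain is ours
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    printf '%s\n' "$HOSTS" | while read -r mark mac; do
        run iptables -t mangle -A PREROUTING -i "$LAN" -m mac --mac-source "$mac" \
            -m connmark --mark 0 -j MARK --set-mark "$mark"
    done
    run iptables -t mangle -A PREROUTING -i "$LAN" -m mark ! --mark 0 -j CONNMARK --save-mark
}

# One HTB tree per direction. tc reads class ids and `default` as hex, so the
# per-host classes are 1:101, 1:102, ... and unmarked traffic lands in 1:99.
build_tree() {  # build_tree <iface> <link_kbit>
    iface=$1; link=$2
    n=$(printf '%s\n' "$HOSTS" | wc -l)
    ceil=$(pct "$link" "$HOST_CEIL_PCT")
    run tc qdisc del dev "$iface" root 2>/dev/null
    run tc qdisc add dev "$iface" root handle 1: htb default 99
    run tc class add dev "$iface" parent 1: classid 1:1 htb rate "${link}kbit"
    # low-latency lane: 20% guaranteed, may borrow the whole link, served first
    run tc class add dev "$iface" parent 1:1 classid 1:10 htb \
        rate "$(pct "$link" 20)kbit" ceil "${link}kbit" prio 0
    run tc qdisc add dev "$iface" parent 1:10 handle 10: sfq perturb 10
    # unmarked traffic (e.g. a peer-initiated inbound connection before the
    # host has answered): small guarantee, lowest priority, same ceiling
    run tc class add dev "$iface" parent 1:1 classid 1:99 htb \
        rate "$(pct "$link" 5)kbit" ceil "${ceil}kbit" prio 3
    run tc qdisc add dev "$iface" parent 1:99 handle 99: sfq perturb 10
    # per host: an equal share of 75% when everyone is busy, up to the ceiling when not
    share=$(( $(pct "$link" 75) / n ))
    printf '%s\n' "$HOSTS" | while read -r mark mac; do
        cls="1:$((100 + mark))"
        run tc class add dev "$iface" parent 1:1 classid "$cls" htb \
            rate "${share}kbit" ceil "${ceil}kbit" prio 2
        run tc qdisc add dev "$iface" parent "$cls" handle "$((100 + mark)):" sfq perturb 10
        run tc filter add dev "$iface" parent 1: protocol ip prio 20 handle "$mark" fw flowid "$cls"
    done
    # checked before the fw filters (lower prio number wins): SSH both ways, DNS, game port both ways
    for sel in "match ip dport 22 0xffff" "match ip sport 22 0xffff" \
               "match ip protocol 17 0xff match ip dport 53 0xffff" \
               "match ip protocol 17 0xff match ip dport $GAME_PORT 0xffff" \
               "match ip protocol 17 0xff match ip sport $GAME_PORT 0xffff"; do
        run tc filter add dev "$iface" parent 1: protocol ip prio 10 u32 $sel flowid 1:10
    done
}

apply_all() {
    build_marks
    build_tree "$WAN" "$UP_KBIT"     # upload is shaped as it leaves toward the modem
    build_tree "$LAN" "$DOWN_KBIT"   # download is shaped as it leaves toward the LAN
}
if [ "${1:-}" = "--apply" ] || [ "${DRY_RUN:-0}" = 1 ]; then apply_all; fi
```

Two things to know before trusting it. Download shaping only works because the rates are set below what the modem actually delivers: the queue then forms on the gateway's LAN-side interface, TCP senders back off, and a torrent client that stays within its host's ceiling cannot starve the 1:10 lane. And the MAC is an identity claim, not authentication, as holloway notes further down: a roommate who changes their MAC to a neighbour's lands in that neighbour's class, and one who picks a MAC not in the list lands in 1:99, which is capped and lowest priority rather than unlimited, so the failure mode is at least the right way round.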
I also have a WRT54GL router running Tomato. I use the built in QoS to set torrent traffic to be the worst priority.
It's probably my configuration, but it doesn't entirely work. HTTP traffic works perfectly while torrenting, so browsing / youtube, etc, is all fine. However, I still need to turn off the torrents to play games. I have the QoS set to prioritize Xbox Live and WoW, but it doesn't seem to work quite right, and I wish I knew why.
posted by utsutsu at 10:15 AM on November 8, 2010
If it's possible for you to simply limit bandwidth based on the end-user's MAC
This sounds good, what would work well for this?
I'd first off see if your existing router will do this -- have you looked at what it has for QoS?
Then I'd try to find a reflashable router like an old WRT54* and run something like DDWRT, Tomato, or OpenWRT, as defcom1 and kadin2048 suggested. That, I think, is your best solution. But finding a reflashable one can be a bit of a pain. The newer linksys ones don't allow it.
There are certainly routers meant for open-source packages you can buy, and that, I'd guess, is the second best.
If that isn't workable for you, rhizome's solution is the "nuke it from orbit" approach.
posted by tyllwin at 11:56 AM on November 8, 2010
More like set-it-and-forget-it. Can the WRT-oriented solutions handle DHCP or do people have to have static IPs (that can be changed) and the QoS hardset on those, or MACs, which can also be changed? There's a difference between running buckets for an office or household and having a device that only prioritizes one's own traffic.
posted by rhizome at 3:11 PM on November 8, 2010
"Nuke it from orbit" was just meant as "a final and certain solution."
posted by tyllwin at 4:08 PM on November 8, 2010
There's no authentication involved though, so it's possible to set a static IP and attempt to bypass the restriction. It kind of depends on whether they're actively trying to subvert your network, or if they just need some help because they forget.
If they do just need some help then a communal web-based torrent frontend might be best.
posted by holloway at 12:41 AM on November 8, 2010