Netgate Discussion Forum
    Skype not working properly

    20 Posts 6 Posters 11.2k Views
    abarakat:

      Thanks for your help

      I've already read the article, and I'm still stuck.

      I would like to hear more about option 2 suggested by Kejianshi. I've also read on the net about using Layer 7 to resolve this, does anyone know anything about this.

      gogol:

        @abarakat:

            Thanks for the update.

            Kejianshi,
            Option 1: Won't work since I have Skype on several computers, not only one, so forwarding with NAT to one IP won't work.
            Option 2: I enabled UPnP as mentioned, but no change happened. Am I doing something wrong? Any recommendation in this area would help.

        Option 1 does work when you have static address mappings in DHCP.
        Option 2: Why restrict access and then enable UPnP?

        abarakat:

          Thanks Steve

          I believe the problem is in the outgoing ports, and especially port 443.

          abarakat:

            Gogol,

            I have static address mapping by MAC in DHCP. The issue is that assigning port forwards for around 50 users is a big hassle, and maintaining them is even worse.

            Still, I believe the problem is with outgoing, not incoming.

            As I said, once I allowed 443 outgoing, everything worked perfectly.

            doktornotor (Banned):

              Please, seriously rethink the entire setup from scratch. As you have noted, it is:

              • an extreme PITA to maintain
              • an extreme PITA to use

              Then you resort to completely absurd "solutions" such as having an overly restrictive setup and digging huge holes into it by enabling UPnP. Eh…

              kejianshi:

                OK - my solution does work.
                Slow down and take a deep breath….
                I advise not blocking 443 and 80, in general. That's just breaking the web, not filtering it.
                For every Skype you want to allow, and want to work well, forward a port to each one separately with a NAT rule.
                I assume this won't be more than a few? Give each Skype client a different port.
                On a network with UPnP enabled, Skype does EXACTLY this NATing automagically.
                If you want, and it makes you happy, you can NAT forward individually in the 40000 - 40050 range. 1 port per Skype user. +80 +443.
                (Remember, no NAT rules for 80 and 443 though - just no blocking.)
                Or, since security isn't your main goal, you could just activate UPnP and forget about manual port forwards. Skype will do it for you.

                What doktornotor lacks in subtlety, he makes up for with solid advice. He is correct. You should unblock EVERYTHING.
                Just delete all your blocking rules on the LANs.
                I could walk you through setting up LIMITERS, but I bet either doktornotor or stephen10 have more experience with them. Not sure.
                LIMITERS will control how much bandwidth users get and can be used to shut down offenders if needed.

                http://doc.pfsense.org/index.php/Traffic_Shaping_Guide                    <<<<<< be sure to read.
                And to get a quick flavor for it:
                http://skear.hubpages.com/hub/How-to-Configure-Deep-Packet-Inspection-Using-pfSense
                http://www.youtube.com/watch?v=Usi195rK35I

                abarakat:
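The per-client port forward approach from the post above (one port in the 40000 - 40050 range per Skype client, no forwards for 80 and 443), worked through as an added example that is not code from the thread or from pfSense: a Python script that assigns a port to each host in a static DHCP mapping table and emits the equivalent pf rules. The mapping table is constructed, and the WAN interface name `em0` and the LAN subnet are assumptions. pfSense stores its NAT rules in config.xml through the web GUI, so the pf.conf-style output shows what each forward means rather than being something to paste into pfSense verbatim.

```python
"""Assign one inbound port per Skype client and render the matching pf rules.

Added example for the thread; it is not code from pfSense or from any poster.
The static DHCP table below is constructed, and the WAN interface name and
LAN subnet are assumptions. pfSense keeps NAT rules in config.xml (edited
through the web GUI), so the pf.conf-style lines emitted here show what each
forward means rather than being something to paste into pfSense verbatim.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Set, Tuple

# Constructed sample of "static address mapping with MAC in DHCP".
STATIC_MAPPINGS = """\
# hostname   mac                ip
pc-alice     00:11:22:33:44:01  192.168.1.11
pc-bob       00:11:22:33:44:02  192.168.1.12
pc-carol     00:11:22:33:44:03  192.168.1.13
"""

LAN_NET = IPv4Network("192.168.1.0/24")   # assumption: LAN subnet
WAN_IF = "em0"                            # assumption: WAN interface
PORT_BASE, PORT_MAX = 40000, 40050        # range suggested in the thread
# 80 and 443 get no rdr rule: they only need to be left unblocked outbound.


@dataclass(frozen=True)
class Forward:
    host: str
    ip: IPv4Address
    port: int

    def pf_rules(self) -> List[str]:
        """The NAT redirect plus the firewall pass rule that admits it."""
        return [
            f"rdr on {WAN_IF} proto {{ tcp udp }} from any to ({WAN_IF}) "
            f"port {self.port} -> {self.ip} port {self.port}",
            f"pass in quick on {WAN_IF} proto {{ tcp udp }} from any "
            f"to {self.ip} port {self.port} keep state  # skype {self.host}",
        ]


def parse_mappings(text: str) -> List[Tuple[str, IPv4Address]]:
    """Read 'hostname mac ip' lines, ignoring comments and blank lines."""
    hosts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, _mac, ip = line.split()
        addr = IPv4Address(ip)
        if addr not in LAN_NET:
            raise ValueError(f"{host}: {addr} is outside {LAN_NET}")
        hosts.append((host, addr))
    return hosts


def assign_forwards(mappings: List[Tuple[str, IPv4Address]]) -> List[Forward]:
    """One port per client, counting up from PORT_BASE; refuse collisions.

    Each client's Skype must be set to use the same incoming port, otherwise
    the forward points at a port nothing listens on.
    """
    seen: Set[IPv4Address] = set()
    forwards = []
    for index, (host, ip) in enumerate(mappings):
        port = PORT_BASE + index
        if port > PORT_MAX:
            raise ValueError(f"more clients than ports in {PORT_BASE}-{PORT_MAX}")
        if ip in seen:
            raise ValueError(f"{ip} listed twice; two forwards to one host collide")
        seen.add(ip)
        forwards.append(Forward(host, ip, port))
    return forwards


def render(forwards: List[Forward]) -> str:
    """All rdr and pass rules, one per line, in pf.conf syntax."""
    return "\n".join(rule for fwd in forwards for rule in fwd.pf_rules())


if __name__ == "__main__":
    print(render(assign_forwards(parse_mappings(STATIC_MAPPINGS))))
```

Regenerating the rules from the DHCP table is what keeps 50 forwards maintainable: a host is added or removed in one place, and the script refuses to hand two forwards to one address or to run past the chosen port range.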

                  Ok Guys, I'm taking one step back. Let's put Skype on the side for a minute.

                  If I'm going to un-block (open) port 443 (HTTPS), I need help with the following:

                  1. How to block certain websites like Facebook, YouTube, and porn, especially when such sites can be accessed using HTTPS, like https://www.facebook.com.
                  2. How to prevent users from accessing proxy applications like Ultrasurf and Hotspot, or any proxy server on the web.

                  I read the Traffic shaping documents, and actually I'm using it to limit the speed of users who download more than 200MB per day.

                  From what I see, Traffic Shaping manages the network speed, but it doesn't manage websites.

                  Any recommendations regarding the first 2 points would be appreciated.

                  kejianshi:

                    Well - Now you are talking.

                    1.  You can use dansguardian to block lots of stuff. (It's very configurable.)
                    2.  You can augment that by using the free DNS filter service provided by companies like DynDNS, OpenDNS and others + dansguardian.
                    This will catch HTTPS abusers.

                    Still, use traffic shaping (LIMITERS), because options 1 and 2 will only work with the honest people or people whose computers you have locked down admin privileges on (because of Ultrasurf). Doesn't sound like you have any people like that there  :o  (that's normal)

                    abarakat:

                      ;D I agree, very few honest people.

                      As for option one, I already have Squid and SquidGuard installed, which should do the same work as dansguardian, but this still blocks HTTP web flow, not HTTPS.
                      Can you explain more about option 2? I didn't get it. I already have a free dynamic account with DynDNS, but how can I use it to filter HTTPS?

                      Don't get mad or upset, but until now I don't have a solution for managing which sites can be accessed over HTTPS; limiting the speed is not like preventing people from accessing certain sites.

                      kejianshi:

                        Well - Like I said, the effectiveness of this will also depend on you getting things like "ultrasurf" off your network.

                        I did have a little conversation with some very smart people on that subject here:

                        http://forum.pfsense.org/index.php/topic,64432.msg349171.html#msg349171

                        Pay special attention to one post by phil.davis and how he handles port 53 with this solution.
                        Basically, from the LAN you want to allow access to port 53 only on your pfSense box and on the DNS servers at DynDNS.

                        You can set up your DynDNS filters at https://account.dyn.com/labs/dyn-internet-guide/              (log in to DynDNS first)
                        Then click defense plan or default defense. Modify it to block whatever you need blocked in the office.
                        You will also need to set up your dynamic DNS service in pfSense so that DynDNS always knows your network's IP.
                        Then follow the instructions I gave in the thread above.

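The port 53 lockdown described in the post above (from the LAN, DNS is allowed only to the pfSense box and to the DynDNS resolvers, so a client cannot sidestep the filter by pointing at some other DNS server), modelled as an added example that is not pfSense's code or the rules from the linked thread. The LAN interface `em1`, the LAN subnet, the resolver placeholder addresses in 203.0.113.0/24 (substitute the addresses Dyn gives your account) and the sample flows are all constructed; rules are evaluated first-match, the way pf "quick" rules are, with a default deny if nothing matches.

```python
"""Model the LAN-side DNS lockdown: from the LAN, port 53 is reachable only on
pfSense itself and on the Dyn filtering resolvers, every other port-53
destination is blocked, and everything else (80, 443, ...) is left alone.

Added example, not pfSense's code or the rules from the linked thread; the
LAN addresses, the resolver placeholders (203.0.113.x) and the sample flows
are constructed. Rules are evaluated first-match like pf "quick" rules, with
a default deny if nothing matches.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

LAN_IF = "em1"                                   # assumption: LAN interface
LAN_NET = ip_network("192.168.1.0/24")           # assumption: LAN subnet
PFSENSE_LAN = ip_address("192.168.1.1")          # pfSense's own resolver
# Placeholders: substitute the resolver addresses Dyn gives your account.
DYN_RESOLVERS = (ip_address("203.0.113.53"), ip_address("203.0.113.54"))


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    dsts: Optional[tuple]          # permitted destinations, None = any
    dport: Optional[int]           # None = any port
    note: str

    def matches(self, flow: Flow) -> bool:
        if flow.proto not in ("tcp", "udp"):
            return False
        if ip_address(flow.src) not in LAN_NET:
            return False                      # every rule is "from LAN"
        if self.dsts is not None and ip_address(flow.dst) not in self.dsts:
            return False
        return self.dport is None or self.dport == flow.dport

    def pf(self) -> str:
        """The same rule in pf.conf syntax, for comparison with the GUI rule."""
        dst = "any" if self.dsts is None else "{ " + ", ".join(map(str, self.dsts)) + " }"
        port = "" if self.dport is None else f" port {self.dport}"
        return (f"{self.action} in quick on {LAN_IF} proto {{ tcp udp }} "
                f"from {LAN_NET} to {dst}{port}  # {self.note}")


# Order matters: the block must sit after the two narrow passes and before
# the catch-all pass, otherwise the catch-all admits DNS to anywhere.
RULES = (
    Rule("pass", (PFSENSE_LAN,), 53, "DNS to pfSense's resolver"),
    Rule("pass", DYN_RESOLVERS, 53, "DNS straight to the Dyn filter"),
    Rule("block", None, 53, "any other DNS server, e.g. a hard-coded 8.8.8.8"),
    Rule("pass", None, None, "everything else; never block 80 and 443"),
)


def decide(flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; nothing matching means block."""
    for rule in RULES:
        if rule.matches(flow):
            return rule.action, rule.note
    return "block", "no rule matched (default deny)"


def pf_rules() -> List[str]:
    return [rule.pf() for rule in RULES]


# Constructed sample flows; the last one shows what this policy does not catch.
SAMPLE_FLOWS = (
    Flow("udp", "192.168.1.23", "192.168.1.1", 53),     # pass
    Flow("udp", "192.168.1.23", "8.8.8.8", 53),         # block
    Flow("tcp", "192.168.1.23", "203.0.113.53", 53),    # pass
    Flow("tcp", "192.168.1.23", "198.51.100.7", 443),   # pass
    Flow("tcp", "192.168.1.23", "198.51.100.7", 853),   # pass: DNS over TLS slips through
)

if __name__ == "__main__":
    print("\n".join(pf_rules()))
    for flow in SAMPLE_FLOWS:
        print(flow, "->", decide(flow))
```

The ordering check is the part worth keeping in mind when the rules are entered in the pfSense GUI: the LAN rules are processed top to bottom, so the port 53 block has to sit above the general "allow LAN to any" rule. The last sample flow is the caveat the thread itself raises: locking down port 53 only forces ordinary resolvers through the filter; a client that tunnels DNS inside TLS, or a proxy like Ultrasurf riding on 443, is not caught, which is why the advice is to pair this with limiters and with removing admin rights on the workstations.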
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.