Laptop and Wireless Tomato Router
-
So, an ethernet cable from the modem to the ethernet port of the pfSense tablet, then anoher ethernet cable from the modem to one of the LAN ports of the Tomato router?
No. Modem => pfSense => WiFi. Considering you probably have exactly one LAN port on your laptop and none of that equipment you mentioned probably supports VLANs, you have a problem… ::)
The Tomato router does support vlans. I saw a few youtube videos of people setting laptops as pfSense wireless routers and that's why I wanted to try this.. so you're saying I won't be able to accomplish this?
Well, I want the Tomato router to be the wireless router, but pfsense to take care of DHCP.
-
Before I continue on this setup, I would like to ask this…
Right now as I have mentioned, I am using a linksys e2000 with Tomato on it and have setup some firewall rules with iptables and for the most part it works great, BUT......
The issue I am having is that, if any machine that connects to my network has "Avast Secure DNS" enabled, they can bypass ANY settings I have on the router including ANY firewall settings, because they are using AVAST DNS.. I even have "intercept port 53 attacks" enabled, but still, that machine completely bypasses my router.
Will the same happen with pfSense?
-
I have no idea what's "intercept port 53 attacks".
https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers
https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense -
I have no idea what's "intercept port 53 attacks".
https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers
https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSenseit's a feature in tomato that does not allow for users to use any other DNS other than the one set on the router.
"Intercept DNS port (UDP 53) (Default: off): When enabled, anything going out to UDP port 53 is redirected to Dnsmasq. This prevents bypassing parental controls. It may be helpful when used with OpenDNS for parental control."
-
Its not really helpful to redirect if you ask me, a better setup is BLOCK and user doesn't get dns unless they use the dns is allowed for that network.. Not a big fan on any sort of interception and or redirection of traffic. The traffic is either allowed or its not is better plan if you ask me.
If you block upd and tcp 53 outbound then they have no choice to ask the valid dns server for your network, unless they are doing some sort of tunnel of dns query over some other port. If so what is that port and dest they are going to, just block it, etc.
-
Its not really helpful to redirect if you ask me, a better setup is BLOCK and user doesn't get dns unless they use the dns is allowed for that network.. Not a big fan on any sort of interception and or redirection of traffic. The traffic is either allowed or its not is better plan if you ask me.
If you block upd and tcp 53 outbound then they have no choice to ask the valid dns server for your network, unless they are doing some sort of tunnel of dns query over some other port. If so what is that port and dest they are going to, just block it, etc.
That's exactly the issue I am having.. that setting to block port 53 is supposed to force users to use the DNS set on the router…but Avast Secure DNS is bypassing the DNS on the router and provides them with their own DNS and they can visit ANY website they want. I have been told that the only way to stop that is to block Avast DNS IPs, but Avast will not provide those for security purposes which is understandable... they use port 53/443 but without ALL the DNS IPs, blocking those ports is useless... and I have already tried that.. does not work.
-
So redirect does work? Or are they using some VPN? Or are they using dnscrypt? Tried blocking 443/UDP?
They have their own forums, better discuss there.
-
So redirect does work? Or are they using some VPN?
redirect does not work at all. All you have to do is click enable on the Avast secure dns feature and that's it..they are free to go anywhere…very frustrating. Avast won't help..the folks at Tomato have no clue and OpenDns says Avast Dns is doing what it's supposed to be doing and there's nothing i can do.. all they say is to disable the feature, not realizing that Avast Secure DNS is part of the clients/users machines which I do not have any control of.. that's why I need to find a way to be able to block Avast DNS or ANY other DNS service provider from doing this.
I was just asking because I thought since PfSense if a much better firewall than what Tomato can do, I though I was going to be able to stop this madness, but if I will be in the same boat, then I won't even go through the hassle of installing and setting up pfSense at all.
-
As said - have you tried blocking outbound connection to 443/UDP?
-
-
Well, if they use 53/443 and you block all outbound connection to that, then it will be blocked, end of story. Seems like either they are using something else, or you are doing it wrong.)
-
Well, if they use 53/443 and you block all outbound connection to that, then it will be blocked, end of story. Seems like either they are using something else, or you are doing it wrong.)
They might be using other ports, but that's what the Avast rep said they use.. but like you say, they might be using other ones.. There's just got to be a way to completely force ALL users connected to my network to use the DNS I provide, no other, no matter which port they use.
-
Clearly they use dnscrypt-proxy. You can block 443 both TCP and UDP and see how it goes. (And say bye to HTTPS :P) Alternatively, set up a wildcard DNS override for ff.avast.com - https://forum.pfsense.org/index.php?topic=43835.0
-
Clearly they use dnscrypt-proxy. You can block 443 both TCP and UDP and see how it goes. (And say bye to HTTPS :P) Alternatively, set up a wildcard DNS override for ff.avast.com - https://forum.pfsense.org/index.php?topic=43835.0
yeah, I've seen that page too.. I will try again see what happens..
to make sure I have the iptable right.. would you by any chance know the iptable to block it? -
Uhm…
https://forum.avast.com/index.php?topic=163116.0
https://support.opendns.com/entries/57943894-Avast-2015-Security-Suite-Secure-DNS-and-OpenDNSOther than that - I installed the crap on a VM. Unless you block outgoing traffic to 443, this is a waste of time. It never queries regular DNS for anything. It intercepts DNS and sends out dnscrypt-ed queries via 443 to Avast, gets a list of suitable DNS servers and uses those for DNS via dnscrypt-proxy. Not to mention that you actually have been offered to be provided with the list of servers by Avast staff…
Starting the same topic on yet another forum won't get you any different answers. Please, avoid wasting other people's time. If you linked the above right in the OP, I'd save an hour of my time wasted for no good reason whatsoever.
:(
-
Uhm…
https://forum.avast.com/index.php?topic=163116.0
https://support.opendns.com/entries/57943894-Avast-2015-Security-Suite-Secure-DNS-and-OpenDNSOther than that - I installed the crap on a VM. Unless you block outgoing traffic to 443, this is a waste of time. It never queries regular DNS for anything. It intercepts DNS and sends out dnscrypt-ed queries via 443 to Avast DNS servers.
Starting the same topic on yet another forum won't get you any different answers. Please, avoid wasting other people's time. If you linked the above right in the OP, I'd save an hour of my time wasted for no good reason whatsoever.
huh? what do you mean? - I am trying to resolve an issue I am dealing with.. I thought the purpose for the forums is to ask questions. As you can see, I tried opendns first because that's the DNS I am using.. they were no help, so I went straight to the source which is Avast.. what's wrong with that?
Not sure why so are telling me to not waste anybody's time when you can clearly see they offered no solutions to the issue.. in fact, opendns just suggests to disable the feature, which does not help me at all.
I'm still confused by your reply.
-
And actually, the guys from Avast was the one who told me by private msg that they cannot provide the DNS IPs.. he was no help either.
-
Dude, I have been pretty clear on what I mean. You have wasted my time which I spent investigating how the thing works. If you linked your own threads here, I of course would not bother reinventing the wheel!!! I'd frankly rather have a couple of beers in local pub.
Go block outgoing traffic to port 443 TCP/UDP if you need such level of control. End of story.
:( >:( >:(
-
Dude, I have been pretty clear on what I mean. You have wasted my time which I spent investigating how the thing works. If you linked your own threads here, I of course would not bother reinventing the wheel!!! I'd frankly rather have a couple of beers in local pub.
Go block outgoing 443 TCP/UDP if you need such level of control. End of story.
:( >:( >:(
well fine then.. I said I was going to try to do that again..read previous posts back.. no need to be jerk about it.
and you're getting upset because I posted my issue on a couple of forums?….really?I thought this was a friendly forum.. just keep in mind NOT ALL OF US ARE PROS LIKE YOU.. some of us are just simpletons trying to figure things out.
but anyway.. thanks for your help.. I guess.
-
and you're getting upset because I posted my issue on a couple of forums?….really?
No, I'm being upset because you did not bother listing the information here, you did not even bother with listing the real goal in your OP, instead asking about some totally unrelated router-on-a-stick and VLANs stuff. People here provide advise in their free time for free. Not interested in such games just because asking elsewhere did not solve your "issue".
