Netgate Discussion Forum

    Whole bunch of questions.

    General pfSense Questions

    • cyberlocc

      Thanks to both of you very much.

      @tim.mcmanus

      1. Thanks, I thought so; just wanted a clarification to be sure.

      2. Yeah, it's mostly BitTorrent. I do not really want to block it, honestly, for 2 reasons. 1. I do not care what other people do as long as it doesn't come back on me lol, and if it does come back on me, then if I can point to them, I am happy.

      I am fairly certain you can log it, and in actuality I think the ISP can and does as well. I know in extreme cases of breaking laws, the MAC addresses are recorded by the ISP.

      3. The main reason is there is a lot of stuff that is not illegal that runs over BitTorrent protocols. As an avid MMO player, I know most MMOs are downloaded this way, Linux distros are common, etc. Also, blocking really only works at blocking the legit ones like those; illegal BitTorrent users are usually savvy enough to get around the blocks. I've been through this a lot during my time as network admin for a college, and that was 12 years ago; I am sure torrenters have gotten smarter lol.

      I was doing some reading while waiting, and found a perfect solution for my needs actually. If I do usernames set by space (so persistent) and then change the password when an occupant changes, I can remove them from the MAC address registry, and keep a database of old MACs as per the time thing, JIC.

      Then for temp people (dailies/weeklies) I can set up an opt voucher system, so users will be for the long-time residents. Then a MAC skip for the residents, and they can use a repeater and that's the MAC instead of per device, to solve Roku issues.

      As for the hardware, thanks, I should have specified though. I already have slews of hardware, and need the device rack mountable. Really the only thing I lack is a CPU; I have a few lying around but they are old or dual cores (a few Skylake i3s, might be able to find an i5, and a bunch of Core 2 Duos (a few quads) and some old servers that I'm not sure atm what is in them).

      I do have boards, DDR3, DDR4, X79, X99, on and on lol, so basically what CPU do I need :P

      @awebster -

      Thanks for all the info :). I am not really too concerned with getting them on a different external IP, mainly just the RADIUS server, bandwidth throttle, and keeping them off my network so they have no access to my servers.

      Good to know, and yes per interface will work just fine.

      • cyberlocc

        Really need an Edit BUTTON! LOL

        Anyway, I looked at that box suggested, and I think I was wayyyy overthinking the hardware required lol?

        Shoot, I have a Skylake Pentium that barely uses any power; throw that in with an 8GB RAM stick, that will do, or I could do an i3 too (more power, and from the suggested box I don't feel I need it, as the Pentium is already Skylake and 3.7GHz, I think dual core)?

        Obviously a temp solution, and I will replace it with a Celeron Supermicro BGA. However, will that work to play with, then be able to back up the setup and restore on an SM in a couple of weeks?

        • tim.mcmanus

          The specs in my signature were the last BYO box I built.  It never went over 25% CPU at any time, and the RAM utilization was always very low, never went to swap.  I also ran a client on a P4 with 2GB of RAM with no issues.  Probably about 80 users at its peak and 30 average.

          pfSense doesn't need great hardware to do great work.  It's very lean and optimized.  If you put it on an i3 with 4GB of RAM, it'll do your entire site without breaking a sweat.  But you probably want to get a decent-sized hard drive for your logs and possibly some additional packages you may be interested in (pfBlocker is a good one).

          Best of luck with your installation, I think you'll be very happy with pfSense's capabilities.

          • johnpoz LAYER 8 Global Moderator

            "And Edit button would be nice"

            To your posts?  Are you not seeing this?

            Edit: See, I edited it via the modify button shown in the attached pic; the one says modify, the other is just the little edit icon at the bottom right of the post.
            Edit2: If you're not seeing the modify link/buttons, maybe it's because you only have 4 posts? And the ability to edit comes after you have reached a specific level?

            [Attachment: modifysmalleredit.png]

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            • cyberlocc

              Yes, that one. I did not have that last night, just the remove button there.

              Maybe it was time-based or post-based, or my PC spazzing (on phone now); either way, I got the button now.

              • Harvy66

                Just an FYI, MAC addresses can be easily faked/spoofed depending on how your Layer 1/2 network is configured.

                • cyberlocc

                  Well yeah, I know MAC addresses can easily be spoofed; however, they would have to know what MAC address to spoof to get on, right?

                  Short of a man-in-the-middle attack, not sure how that would happen.

                  Also, not to sound wrong, but I live in a small town (~15k), and it's a small RV park; we don't have rich folks or particularly smart ones living here or around here lol. So I don't think hackers are too much of a worry, definitely not good ones.

                  Also, while falling out of practice with a lot of this stuff, I still run a few websites, so security I do know :).

                  Also, I will still be securing the APs with WPA2, as well as the RADIUS, so the work required to break in and spoof a MAC, I do not think, would be worth the time, unless it was some students wardriving (not that I ever did that in college :P).

                  What I'm trying to say is, the MAC filtering is less for security and more for tracking wrongdoings on the network.

                  Also, they can hack RADIUS servers for fake auths pretty easily too, right? I have a degree in cyber security from many years ago, and pretty much live by the motto: security is not bulletproof, period. Any security can be breached; it's a matter of deterrent. If they have to jump through hoops to get through mine, it's easier to go down the street to the next one that has WEP and nothing else.

                  • pfBasic Banned

                    As others have stated pfSense is perfect for you!

                    Are you going to continue using your current wifi router as an AP? If not, Ubiquiti APs are a pretty good compromise of price/performance. Their customer support is outstanding. They have LR and I think outdoor models as well.

                    For hardware - definitely reuse the stuff you have lying around as it is more than enough for what you need.
                    If you don't want to block the illegal activity as you stated, and you simply don't want the legal issues coming back to you then possibly consider a VPN? I think even your Pentium could handle 100/10 without issues.

                    Disadvantages:
                    Costs money - I think www.PrivateInternetAccess.com is ~$4/mo - that's probably your best bet
                    Will impede some of your customers' online activity - Netflix & Hulu come to mind

                    Advantages:
                    Don't have to worry about maintaining thorough logs & ToS agreements to protect yourself legally

                    My guess is that a pure VPN solution is not for you since it will cut off access to sites that blacklist VPN.

                    A possible solution for you would be to have internet by default go through a VPN, then if someone has a complaint then they come to you, sign your ToS, you give them a static DHCP that's part of an alias that has non-VPN access.

                    • Derelict LAYER 8 Netgate

                      Just so you know, downloading torrents almost never results in a DMCA claim. It's sharing them for seeding/upload that does.

                      An ISP cannot see MAC addresses behind a router. It's not possible.

                      Your best bet is probably captive portal with vouchers. Use the captive portal logs to identify the voucher to the IP/MAC address at the time. CP will at least keep access limited to paying guests and not just anybody in range.

                      But then you have no idea what inside user was on what outside address:port because that requires matching up outside and inside states and I know of no easy way to do that. You would certainly have to turn firewall logging on for all connections originating from the guest network. That will very likely require an external log server to keep them for any length of time.

                      I wouldn't hassle it too much. You are an ISP. As long as your upstream ISP knows what you're doing they should be reasonable about it. If you think about it, you are their customer, and they don't block such connections from you. And if they did, people would scream bloody murder. Why should you be any different? They do have the edge in not having to match up inside and NAT addresses/ports. Another option that would eliminate that burden is to get a /22 or so from them and use that for your guests and don't NAT at all. Or maybe stop trying to be an ISP and contract it out to someone who does that for a living and let them deal with the problems.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      • Harvy66
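Derelict's post above describes the two records an operator would have to join to answer an abuse notice: the captive portal log (voucher to inside IP/MAC, with a session window) and a firewall/NAT log of which outside address:port each inside host used. The script below is an added example of that join written for this thread; it is not pfSense code, and both log formats are constructed simplifications assumed for the example (real pfSense captive portal and filter logs look different and would need their own parsers). It handles the cases that make the join non-trivial: an inside IP reused by a later voucher after a logout, and a connection from a host that never logged in at all.

```python
"""Attribute an outside address:port at a given time to a captive-portal voucher.

Added example for the pfSense forum discussion; NOT pfSense's own code.
CP_LOG and NAT_LOG below are constructed sample data in an ASSUMED format.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed captive-portal log (assumed format): time event voucher ip mac
CP_LOG = """\
2024-03-01T09:00:00 LOGIN  voucher=ABCD-1234 ip=10.50.0.21 mac=aa:bb:cc:00:00:01
2024-03-01T09:05:00 LOGIN  voucher=EFGH-5678 ip=10.50.0.22 mac=aa:bb:cc:00:00:02
2024-03-01T12:00:00 LOGOUT voucher=ABCD-1234 ip=10.50.0.21 mac=aa:bb:cc:00:00:01
2024-03-01T12:30:00 LOGIN  voucher=IJKL-9012 ip=10.50.0.21 mac=aa:bb:cc:00:00:03
"""

# Constructed NAT log (assumed format): time nat inside:port -> outside:port dst=host:port
NAT_LOG = """\
2024-03-01T10:15:00 nat 10.50.0.21:51000 -> 203.0.113.10:40001 dst=198.51.100.5:6881
2024-03-01T10:16:00 nat 10.50.0.22:51001 -> 203.0.113.10:40002 dst=198.51.100.6:443
2024-03-01T13:00:00 nat 10.50.0.21:51002 -> 203.0.113.10:40003 dst=198.51.100.7:6881
2024-03-01T08:00:00 nat 10.50.0.23:51003 -> 203.0.113.10:40004 dst=198.51.100.8:443
"""

CP_RE = re.compile(r"^(\S+)\s+(LOGIN|LOGOUT)\s+voucher=(\S+)\s+ip=(\S+)\s+mac=(\S+)$")
NAT_RE = re.compile(r"^(\S+)\s+nat\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+dst=(\S+)$")


@dataclass
class Session:
    voucher: str
    ip: str
    mac: str
    start: datetime
    end: Optional[datetime] = None  # None while the session is still open

    def covers(self, when: datetime) -> bool:
        return self.start <= when and (self.end is None or when < self.end)


@dataclass
class NatRecord:
    when: datetime
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int
    dst: str


def parse_sessions(cp_log: str) -> List[Session]:
    """Turn LOGIN/LOGOUT events into sessions with explicit time windows."""
    sessions: List[Session] = []
    open_by_ip = {}
    for line in cp_log.splitlines():
        m = CP_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts, event, voucher, ip, mac = m.groups()
        when = datetime.fromisoformat(ts)
        prev = open_by_ip.pop(ip, None)
        if prev is not None and prev.end is None:
            prev.end = when  # a LOGOUT, or a new LOGIN on the same IP, closes it
        if event == "LOGIN":
            s = Session(voucher, ip, mac, when)
            sessions.append(s)
            open_by_ip[ip] = s
    return sessions


def parse_nat(nat_log: str) -> List[NatRecord]:
    records = []
    for line in nat_log.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        ts, iip, iport, oip, oport, dst = m.groups()
        records.append(NatRecord(datetime.fromisoformat(ts), iip, int(iport), oip, int(oport), dst))
    return sorted(records, key=lambda r: r.when)


def who_was_on(cp_log: str, nat_log: str, outside_ip: str, outside_port: int,
               when_iso: str) -> Optional[Tuple[str, str]]:
    """Return (voucher, mac) behind outside_ip:outside_port at when_iso,
    or None if no NAT record or no captive-portal session explains it."""
    when = datetime.fromisoformat(when_iso)
    # Latest NAT record for that outside tuple at or before the complaint time
    candidates = [r for r in parse_nat(nat_log)
                  if r.outside_ip == outside_ip and r.outside_port == outside_port
                  and r.when <= when]
    if not candidates:
        return None
    rec = candidates[-1]
    for s in parse_sessions(cp_log):
        if s.ip == rec.inside_ip and s.covers(rec.when):
            return (s.voucher, s.mac)
    return None  # inside host had no session: pre-login traffic or a freeloader


if __name__ == "__main__":
    for port, at in ((40001, "2024-03-01T10:20:00"), (40003, "2024-03-01T13:05:00"),
                     (40004, "2024-03-01T08:30:00")):
        print(f"203.0.113.10:{port} at {at} ->", who_was_on(CP_LOG, NAT_LOG, "203.0.113.10", port, at))
```

The `None` results are the interesting ones for an operator: a connection with no session behind it means either the captive portal was bypassed or the logging gap Derelict mentions (no state logging, or logs already rotated) has already bitten, which is exactly the case an external log server is meant to cover.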

                        @cyberlocc:

                        Well yeah, I know MAC addresses can easily be spoofed; however, they would have to know what MAC address to spoof to get on, right?

                        Depends on your network. MAC addresses are typically non-secure info and get publicly broadcast in many situations. Discovering MAC addresses used even with secure wifi is typically trivial. If I remember correctly, the WiFi AP discovery protocol broadcasts MAC addresses unencrypted.

                        Within a given broadcast domain, any connected client can see all of the traffic of any other connected client.

                        Just wanted to make sure you understand how it works, so when you finally do need to dig into things, you better understand the corner cases.

                        • cyberlocc

                          @Derelict:

                          Just so you know, downloading torrents almost never results in a DMCA claim. It's sharing them for seeding/upload that does.

                          An ISP cannot see MAC addresses behind a router. It's not possible.

                          Your best bet is probably captive portal with vouchers. Use the captive portal logs to identify the voucher to the IP/MAC address at the time. CP will at least keep access limited to paying guests and not just anybody in range.

                          But then you have no idea what inside user was on what outside address:port because that requires matching up outside and inside states and I know of no easy way to do that. You would certainly have to turn firewall logging on for all connections originating from the guest network. That will very likely require an external log server to keep them for any length of time.

                          I wouldn't hassle it too much. You are an ISP. As long as your upstream ISP knows what you're doing they should be reasonable about it. If you think about it, you are their customer, and they don't block such connections from you. And if they did, people would scream bloody murder. Why should you be any different? They do have the edge in not having to match up inside and NAT addresses/ports. Another option that would eliminate that burden is to get a /22 or so from them and use that for your guests and don't NAT at all. Or maybe stop trying to be an ISP and contract it out to someone who does that for a living and let them deal with the problems.

                          Thanks for the tips. I did see an article earlier about the laws regarding "Hotel Wifi" and they were not very clear; I made another post about it to which you also replied.

                          As I have looked deeper, it seems the way the laws are structured, doing what I wanted to is exactly what I should not do. That the blind eye and a tight EULA is more protecting. However, there are some other stipulations which I will handle with pfSense.

                          Contracting another "ISP" would be all fine and good, but the guests are not paying for anything, so that would just cost more money on top of the $400 bill we already have to give them free wifi; yeah, we would sooner cut them off. We are not making any money off this, it's just a convenience item for them.

                          Also a side note about the DMCA: most of the time I agree, however all of my complaints have been downloads. Outside of this occurrence with a lot, I have mentioned it to tenants and usually they have fessed up (when it was 1 or 2 movies) and admitted to using Popcorn Time, which seems to be a common place for honeypots. It is not unusual for copyright owners to set up honeypots, and they usually only catch the less technically inclined, which happens to be my user base.

                          On top of that, I give them a very very small upload amount; it would take them a very very long time to upload even 1 copy of a movie lol. My ISP doesn't give us much upload, and I need it, so they are very limited, which they don't seem to complain about. Most are just browsing or watching Netflix so they don't need much upload.

                          @Harvy66:

                          @cyberlocc:

                          Well yeah, I know MAC addresses can easily be spoofed; however, they would have to know what MAC address to spoof to get on, right?

                          Depends on your network. MAC addresses are typically non-secure info and get publicly broadcast in many situations. Discovering MAC addresses used even with secure wifi is typically trivial. If I remember correctly, the WiFi AP discovery protocol broadcasts MAC addresses unencrypted.

                          Within a given broadcast domain, any connected client can see all of the traffic of any other connected client.

                          Just wanted to make sure you understand how it works, so when you finally do need to dig into things, you better understand the corner cases.

                          Well yeah, that's what I was addressing earlier. Not to sound obtuse, but the people that come to this town, or stay here, are not the brightest bunch. It's a very small town that relies pretty much solely on tourism, 90% of which is elderly and the rest are families; there is nothing to do but fish.

                          So someone spoofing their MAC is not likely. Besides that, my networking teacher always made a great point about that kind of stuff (this was 15 years ago though lol).

                          Anyway, he used to say that network security is just like a lock: any lock can be bypassed; it's not a matter of keeping them out, as if they want in, they will get in. It's a matter of making the house next door look more appealing.

                          In that figurative manner, the house next door (Bar and Grill) has free, completely unsecured wifi :P. Honestly, whoever was doing the downloading or uploading has since stopped. After that happened I immediately enabled MAC filtering and told them pirating would be seen and they would be cut off for it (a lot of these are longer-term people, and a lot come every year). That was 3 months ago and nothing since, not 1. So the fear factor seems to have helped as well.

                            • Derelict LAYER 8 Netgate

                            Your goal in limiting access should probably be centered around not providing access to people who are not your customers. Freeloaders.

                            If you are not compelled to keep logs I see no reason to keep them for any length of time. At least above and beyond what is necessary to solve actual problems - not MPAA's problems but your problems and your customers' problems.

                            Your upstream needs to know that you are redistributing access to others and you need to subscribe to a service that tolerates occasional abuse. This generally means business-class service. You might also just ask your upstream if they want to deal with it so you can run your business without also being an ISP.

                            Use limiters to make the service unappealing for torrenters while allowing decent internet access for your customers.

                              • pfBasic Banned

                                Yeah, a traffic shaper to look for torrent connections might help a bit.

                                • tim.mcmanus

                                @cyberlocc:

                                  As I have looked deeper, it seems the way the laws are structured, doing what I wanted to is exactly what I should not do. That the blind eye and a tight EULA is more protecting. However, there are some other stipulations which I will handle with pfSense.

                                As someone who has to deal with audits and legal discovery, the less you have the safer you generally are.  If you have capabilities that you are using to collect data and manage behavior, a decent lawyer will ask you for all of that data and go on a fishing expedition.  It is for this reason that data retention policies have become very popular in large businesses.  It reduces your exposure.

                                Just because you can do it doesn't mean you should do it.    ;)

                                  • cyberlocc

                                  @Derelict:

                                  1. Your goal in limiting access should probably be centered around not providing access to people who are not your customers. Freeloaders.

                                  2. If you are not compelled to keep logs I see no reason to keep them for any length of time. At least above and beyond what is necessary to solve actual problems - not MPAA's problems but your problems and your customers' problems.

                                  3. Your upstream needs to know that you are redistributing access to others and you need to subscribe to a service that tolerates occasional abuse. This generally means business-class service. You might also just ask your upstream if they want to deal with it so you can run your business without also being an ISP.

                                  4. Use limiters to make the service unappealing for torrenters while allowing decent internet access for your customers.

                                    Well, that is where the problems lie.

                                    1. I do not get what you mean by this? Let's be honest here, they are all freeloaders lol. None of them pay for this, like I said before. That is the hospitality business; you have to have free and remotely fast wifi. Before, when we didn't have it, we lost a lot of potential business. If you mean the RADIUS servers, 100%, going to do that.

                                    2. Well, that's all I want to do: protect ourselves.

                                    3. So, I guess I will reiterate again, as I have said several times lol. They 100% know what I am doing; I pay a 400 dollar internet bill to do it. As I have said, we have gone above and beyond the 5 strikes rule they have for piracy and are still not cut off. However, with the recent issue, they said you need to make some preemptive measures. To be clear, they didn't go out of their way to tell me that. I called them for something else, and they just mentioned it on the call: did you see this, you need to put in some preemptive measures to stop that kind of stuff please. They didn't threaten us or anything; we just don't want to get sued lol.

                                    We tried to have them do it at first. Actually, we were going to have them do cable + internet for each space; they don't do that like you think. They said it would be residential rates, so that is 140 for cable and internet for their lowest internet plan, per space x36; we only charge 275 a month per space lol. Maybe in other places you get a hotel bundle they handle, not here, and they are a monopoly here. Most of the business relies on tourists; they are not here long enough to get it connected themselves. Again, this is by definition hotel WiFi.

                                    Oh, and the cable alone is 70 each; we're 70. They said just do what we are doing now, and we forwent cable lol. There is another park here that seems to have had the same issue, as I have seen their network and it's not much off from mine, and they have 350 spaces, so 10x as many lol. But again, it's not the cable company routing it, as my buddy installed their APs for them.

                                    4. Well, I thought I already was doing that lol. Apparently not. They are currently limited to 8mb down, and like 256kb up. If you mean a cap, that won't work; again, this is how these people watch TV, how they do their business while on vacation, etc. Hotel WiFi makes or breaks the business we are in; it is the first question I am asked, even before space rental pricing, literally in order:

                                    "Do you have Wifi"
                                    "How fast is it"
                                    "Do you have cable, (To which I reply no,) that is okay we can just watch Netflix"
                                    "How much is it per Day/Week/Month".

                                    Even with just the 36 spaces, we average around 10-25 TB of bandwidth per month (varies summer to winter, less people in the winter so closer to 10) lol; there is a whole ton of data moving across those lines.

                                    To make things worse, as far as offering it: this is a small town on top of a mountain, at close to 8000ft. The only phones that work are Verizon, and that barely works even; we just got 4G and that doesn't even work half the time. We are 4 hours from Phoenix, where it is hot; they come here to get away in the summer, and skiing and such in the winter. Most of their phones don't work here; the WiFi is their only connection to the outside world lol, they use our net heavily.

                                  @pfBasic:

                                    Yeah, a traffic shaper to look for torrent connections might help a bit.

                                    I may give that a shot, and also blocking the torrent sites and ports. The issue really comes back to: even in 2008 when I worked IT for a college, that didn't work for us; we still had people pirating stuff on the network. Though with this user base I might not have that issue.

                                  @tim.mcmanus:

                                  @cyberlocc:

                                    As I have looked deeper, it seems the way the laws are structured, doing what I wanted to is exactly what I should not do. That the blind eye and a tight EULA is more protecting. However, there are some other stipulations which I will handle with pfSense.

                                  As someone who has to deal with audits and legal discovery, the less you have the safer you generally are.  If you have capabilities that you are using to collect data and manage behavior, a decent lawyer will ask you for all of that data and go on a fishing expedition.  It is for this reason that data retention policies have become very popular in large businesses.  It reduces your exposure.

                                  Just because you can do it doesn't mean you should do it.    ;)

                                    Well said. I may just have to block what I can, have a good EULA drawn up, and let our insurance deal with it if a suit does ever come.

                                    • pfBasic Banned

                                      Getting sued sounds really crappy, but I don't think you have to worry about it. I don't know of a single case where someone actually went to court or even settled over downloading pirated material. Distributing, sure, but not downloading. I'm not saying it hasn't happened, but if it has it's not common.

                                      Your real issue is the potential of getting cut off by your ISP, which I also doubt they will do, but they may, and it would affect your business obviously.

                                      Give the traffic shaper and/or port blocking a shot. It might stop them, but there's probably plenty of pirating software out there that can automatically circumvent port-based blocking. Again, I don't know for sure, but I'm betting there is.

                                      If that doesn't work then I would recommend just putting your entire customer network behind a VPN. It will shut down Netflix and some other stuff, but you can tell your users they'll have to sign a EULA if they want that stuff when they sign in at the counter or something.
                                      It's a pain in the ass, but it's better than getting your internet shut off completely.

                                      Hopefully port blocking and shapers deal with it well enough.

                                      Another option is traffic inspection. The free ET & Snort rules include torrent/pirating rules. I don't know how effective they are, but it might be worth a shot. I'm not sure if HTTP/S traffic creates an issue with that though? I would ONLY enable blocking of the pirating rules, and even then do some test runs with alerting only to avoid shutting down good traffic with false positives.

                                      Yet another option is pfBlockerNG w/ DNSBL + Shallalist; it has pirating lists that would help.

                                      Ultimately you can do a lot to limit pirating on your network with pfSense, but you can't eliminate it. If it comes down to the last straw with your ISP, then the only way you can hide it from them completely is with a VPN, but then your customers suffer, which means you suffer, so that's a last resort IMO.

                                      • tim.mcmanus

                                      @cyberlocc:

                                        Well said. I may just have to block what I can, have a good EULA drawn up, and let our insurance deal with it if a suit does ever come.

                                      Not to derail the technical conversation any further, but you have an absolutely defensible position.  You are technically an ISP, and you are not liable for the conduct of your customers.  You could put a $1 Internet Fee into every rental agreement, and that would further the position that you are an ISP by actually charging for Internet usage.

                                      DMCA has a provision in it that protects (limited, not absolute) ISPs from the illegal behavior of their customers.

                                      Your position should be:  You provide Internet access to all renters as part of their rental agreement.  You do not manage, log, or otherwise influence their access to or ability to connect to the Internet.  And as an ISP, you are not liable for their activities.

                                      I would also make this clear to your upstream ISP, and they should keep on file a letter from your business stating the above position.  Clear it with a lawyer first.  It won't stop the notices, but it will significantly limit your liability.

                                      I would also put a notice in the rental agreement, something that you can circle and show the renters, a clause that states you can immediately revoke their Internet access if they are torrenting or using software for illegal activities.  That might make them think twice, and it's fair warning.

                                        • Harvy66

                                        tim.mcmanus brings up some good points but you should really talk to a lawyer on this subject. Technical issues are much easier than political issues.

                                          • pfBasic Banned

                                            Has an ISP or even an individual ever been successfully sued for downloading (not distributing) copyrighted media?

                                            If so, it is certainly the exception, not the rule.

                                          Realistically he has to worry about getting his internet throttled or cut off which would affect his business.

                                            • cyberlocc

                                            @pfBasic:

                                              Has an ISP or even an individual ever been successfully sued for downloading (not distributing) copyrighted media?

                                              If so, it is certainly the exception, not the rule.

                                            Realistically he has to worry about getting his internet throttled or cut off which would affect his business.

                                              I don't think so; the laws are just very convoluted on the matter, and confusing lol.

                                              So big ISPs do not give out info unless there is a court order for them to do so. So like was said, I think the notice is the worst that ever happens.

                                              There is a clause for "Hotel Wifi" and that states that as long as the guests use a completely different public IP (took care of that today; they gave me a bridged modem and a /29, so I am directly routed).

                                              I also cannot monitor, or have the ability to monitor set up, what sites they visit, or keep logs on it. Easy lol.

                                              So in those regards I am clear now; I was not before (we used the same public IP).

                                              The true ISP way to do it would be to get a /26 and give each user an IP that is tied directly to them, and while that would work for long-term guests, that ability is slightly hampered by short-termers needing a bridge to my network.

                                              I also have been configuring the guest LAN with some pretty strict firewall rules, to help somewhat I hope. I am slowly opening it up on anticipated need, and locking them down hard.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.