Netgate Discussion Forum

    Need to block vpn/proxies
    IDS/IPS

      scorpoin
      last edited by scorpoin

      Greetings to community,

      I've configured pfBlockerNG on pfSense version 2.5.0. I blocked many social networking, streaming and some other categories as well; it is working fine, but some users installed VPN apps on their systems/phones to bypass that restriction. I've installed Snort and enabled AppID as well. When I enable block offenders it starts to block everyone in the network 😕. I've added my system IP to the passlist to avoid being blocked by Snort. The rules selected are as below:

      emerging-scan.rules <== ET open
      snort_indicator-scan.rules <=== ET_text
      vpn_tunnel <== appID

      Home Net: selected the default
      and Which IP to block set to: Dst

      My only goal with Snort is to block VPN tunnels. I know it won't work out 100%, but it will be fine to save some of my bandwidth.

      Regards

        Gertjan
        last edited by

        Something like https://github.com/ejrv/VPNs? I guess pfBlockerNG-devel could use the URL as a feed (https://github.com/ejrv/VPNs/blob/master/vpn-ipv4.txt).

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs??

          bmeeks @scorpoin
          last edited by bmeeks
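The suggestion above is to feed a list of VPN address ranges into pfBlockerNG. As an added example (not code from the thread, and not the ejrv/VPNs file itself, whose exact contents are not shown on this page), the Python below parses a constructed feed in the one-address-or-CIDR-per-line shape such lists usually have, tolerates comments and malformed lines, and checks sample destination addresses against it. This is the kind of match a pfBlockerNG IP feed ends up expressing as a pf table; the feed text and the destination addresses here are constructed from RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed sample feed (NOT the real ejrv/VPNs file): one IPv4 address or
# CIDR per line, '#' starts a comment, malformed lines must not break the import.
SAMPLE_FEED = """\
# vpn-ipv4 style list (constructed for this example)
203.0.113.0/24        # a provider's exit range
198.51.100.7          # single exit address
192.0.2.128/25

this-is-not-an-address
"""


def parse_feed(text):
    """Return the feed as a list of ip_network objects, skipping comments,
    blank lines and anything that does not parse as an address or network."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # one bad line should not discard the whole feed
    return nets


def is_listed(ip, nets):
    """True if ip falls inside any network of the feed."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def verdicts(destinations, nets):
    """Map each destination to 'block' or 'pass', as a deny-list feed would."""
    return {d: ("block" if is_listed(d, nets) else "pass") for d in destinations}


if __name__ == "__main__":
    nets = parse_feed(SAMPLE_FEED)
    print(verdicts(["203.0.113.45", "198.51.100.7", "198.51.100.8", "192.0.2.5"], nets))
```

The important design choice is in `parse_feed`: a malformed line is skipped rather than aborting the whole import, otherwise one bad entry in an externally maintained feed would silently leave the firewall with an empty list. Log which feed and which entry produced a block so that false positives (a shared hosting range, for example) can be traced back to the list that caused them.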

          @scorpoin said in Need to block vpn/proxies:

          Greetings to community,

          I've configured pfBlockerNG on pfSense version 2.5.0. I blocked many social networking, streaming and some other categories as well; it is working fine, but some users installed VPN apps on their systems/phones to bypass that restriction. I've installed Snort and enabled AppID as well. When I enable block offenders it starts to block everyone in the network 😕. I've added my system IP to the passlist to avoid being blocked by Snort. The rules selected are as below:

          emerging-scan.rules <== ET open
          snort_indicator-scan.rules <=== ET_text
          vpn_tunnel <== appID

          Home Net: selected the default
          and Which IP to block set to: Dst

          My only goal with Snort is to block VPN tunnels. I know it won't work out 100%, but it will be fine to save some of my bandwidth.

          Regards

          If you are using Snort in the pfSense-2.5 DEVEL snapshots, then you have access to its Inline IPS Mode. This will work much better for OpenAppID than Legacy Blocking Mode. Legacy Blocking Mode blocks all traffic to an IP once any alert for that IP is triggered. This is not always optimal. Inline IPS Mode will selectively drop (or block) only traffic matching a DROP rule.

          So if your NIC hardware supports netmap operation, then switch to Inline IPS Mode. There is a Sticky Post at the top of this forum describing how that works. Note that when using the Inline IPS Mode you will need to use the features on the SID MGMT tab to change selected rules to DROP from their default ALERT action in order to actually block or drop traffic.

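The reply above draws the distinction between Legacy Blocking Mode (an alert for an IP puts that IP in a block table, and all of its later traffic is blocked) and Inline IPS Mode (only packets matching a rule whose action is DROP are dropped, and rules default to ALERT until changed on the SID MGMT tab). The following Python is an added simulation of those two behaviours, not Snort code or pfSense package code: the rules, the packet "labels" standing in for what a rule or OpenAppID would match, and the traffic stream are all constructed. It shows why a per-IP block catches unrelated traffic to a shared destination, and why Inline IPS Mode blocks nothing until at least one SID is changed to drop.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    sid: int
    label: str             # constructed stand-in for a real Snort match condition
    action: str = "alert"  # Snort rules default to ALERT


@dataclass
class Packet:
    src: str
    dst: str
    label: str             # constructed classification (what a rule/AppID would tag)


# Constructed rule set: SID 1 plays the role of the vpn_tunnel AppID rule.
RULES = [Rule(sid=1, label="vpn_tunnel"), Rule(sid=2, label="portscan")]

# Constructed traffic: two LAN hosts talking to the same external address.
PACKETS = [
    Packet("10.0.0.5", "198.51.100.7", "vpn_tunnel"),  # host A brings up a tunnel
    Packet("10.0.0.9", "198.51.100.7", "web"),         # host B, ordinary traffic, same dst
    Packet("10.0.0.5", "198.51.100.7", "vpn_tunnel"),  # host A again
]


def matching_rules(packet, rules):
    return [r for r in rules if r.label == packet.label]


def legacy_blocking_mode(packets, rules, block_ip="dst"):
    """Legacy Blocking Mode as described in the thread: Snort only alerts; the
    offending IP (the destination here, matching 'Which IP to block: Dst') is put
    in a block table and every later packet to that IP is blocked, whatever it is."""
    blocked = set()
    verdicts = []
    for p in packets:
        ip = p.dst if block_ip == "dst" else p.src
        if ip in blocked:
            verdicts.append("blocked")
        elif matching_rules(p, rules):
            blocked.add(ip)
            verdicts.append("alert")  # the triggering packet itself has already passed
        else:
            verdicts.append("pass")
    return verdicts


def inline_ips_mode(packets, rules):
    """Inline IPS Mode: a stateless per-packet decision. Only a packet matching a
    rule whose action is 'drop' is dropped; an ALERT-only match just logs."""
    verdicts = []
    for p in packets:
        hits = matching_rules(p, rules)
        if any(r.action == "drop" for r in hits):
            verdicts.append("drop")
        elif hits:
            verdicts.append("alert")
        else:
            verdicts.append("pass")
    return verdicts


def apply_sid_mgmt(rules, drop_sids):
    """Model of the SID MGMT step: change the listed SIDs from alert to drop."""
    return [Rule(r.sid, r.label, "drop" if r.sid in drop_sids else r.action) for r in rules]


if __name__ == "__main__":
    print("legacy (Dst):       ", legacy_blocking_mode(PACKETS, RULES))
    print("inline, no DROP:    ", inline_ips_mode(PACKETS, RULES))
    print("inline, SID 1 DROP: ", inline_ips_mode(PACKETS, apply_sid_mgmt(RULES, {1})))
```

In the legacy run, host B's ordinary packet to the same destination is blocked purely because host A's tunnel alerted on that IP first; in the inline run with the rule set as shipped, nothing is blocked at all, and only after SID 1 is switched to drop does the tunnel traffic get dropped while host B's traffic still passes.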
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.