Netgate Discussion Forum

    How to block mobile teethering in pfsense

    General pfSense Questions
    19 Posts 7 Posters 2.3k Views
    • B
      Bipin
      last edited by

      Hello. I am a newbie to pfSense. I successfully installed pfSense and the voucher system. It is working perfectly. But the main issue is that after using a code I can share internet using mobile tethering from my mobile. How can I stop it? It is my major problem. Please suggest how to block it.
      Thanks in advance.

      • JKnottJ
        JKnott @Bipin
        last edited by

        @Bipin

        You could give it a fixed DHCP address and then block it. However, that would only work for IPv4.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • B
          Bipin @JKnott
          last edited by

          @JKnott Thanks for reply.
          By blocking, will the person still be able to use the internet himself, or will he be blocked as well? I don't want to block the main person who has purchased the voucher. I don't want to share internet with others by tethering.

          • PippinP
            Pippin
            last edited by

            Not sure pfSense/captive portal can do this. Would it not be possible to detect the number of hops (TTL) and block the traffic based on that?

            I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
            Halton Arp

            • JKnottJ
              JKnott @Bipin
              last edited by

              @Bipin

              You would block the IP address assigned to the phone. It would not stop the user from using another device that wasn't blocked.

              • viktor_gV
                viktor_g Netgate @Pippin
                last edited by

                @Pippin said in How to block mobile teethering in pfsense:

                Not sure pfSense/captive portal can do this. Would it not be possible to detect the number of hops (TTL) and block the traffic based on that?

                Snort/Suricata can do that,
                see http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node33.html#SECTION00462000000000000000
                and https://suricata.readthedocs.io/en/suricata-5.0.3/rules/header-keywords.html

                • B
                  Bipin @viktor_g
                  last edited by

                  @viktor_g Thanks for reply.
                  I will take look into that.

                  • JKnottJ
                    JKnott @Pippin
                    last edited by

                    @Pippin said in How to block mobile teethering in pfsense:

                    Not sure pfSense/captive portal can do this. Would it not be possible to detect the number of hops (TTL) and block the traffic based on that?

                    Wouldn't that affect all devices? Also, the original question appears to be going the other way as he mentions tethering through his phone. If that is the case, it wouldn't be a pfSense issue, unless he was using the tethering to share the network access. If that is indeed the case, where someone is tethering to his phone, the question becomes why is he even connected to the phone? In that case, just change the password. Perhaps the OP had better describe the problem he's trying to solve.

                    • bmeeksB
                      bmeeks @JKnott
                      last edited by bmeeks

                      @JKnott:
                      Sounds like the OP's problem is he runs some kind of Internet cafe setup and has paid vouchers for customers to have Internet access. What it sounds like is one paid customer is then turning around and letting other users "tether" to his phone and thus get a "two for one" deal ... ☺.

                      I think the OP wants to shut down the "two for one" operation.

                      I've never researched the "under the covers" of how tethering actually is implemented. Is it a type of NAT where your phone becomes essentially a router for the tethered device or devices?

                      • PippinP
                        Pippin
                        last edited by Pippin

                        @bmeeks said in How to block mobile teethering in pfsense:

                        Is it a type of NAT where your phone becomes essentially a router for the tethered device or devices?

                        Exactly.

                        • bmeeksB
                          bmeeks @Pippin
                          last edited by bmeeks

                          @Pippin said in How to block mobile teethering in pfsense:

                          @bmeeks said in How to block mobile teethering in pfsense:

                          Is it a type of NAT where your phone becomes essentially a router for the tethered device or devices?

                          Exactly.

                          Thanks. Just finished up some Google "foo" to teach myself and learned the same thing. Detecting tethering is possible, but it is subject to false positives if done too aggressively. The most reliable method would be seeing TTL values coming from the parent device that are periodically off by 1. So pfSense would see packets coming from, let's say, the phone with a TTL of 64, then it sees a packet coming from the phone with a TTL of 63 (because of the pass through the tethering router). That second packet with the 63 TTL is likely a tethered device.

                          1 Reply Last reply Reply Quote 0
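
The off-by-one TTL check described in the post above, as an added example that is not part of the original thread and is not pfSense, Snort or Suricata code. It assumes `(src_ip, ttl)` pairs have already been extracted from a capture on the LAN interface; the function name, the thresholds and the sample addresses are hypothetical, and the thresholds exist to limit the false positives the post warns about.

```python
from collections import Counter, defaultdict

# Assumption: clients sit one L2 hop from the firewall, so their own packets
# arrive with an unmodified initial TTL (64, 128 or 255 on common systems).
INITIAL_TTLS = (64, 128, 255)

def tether_suspects(observations, min_hits=3, min_share=0.05):
    """Return {src_ip: evidence} for sources that look like a NAT hotspot.

    observations: iterable of (src_ip, ttl) seen on the LAN interface.
    A source is flagged when packets with TTL == initial - 1 make up at
    least min_hits packets and at least min_share of its traffic, so a
    single stray packet does not block a paying user.
    """
    per_src = defaultdict(Counter)
    for src, ttl in observations:
        per_src[src][ttl] += 1

    suspects = {}
    for src, ttls in per_src.items():
        total = sum(ttls.values())
        # TTLs that are exactly one hop below a known initial value.
        decremented = {t: n for t, n in ttls.items() if t + 1 in INITIAL_TTLS}
        hits = sum(decremented.values())
        if hits >= min_hits and hits / total >= min_share:
            suspects[src] = {
                "total": total,
                "decremented": decremented,
                # True when the hotspot device's own traffic was seen too.
                "direct_seen": any(t in INITIAL_TTLS for t in ttls),
            }
    return suspects

# Constructed sample data (not from the thread).
SAMPLE = (
    [("10.0.0.21", 64)] * 40 + [("10.0.0.21", 63)] * 12    # phone + tethered phone
    + [("10.0.0.22", 64)] * 50                             # single device
    + [("10.0.0.23", 64)] * 30 + [("10.0.0.23", 63)] * 1   # one stray packet
    + [("10.0.0.24", 64)] * 20 + [("10.0.0.24", 127)] * 9  # phone + tethered laptop
)

if __name__ == "__main__":
    for ip, evidence in sorted(tether_suspects(SAMPLE).items()):
        print(ip, evidence)
```
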
                          • M
                            mcury
                            last edited by

                            I'm not sure if that is possible to accomplish, maybe using the TTL option inside Snort as mentioned earlier.
                            If that doesn't work, I would set a data limit in the voucher.

                            In case people share their voucher by creating a new wifi network through their phones, they would reach this data limit pretty fast.

                            dead on arrival, nowhere to be found.

                            • bmeeksB
                              bmeeks
                              last edited by bmeeks

                              I guess I would approach the problem from this angle. Is it really costing me a lot of revenue when someone tethers, or is it mostly just pissing me off? If it is really costing me a lot of money, then I fight it with aggressive detection and blocking. If it is more an annoyance, I would put my efforts elsewhere and just suffer it.

                              Some folks just can't seem to be ethical about things, and think "stealing" some free Internet access is just fine.

                              • JKnottJ
                                JKnott @bmeeks
                                last edited by

                                @bmeeks said in How to block mobile teethering in pfsense:

                                Is it a type of NAT where your phone becomes essentially a router for the tethered device or devices?

                                On IPv4, yes. On IPv6, an entire GUA /64 prefix is routed to the tethered devices.

                                • JKnottJ
                                  JKnott @bmeeks
                                  last edited by

                                  @bmeeks

                                  That would depend on whether you're paying for the amount of data used. These days, Internet connections are often unlimited.

                                  • GertjanG
                                    Gertjan @Bipin
                                    last edited by

                                    @Bipin said in How to block mobile teethering in pfsense:

                                    But the main issue is that after using a code I can share internet using mobile tethering from my mobile. How can I stop it? It is my major problem. Please suggest how to block it.

                                    This is not a technical issue.
                                    Up to you to mention your usage conditions - up to you two to agree, or not.
                                    If agreed, and you detect abuse, up to you to stop the agreement.

                                    Btw : how did you detect the connection sharing ?

                                    And true : your ISP can't see the equipment you use, or how many devices you have, as these are hidden by your ISP router.
                                    Guess what : pfSense is a router, which means : same conditions, same rules.

                                    There are some thoughts about modifying the return traffic, setting the max hop counter in the data packets to 1 - which means the next router, the device of the person that is sharing his connection, discards the traffic.
                                    Dunno if someone actually managed to do so. It will be needing full control of the firewall, something the GUI (pfSense) lacks.

                                    No "help me" PM's please. Use the forum, the community will thank you.
                                    Edit : and where are the logs ??

                                    • bmeeksB
                                      bmeeks @JKnott
                                      last edited by

                                      @JKnott said in How to block mobile teethering in pfsense:

                                      @bmeeks

                                      That would depend on whether you're paying for the amount of data used. These days, Internet connections are often unlimited.

                                      Understood, but if I have say 500 customers a week that follow my rules and 1 or 2 per week that disregard my policy and tether a friend or maybe 2 friends to give the friends free access, how much time and effort do I want to put into going after and stopping that? Now if 25% or more of my paying customers are sharing illicitly, then I have a much larger problem.

                                      On pure principle, yes the improper tethering should be stopped. But there is also a cost to stopping it. And if you get really aggressive with the "stopping" and get false positives that impact the service provided to your honest, paying customers, then that's a very high cost indeed. Hence my suggestion for the OP to basically do a cost-benefit ratio determination.

                                      • B
                                        Bipin @Gertjan
                                        last edited by

                                        @Gertjan @bmeeks @JKnott @Pippin @viktor_g @mcury
                                        Thank you to all for your inputs. I am from Sharjah, UAE. I am intending to use pfSense in our company’s labour accommodation to replace our existing router. I had two major issues: a) sharing of password, b) tethering. Of those, sharing of password is solved by using pfSense. Now I am struggling to solve mobile tethering over WiFi.

                                        Situation is as follows.
                                        In our labour accommodation there are about 180-200 workers. The Internet facility is not free. One person has to subscribe to it from the ISP and then the others contribute every month to pay the bill. There are three (3) internet connections. Each connection has about 30+ members. We provide WiFi connection to mobiles only. It was good until new generation Android mobiles came onto the market. The new generation of Android mobiles, which can share the password by QR code and do mobile tethering over the WiFi connection, has created issues. There are about 20 genuine users who pay their monthly contribution regularly. But some are cheating: they subscribe and pay, but they share the password with others, so genuine users face slow or no internet. The main usage of the Internet is in the evenings and on weekends, when all workers are back from work.

                                        Yes my problem is to stop as JKnott said I want to stop "two for one" deal (Mobile tethering over WiFi).

                                        • JKnottJ
                                          JKnott @Bipin
                                          last edited by

                                          @Bipin

                                          Perhaps you could set up a policy where anyone caught sharing would be suspended. You can run WiFi scanner apps on a phone or tablet to see what SSIDs are visible. With WiFi Analyzer, there's even a signal strength meter, so that you can determine where a signal is coming from.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.