Netgate Discussion Forum

    Block Router access to internet, but not the devices.

    Firewalling
    5 Posts 4 Posters 638 Views
    • Berzerk

      I've got a Chinese brand router, that I'm not sure I trust.
      I wish to put a block, so that no traffic can pass through to the internet, but allow devices connected to the router to access the internet. Is this possible with firewall rules in pfSense?

      Please don't ask why I am trying to do this.
      Let's just assume I'm on an island, and any other config isn't possible.

      • JKnott @Berzerk

        @berzerk

        If you don't trust the router, why are you using it?

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • Berzerk @JKnott

          @jknott "Please don't ask why I am trying to do this.
          Let's just assume I'm on an island, and any other config isn't possible."

          • hieroglyph @Berzerk

            @berzerk If the non-pfsense router can be configured to allow traffic to pass through without NAT then this is possible. But if the non-pfsense router cannot be configured to bypass NAT then I do not see how this is possible.

            • johnpoz LAYER 8 Global Moderator @hieroglyph (last edited by johnpoz)

              ^ as stated..

              Unless you can disable NAT - there is really no way to determine what traffic is natting to its own traffic.

              Now one trick you could try.. is since traffic through the router should have its TTL reduced by 1, you "could" filter on the TTL. Common TTLs are 64, 128, etc. As it passes through a router its TTL should be lowered by 1, so 63 and 127.. So you would allow that traffic - but not allow full-TTL traffic 64, 128, 254, etc.

              That is if the router is actually doing that.. And if there was some way to filter that in pfsense - have never looked to see if it could be done..

              This is actually a common way to detect NAT.. But different OSes might use different TTL values.. It's a bit dated but here is a listing

              https://subinsb.com/default-device-ttl-values/

              Notice here on a linux box

              PING localhost (127.0.0.1) 56(84) bytes of data.
              64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.086 ms
              64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.090 ms
              

              Using 64 as its TTL..

              While windows

              $ ping localhost
              
              Pinging I5-Win.local.lan [127.0.0.1] with 32 bytes of data:
              Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
              Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
              

              See here - this is pfsense monitoring its gateway with ping

              20:46:50.003218 00:08:a2:0c:e6:25 > 00:01:5c:b9:06:46, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 21174, offset 0, flags [none], proto ICMP (1), length 29)
                  64.53.x.x > 64.53.x.x: ICMP echo request, id 15585, seq 24375, length 9
              

              Notice the TTL of 64..

              But if I ping say 8.8.8.8 from behind pfsense.. From my linux box

              20:48:35.288767 00:08:a2:0c:e6:25 > 00:01:5c:b9:06:46, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 41878, offset 0, flags [DF], proto ICMP (1), length 84)
                  64.53.x.x > 8.8.8.8: ICMP echo request, id 1500, seq 1, length 64
              

              Notice how the TTL is now 63

              Same thing from my windows machine

              20:50:06.740581 00:08:a2:0c:e6:25 > 00:01:5c:b9:06:46, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 35663, offset 0, flags [none], proto ICMP (1), length 60)
                  64.53.x.x > 8.8.8.8: ICMP echo request, id 9961, seq 36, length 40
              

              Notice the 128 TTL got reduced to 127..

              Off the top though - I do not know if pfsense has any way to look for a specific TTL, and then either allow or block..

              edit: I looked at the advanced firewall options - don't see any way to look for TTL.. It's possible the source OS type might be helpful.. But not exactly sure what it's looking at to determine OS, and since your clients are behind the router.. That might not work at all..

              Best idea might be to not have any clients behind it, and monitor it - does it create any traffic that you do not like? If so you could block that traffic. Based on destination, port, etc..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 25.07 | Lab VMs 2.8, 25.07

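The TTL heuristic johnpoz describes can be applied offline to a capture, which fits his closing suggestion of monitoring the router's traffic before deciding what to block. The script below is an added example, not code from the thread or from pfSense: it parses tcpdump header lines of the shape shown above, infers how many routers each packet has crossed by comparing the observed TTL with the stock initial values (32, 64, 128, 255), and labels packets that still carry a stock TTL as originating from the directly attached device (the untrusted router itself) versus packets that were forwarded for a client behind it. The sample capture, MAC addresses and 192.0.2.x addresses are constructed; the assumption that senders use stock initial TTLs is the same one the heuristic itself rests on.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Stock initial TTLs of common operating systems (the values the post lists:
# 64 for Linux/macOS, 128 for Windows, 255 for some network gear, 32 for
# some older stacks). Assumption: senders have not changed their default.
DEFAULT_TTLS = (32, 64, 128, 255)

# tcpdump -v style header line: timestamp ... "(tos 0x0, ttl 63, id ..., ...)"
HEADER_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) .*\bttl (?P<ttl>\d+),")
# Indented continuation line: "    src > dst: ICMP echo request, ..."
FLOW_RE = re.compile(r"^\s+(?P<src>\S+) > (?P<dst>[^:]+):")


@dataclass
class Verdict:
    timestamp: str
    src: str
    dst: str
    ttl: int
    assumed_initial: int
    hops: int

    @property
    def label(self) -> str:
        # hops == 0: TTL is still a stock initial value, so the packet was
        # generated by the device on the wire itself (here: the router).
        # hops >= 1: at least one router decremented it, so it was forwarded
        # on behalf of a host behind that router.
        return "local-origin" if self.hops == 0 else "forwarded"


def infer_hops(ttl: int) -> Tuple[int, int]:
    """Return (assumed_initial_ttl, hops) by picking the smallest stock
    initial TTL that is >= the observed value. Caveat: a packet with TTL 32
    is ambiguous (stock 32 at 0 hops, or stock 64 after 32 hops); the nearest
    stock value is chosen, which matches the common 1-hop NAT case."""
    for base in DEFAULT_TTLS:
        if ttl <= base:
            return base, base - ttl
    raise ValueError(f"TTL {ttl} is outside the IPv4 range")


def parse_tcpdump(text: str) -> List[Verdict]:
    """Pair each header line with its flow line and classify the packet."""
    verdicts: List[Verdict] = []
    pending: Optional[Tuple[str, int]] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = (m.group("ts"), int(m.group("ttl")))
            continue
        m = FLOW_RE.match(line)
        if m and pending:
            ts, ttl = pending
            initial, hops = infer_hops(ttl)
            verdicts.append(Verdict(ts, m.group("src"), m.group("dst"),
                                    ttl, initial, hops))
            pending = None
    return verdicts


# Constructed sample in the same format as the captures quoted in the post:
# one packet the router sent itself (TTL 64), one forwarded from a Linux
# client (63) and one forwarded from a Windows client (127).
SAMPLE = """\
20:46:50.003218 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 43: (tos 0x0, ttl 64, id 21174, offset 0, flags [none], proto ICMP (1), length 29)
    192.0.2.10 > 192.0.2.1: ICMP echo request, id 15585, seq 24375, length 9
20:48:35.288767 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 41878, offset 0, flags [DF], proto ICMP (1), length 84)
    192.0.2.10 > 8.8.8.8: ICMP echo request, id 1500, seq 1, length 64
20:50:06.740581 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 127, id 35663, offset 0, flags [none], proto ICMP (1), length 60)
    192.0.2.10 > 8.8.8.8: ICMP echo request, id 9961, seq 36, length 40
"""


if __name__ == "__main__":
    for v in parse_tcpdump(SAMPLE):
        print(f"{v.timestamp} {v.src} > {v.dst} ttl={v.ttl} "
              f"(stock {v.assumed_initial}, {v.hops} hop) -> {v.label}")
```

Run it against a capture taken on the pfSense interface facing the router (tcpdump -v -n -i <if>); packets labelled local-origin are the router's own traffic and are the candidates for the destination/port blocks johnpoz suggests. Because the classification trusts the sender's initial TTL, a router that rewrites TTL or a host with a non-default TTL will be misclassified, so treat the output as a triage aid rather than an enforcement rule.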
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.