Prohibit connection sharing



  • How do I prohibit connection sharing by machines connected to my network?
    Example:

    • a Windows 10 machine connected via an Ethernet cable can activate the mobile wifi hotspot,
    • an Android smart TV connected via an RJ45 cable can activate a mobile wifi hotspot,
      usually all machines with 2 network cards;
      the problem is that these machines broadcast a network which escapes the control of pfSense.


  • If those devices are sharing a connection, there is no way for pfsense to know that.  With connection sharing, NAT is normally used so that the devices sharing the connection appear to be the device that's connected to the network.



  • @JKnott:

    If those devices are sharing a connection, there is no way for pfsense to know that.  With connection sharing, NAT is normally used so that the devices sharing the connection appear to be the device that's connected to the network.

    Thank you for your reply.
    Is there another solution that I can use in parallel with pfSense to prohibit sharing, or at least a control and monitoring tool?


  • LAYER 8 Global Moderator

    Yeah, to detect a NAT would require more in-depth analysis of the traffic, more than what pfSense does out of the box.

    A few methods you could use: most devices that NAT would alter the TTL from the native default that a client would send out.  So if you examine the packets as they hit the pfSense LAN-side interface, the default TTL set on the packets is probably going to be 64 or 128… If you're seeing, say, 63 or 127, then that would suggest something behind a NAT or a router that lowered the TTL.

    It's possible you could write a firewall rule to block traffic that had such TTLs set.

    Another option would be using timestamps to determine OS values; when you see traffic coming from the same IP with different sorts of OS fingerprints, that points to either NAT or VMs running, etc.

    Google NAT detection for some good help on this.  But yeah, out of the box this is not something you're going to click a checkbox to stop.



  • @johnpoz:

    Yeah, to detect a NAT would require more in-depth analysis of the traffic, more than what pfSense does out of the box.

    A few methods you could use: most devices that NAT would alter the TTL from the native default that a client would send out.  So if you examine the packets as they hit the pfSense LAN-side interface, the default TTL set on the packets is probably going to be 64 or 128… If you're seeing, say, 63 or 127, then that would suggest something behind a NAT or a router that lowered the TTL.

    It's possible you could write a firewall rule to block traffic that had such TTLs set.

    Another option would be using timestamps to determine OS values; when you see traffic coming from the same IP with different sorts of OS fingerprints, that points to either NAT or VMs running, etc.

    Google NAT detection for some good help on this.  But yeah, out of the box this is not something you're going to click a checkbox to stop.

    Thank you very much.
    I will follow the path that you gave me.



  • @johnpoz:

    Yeah, to detect a NAT would require more in-depth analysis of the traffic, more than what pfSense does out of the box.

    A few methods you could use: most devices that NAT would alter the TTL from the native default that a client would send out.  So if you examine the packets as they hit the pfSense LAN-side interface, the default TTL set on the packets is probably going to be 64 or 128… If you're seeing, say, 63 or 127, then that would suggest something behind a NAT or a router that lowered the TTL.

    It's possible you could write a firewall rule to block traffic that had such TTLs set.

    Another option would be using timestamps to determine OS values; when you see traffic coming from the same IP with different sorts of OS fingerprints, that points to either NAT or VMs running, etc.

    Google NAT detection for some good help on this.  But yeah, out of the box this is not something you're going to click a checkbox to stop.

    If I understood correctly,
    according to this information I can see that there is no sharing on this machine?
    PING 10.200.4.26 (10.200.4.26): 56 data bytes
    64 bytes from 10.200.4.26: icmp_seq = 0 ttl = 64 time = 2.671 ms
    64 bytes from 10.200.4.26: icmp_seq = 1 ttl = 64 time = 2.817 ms
    64 bytes from 10.200.4.26: icmp_seq = 2 ttl = 64 time = 2.452 ms
    64 bytes from 10.200.4.26: icmp_seq = 3 ttl = 64 time = 2.472 ms
    64 bytes from 10.200.4.26: icmp_seq = 4 ttl = 64 time = 2.644 ms
    64 bytes from 10.200.4.26: icmp_seq = 5 ttl = 64 time = 2.505 ms
    64 bytes from 10.200.4.26: icmp_seq = 6 ttl = 64 time = 2.330 ms

    --- 10.200.4.26 ping statistics ---
    7 packets transmitted, 7 packets received, 0.0% packet loss
    round-trip min / avg / max / stddev = 2.330 / 2.556 / 2.817 / 0.151 ms


  • Galactic Empire

    Can you only allow 1 MAC per switch port on your switch?



  • @NogBadTheBad:

    Can you only allow 1 MAC per switch port on your switch?

    That wouldn't make any difference.  That would allow only one device to be connected to the port.  It would not stop other devices from connecting to the device connected to it.  Also, if another device is connected through another device, as in the WiFi hotspot, the MAC address will never appear at that port, only that of the device that's directly connected.


  • LAYER 8 Global Moderator

    according to this information I can see that there is no sharing on this machine?
    PING 10.200.4.26 (10.200.4.26): 56 data bytes
    64 bytes from 10.200.4.26: icmp_seq = 0 ttl = 64 time = 2.671 ms

    No, that is just you pinging something; you cannot tell anything from that about whether that device is sharing something behind it.

    You would need to sniff on the pfSense LAN-side interfaces and see if you see packets with non-default TTLs on them.  I could fire up a VM router and put something behind it to show you.

    Give me a bit and I will show you what I am talking about… Might be tomorrow, heading out to dinner with the wife here shortly.

    Edit:
    Here I fired up a VM on a NAT behind my machine.  So its IP address is 192.168.9.100.

    So I pinged 1.1.1.1 from it while sniffing on the pfSense LAN interface.  So you see the TTL on the requests coming from the box running Linux Mint 18.3 is 64.  This is the default TTL for this OS.  Now I fired up a VM on this machine and put it behind a NAT on this machine, and then pinged 1.1.1.1 from it as well.  Notice the TTL of 127 from this machine, which is the default of 128 on Windows, but the NAT it's behind decreased the TTL by 1 as it routed the traffic.

    This is for sure not something for the beginner ;)  You have to understand how networking works at a packet level, etc.  And what a TTL is, for starters ;) No offense.

    What exactly are you wanting to accomplish?  So you run some sort of internet cafe or something, and people pay for access, and you're worried about them running a hotspot off their device and letting other people use the connection?

    Detecting and preventing people from doing NAT is pretty high-level stuff.  Don't take this the wrong way, but the fact that you're asking pretty much says it's going to be above your skill set ;)

    How about we understand the problem, and then maybe we can attack it with a simpler solution other than NAT detection and blocking, etc.
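    The TTL check johnpoz describes (in his first reply and in the VM demonstration in this post), as an added example that is not from the thread or from pfSense: it scores LAN-side SYN packets by how far their TTL sits below a common initial value and flags a source IP that either shows a decremented TTL or mixes initial TTLs. The packet records are constructed, and the SYN-only filter, the default-TTL table and the max_hops threshold are my assumptions.

```python
# Added example (not from the forum thread): classify LAN-side packets by TTL
# the way johnpoz describes, to spot hosts that look like they sit behind a
# downstream NAT/router. Sample packets are constructed, not real captures.
from collections import defaultdict

DEFAULT_TTLS = (64, 128, 255)  # 64 Linux/macOS/Android, 128 Windows, 255 some network gear

def classify_ttl(ttl):
    """Return (assumed initial TTL, hops below it) for an observed TTL.
    Picks the smallest common default that is >= the observed value."""
    for initial in DEFAULT_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    return None, None  # above 255 is not a valid IPv4 TTL

def analyze(packets, max_hops=0):
    """packets: iterable of (src_ip, ttl, tcp_flags). Only client SYNs are
    scored, since a SYN's TTL is what the originating host set.
    Returns {src_ip: [findings]} for hosts that look suspicious."""
    seen = defaultdict(set)        # src_ip -> {(initial_ttl, hop_delta)}
    findings = defaultdict(list)
    for src, ttl, flags in packets:
        if "S" not in flags or "A" in flags:
            continue               # not a client-originated SYN
        initial, delta = classify_ttl(ttl)
        if initial is None:
            findings[src].append(f"invalid ttl {ttl}")
            continue
        seen[src].add((initial, delta))
    for src, combos in seen.items():
        deltas = {d for _, d in combos}
        initials = {i for i, _ in combos}
        if max(deltas) > max_hops:   # directly attached hosts should be 0 hops away
            findings[src].append(f"ttl decremented by {max(deltas)}: likely a router/NAT behind this host")
        if len(initials) > 1:        # the mixed-fingerprint signal from the thread
            findings[src].append(f"mixed initial ttls {sorted(initials)}: several OSes behind one IP")
    return dict(findings)

# Constructed sample: two direct clients (Linux TTL 64, Windows TTL 128) and one
# host that also forwards for a hidden Windows machine (TTL 128 - 1 = 127).
SAMPLE = [
    ("10.200.4.26", 64, "S"), ("10.200.4.26", 64, "S"),
    ("10.200.4.30", 128, "S"),
    ("10.200.4.40", 64, "S"), ("10.200.4.40", 127, "S"), ("10.200.4.40", 127, "S"),
    ("1.1.1.1", 57, "SA"),     # SYN/ACK from the internet side, ignored
]

if __name__ == "__main__":
    for ip, notes in analyze(SAMPLE).items():
        print(ip, notes)
```

    Feed it tuples parsed from a capture on the pfSense LAN interface (source IP, IP TTL, TCP flags). As johnpoz notes later in the thread, a proxy, a TTL-rewriting router or a VPN tunnel on the sharing host defeats this check, so treat a hit as a lead to investigate, not proof.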




  • @johnpoz:

    according to this information I can see that there is no sharing on this machine?
    PING 10.200.4.26 (10.200.4.26): 56 data bytes
    64 bytes from 10.200.4.26: icmp_seq = 0 ttl = 64 time = 2.671 ms

    No, that is just you pinging something; you cannot tell anything from that about whether that device is sharing something behind it.

    You would need to sniff on the pfSense LAN-side interfaces and see if you see packets with non-default TTLs on them.  I could fire up a VM router and put something behind it to show you.

    Give me a bit and I will show you what I am talking about… Might be tomorrow, heading out to dinner with the wife here shortly.

    Edit:
    Here I fired up a VM on a NAT behind my machine.  So its IP address is 192.168.9.100.

    So I pinged 1.1.1.1 from it while sniffing on the pfSense LAN interface.  So you see the TTL on the requests coming from the box running Linux Mint 18.3 is 64.  This is the default TTL for this OS.  Now I fired up a VM on this machine and put it behind a NAT on this machine, and then pinged 1.1.1.1 from it as well.  Notice the TTL of 127 from this machine, which is the default of 128 on Windows, but the NAT it's behind decreased the TTL by 1 as it routed the traffic.

    This is for sure not something for the beginner ;)  You have to understand how networking works at a packet level, etc.  And what a TTL is, for starters ;) No offense.

    What exactly are you wanting to accomplish?  So you run some sort of internet cafe or something, and people pay for access, and you're worried about them running a hotspot off their device and letting other people use the connection?

    Detecting and preventing people from doing NAT is pretty high-level stuff.  Don't take this the wrong way, but the fact that you're asking pretty much says it's going to be above your skill set ;)

    How about we understand the problem, and then maybe we can attack it with a simpler solution other than NAT detection and blocking, etc.

    Yes, it's frustrating because it exceeds my skills.
    Unfortunately, there is no pfSense package that fixes this problem.
    We share a fiber optic subscription, but over the past few months some people have shared the connection with their neighbor who has stopped paying their monthly subscription; I fear that this will become a phenomenon.
    Thank you so much.


  • LAYER 8 Global Moderator

    It's not a common sort of thing ;)

    But if you sniff on your LAN-side connection(s) and you watch the TTLs on the SYN packets, you could probably spot traffic from an IP that is sharing their connection and then confront them about it.

    You can also watch for differences in the sorts of fingerprints and traffic, etc.  There are many ways to track this sort of thing down; none of it is just clicky-clicky install this and get a report in your email or an alert, etc.

    Keep in mind also that I could mask such stuff very easily.  If devices are using a proxy on the device sharing the connection, you wouldn't see a lower TTL.  I could on my router manipulate the TTL so it doesn't reduce the TTL by 1 as I send the traffic on, etc.  The proxy would mask OS fingerprinting.

    I could run all my traffic through a VPN connection over your connection and mask all the traffic inside the tunnel, etc.

    "we share a fiber optic subscription"

    My suggestion for this would be: don't share.  Or just shape/limit the traffic so nobody gets more than their fair share.  If they share it out to other people, they would just be limiting their own share.



  • @johnpoz:

    It's not a common sort of thing ;)

    But if you sniff on your LAN-side connection(s) and you watch the TTLs on the SYN packets, you could probably spot traffic from an IP that is sharing their connection and then confront them about it.

    You can also watch for differences in the sorts of fingerprints and traffic, etc.  There are many ways to track this sort of thing down; none of it is just clicky-clicky install this and get a report in your email or an alert, etc.

    Keep in mind also that I could mask such stuff very easily.  If devices are using a proxy on the device sharing the connection, you wouldn't see a lower TTL.  I could on my router manipulate the TTL so it doesn't reduce the TTL by 1 as I send the traffic on, etc.  The proxy would mask OS fingerprinting.

    I could run all my traffic through a VPN connection over your connection and mask all the traffic inside the tunnel, etc.

    "we share a fiber optic subscription"

    My suggestion for this would be: don't share.  Or just shape/limit the traffic so nobody gets more than their fair share.  If they share it out to other people, they would just be limiting their own share.

    Hello, thank you for your help.
    The Nmap package is what I'm looking for, but I'm not trying it yet on a suspicious network; I'm waiting to see who connects. Let's say I'm starting to understand (a simple beginner mistake), haha, if I'm not being overconfident.

    • I looked in System -> Advanced -> Firewall & NAT.
      Are there masking rules to configure in this section?

    ![Screenshot-2018-4-8 pro4545 electropro4545 click - System Advanced Firewall NAT.png](/public/imported_attachments/1/Screenshot-2018-4-8 pro4545 electropro4545 click - System Advanced Firewall NAT.png)


  • LAYER 8 Global Moderator

    nmap is a great tool, but it would have zero to do with detecting downstream machines that are NATing.  Zero!!!

    You can scan a network looking for devices, you can check an IP to see what ports they have open.  And sure, in your scan you can even do some OS fingerprinting on what they send back.  But no, I don't see how you would use nmap to discover people sharing their connection with tethered devices.

    What are you looking for in the advanced section?  That is not going to help you discover or block devices either.



  • @johnpoz:

    nmap is a great tool, but it would have zero to do with detecting downstream machines that are NATing.  Zero!!!

    You can scan a network looking for devices, you can check an IP to see what ports they have open.  And sure, in your scan you can even do some OS fingerprinting on what they send back.  But no, I don't see how you would use nmap to discover people sharing their connection with tethered devices.

    What are you looking for in the advanced section?  That is not going to help you discover or block devices either.

    OK, thanks.
    Thanks to your help I have a good idea on the subject.
    I will continue to deepen my knowledge according to your advice.
    Once again, thank you.


  • LAYER 8 Global Moderator

    To be honest, off the top of my head I do not even think you can write a rule in pfSense to detect the different TTLs that could indicate a downstream NAT.

    I know you could edit the scrub part of the code to change the outbound TTL to something common and hide that pfSense was NATing stuff behind it based on the TTL; this can also throw off OS fingerprinting, etc.  None of which you would do in the GUI of pfSense.

    To be honest, for detecting and stopping this stuff based on OS fingerprinting and/or the TTL value of a downstream NAT, your best bet would be the Snort or Suricata packages.  I know Snort can do some TTL-based rules.



  • I think a good solution would be what Johnpoz recommended, that is, bandwidth-limit the connection to the other party. Does the fiber connection go directly to your pfSense box? If so, then implement this recommendation.


  • LAYER 8 Netgate

    There is no viable way for an ISP to do what you want to do.

    You decided to be an ISP. Welcome to the world of being an upstream internet provider.

    If you manage to catch someone in the act, just shut them off or throttle them down to next-to-nothing.

    All of these methods are fringe and will be anything but foolproof and be full of false positives, etc. There is nothing in pfSense that is designed to do it. Sorry.

    You should research and purchase another box to put between your customers and the edge that can do it, if it is possible to do reliably at all. I can think of nothing off the top of my head.



  • I tried the Snort Open Threats rules but got many false positives.
    If the paid ETPro solves the problem of false positives, it will be good for me.


  • LAYER 8 Global Moderator

    Yeah, there are going to be a HUGE amount of false positives on the free and/or even the paid threats.  This is the very nature of IPS… It takes a lot of time to tweak it for a specific network to not show lots of noise.

    It just blows my mind how users think, oh, clickity clickity, full-blown IPS for free and zero noise or false positives.  Like saying hey, you know which end cuts on that scalpel, sure you're ready for that open heart surgery then ;)

    Do you really think IT is that easy, that any billy bob can push a few buttons on a GUI and be all set with something like an IPS???

    How come users don't think they can tear apart their transmission and rebuild it, but any Tom off the street thinks he can fire up an IPS system to block downstream NATing with a click of a button? ;)

