Netgate Discussion Forum
    Prohibit connection sharing

General pfSense Questions
19 Posts 6 Posters 1.4k Views
fmohcine26

How can I prohibit connection sharing by machines connected to my network?
Example:

• a Windows 10 machine connected via an Ethernet cable can activate the mobile Wi-Fi hotspot,
• an Android smart TV connected via an RJ45 cable can activate a mobile Wi-Fi hotspot,
  usually any machine with 2 network cards.
The problem is that these machines broadcast a network that escapes pfSense's control.
JKnott

        If those devices are sharing a connection, there is no way for pfsense to know that.  With connection sharing, NAT is normally used so that the devices sharing the connection appear to be the device that's connected to the network.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

fmohcine26

@JKnott:
"If those devices are sharing a connection, there is no way for pfsense to know that. [...]"

Thank you for your reply.
Is there another solution that I can use in parallel with pfSense to prohibit sharing, or at least a control and monitoring tool?

johnpoz LAYER 8 Global Moderator

Yeah, to detect a NAT would require more in-depth analysis of the traffic than what pfSense does out of the box.

A few methods you could use: most devices that NAT would alter the TTL from the native default that a client would send out. So if you examine the packets as they hit the pfSense LAN-side interface, the default TTL set on the packets is probably going to be 64 or 128. If you're seeing, say, 63 or 127, that would suggest something behind a NAT or a router that lowered the TTL.

It's possible you could write a firewall rule to block traffic that had such TTLs set.

Another option would be using timestamps to determine OS values; when you see traffic coming from the same IP with different sorts of OS fingerprints, that points to either NAT or VMs running, etc.

Google "NAT detection" for some good help on this. But yeah, out of the box this is not something you're going to click a checkbox to stop.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

fmohcine26

@johnpoz:
"Yeah to detect a nat would require more indepth analysis of the traffic, more than what pfsense out of box would do. [...]"

Thank you very much.
I will follow the path you gave me.

fmohcine26

@johnpoz:
"few methods you could use would be most devices that NAT would alter the TTL from the native default that a client would send out. [...]"

If I understood correctly, according to this information I can see that there is no sharing on this machine?
PING 10.200.4.26 (10.200.4.26): 56 data bytes
64 bytes from 10.200.4.26: icmp_seq=0 ttl=64 time=2.671 ms
64 bytes from 10.200.4.26: icmp_seq=1 ttl=64 time=2.817 ms
64 bytes from 10.200.4.26: icmp_seq=2 ttl=64 time=2.452 ms
64 bytes from 10.200.4.26: icmp_seq=3 ttl=64 time=2.472 ms
64 bytes from 10.200.4.26: icmp_seq=4 ttl=64 time=2.644 ms
64 bytes from 10.200.4.26: icmp_seq=5 ttl=64 time=2.505 ms
64 bytes from 10.200.4.26: icmp_seq=6 ttl=64 time=2.330 ms

--- 10.200.4.26 ping statistics ---
7 packets transmitted, 7 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.330/2.556/2.817/0.151 ms

NogBadTheBad

Can you only allow 1 MAC per switch port on your switch?

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

JKnott

@NogBadTheBad:
"Can you only allow 1 mac per switch port on your switch ?"

That wouldn't make any difference. That would allow only one device to be connected to the port. It would not stop other devices from connecting to the device connected to it. Also, if another device is connected through another device, as in the Wi-Fi hotspot, the MAC address will never appear at that port, only that of the device that's directly connected.

johnpoz LAYER 8 Global Moderator

@fmohcine26:
"according to this information I can see that there is no sharing on this machine?
PING 10.200.4.26 (10.200.4.26): 56 data bytes
64 bytes from 10.200.4.26: icmp_seq=0 ttl=64 time=2.671 ms"

No, that is just you pinging something; you cannot tell anything from that about whether that device is sharing something behind it.

You would need to sniff on the pfSense LAN-side interfaces and see if you see packets without default TTLs on them. I could fire up a VM router and put something behind it to show you.

Give me a bit and I will show you what I am talking about. Might be tomorrow; heading out to dinner with the wife shortly.

edit:
Here I fired up a VM on a NAT behind my machine, so its IP address is 192.168.9.100.

So I pinged 1.1.1.1 from it while sniffing on the pfSense LAN interface. You see the TTL on the requests coming from the box running Linux Mint 18.3 is 64; this is the default TTL for this OS. Now I fired up a VM on this machine and put it behind a NAT on this machine, and then pinged 1.1.1.1 from it as well. Notice the TTL of 127 from this machine, which is the default of 128 on Windows, but the NAT it's behind decreased the TTL by 1 as it routed the traffic.

This is for sure not something for the beginner ;) You have to understand how networking works at a packet level, etc., and what a TTL is, for starters ;) no offense.

What exactly are you wanting to accomplish? Do you run some sort of internet cafe or something where people pay for access, and you're worried about them running a hotspot off their device and letting other people use the connection?

Detecting and preventing people from doing NAT is pretty high-level stuff. Don't take this the wrong way, but the fact that you're asking pretty much says it's going to be above your skill set ;)

How about we understand the problem, and then maybe we can attack it with a simpler solution than NAT detection and blocking, etc.

[attachment: Selection_005.png, the capture referred to above]

                      1 Reply Last reply Reply Quote 0
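The two signals johnpoz describes in the posts above (a packet arriving on the LAN interface with a TTL one below the OS default, such as 63 or 127, and one address emitting packets with more than one OS family's default TTL), as an added example that is not code from this thread or from pfSense: a Python script that parses `tcpdump -v`-style output and reports LAN addresses whose packets look routed. The capture lines, the addresses and the short table of initial TTLs are constructed assumptions for the example.

```python
"""Spot LAN addresses whose packets look routed, i.e. a possible downstream NAT.

Added example, not code from the thread or from pfSense. Reads tcpdump -v style
text (IP header line followed by the indented "src > dst" line) and groups the
observed TTLs per source address.
"""
import re
import sys
from collections import defaultdict

# Initial TTLs set by common operating systems (assumption: this short list
# covers the hosts on the LAN; Linux/Android/macOS use 64, Windows 128,
# some network gear 255).
INITIAL_TTLS = (64, 128, 255)

# Constructed sample in the shape of `tcpdump -ni <lan_if> -v` output; not a
# real capture, addresses are made up. 192.168.9.100 mixes a native TTL of 64
# (Linux) with 127 (a Windows host one hop behind it); 192.168.9.102 mixes 64
# with 63; 192.168.9.101 is a plain Windows host sending its default 128.
SAMPLE_CAPTURE = """\
10:01:02.000001 IP (tos 0x0, ttl 64, id 1001, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.9.100 > 1.1.1.1: ICMP echo request, id 7, seq 1, length 64
10:01:02.000002 IP (tos 0x0, ttl 127, id 1002, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.9.100 > 1.1.1.1: ICMP echo request, id 8, seq 1, length 64
10:01:03.000003 IP (tos 0x0, ttl 128, id 1003, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.9.101.51000 > 1.1.1.1.443: Flags [S], seq 10, win 64240, length 0
10:01:04.000004 IP (tos 0x0, ttl 63, id 1004, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.9.102.40000 > 1.1.1.1.443: Flags [S], seq 20, win 29200, length 0
10:01:05.000005 IP (tos 0x0, ttl 64, id 1005, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.9.102.40001 > 1.1.1.1.443: Flags [S], seq 30, win 29200, length 0
"""

HEADER_RE = re.compile(r"^\S+ IP \(.*?\bttl (\d+),")
ADDR_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)? > ")


def parse_capture(text):
    """Return a list of (src_ip, ttl) pairs from tcpdump -v style output."""
    packets = []
    pending_ttl = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            pending_ttl = int(header.group(1))
            continue
        addr = ADDR_RE.match(line)
        if addr and pending_ttl is not None:
            packets.append((addr.group(1), pending_ttl))
            pending_ttl = None
    return packets


def initial_ttl(ttl):
    """Smallest common initial TTL at or above the observed one."""
    for base in INITIAL_TTLS:
        if ttl <= base:
            return base
    return 255


def analyse(packets):
    """Map each suspicious source address to the reasons it was flagged.

    Signal 1: a TTL below the OS default, so something routed the packet
    before it reached the firewall. Signal 2: more than one OS family's
    default TTL coming from a single address (NAT or VMs behind it).
    """
    ttls_by_src = defaultdict(set)
    for src, ttl in packets:
        ttls_by_src[src].add(ttl)
    findings = {}
    for src, ttls in sorted(ttls_by_src.items()):
        reasons = []
        hops = sorted(initial_ttl(t) - t for t in ttls if initial_ttl(t) != t)
        if hops:
            reasons.append("TTL below OS default (%d extra hop(s))" % max(hops))
        bases = sorted({initial_ttl(t) for t in ttls})
        if len(bases) > 1:
            reasons.append("mixed initial TTLs %s from one address" % bases)
        if reasons:
            findings[src] = reasons
    return findings


def main():
    # Pipe a live capture in: tcpdump -ni <lan_if> -v | python3 ttl_check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    for src, reasons in analyse(parse_capture(text)).items():
        print(src, "->", "; ".join(reasons))


if __name__ == "__main__":
    main()
```

On the constructed sample this flags 192.168.9.100 (TTL 127 next to TTL 64, so both an extra hop and two OS families) and 192.168.9.102 (TTL 63 next to TTL 64), and leaves 192.168.9.101 alone. Treat a hit as something to investigate, not proof: a host with a non-default initial TTL, or a legitimately placed router, produces the same pattern, and a sharing device that rewrites the TTL, proxies its clients, or tunnels everything through a VPN produces no hit at all.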
fmohcine26

@johnpoz:
"No that is just you pinging something you can not tell anything from that.. as that device sharing something behind it. [...]"

Yes, it's frustrating because it exceeds my skills.
Unfortunately, there is no pfSense package that fixes this problem.
We share a fiber optic subscription, but over the past few months some people have shared the connection with their neighbor who has stopped paying their monthly subscription. I fear that this will become a phenomenon.
Thank you so much.

johnpoz LAYER 8 Global Moderator

It's not a common sort of thing ;)

But if you sniff on your LAN-side connection(s) and watch the TTLs on the SYN packets, you could probably spot traffic from an IP that is sharing its connection, and then confront them about it.

You can also watch for differences in the sort of fingerprints and traffic, etc. There are many ways to track this sort of thing down; none of it is just clicky-clicky, install this and get a report in your email or an alert, etc.

Keep in mind that I could also mask such stuff very easily. If devices are using a proxy on the device sharing the connection, you wouldn't see a lower TTL. I could, on my router, manipulate the TTL so it doesn't reduce the TTL by 1 as I send the traffic on, etc. The proxy would mask OS fingerprinting.

I could run all my traffic through a VPN connection over your connection and mask all the traffic inside the tunnel, etc.

"we share a fiber optic subscription"

My suggestion for this would be: don't share. Or just shape/limit the traffic so nobody gets more than their fair share. If they share it out to other people, they would just be limiting their own share.

fmohcine26

@johnpoz:
"But if you sniff on your lan side connection(s)  And you watch the ttls on the syn packets you could prob spot traffic from an IP that is sharing their connection and then confront them about it. [...]"

Hello, thank you for your help.
The Nmap package is what I'm looking for, but I haven't tried it yet on a suspicious network; I'm waiting to see who connects. Let's say I'm starting to understand (a simple beginner's mistake), haha, if I'm not being overconfident.

• I looked in System -> Advanced -> Firewall & NAT.
  Are there masking rules to configure in this section?

[screenshot: System > Advanced > Firewall & NAT]

johnpoz LAYER 8 Global Moderator

nmap is a great tool; it would have zero to do with detecting downstream machines that are NATing. Zero!!!

You can scan a network looking for devices, you can check an IP to see what ports it has open, and sure, in your scan you can even do some OS fingerprinting on what they send back. But no, I don't see how you would use nmap to discover people sharing their connection with tethered devices.

What are you looking for in the advanced section? That is not going to help you discover or block devices either.

fmohcine26

@johnpoz:
"nmap is a great tool - would have zero to do with detecting downstream machines that are natting.. Zero!!! [...]"

OK, thanks.
Thanks to your help I have a good idea about the subject.
I will continue to deepen my knowledge according to your advice.
Once again, thank you.

johnpoz LAYER 8 Global Moderator

To be honest, off the top of my head I do not even think you can write a rule in pfSense to detect the different TTLs that could indicate a downstream NAT.

I know you could edit the scrub part of the code to change the outbound TTL to something common and hide that pfSense was NATing stuff behind it based on the TTL; this can also throw off OS fingerprinting, etc. None of which you would do in the GUI of pfSense.

To be honest, for detecting and stopping this stuff based on OS fingerprinting and/or the TTL value of a downstream NAT, your best bet would be the Snort or Suricata packages. I know Snort can do some TTL-based rules.

cenriq

I think a good solution would be, as johnpoz recommended, to bandwidth-limit the connection to the other party. Does the fiber connection go directly to your pfSense box? If so, then implement this recommendation.

Derelict LAYER 8 Netgate

                                      There is no viable way for an ISP to do what you want to do.

                                      You decided to be an ISP. Welcome to the world of being an upstream internet provider.

                                      If you manage to catch someone in the act, just shut them off or throttle them down to next-to-nothing.

                                      All of these methods are fringe and will be anything but foolproof and be full of false positives, etc. There is nothing in pfSense that is designed to do it. Sorry.

                                      You should research and purchase another box to put between your customers and the edge that can do it, if it is possible to do reliably at all. I can think of nothing off the top of my head.

                                      Chattanooga, Tennessee, USA
                                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

fmohcine26

I tried the open Snort threat rules, but there were many false positives.
If the paid ET Pro rules solve the problem of false positives, that will be good for me.

johnpoz LAYER 8 Global Moderator

Yeah, there are going to be a HUGE amount of false positives on the free and even the paid threat rules. This is the very nature of IPS. It takes a lot of time to tweak it for a specific network so it does not show lots of noise.

It just blows my mind how users think, oh, clickity-clickity, full-blown IPS for free and zero noise or false positives. Like saying, hey, you know which end of that scalpel cuts, sure, you're ready for that open heart surgery then ;)

Do you really think IT is that easy, that any Billy Bob can push a few buttons in a GUI and be all set with something like an IPS???

How come users don't think they can tear apart their transmission and rebuild it, but any Tom off the street thinks he can fire up an IPS system to block downstream NATing with the click of a button? ;)

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.