how to block bad guys who is sharing internet by laptop
-
Hello everyone!
I am trying to block some clients who are sharing internet by laptop. Some people are sharing the internet by laptop and giving the password to everybody, so how do I find and control it?
I don't know which firewall rule I should create to block it in pfSense.
My plan is that any laptop may have internet, but the devices which are connected through laptops sharing a mobile hotspot should not have internet.
-
Hi,
When the Internet sharing is activated on a device, it starts to act as a router.
From a pfSense point of view, all traffic comes from the sharing device. Traffic from this device will have the same IP and MAC.
So nothing can be done using a firewall - the one pfSense is using or any other firewall.
-
Trying to understand why this is an issue exactly?
Are you some sort of internet cafe where a user is paying for access, and then sharing that with his friends/others so they only have to pay once?
Or are you in a work environment? And a user is sharing access to other users that are not supposed to have internet - and should be working?
-
@johnpoz
We are a small construction company and I am new to pfSense. I thought that maybe there is something new to solve this problem. I could create user accounts on those laptops and control them, but those laptops are their personal ones, so I need to search for another way...
-
There's no practical way to do that in pfSense.
You could potentially make it very painful for users doing that. Maybe limit the number of connections or rate of connection to individual IPs. Or limit bandwidth to each IP.
We have seen people using schemes such as re-writing the TTL on packets to prevent routing but that is not something pfSense does (as standard).
Steve
-
Still not understanding why this is an issue, and why are they doing it in the first place?
So you have a user that has their own device, that gets on your wifi network... And this user works for you.. Why are they sharing out the internet - and to who? Other workers that are not supposed to have it... Random people on the street?
What are they doing that you want to stop? Are they using up all your bandwidth?
Why do you not want them doing this? There's not much you can do to stop it though to be honest.. Just like an ISP that sells you internet cannot keep that person from sharing it with everyone on the block, etc. if that person wanted to..
Detecting NAT and then blocking it is pretty high level stuff.. Simple way is to look for TTL that has gone through a hop already... But if you are doing that and block that, I can just make sure my NAT doesn't change the TTL from default, etc.
-
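The TTL check described in the post above, as an added example that is not part of the thread or of pfSense itself: it classifies LAN sources by whether their packets arrive with an untouched initial TTL or one that has already crossed a hop. The function names, thresholds and sample records are assumptions constructed for illustration; the input is assumed to be (source IP, TTL) pairs taken from forwarded unicast traffic on the LAN interface. As the post notes, a sharing device that resets the TTL to the default will show up as direct.

```python
from collections import defaultdict

INITIAL_TTLS = (64, 128, 255)  # common OS defaults: Linux/macOS/Android, Windows, network gear
MAX_EXTRA_HOPS = 4             # larger gaps are treated as unexplained, not as evidence of NAT

def hops_travelled(ttl):
    """Hops already crossed, assuming the nearest common initial TTL at or above ttl."""
    if not 1 <= ttl <= 255:
        raise ValueError(f"TTL out of range: {ttl}")
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl

def classify_sources(observations, min_routed=3):
    """Count direct vs. already-routed packets per source and attach a verdict."""
    counts = defaultdict(lambda: {"direct": 0, "routed": 0, "other": 0})
    for src, ttl in observations:
        hops = hops_travelled(ttl)
        if hops == 0:
            kind = "direct"      # TTL untouched: sender is on this segment
        elif hops <= MAX_EXTRA_HOPS:
            kind = "routed"      # TTL decremented: something forwarded it first
        else:
            kind = "other"       # e.g. TTL 1 link-local traffic, custom TTLs
        counts[src][kind] += 1
    report = {}
    for src, c in counts.items():
        if c["routed"] >= min_routed:
            verdict = "sharing-suspected"
        elif c["direct"] and not c["routed"] and not c["other"]:
            verdict = "direct"
        else:
            verdict = "inconclusive"  # too few packets or unexplained TTLs
        report[src] = dict(c, verdict=verdict)
    return report

# Constructed sample: .20 is a Windows laptop (TTL 128) forwarding a phone (64 - 1 = 63).
SAMPLE = [
    ("192.168.1.20", 128), ("192.168.1.20", 128),
    ("192.168.1.20", 63), ("192.168.1.20", 63), ("192.168.1.20", 63),
    ("192.168.1.21", 64), ("192.168.1.21", 64),
    ("192.168.1.22", 1),
    ("192.168.1.23", 127),
]

if __name__ == "__main__":
    for src, row in sorted(classify_sources(SAMPLE).items()):
        print(src, row)
```
-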
The question I'd have is... what's your main concern? If it's bandwidth, then configure QoS.
Otherwise, there's no viable way to do what you're asking. Just like there's no viable way for your ISP to block the 50+ devices you have behind pfSense.
-
@stephenw10
Yes, I understand, need to search for another way.
-
@johnpoz
Internet speed is small (10M/bit for 50 person), I need to control users' bandwidth and internet usage, so that office staff can use normal speed.
If there is no way to solve it I will set a limit per IP; I think it will keep traffic normal.
Thanks a lot to everybody!!!
-
@begaa said in how to block bad guys who is sharing internet by laptop:
(10M/bit for 50 person)
That is not viable - just have them hotspot off their phones for gosh sake.. That isn't even internet..
200K that is what you would give each IP? That is like an EDGE connection (2G)..
I could hotspot off my phone for your 50 users and give them better speeds ;)
-
You can use dynamic Limiters to ensure the available bandwidth is shared equally. That can work quite well in these situations.
Steve
-
10mbps though... You can get that on a plane ;) while it's flying.. ATG-4 does 9.8Mbps - and you're normally sharing it with far fewer people than 50 ;) since not everyone is paying and using it...
And if newer plane doing 2ku
Are you in the middle of nowhere? Not sure how you thought sharing 10mbps with 50 people would be worth anything? Did you drop a zero did you mean 100? ;)
-
Ha. There are, unfortunately, still plenty of people even here in the UK who would kill for 10Mbps. I imagine there are other places in the world where far less than that is expected.
Steve
-
But to share that with 50 people? Come on - that is not realistic... Unless you were in the middle of freaking nowhere..
Fire up a 4G/LTE hotspot and you have more than 10mbps... The UK is pretty freaking small ;) What like half the size of California... You're telling me you can not get 10mbps LTE pretty much anywhere?
-
@stephenw10 said in how to block bad guys who is sharing internet by laptop:
You can use dynamic Limiters to ensure the available bandwidth is shared equally.
Or maybe throttle the users.
-
@johnpoz said in how to block bad guys who is sharing internet by laptop:
But to share that with 50 people? Come on - that is not realistic... Unless you were in the middle of freaking nowhere..
Fire up a 4G/LTE hotspot and you have more than 10mbps... The UK is pretty freaking small ;) What like half the size of California... You're telling me you can not get 10mbps LTE pretty much anywhere?
It's certainly not ideal, but in certain circumstances, that's all you have. I work for a healthcare org that has 120+ sites. While our data centers have dual gigabit, several of the clinics are indeed sharing a 10 Mbit or even 5 Mbit MOE circuit. We even have a few clinics that are sharing a single T1... it's insane, but real... unfortunately.
-
@marvosa said in how to block bad guys who is sharing internet by laptop:
We even have a few clinics that are sharing a single T1
And you're saying that is the only thing available - these clinics in the Congo 300 miles from the nearest village? Bringing medicine to the natives?
Or company too cheap to pay for anything better.. I would think even the cheapest home internet connection in the area would be better than a freaking T1 ;)
There is no cell coverage in the area? Cradlepoint and a sim card would be faster than any of those speeds.
-
@marvosa said in how to block bad guys who is sharing internet by laptop:
We even have a few clinics that are sharing a single T1...
A real T1? These days, those are generally emulated over Ethernet. I first did that over 10 years ago. They have also been run over SHDSL for many years. I was working with that stuff back in the early '90s.
I suppose there are still some parts of the world that rely on 2 cans and a string.