Need to block vpn/proxies
-
Greetings to community,
I've configured pfBlockerNG on pfSense version 2.5.0. I blocked many social networking, streaming and some other categories as well, and it is working fine, but some users installed VPN apps on their systems/phones to bypass that restriction. I've installed Snort and enabled AppID as well. When I enable "block offenders" it starts to block everyone on the network.
I've added my system IP to the passlist to avoid being blocked by Snort. The rules selected are as below:
emerging-scan.rules <== ET open
snort_indicator-scan.rules <== ET_text
vpn_tunnel <== AppID
Home Net: selected the default
Which IP to block set to: Dst
My only goal with Snort is to block VPN tunnels. I know it won't work out 100%, but it will be fine to save some of my bandwidth.
Regards
-
Something like https://github.com/ejrv/VPNs? I guess pfBlockerNG-devel could use the URL as a feed (https://github.com/ejrv/VPNs/blob/master/vpn-ipv4.txt).
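To show what such an IP feed buys you once pfBlockerNG loads it, here is an added example (not code from the thread, from pfBlockerNG or from the ejrv/VPNs repository). It parses a feed in the one-address-or-CIDR-per-line form that vpn-ipv4.txt uses, collapses overlapping networks the way a de-duplication pass does, and decides block/allow for a handful of LAN flows. The feed lines and the flow records are constructed for illustration, not taken from the real list.

```python
"""Check destination IPs against a pfBlockerNG-style IPv4 feed.

Added example, not code from the thread or from pfBlockerNG. It models what an
IP feed such as the ejrv/VPNs vpn-ipv4.txt list does once pfBlockerNG turns it
into a firewall alias: any destination inside a listed network is blocked.
SAMPLE_FEED and SAMPLE_FLOWS below are constructed for illustration.
"""
import ipaddress

# Constructed sample feed: one IPv4 address or CIDR per line. Real feeds also
# carry comments, blank lines and the occasional malformed entry, so the loader
# has to tolerate all three.
SAMPLE_FEED = """\
# constructed sample, not the real vpn-ipv4.txt
198.51.100.0/24
203.0.113.7

192.0.2.128/25
bogus line
"""

# Constructed LAN flow records as (src, dst).
SAMPLE_FLOWS = [
    ("10.0.0.5", "198.51.100.44"),   # inside 198.51.100.0/24 -> block
    ("10.0.0.6", "203.0.113.7"),     # exact host entry        -> block
    ("10.0.0.7", "192.0.2.10"),      # 192.0.2.0/25, not listed -> allow
    ("10.0.0.8", "8.8.8.8"),         # not listed              -> allow
]


def parse_feed(text):
    """Return ip_network objects for every valid line; skip comments, blanks, junk."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False accepts host bits set inside a prefix (e.g. 10.1.2.3/24)
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            # A single bad line should not poison the whole feed.
            continue
    return nets


def collapse(nets):
    """Merge overlapping and adjacent networks (the de-duplication step)."""
    return list(ipaddress.collapse_addresses(nets))


def is_blocked(dst, nets):
    """True if dst falls inside any network of the feed."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in nets)


def evaluate_flows(flows, nets):
    """Map each destination to 'block' or 'allow'."""
    return {dst: ("block" if is_blocked(dst, nets) else "allow") for _, dst in flows}


if __name__ == "__main__":
    feed_nets = collapse(parse_feed(SAMPLE_FEED))
    for dst, verdict in evaluate_flows(SAMPLE_FLOWS, feed_nets).items():
        print(f"{dst:16} {verdict}")
```

The limitation the original poster already anticipates shows up here as well: a VPN endpoint that is not in the list (or a service that multiplexes VPN traffic behind a shared, otherwise-legitimate address) is simply allowed, so a feed-based block reduces bypass traffic rather than eliminating it.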
-
@scorpoin said in Need to block vpn/proxies:
Greetings to the community,
I've configured pfBlockerNG on pfSense version 2.5.0. I blocked many social networking, streaming and some other categories as well, and it is working fine, but some users installed VPN apps on their systems/phones to bypass that restriction. I've installed Snort and enabled AppID as well. When I enable "block offenders" it starts to block everyone on the network.
I've added my system IP to the passlist to avoid being blocked by Snort. The rules selected are as below:
emerging-scan.rules <== ET open
snort_indicator-scan.rules <== ET_text
vpn_tunnel <== AppID
Home Net: selected the default
Which IP to block set to: Dst
My only goal with Snort is to block VPN tunnels. I know it won't work out 100%, but it will be fine to save some of my bandwidth.
Regards
If you are using Snort in the pfSense-2.5 DEVEL snapshots, then you have access to its Inline IPS Mode. This will work much better for OpenAppID than Legacy Blocking Mode. Legacy Blocking Mode blocks all traffic to an IP once any alert for that IP is triggered. This is not always optimal. Inline IPS Mode will selectively drop (or block) only traffic matching a DROP rule.
So if your NIC hardware supports netmap operation, then switch to Inline IPS Mode. There is a Sticky Post at the top of this forum describing how that works. Note that when using the Inline IPS Mode you will need to use the features on the SID MGMT tab to change selected rules to DROP from their default ALERT action in order to actually block or drop traffic.
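The point about SID MGMT is the one people most often miss when switching to Inline IPS Mode: a rule whose action is still "alert" will never drop anything, whatever the blocking mode. The following added example (not code from the thread or from the pfSense Snort package) models that step: it reads a drop list of GID:SID entries, rewrites the matching rules' action from alert to drop, and leaves every other rule, including commented-out ones, untouched. The rules, SIDs and list contents are constructed; the real SID MGMT tab documents the exact list syntax it accepts, so treat this as a model of the effect, not of the package's parser.

```python
"""Turn selected Snort rules from alert to drop for Inline IPS Mode.

Added example, not code from the thread or from the pfSense Snort package.
It models what the SID MGMT drop list achieves: rules whose GID:SID is listed
have their action rewritten from 'alert' to 'drop' so that Inline IPS Mode
actually blocks matching traffic; everything else stays alert-only.
SAMPLE_RULES and SAMPLE_DROPLIST are constructed for illustration.
"""
import re

# Constructed rules in Snort 2 syntax (not real ET or Snort rule content).
SAMPLE_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 1194 (msg:"EXAMPLE VPN OpenVPN handshake"; sid:9000001; rev:1;)',
    'alert udp $HOME_NET any -> $EXTERNAL_NET 500 (msg:"EXAMPLE VPN IKE init"; sid:9000002; rev:1;)',
    '# alert tcp any any -> any any (msg:"EXAMPLE disabled rule"; sid:9000003; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE SCAN something"; sid:9000004; rev:1;)',
]

# Constructed drop list: one GID:SID per line, '#' comments allowed.
SAMPLE_DROPLIST = """\
# constructed drop list
1:9000001
1:9000002
"""

RULE_RE = re.compile(r'^(?P<action>alert|drop|log|pass|reject|sdrop)\s+(?P<rest>.*)$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')


def parse_droplist(text):
    """Return a set of (gid, sid) tuples. A bare SID defaults to GID 1."""
    wanted = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        gid, sid = line.split(":", 1) if ":" in line else ("1", line)
        wanted.add((int(gid), int(sid)))
    return wanted


def rule_id(rule):
    """(gid, sid) of an active rule, or None for comments, blanks and rules without a sid."""
    if not rule.strip() or rule.lstrip().startswith("#"):
        return None
    sid = SID_RE.search(rule)
    if not sid:
        return None
    gid = GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def apply_drop(rules, wanted):
    """Rewrite 'alert' to 'drop' for listed rules; return all other lines unchanged."""
    out = []
    for rule in rules:
        m = RULE_RE.match(rule)
        if rule_id(rule) in wanted and m and m.group("action") == "alert":
            out.append("drop " + m.group("rest"))
        else:
            out.append(rule)
    return out


def count_actions(rules):
    """Tally rule actions; commented-out or unparseable lines count as 'disabled'."""
    counts = {}
    for rule in rules:
        m = RULE_RE.match(rule)
        key = m.group("action") if m else "disabled"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    rewritten = apply_drop(SAMPLE_RULES, parse_droplist(SAMPLE_DROPLIST))
    for line in rewritten:
        print(line)
    print(count_actions(rewritten))
```

Running it shows the two VPN rules flipped to drop while the scan rule stays at alert, which is exactly the selective behaviour the reply above describes: only traffic matching a DROP rule is dropped, and the rest of the network keeps working.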