how to prevent users for wifi tethering/sharing

Reply to how to prevent users for wifi tethering/sharing on Mon, 05 Aug 2024 10:57:11 GMT

johnpoz — Mon, 05 Aug 2024 10:57:11 GMT

@colleytech you could use say snort for example

As i said 2 years ago.

Other option might be doing something with IPS package..

https://docs.snort.org/rules/options/non_payload/ttl

But different OSes can use different default TTLs, so you would most likely need multiple rules with different values. Unless you knew all the devices on your network used a specific ttl. Which is unlikely in a scenario where such detection would make sense. I could see it as a way to detect users using multiple devices behind another device to circumvent a captive portal for example.

Where they have to pay for access or something. Keep in mind - that it is possible for the natting device to manipulate the traffic so the drop in ttl is not done.. Which would defeat this detection method.

Reply to how to prevent users for wifi tethering/sharing on Mon, 05 Aug 2024 07:00:23 GMT

Gertjan — Mon, 05 Aug 2024 07:00:23 GMT

@colleytech

Manipulating the TTL ? Not that I know of.

Reply to how to prevent users for wifi tethering/sharing on Sat, 03 Aug 2024 09:08:48 GMT

colleytech — Sat, 03 Aug 2024 09:08:48 GMT

@Gertjan anything on this yet?

Reply to how to prevent users for wifi tethering/sharing on Thu, 23 Jun 2022 11:22:53 GMT

Gertjan — Thu, 23 Jun 2022 11:22:53 GMT

@maherg

Se also https://forum.netgate.com/topic/172355/block-wi-fi-sharing-through-mobile-hotspot/7.

A soon as it becomes 'easy' to write and maintain firewall rules that take in account ttl header values, it will also become easy to pre-set these ttl to 65 129 and 257 on the other, lower side router, the one that shares the connection.
So, pf, the pfSense firewall, will see 64, 128 or 256 and thus detects nothing special.
And for that matter also iptables,or any other firewall you use.

Reply to how to prevent users for wifi tethering/sharing on Tue, 17 May 2022 11:29:07 GMT

johnpoz — Tue, 17 May 2022 11:29:07 GMT

@maherg while its possible to detect a nat via the ttl being lower than default 64, 128, etc. different OSes would/could use a different standard ttl value. When you go through a router this ttl is lowered by 1.

So it is in theory possible to detect a connection that has gone through a router and not directly connected to "your" router.. It is also possible to circumvent that by having the router your using to say share the connection to not lower the ttl of the traffic it sends on.

I am not aware of any built in function to filter on non standard ttls.. I would have to look through the advanced options available to see if doing something like that is possible on a firewall rule. But you have to also be aware of different OSes using different standard ttl values and account for all of those that might be seen with different clients behind your pfsense.

edit: from a quick look at the advanced options in firewall rules, I do not see a way to do this by looking at the ttl value. But you might be able to do it with

https://docs.netgate.com/pfsense/en/latest/firewall/configure.html#source-os

It is "possible" that maybe the finger print that identifies os XYZ would look at the ttl, and if its not the standard for that OS, say it dropped by 1 because of a downstream router handling the traffic (sharing internet).. It might not match and could be filtered.

Other option might be doing something with IPS package..

Might be a good feature request for future version of pfsense.