How to prevent users from WiFi tethering/sharing
-
Hi,
Please, does anyone have any idea how to prevent users from sharing their internet via WiFi tethering? Is there any way to do this in pfSense? In MikroTik it can be done via TTL, but I can't find this kind of option in pfSense, and we need this to prevent users from sharing their internet with other users.
Please help me with this.
-
@maherg While it's possible to detect a NAT via the TTL being lower than the default 64, 128, etc., different OSes would/could use a different standard TTL value. When you go through a router this TTL is lowered by 1.
So it is in theory possible to detect a connection that has gone through a router and is not directly connected to "your" router. It is also possible to circumvent that by having the router you're using to, say, share the connection not lower the TTL of the traffic it sends on.
I am not aware of any built-in function to filter on non-standard TTLs. I would have to look through the advanced options available to see if doing something like that is possible on a firewall rule. But you also have to be aware of different OSes using different standard TTL values and account for all of those that might be seen with different clients behind your pfSense.
Edit: from a quick look at the advanced options in firewall rules, I do not see a way to do this by looking at the TTL value. But you might be able to do it with
https://docs.netgate.com/pfsense/en/latest/firewall/configure.html#source-os
It is "possible" that maybe the fingerprint that identifies OS XYZ would look at the TTL, and if it's not the standard for that OS, say it dropped by 1 because of a downstream router handling the traffic (sharing internet), it might not match and could be filtered.
Another option might be doing something with the IPS package.
Might be a good feature request for a future version of pfSense.
-
See also https://forum.netgate.com/topic/172355/block-wi-fi-sharing-through-mobile-hotspot/7.
As soon as it becomes 'easy' to write and maintain firewall rules that take into account TTL header values, it will also become easy to pre-set these TTLs to 65, 129 and 257 on the other, lower-side router, the one that shares the connection.
So pf, the pfSense firewall, will see 64, 128 or 256 and thus detects nothing special.
And for that matter also iptables, or any other firewall you use.
-
@Gertjan anything on this yet?
-
Manipulating the TTL? Not that I know of.
-
@colleytech You could use, say, Snort for example.
As I said 2 years ago:
"Another option might be doing something with the IPS package."
https://docs.snort.org/rules/options/non_payload/ttl
But different OSes can use different default TTLs, so you would most likely need multiple rules with different values, unless you knew all the devices on your network used a specific TTL, which is unlikely in a scenario where such detection would make sense. I could see it as a way to detect users using multiple devices behind another device to circumvent a captive portal, for example,
where they have to pay for access or something. Keep in mind that it is possible for the NATting device to manipulate the traffic so the drop in TTL is not done, which would defeat this detection method.
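The detection logic the thread keeps coming back to (a directly attached client arrives with its OS's initial TTL, a tethered client arrives one hop lower, one rule per OS default is needed, and a hotspot that rewrites the TTL defeats the check) as an added worked example that is not code from the forum posts, pfSense or Snort. It assumes the common initial TTLs 64, 128 and 255 and a constructed set of (source IP, TTL) observations; the generated Snort rules use only the documented `ttl:` non-payload option and placeholder SIDs starting at 1000001.

```python
"""Worked example of TTL-based tethering (double-NAT) detection.

Hosts attached directly to the firewall's LAN send packets with their OS's
initial TTL (64, 128 or 255 are the common defaults assumed here).  A device
behind a phone hotspot arrives one hop later, so its packets show 63, 127 or 254.
"""
from collections import defaultdict

# Assumed common initial TTLs; a real deployment should inventory its own clients.
DEFAULT_INITIAL_TTLS = (64, 128, 255)


def infer_hops(ttl):
    """Return (assumed_initial_ttl, hops) for an observed TTL.

    Picks the smallest default initial TTL not below the observed value, the
    usual heuristic (an observed 63 is far more likely 64 minus one hop than
    128 minus 65 hops).
    """
    if not 1 <= ttl <= 255:
        raise ValueError(f"TTL out of range: {ttl}")
    initial = min(d for d in DEFAULT_INITIAL_TTLS if d >= ttl)
    return initial, initial - ttl


def flag_tethered_hosts(packets):
    """Return {src_ip: max_hops} for sources whose packets crossed >= 1 router.

    `packets` is an iterable of (src_ip, ttl) tuples as seen on the LAN side.
    """
    worst = defaultdict(int)
    for src, ttl in packets:
        _, hops = infer_hops(ttl)
        worst[src] = max(worst[src], hops)
    return {src: hops for src, hops in worst.items() if hops >= 1}


def hotspot_rewrite_ttl(packets, fixed_ttl=64):
    """Simulate an evasive hotspot that resets the TTL on forwarded packets.

    This is the counter-measure described in the thread: once the NATting
    device rewrites the TTL to a default value, the firewall sees nothing unusual.
    """
    return [(src, fixed_ttl) for src, _ in packets]


def snort_ttl_rules(first_sid=1000001):
    """Emit one Snort rule per default initial TTL, matching initial minus one.

    Uses the non-payload `ttl:<n>;` option.  Separate rules are needed because
    clients running different OSes start from different TTLs.
    """
    rules = []
    for i, initial in enumerate(DEFAULT_INITIAL_TTLS):
        rules.append(
            f'alert ip $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"Possible tethered client (TTL {initial - 1})"; '
            f'ttl:{initial - 1}; sid:{first_sid + i}; rev:1;)'
        )
    return rules


# Constructed sample: (source IP, TTL) as captured on the LAN interface.
SAMPLE_PACKETS = [
    ("192.168.1.10", 64),   # Linux laptop, directly attached
    ("192.168.1.11", 128),  # Windows PC, directly attached
    ("192.168.1.12", 63),   # Linux device tethered behind a phone (64 - 1)
    ("192.168.1.13", 127),  # Windows device behind a hotspot (128 - 1)
    ("192.168.1.14", 255),  # device using the 255 default, directly attached
]

if __name__ == "__main__":
    print("flagged:", flag_tethered_hosts(SAMPLE_PACKETS))
    print("after hotspot TTL rewrite:",
          flag_tethered_hosts(hotspot_rewrite_ttl(SAMPLE_PACKETS)))
    for rule in snort_ttl_rules():
        print(rule)
```

Running it flags .12 and .13 as one hop away, then shows the same hosts disappearing from the result once the simulated hotspot rewrites every TTL back to 64, which is exactly why the thread treats this as a heuristic rather than an enforceable control.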