Netgate Discussion Forum
    Pfsense used as school fw

    Firewalling
bushtor wrote:

      Hi,

We have used pfSense at our school for a year now and we're very pleased with the stability and features. However, we also have some 'extra' challenges which we wonder if they are possible to solve through pfSense. I'll list some issues here and I hope this is not inappropriate for this forum.

      1.  Students are creating torrents via port 80.  This is difficult to stop, but crucial to avoid as they drain almost all available bandwidth.  Any possibility to stop this activity?

      2.  Some of them also create VPN tunnels to other off-campus computers to avoid our filters and rules.  Any possibility to stop that too?

      3.  We want our students to only use DHCP leased addresses, any possibility to kick off somebody having set a static IP inside the DHCP scope?

4. Each student has received a given computer name for their notebook. Any possibility to kick 'non-standard' computer names off the network?

      Thanks for comments on these items, I hope it will be useful for other school admins if some of the above issues can be solved with pfsense.

      regards

      Tor

hoba wrote:

1. Could be solvable by running Snort at LAN and enabling the p2p rules. It will block the sender IP completely for some time when such traffic is detected.

2. Depending on the kind of VPN tunnel they use you can try blocking protocols like ESP, AH, GRE at LAN. Additional ports like tcp/udp 500, tcp 1723, ... (those standard ports and protocols used for VPNing). However, some smart guys will set up an OpenVPN or something running at web or mail ports to avoid these blocks. Not sure atm if Snort has detection rules for VPN too right now.

3. Maybe checking the static ARP option at Services > DHCP Server might shut that down. Give it a try.

4. I don't think that can easily be done. Maybe start asking them to register their MACs and enable "deny unknown clients" at the DHCP server settings. MACs can be faked easily though.

jeroen234 wrote:
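Added example, not from the thread: a small audit script for point 3 that takes the other direction from static ARP, listing hosts inside the DHCP scope whose ARP entry has no matching active lease (a static IP set by hand, or a lease that has expired). It assumes copies of the ISC dhcpd lease file pfSense writes (assumed path /var/dhcpd/var/db/dhcpd.leases) and of `arp -an` output from the firewall's LAN interface; both samples below are constructed.

```python
import ipaddress
import re

# Constructed sample in ISC dhcpd.leases format (assumed pfSense path /var/dhcpd/var/db/dhcpd.leases).
LEASES = """\
lease 192.168.1.120 {
  ends 1 2024/01/15 10:00:00;
  binding state active;
  hardware ethernet 00:aa:bb:cc:dd:20;
}
lease 192.168.1.130 {
  binding state free;
  hardware ethernet 00:aa:bb:cc:dd:30;
}
"""
# Constructed sample of FreeBSD 'arp -an' output on the LAN interface (em1).
ARP = """\
? (192.168.1.10) at 00:aa:bb:cc:dd:10 on em1 permanent [ethernet]
? (192.168.1.120) at 00:aa:bb:cc:dd:20 on em1 expires in 1150 seconds [ethernet]
? (192.168.1.130) at 00:aa:bb:cc:dd:30 on em1 expires in 900 seconds [ethernet]
? (192.168.1.150) at 00:aa:bb:cc:dd:50 on em1 expires in 600 seconds [ethernet]
? (192.168.1.160) at (incomplete) on em1 expired [ethernet]
"""

LEASE_RE = re.compile(r"lease (\S+) \{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet ([0-9a-fA-F:]+);")

def parse_leases(text):
    """Map IP -> MAC for leases in 'binding state active'; a later record for the same IP supersedes."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        m = MAC_RE.search(body)
        if "binding state active;" in body and m:
            leases[ip] = m.group(1).lower()
        else:
            leases.pop(ip, None)  # expired/free record after an active one: lease no longer counts
    return leases

def parse_arp(text):
    """Map IP -> MAC from 'arp -an'; '(incomplete)' entries carry no MAC and are skipped."""
    return {ip: mac.lower() for ip, mac in re.findall(r"\((\S+)\) at ([0-9a-fA-F:]+)", text)}

def find_static_in_scope(arp, leases, scope_start, scope_end):
    """Hosts inside the DHCP scope whose ARP MAC is not backed by an active lease for that IP."""
    lo, hi = ipaddress.ip_address(scope_start), ipaddress.ip_address(scope_end)
    offenders = []
    for ip, mac in sorted(arp.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if lo <= ipaddress.ip_address(ip) <= hi and leases.get(ip) != mac:
            offenders.append((ip, mac, leases.get(ip)))  # (ip, MAC seen, MAC holding the lease or None)
    return offenders
```

The printer at 192.168.1.10 sits outside the scope and is ignored; 192.168.1.130 (lease no longer active) and 192.168.1.150 (never leased) are reported with the MAC seen on the wire, which is what you would feed into a static ARP or "deny unknown clients" decision.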

Block all ports except port 80,
then move the pfSense web GUI from port 80 to a different port like 10000 or so,
install Squid and configure it as a transparent web proxy.

Now port 80 can only be used for HTTP.
Torrents and messengers cannot go through port 80 now.
