Pfsense used as school fw
We have used pfsens at our school for a year now and we're very pleased with the stability and features. However we also have some 'extra' challenges which we wonder if they are possible to solve through pfsense. I'll list up some issues here and I hope this is not inappropriate for this forum.
1. Students are creating torrents via port 80. This is difficult to stop, but crucial to avoid as they drain almost all available bandwidth. Any possibility to stop this activity?
2. Some of them also create VPN tunnels to other off-campus computers to avoid our filters and rules. Any possibility to stop that too?
3. We want our students to only use DHCP leased addresses, any possibility to kick off somebody having set a static IP inside the DHCP scope?
4. Each student has received a given computer name for their notebook. Any possibility to kick 'non-standard' computernames off the network?
Thanks for comments on these items, I hope it will be useful for other school admins if some of the above issues can be solved with pfsense.
1. could be solvable by running snort at LAN and enabling the p2p rules. It will block the sender IP completely when such traffic is detected for some time.
2. Depending on the kind of VPN-Tunnel they use you can try blocking protocols like ESP, AH, GRE at LAN. Additional Ports like tcp/udp 500, tcp 1723,.. (tose standardports and protocols used for VPNing). However, some smart guys will setup an openvpn or something running at web or mailports to avoid these blocks. Not sure atm if snort has detection rules for vpn too right now.
3. Maybe checking the static ARP option at services>dhcp server might shut that down. Give it a try.
4. I don't think that can easily be done. Maybe start asking them for registering their MACs and enable "deny unknown clients" at the dhcp server settings. MACs can be faked easily though.
block all port exept port 80
then move the pfsense web gui from port 80 to a differend port link 10000 or so
install squid and config it as a transparten webproxy
now port 80 can only be used for http
torents and messingers can not go true port 80 now