Laptop and Wireless Tomato Router



  • Hi guys..
    I am new to pfSense.
    I have a wireless router with Shibby Tomato flashed on it. I have an Asus eee PC dual core laptop with pfsense installed (not virtual).

    I am on DSL, so I have a modem. At this point, I can only get WAN (alc0) to show up on pfSense, but cannot get LAN.. I have tried alc1, ath0, ath1, but it does not detect LAN.

    What I am trying to accomplish is to use the Tomato router as just that, a router, but I want the laptop with pfSense to filter all traffic, I guess for it to be the firewall.

    I know I need to disable DHCP on the Tomato router and I have tried that, but it does not work. Can anybody tell me the settings I need to have on both the Tomato router and pfSense?

    Also, do I connect both the pfsense and the Tomato router to the modem (F@st 1704)? - So, an ethernet cable from the modem to the ethernet port of the pfSense tablet, then anoher ethernet cable from the modem to one of the LAN ports of the Tomato router?


  • Banned

    @magdiel1975:

    So, an ethernet cable from the modem to the ethernet port of the pfSense tablet, then anoher ethernet cable from the modem to one of the LAN ports of the Tomato router?

    No. Modem => pfSense => WiFi. Considering you probably have exactly one LAN port on your laptop and none of that equipment you mentioned probably supports VLANs, you have a problem…  ::)



  • @doktornotor:

    @magdiel1975:

    So, an ethernet cable from the modem to the ethernet port of the pfSense tablet, then anoher ethernet cable from the modem to one of the LAN ports of the Tomato router?

    No. Modem => pfSense => WiFi. Considering you probably have exactly one LAN port on your laptop and none of that equipment you mentioned probably supports VLANs, you have a problem…  ::)

    The Tomato router does support vlans. I saw a few youtube videos of people setting laptops as pfSense wireless routers and that's why I wanted to try this.. so you're saying I won't be able to accomplish this?

    Well, I want the Tomato router to be the wireless router, but pfsense to take care of DHCP.



  • Before I continue  on this setup, I would like to ask this…

    Right now as I have mentioned, I am using a linksys e2000 with Tomato on it and have setup some firewall rules with iptables and for the most part it works great, BUT......

    The issue I am having is that, if any machine that connects to my network has "Avast Secure DNS" enabled, they can bypass ANY settings I have on the router including ANY firewall settings, because they are using AVAST DNS.. I even have "intercept port 53 attacks" enabled, but still, that machine completely bypasses my router.

    Will the same happen with pfSense?


  • Banned



  • @doktornotor:

    I have no idea what's "intercept port 53 attacks".

    https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers
    https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

    it's a feature in tomato that does not allow for users to use any other DNS other than the one set on the router.

    "Intercept DNS port (UDP 53) (Default: off): When enabled, anything going out to UDP port 53 is redirected to Dnsmasq. This prevents bypassing parental controls. It may be helpful when used with OpenDNS for parental control."


  • Rebel Alliance Global Moderator

    Its not really helpful to redirect if you ask me, a better setup is BLOCK and user doesn't get dns unless they use the dns is allowed for that network.. Not a big fan on any sort of interception and or redirection of traffic.  The traffic is either allowed or its not is better plan if you ask me.

    If you block upd and tcp 53 outbound then they have no choice to ask the valid dns server for your network, unless they are doing some sort of tunnel of dns query over some other port.  If so what is that port and dest they are going to, just block it, etc.



  • @johnpoz:

    Its not really helpful to redirect if you ask me, a better setup is BLOCK and user doesn't get dns unless they use the dns is allowed for that network.. Not a big fan on any sort of interception and or redirection of traffic.  The traffic is either allowed or its not is better plan if you ask me.

    If you block upd and tcp 53 outbound then they have no choice to ask the valid dns server for your network, unless they are doing some sort of tunnel of dns query over some other port.  If so what is that port and dest they are going to, just block it, etc.

    That's exactly the issue I am having.. that setting to block port 53 is supposed to force users to use the DNS set on the router…but Avast Secure DNS is bypassing the DNS on the router and provides them with their own DNS and they can visit ANY website they want. I have been told that the only way to stop that is to block Avast DNS IPs, but Avast will not provide those for security purposes which is understandable... they use port 53/443 but without ALL the DNS IPs, blocking those ports is useless... and I have already tried that.. does not work.


  • Banned

    So redirect does work? Or are they using some VPN? Or are they using dnscrypt? Tried blocking 443/UDP?

    They have their own forums, better discuss there.



  • @doktornotor:

    So redirect does work? Or are they using some VPN?

    redirect does not work at all. All you have to do is click enable on the Avast secure dns feature and that's it..they are free to go anywhere…very frustrating. Avast won't help..the folks at Tomato have no clue and OpenDns says Avast Dns is doing what it's supposed to be doing and there's nothing i can do.. all they say is to disable the feature, not realizing that Avast Secure DNS is part of the clients/users machines which I do not have any control of.. that's why I need to find a way to be able to block Avast DNS or ANY other DNS service provider from doing this.

    I was just asking because I thought since PfSense if a much better firewall than what Tomato can do, I though I was going to be able to stop this madness, but if I will be in the same boat, then I won't even go through the hassle of installing and setting up pfSense at all.


  • Banned

    As said - have you tried blocking outbound connection to 443/UDP?



  • @doktornotor:

    As said - have you tried blocking outbound 443/UDP?

    as I said, Yes…both 53 and 443


  • Banned

    Well, if they use 53/443 and you block all outbound connection to that, then it will be blocked, end of story. Seems like either they are using something else, or you are doing it wrong.)



  • @doktornotor:

    Well, if they use 53/443 and you block all outbound connection to that, then it will be blocked, end of story. Seems like either they are using something else, or you are doing it wrong.)

    They might be using other ports, but that's what the Avast rep said they use.. but like you say, they might be using other ones.. There's just got to be a way to completely force ALL users connected to my network to use the DNS I provide, no other, no matter which port they use.


  • Banned

    Clearly they use dnscrypt-proxy. You can block 443 both TCP and UDP and see how it goes. (And say bye to HTTPS :P) Alternatively, set up a wildcard DNS override for ff.avast.com - https://forum.pfsense.org/index.php?topic=43835.0



  • @doktornotor:

    Clearly they use dnscrypt-proxy. You can block 443 both TCP and UDP and see how it goes. (And say bye to HTTPS :P) Alternatively, set up a wildcard DNS override for ff.avast.com - https://forum.pfsense.org/index.php?topic=43835.0

    yeah, I've seen that page too.. I will try again see what happens..
    to make sure I have the iptable right.. would you by any chance know the iptable to block it?


  • Banned

    Uhm…

    https://forum.avast.com/index.php?topic=163116.0
    https://support.opendns.com/entries/57943894-Avast-2015-Security-Suite-Secure-DNS-and-OpenDNS

    Other than that - I installed the crap on a VM. Unless you block outgoing traffic to 443, this is a waste of time. It never queries regular DNS for anything. It intercepts DNS and sends out dnscrypt-ed queries via 443 to Avast, gets a list of suitable DNS servers and uses those for DNS via dnscrypt-proxy. Not to mention that you actually have been offered to be provided with the list of servers by Avast staff

    Starting the same topic on yet another forum won't get you any different answers. Please, avoid wasting other people's time. If you linked the above right in the OP, I'd save an hour of my time wasted for no good reason whatsoever.

    :(



  • @doktornotor:

    Uhm…

    https://forum.avast.com/index.php?topic=163116.0
    https://support.opendns.com/entries/57943894-Avast-2015-Security-Suite-Secure-DNS-and-OpenDNS

    Other than that - I installed the crap on a VM. Unless you block outgoing traffic to 443, this is a waste of time. It never queries regular DNS for anything. It intercepts DNS and sends out dnscrypt-ed queries via 443 to Avast DNS servers.

    Starting the same topic on yet another forum won't get you any different answers. Please, avoid wasting other people's time. If you linked the above right in the OP, I'd save an hour of my time wasted for no good reason whatsoever.

    huh? what do you mean? - I am trying to resolve an issue I am dealing with.. I thought the purpose for the forums is to ask questions. As you can see, I tried opendns first because that's the DNS I am using.. they were no help, so I went straight to the source which is Avast.. what's wrong with that?

    Not sure why so are telling me to not waste anybody's time when you can clearly see they offered no solutions to the issue.. in fact, opendns just suggests to disable the feature, which does not help me at all.

    I'm still confused by your reply.



  • And actually, the guys from Avast was the one who told me by private msg that they cannot provide the DNS IPs.. he was no help either.


  • Banned

    Dude, I have been pretty clear on what I mean. You have wasted my time which I spent investigating how the thing works. If you linked your own threads here, I of course would not bother reinventing the wheel!!! I'd frankly rather have a couple of beers in local pub.

    Go block outgoing traffic to port 443 TCP/UDP if you need such level of control. End of story.

    :( >:( >:(



  • @doktornotor:

    Dude, I have been pretty clear on what I mean. You have wasted my time which I spent investigating how the thing works. If you linked your own threads here, I of course would not bother reinventing the wheel!!! I'd frankly rather have a couple of beers in local pub.

    Go block outgoing 443 TCP/UDP if you need such level of control. End of story.

    :( >:( >:(

    well fine then.. I said I was going to try to do that again..read previous posts back.. no need to be jerk about it.
    and you're getting upset because I posted my issue on a couple of forums?….really?

    I thought this was a friendly forum.. just keep in mind NOT ALL OF US ARE PROS LIKE YOU.. some of us are just simpletons trying to figure things out.

    but anyway.. thanks for your help.. I guess.


  • Banned

    @magdiel1975:

    and you're getting upset because I posted my issue on a couple of forums?….really?

    No, I'm being upset because you did not bother listing the information here, you did not even bother with listing the real goal in your OP, instead asking about some totally unrelated router-on-a-stick and VLANs stuff. People here provide advise in their free time for free. Not interested in such games just because asking elsewhere did not solve your "issue".



  • @doktornotor:

    @magdiel1975:

    and you're getting upset because I posted my issue on a couple of forums?….really?

    No, I'm being upset because you did not bother listing the information here, you did not even bother with listing the real goal in your OP, instead asking about some totally unrelated router-on-a-stick and VLANs stuff. People here provide advise in their free time for free. Not interested in such games just because asking elsewhere did not solve your "issue".

    if you read the OP I state the reason I was planning on setting up pfSense with my current router…then my post turned into a solution to the issue or the reason for me to get pfSense in the first place.. it was not my intention to cause any frustration whatsoever.. and also, did you ask me to post the links? No.. so why whoul I think I needed to do that? - who cares what I posted on other forums when I stated exaclty what my issue is and exaclty what I needed.

    but anyway, I think you just blew this out of proportion or you might have anger issues or something, but regardless, I apologize as I did not intend to frustrate you...why would I do that when I am asking for help?.



  • Also when you said you installed the crap in VM.. did you mean Avast Internet secuirty (the paid version)?
    If not, then Secure DNS is not enabled..only paid versions of Avast Internet security has the feature enabled.


  • Banned

    @magdiel1975:

    Also when you said you installed the crap in VM.. did you mean Avast Internet secuirty (the paid version)?

    Yeah. I mean exactly that. The 2015 version.



  • @doktornotor:

    @magdiel1975:

    Also when you said you installed the crap in VM.. did you mean Avast Internet secuirty (the paid version)?

    Yeah. I mean exactly that. The 2015 version.

    Ok.. well, I have tried this iptable in Tomato's firewall..

    iptables -A INPUT -p tcp –dport 443 -j DROP

    but it does not work, even after rebooting the router.


  • Banned

    You need both TCP and UDP. Already stated multiple times.



  • @doktornotor:

    You need both TCP and UDP. Already stated multiple times.

    My bad, i forgot to also include UDP.. my mistake.

    thanks for your help.. but try to be a little more patient with others if you're going to be "helping" others :)
    if you feel frustrated by something, just don't reply and let others do it..getting angry at a dumb user like me only  makes things worse for you.


  • Rebel Alliance Global Moderator

    Or just use a proxy, and only let the proxy out.. Then they can go scratch ;)



  • I have tried inputing these in my firewall

    iptables -A INPUT -p tcp -m tcp –dport 443 -j DROP
    iptables -A INPUT -p udp -m udp --dport 443 -j DROP

    Rebooted the router.. and I still pull blocked pages on the PC with Avast DNS enabled :(

    also tried
    iptables -A OUTPUT -p tcp -m tcp --dport 443 -j DROP
    iptables -A OUTPUT -p udp -m udp --dport 443 -j DROP

    still no dice

    EDIT...
    OK I got it.. I was able to block port 443 through ACCESS RESTRICTIONS.. iptables do not work or have any effect on Avast DNS.


  • Banned

    Your iptables trouble is totally OT on this forum. Congrats on breaking HTTPS. Now they'll tunnel DNS via SSH, or via Avast Secureline (basically OpenVPN).  ::)

    @magdiel1975:

    OK I got it.. I was able to block port 443 through ACCESS RESTRICTIONS…

    Hmmm. The MAC address takes about one second to change.


  • Rebel Alliance Global Moderator

    "iptables do not work or have any effect on Avast DNS."

    What??  clearly you were no blocking the port they were using or there was a state already..  firewall has effect on ALL traffic!!



  • @doktornotor:

    Your iptables trouble is totally OT on this forum. Congrats on breaking HTTPS. Now they'll tunnel DNS via SSH, or via Avast Secureline (basically OpenVPN).  ::)

    @magdiel1975:

    OK I got it.. I was able to block port 443 through ACCESS RESTRICTIONS…

    Hmmm. The MAC address takes about one second to change.

    HTTPS works fine.. I can pull ALL HTTPS sites with no issues and changing the MAC address does nothing, it is still blocked :)



  • @johnpoz:

    "iptables do not work or have any effect on Avast DNS."

    What??  clearly you were no blocking the port they were using or there was a state already..  firewall has effect on ALL traffic!!

    I must have been using the wrong iptables or something, but as you can see on previous post, I tried all those iptables in my firewall and did not have any effect..but once I blocked port 443 in Access Restrictions it worked.

    I understand that persistent user will always go through if they dedicate some time on it, but I just did not want to make it so easy for them by just having a piece of software like Avast Secure DNS allowing them to bypass my router with little effort like that.

    If a user later uses VPN, well, I will deal wtih it then… there is ALWAYS a way and this will always be the game of cat and mouse :)



  • @magdiel1975:


    I must have been using the wrong iptables or something,
    ...

    I guess pfSense does not use IPtables… :P



  • well guys..thanks for your time and patience. I know that dealing with people that know nothing about networking and such can be a pain in the rear, but I really appreciate you guys taking the time, whether it was to help or to muck :)

    have a good one.


  • Rebel Alliance Global Moderator

    "HTTPS works fine"

    if you were blocking 443 how would https work?? So clearly your not blocking 443..



  • @johnpoz:

    "HTTPS works fine"

    if you were blocking 443 how would https work?? So clearly your not blocking 443..

    All I know is that once I added UDP port 443 in Access Restrictions and saved the settings, Avast Secure DNS stopped working.. so I did some tests.. removed UDP port 443 from the settings, Avast DNS started working…added it back, it stopped working again...so adding that to Access Restrictiosn is doing something...at least is doing what I needed it to do.


  • Rebel Alliance Global Moderator

    so your blocking only udp 443, that would explain why https works.



  • @johnpoz:

    so your blocking only udp 443, that would explain why https works.

    perhaps.. as you can tell I know very little about this… but all I know is that at this point the issue I was having with Avast DNS is corrected  8)