  1. #1
    Untanglit
    Join Date
    Sep 2017
    Posts
    18

    avoid Shared Internet Thru clients

    Good day.

    Is it possible to disable internet sharing from a connected client to other devices? For example, a PC shares its internet, or an Android phone shares internet through Bluetooth or Wi-Fi.

    If a bypassed PC client shares internet, all devices connected to that PC are also bypassed. Can this be avoided? How?

    Thank you

  2. #2
    Untangler
    Join Date
    Sep 2019
    Location
    Canada
    Posts
    39

    I only advise this solution if you're the administrator / owner of the network in question:
    Unplug the power of the PC sharing the internet. Wait for someone to come to you and complain. Slap them.

    So the control point wouldn't be the firewall, as your network is being bypassed. A solution would be influenced by the type of network you run. If everything is controlled by a domain controller, you could create group policies that prohibit joining other networks. Another suggestion would be to restrict local user accounts and prohibit network changes/configuration. Some third-party local applications that operate sort of like a net nanny could work. (I believe Symantec has solutions like that, where changes to network configuration are password protected.)

    If you're trying to prevent phone A from tethering with phone B, that's a little trickier, and the solution is different between phone manufacturers. Apple phones have a managed phone option. This method is used in the company I work for in a BYOD environment, and network access is only allowed if you allow their control. I'm not familiar with how to manage and install this type of solution. Androids, I have no idea how to pull this off. Both the client and the server phones can be anywhere at any time.

    That's about the only suggestions I have for you. I'm sure there are 100 more out there. In the end, though, if you need an ironclad solution, you will never find one as long as the end user has physical access to the device in question.

  3. #3
    Untanglit
    Join Date
    Sep 2017
    Posts
    18

    Thank you on this.

    On MikroTik, I could block tethering, but since I have changed to Untangle, anyone can share and tether their connection on my network.

    Any solution on this other than the idea mentioned by propellherhead333?

    Thank you

  4. #4
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,045

    Just as a thought off the top of my head, maybe this could be done in Untangle with a little experimenting to collect sessions data, the Events system, and Filter Rules. I don't know the situation you have and what sorts of users you're trying to manage, but here's my thought.

    Here's the basic sequence, again off the top of my head. I've done no testing of this idea. Using Alert Rules, identify "Tethering Activity" as an unusually high number of HTTP and HTTPS sessions (so two rules). Then using Trigger Rules, tag any device that falls under the "Tethering Activity" description as "tethering." Then using a Filter Rule, block all sessions of any device tagged as "tethering." I think this will work even with bypassed devices, but I'm not completely sure.

    The real trick will be deciding the thresholds of the Alert rules. Any given webpage can generate a lot of HTTP/S sessions, but it would seem like it would be possible to gather enough data to fairly accurately catch people sharing their connection.

    Again, I know you're looking for some reliable method here and I'm not at all sure that what I've just suggested will work at all let alone for your situation, but maybe it'll spark a better idea from someone else.
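The Alert Rule -> Trigger Rule -> Filter Rule chain sketched above, modelled as a sliding-window session-rate detector. This is an added example, not Untangle's own code or anything from the thread; the log format, the hosts, the 60-second window and the per-protocol thresholds are all assumptions, and the sample sessions are constructed.

```python
# Added example: a sliding-window session-rate detector modelled on the
# Alert Rule -> Trigger Rule -> Filter Rule chain described in the post above.
# This is not Untangle's code; log format, hosts, window and thresholds are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)          # assumption: 60-second sliding window
THRESHOLDS = {"http": 25, "https": 25}  # assumption: sessions per window per client
WEB_PORTS = {80: "http", 443: "https"}  # the two Alert Rules: HTTP and HTTPS


def parse_line(line):
    """Constructed log format: '<ISO timestamp> <client> <server> <dst port>'."""
    ts, client, server, port = line.split()
    return datetime.fromisoformat(ts), client, server, int(port)


def detect_tethering(lines, window=WINDOW, thresholds=THRESHOLDS):
    """Alert + Trigger stand-in: tag a client the first time its HTTP or HTTPS
    session count inside `window` reaches the threshold for that protocol.
    Returns {client: (protocol, timestamp of the session that tripped it)}."""
    recent = defaultdict(deque)  # (client, proto) -> timestamps still inside the window
    tagged = {}
    for line in lines:           # lines must already be in timestamp order
        ts, client, _server, port = parse_line(line)
        proto = WEB_PORTS.get(port)
        if proto is None:        # only HTTP/HTTPS sessions count, as in the two Alert Rules
            continue
        q = recent[(client, proto)]
        q.append(ts)
        while ts - q[0] > window:   # expire sessions older than the window
            q.popleft()
        if len(q) >= thresholds[proto] and client not in tagged:
            tagged[client] = (proto, ts)
    return tagged


def filter_rule(tagged, line):
    """Filter Rule stand-in: block every session from a tagged client."""
    _ts, client, _server, _port = parse_line(line)
    return "block" if client in tagged else "pass"


def make_sessions(client, start, count, spacing_s, port=443):
    """Build constructed log lines: `count` sessions `spacing_s` seconds apart."""
    return [
        f"{(start + timedelta(seconds=i * spacing_s)).isoformat()} {client} 203.0.113.10 {port}"
        for i in range(count)
    ]


T0 = datetime(2020, 1, 1, 9, 0, 0)
# Constructed sample: one ordinary browser (12 HTTPS sessions over 66 s) and
# one client forwarding traffic for several devices (40 HTTPS sessions in 40 s).
SAMPLE_LOG = sorted(
    make_sessions("10.0.0.20", T0, 12, 6) + make_sessions("10.0.0.50", T0, 40, 1)
)


if __name__ == "__main__":
    tagged = detect_tethering(SAMPLE_LOG)
    for client, (proto, ts) in tagged.items():
        print(f"{client} tagged 'tethering' at {ts.time()} ({proto} rate)")
    for line in SAMPLE_LOG[-2:]:
        print(filter_rule(tagged, line), line)
```

The thresholds are the weak point, exactly as the post says: a single page load from an ordinary browser can open dozens of sessions, so a threshold that catches a sharing PC without tagging heavy browsers has to come from observed session data on the network in question, not from the placeholder values used here.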

  5. #5
    Untangler
    Join Date
    Sep 2019
    Location
    Canada
    Posts
    39

    Quote Originally Posted by alexusbas View Post
    Thank you on this.

    On MikroTik, I could block tethering, but since I have changed to Untangle, anyone can share and tether their connection on my network.

    Any solution on this other than the idea mentioned by propellherhead333?

    Thank you
    I see what you mean re: MikroTik. I did a little searching. The solution they have involves finer control in the filter rules. Basically, the solution I found is the following:

    "You set TTL to 1 for packets going from your router to the client. The idea is that if the client connects another router to share the connection, the packets' TTL will expire (it decreases by 1 with each hop) while going through their router and those packets will be dropped. So devices connected behind that router won't be able to establish any connection.

    What will happen in reality is that the client will increase the TTL on their router, exactly the same way as you decreased it in yours, and sharing will work just fine. So it's mostly a waste of time; you'll stop only a few newbies by this."


    Source

    Sam Graf / anyone know if there's a way to get more defined rule conditions in Untangle, like pfSense and MikroTik, to do something like the above? Would need something like the following:

    /ip firewall mangle
    add chain=postrouting action=change-ttl new-ttl=set:1 out-interface=<to-client>



    Another thing you can try short of that is some layer two filtering via the MAC addresses. If you have a smart kid, they will know about macchanger but might be worth experimenting. The only thing is if the client is NAT'd and not bridged behind the sharing device, then this is kinda useless.
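A hop-by-hop model of the TTL=1 trick quoted above and of the client-side counter-rule that defeats it, so the "they just set it back" point can be seen rather than argued. This is an added example, not RouterOS, Untangle or anything posted in the thread; the hop names, the starting TTL and the way a mangle rule is represented are assumptions.

```python
# Added example: a hop-by-hop model of the new-ttl=set:1 trick quoted above and
# of the client-side counter-rule that defeats it. Not RouterOS or Untangle code;
# hop names, starting TTL and the mangle-rule representation are assumptions.
from dataclasses import dataclass, field


@dataclass
class Hop:
    """A router. `mangle` may rewrite the TTL before routing ("prerouting") or
    after it ("postrouting"), which is where the RouterOS rule above acts."""
    name: str
    mangle: dict = field(default_factory=dict)

    def forward(self, ttl):
        """Return the TTL the packet leaves with, or None if this hop drops it."""
        if "prerouting" in self.mangle:
            ttl = self.mangle["prerouting"]
        ttl -= 1                  # every router decrements TTL exactly once
        if ttl <= 0:
            return None           # dropped; the sender would get ICMP time-exceeded
        if "postrouting" in self.mangle:
            ttl = self.mangle["postrouting"]
        return ttl


def deliver(initial_ttl, path):
    """Push one packet through `path` (routers only; the end host accepts
    whatever TTL arrives). Returns the TTL the destination sees, or None."""
    ttl = initial_ttl
    for hop in path:
        ttl = hop.forward(ttl)
        if ttl is None:
            return None
    return ttl


GATEWAY = Hop("edge-gateway", {"postrouting": 1})              # new-ttl=set:1 toward clients
TETHER_PLAIN = Hop("pc-sharing-internet")                       # stock hotspot / ICS router
TETHER_FIXED = Hop("pc-sharing-internet", {"prerouting": 64})   # the client's counter-rule


def direct_client():
    """A PC plugged straight into the gateway's client network: delivered with TTL 1."""
    return deliver(52, [GATEWAY])


def behind_plain_tether():
    """A phone behind a sharing PC that leaves TTL alone: dropped at the PC."""
    return deliver(52, [GATEWAY, TETHER_PLAIN])


def behind_fixed_tether():
    """Same phone once the sharing PC resets TTL on ingress: delivered with TTL 63."""
    return deliver(52, [GATEWAY, TETHER_FIXED])


if __name__ == "__main__":
    print("direct client receives TTL:", direct_client())            # 1
    print("behind plain tether:", behind_plain_tether())             # None (dropped)
    print("behind tether with counter-rule:", behind_fixed_tether())  # 63
```

On a Linux box the RouterOS mangle rule has a direct iptables equivalent, `iptables -t mangle -A POSTROUTING -o <to-client> -j TTL --ttl-set 1` (and `ip6tables ... -j HL --hl-set 1` for IPv6); the counter-rule on the sharing device is the mirror image, `iptables -t mangle -A PREROUTING -i <upstream> -j TTL --ttl-set 64`. Whether that can be applied on an Untangle appliance from the shell is not something this thread or this example establishes.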

  6. #6
    Untanglit
    Join Date
    Sep 2017
    Posts
    18

    Quote Originally Posted by propellherhead333 View Post
    I see what you mean re: MikroTik. I did a little searching. The solution they have involves finer control in the filter rules. Basically, the solution I found is the following:

    "You set TTL to 1 for packets going from your router to the client. The idea is that if the client connects another router to share the connection, the packets' TTL will expire (it decreases by 1 with each hop) while going through their router and those packets will be dropped. So devices connected behind that router won't be able to establish any connection.

    What will happen in reality is that the client will increase the TTL on their router, exactly the same way as you decreased it in yours, and sharing will work just fine. So it's mostly a waste of time; you'll stop only a few newbies by this."


    Source

    Sam Graf / anyone know if there's a way to get more defined rule conditions in Untangle, like pfSense and MikroTik, to do something like the above? Would need something like the following:

    /ip firewall mangle
    add chain=postrouting action=change-ttl new-ttl=set:1 out-interface=<to-client>



    Another thing you can try short of that is some layer two filtering via the MAC addresses. If you have a smart kid, they will know about macchanger but might be worth experimenting. The only thing is if the client is NAT'd and not bridged behind the sharing device, then this is kinda useless.
    Thank you very much on this.

    I think I need to change my APs to MikroTik.

  7. #7
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,045

    Quote Originally Posted by propellherhead333 View Post
    Sam Graf / anyone know if there's a way to get more defined rule conditions in Untangle, like pfSense and MikroTik, to do something like the above? Would need something like the following:

    /ip firewall mangle
    add chain=postrouting action=change-ttl new-ttl=set:1 out-interface=<to-client>
    No, I don't. Not through the UI in any case.

  8. #8
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,045

    Quote Originally Posted by alexusbas View Post
    Thank you very much on this.

    I think I need to change my APs to MikroTik.
    You're welcome. I'm sorry we couldn't come up with a friendly solution using Untangle. But thank you for bringing this up. I'm not sure where I'd have a bypassed device that could then share its connection with other devices, yet that is an interesting thought in terms of network security. Untangle does provide the tools to throttle bandwidth abusers, which would include connection sharers, but that's about as far as we can get.

  9. #9
    Untangle Ninja f1assistance
    Join Date
    Apr 2009
    Location
    Holly Springs, NC
    Posts
    1,495

    Seriously, do we really not understand the risks of 'unmanaged devices'?
    It's in the name, people, and when such are allowed within a protected domain, your realm is no longer secured. D'oh!
    Vanguard Untangle...because nothing's worse than doing nothing!
    -------
    2, Pentium (R) Dual-Core CPU E5300 @ 2.60GHz 2599.968, 2089.96MB RAM
    And building #7 didn't kill itself!
