pfSense: Can I monitor website traffic (URLs) from *ONE* interface?

Ok, so I have set up my squid proxy, and I just installed and configured Lightsquid. WOW, this is an awesome tool! My question is, does it have to log everything from EVERY interface? I have an insecure network on its own interface and I would love to have this feature enabled except, I kinda don't need nor do I want my own traffic being logged and put into the reports. Best thing would be to have it only log from the insecure "guest/roommate" LAN and log literally nothing on any other interface. If Lightsquid can't do it, is there an alternative that can? This feature is too awesome to not have on the guest/roommate LAN. :stuck_out_tongue:

And before anyone asks, yes, yes, anyone on that network knows for sure that I am both tracking and logging their traffic and such because they are all grown children and cannot be trusted to handle their own crap themselves, so I kind of have to MAKE them obey the rules for using my internet. I really want to see what sites they are going to for torrents and such so I can just block them right out of the firewall.

Too many copyright notices from COX already, they are threatening to turn off my service.

THANKS!

Don't know about the logs, but blocking torrent sites is not a good way of stopping torrents, it's just going to generate a lot of work for yourself and have little effect. If telling them not to do it doesn't work then just block everything except the ports used for web traffic and e-mail and whatever in the firewall. That'll pretty much stop torrents completely. The downside is it will also stop games but allowing ports for games manually is a lot less work than trying to block torrent sites.


Hey Dexter, thanks again for your great and informed replies!

Yeah, we have always had an issue with some of the roommates, I should be calling them renters actually, and their torrenting. I use torrents just like everyone else, that's my delivery method of choice for Linux ISOs. :wink: Thing is, there is the one guy on the network that has been a real abuser of his privileges on the internet. Funny, he is THE big reason we went and set up the pfSense box in the first place. On our consumer router, which is now just a wireless access point, we couldn't do whole-interface bandwidth limiting, so the guy goes out and buys the cheapest wifi adapters he can, changes his MAC or any number of other things to get past the bandwidth limiting. Just last night he chewed through over 100GB on what I can only assume are torrents.

Now, since I have your attention here. My consumer router, an Asus AC-5300, can separate traffic in the analyser by traffic type. I know encrypted torrent traffic can't be detected but a lot of it still can. Is there a way to at least filter THAT out?

We already have all other renters on that subnet with static DHCP entries outside of the DHCP pool. They are all funneled through one pipe that is about half the internet connection. So, HIS devices will connect to the DHCP, get an address from the pool, and get put through a different pipe with SUBSTANTIALLY lower limits. We still need to pass the web traffic through the normal pipe so anything not web based gets essentially unusable speeds. Thing is, all he needs to do is set a static IP outside the pool range and he will no longer be under the limits I imposed. Since he has been willing to buy at least 15 different WiFi adapters in the last eight months to get past the limits in the AC5300, I would expect he would do a static IP in a heartbeat too.

In an ideal world everything would be fast and responsive, like everyone else but the second he connects to a torrent it would be at a crawl, something like 56K speeds. That would tickle me quite nicely.

Any other suggestions on how I could proceed from here aside from kicking him out of the house? I mean, he still pays his rent and all that and I don't really feel like going through the courts to have him evicted. I also can't just shut off his internet for a while since it's all part of the rental agreement.

As you can see, I have much less hair now than I used to dealing with this guy. :frowning:

You're in a tough spot with that guy and I feel for you. Even if you throttled torrents your ISP is still picking up the traffic. What I would do is figure out some way to isolate him to a network where all traffic is pushed off to a VPN somewhere, preferably a very cheap and slow one outside of the country. :sunglasses:
Then you don't have to worry about your ISP; the connection is throttled by the VPN. You will need a custom box to pull this off. Consumer routers just won't cut it.

Maybe use a Raspberry Pi 3 to VPN all network traffic? I've used them for a VPN; they are just good enough to do the job and will help throttle him down. The issue then would be getting him to connect through it.

Yeah, he supposedly uses a VPN but it's not working well or he doesn't know how to use it because he is the one who got us 4 different copyright notices from our ISP. The other guys, one uses the internet almost exclusively for twitch and the other doesn't even have a PC at all and only uses his XBOX. It's super frustrating really.

I do appreciate your internet feels. It makes me think I am not so alone. :slight_smile:

I have the pfSense box now so that should be doable but I don't need the guy costing me yet more money! ;(

There may be free VPN services you can add on; even TOR could work, but that would just contribute to TOR misuse.

For starters block everything which isn't a static ip or part of your dhcp range. That will stop him from using an ip that you haven't allowed.

Trying to block torrents by looking at the protocol is almost useless, it may stop some but it won't stop it.

What I would do is make an alias of his dhcp range or static ip or whatever he has, and block every port above 1024, that will pretty much stop torrents completely. If he complains explain to him why you have done that.


To be more specific, leave the default allow any to any rule for now. Under that rule make something like this.

(make alias for each group of IPs you have, for this example we'll have you, roommates and torrent-guy)

Allow from you to any
Reject from any to pfsense address on ports 80 443 and 22 (stops people messing with pfsense)
Allow from roommates to any
Allow from torrent-guy to any on tcp/udp ports 0 to 1024
Reject from any to any

After you have those rules then delete the default allow any to any rule but make sure you have an allow rule from you to pfsense before you delete it or you will lock yourself out.

Something like that. If you had the different subnets working then it would be a little easier, but this should work fine.

Also make sure you deny upnp to this guy if you have that configured as that will get around the rules.

Won't help for this situation, but I'd add a clause for future agreements saying the tenant must not carry out any illegal activity using the Internet connection provided, otherwise their access may be shut off. Also, if there are data caps on the service, state that any overages will be charged to tenants based on usage, with the option of removing them from the shared Internet and requiring them to get their own service.

Yeah, the caps are BRAND new. Been living here for 20 years and using COX since the day they came out this far, back when it was almost entirely bare desert, and they just now decided to put on caps, so I was not prepared for this. I am getting an EIN number specifically for being able to bring in a business connection. It's a bit slower but no caps and is more expensive. I gave the whole house a choice: they could fight over 100GB out of the 1TB cap, since my wife NEEDS about 250GB of it per month because she works at home and I don't use normal TV, cut the cable over a decade ago, or they could pony up more cash per person for the uncapped but slower business internet. You can imagine what they chose. :stuck_out_tongue: The caveat being, I get to control exactly how much each person uses of the total bandwidth and when they get to use it, and it will be less than a third the speed it is now. My wife needs a good 10-20Mbit/sec 100% of the 8 hour work day. VOIP, chat, video and a VPN right into their systems.

You KNOW I will. LOL

Unfortunately, I am well aware it won't stop it, but as long as he KNOWS I am taking actions specifically against it, maybe?

The roommates and torrent-guy are all on their own subnet fully isolated. They ONLY have access to the network through WiFi since I actually covered up the ethernet floor jacks when I put in new carpet. I mean, I took them out, repaired the holes and THEN carpeted over them. The only devices I have that use the WiFi are my phone and with the caps now, I just use my data plan so that's not such a bother. I also VERY rarely if ever use my phone for anything but actual phone stuff like calling people. I am 33 years old but I have an old soul. I feel a phone should still be a phone. :smiley:

My brother and I along with my wife, her work PC and my son's laptop are all 100% hardwired. I have one switch over here at my house and then about a 75 foot trenched run over to my brother's house where he too now has a switch with his devices plugged in. Finally, that goes right into one port on the pfSense box so we are super isolated from them. With your help from that other thread, we figured out what was happening with the interfaces passing traffic to one another and now have everything all nice and cozy. Isolated and physically occupying different ports on the pfSense box with totally different subnets now. Thanks in no small part to your perseverance in helping me understand a little more about what was happening. Here is the most up to date network map of what I have going right now.

Sorry, I guess I am having too much fun with yEd right now. Making network maps is fun, people get paid to do this? Man, I am in the wrong gig, that's for sure. LOL

I will certainly make another backup of my settings and try out all of your suggestions, they are good ones.

Thanks to all of you!

Oh, and torrent-guy has been here almost a year now and shows no signs of leaving anytime soon so I have a little time to fiddle with several solutions here to find one that will work well enough. I just have to keep a level head and try to think like he does. One of those guys who knows just enough to get himself into trouble, thinks he knows it all and really knows very little. At least I know where my limitations lie, that's why I am here talking to you fine people. Just a thought I wanted to add.

It's unlikely to be noticeable. You can use something like snort to do layer 7 filtering but most torrent traffic is encrypted to get around exactly that. So it will reduce the traffic, in the sense that there will be less peers to connect to, but it probably won't make any difference to the amount of traffic being used. Whereas just blocking everything except normal web traffic will stop almost all torrents, in a very noticeable way, and the only way around it is to use a VPN which you can block very easily.

Then when he complains about his restricted internet access you can explain to him what the rules are and if he doesn't like it then too bad, you just keep on blocking.

This, or something very similar to it, seems to be the best course of action. I really want everything to technically work but at extremely slow speeds. Instead of blocking it outright, I may make a few traffic shaping adjustments to make that traffic sub ISDN speed. See, it's more of a game of cat and mouse with this guy and talking to him is meaningless so making him sweat it out a bit is a good thing. I mean, the darn password for the WiFi is 'torrentsarebanned' for crying out loud! :expressionless:

I did come up with a plan for the IP thing. Some of these guys' "guests" come over sometimes and they all get access to the WiFi because of course they give them the password. So, to kill two birds, so to speak, I was thinking since I have now captured all officially known devices and their MAC addresses and made static DHCP mappings for them, I could leave the DHCP on with a normal pool of addresses with limitations. I could keep this pool to a total of a shared 5Mb pipe and make it a real guest WiFi. If you live here, then you let me know you have a new device and I will make a static map outside of that pool running at the normal roommate speeds. If you don't live here and they give you the password, that's fine, you will get MUCH better speeds on your own damn data plan, I can assure you of that! This would also serve the purpose of keeping torrent-guy from just buying another adapter or going outside of my static maps, since if he did, he would also get what I would consider unusable speeds for torrents, assuming he could still get past my restrictions somehow.

Really, I know he would use a VPN right off the bat here. I can block VPN traffic? Easily? I thought since the VPN traffic was encrypted it was next to impossible to detect it and block it. I am very interested in this and am ready to absorb any kind of info you are willing to send my way about that. I know for a fact he uses OpenVPN with a desktop client app for his connection. This is why he thinks he is immune to being tracked or the government finding out what he is up to. Oh, did I mention he is one of those super paranoid people who thinks the men in black will come and take your last chicken to perform experiments on because the Illuminati, run by Hillary Clinton and Donald Trump, who are reptilian aliens, want to rule the planet and somehow you, yes you, are somehow important enough to care about but of course, you are too smart for them? Yeah, not really but sort of like that... :scream:

It's super easy. If you block UDP ports 443 and 1194 that will stop most VPNs, as those are the most common ports. But even if they use some other port or have some sneaky stuff going on to make it hard to tell it apart from other traffic, all VPN servers use static, fixed IP addresses, and you can just block the server once you identify it. If you can figure out which service he's using you can just add all the server FQDNs to an alias and block that, no more VPN.
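The rule list sketched earlier in the thread (aliases for you, roommates and torrent-guy; reject to the pfSense address on 80/443/22; torrent-guy allowed only on ports 0-1024; final reject) and the UDP 443/1194 block from this reply both depend on pfSense evaluating rules top-down with first match winning. The script below is an added example written for this thread, not code from pfSense or from anyone posting here: it models that first-match evaluation over the thread's rule list, shows why the default allow-any rule on top makes everything beneath it dead, and includes the lockout check the reply warns about (an allow from you to pfSense must sit above the reject). All addresses, alias contents and sample packets are constructed assumptions.

```python
"""Added example: first-match evaluator for the pfSense-style rule list in
this thread. Networks, the pfSense address and all packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Collection, List, Optional

# Constructed aliases (stand-ins for pfSense "Firewall > Aliases" entries).
ALIASES = {
    "you":         [ipaddress.ip_network("10.0.1.0/24")],                  # wired household LAN (assumed)
    "roommates":   [ipaddress.ip_network("10.0.2.10/32"),
                    ipaddress.ip_network("10.0.2.11/32")],                 # static DHCP mappings (assumed)
    "torrent-guy": [ipaddress.ip_network("10.0.2.100/30")],                # DHCP pool slice he lands in (assumed)
    "pfsense":     [ipaddress.ip_network("10.0.1.1/32"),
                    ipaddress.ip_network("10.0.2.1/32")],                  # firewall's interface addresses (assumed)
    "any":         [ipaddress.ip_network("0.0.0.0/0")],
}

@dataclass(frozen=True)
class Rule:
    action: str                                   # "allow" or "reject"
    src: str                                      # alias name
    dst: str                                      # alias name
    protos: Optional[Collection[str]] = None      # e.g. {"tcp", "udp"}; None = any protocol
    ports: Optional[Collection[int]] = None       # destination ports; None = any port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def in_alias(addr: str, alias: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALIASES[alias])

def matches(rule: Rule, pkt: Packet) -> bool:
    if not (in_alias(pkt.src, rule.src) and in_alias(pkt.dst, rule.dst)):
        return False
    if rule.protos is not None and pkt.proto not in rule.protos:
        return False
    if rule.ports is not None and pkt.dport not in rule.ports:
        return False
    return True

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """pfSense semantics on an interface: the first matching rule decides.
    If nothing matches, pfSense's implicit default is to drop, modelled as 'reject'."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "reject"

# The thread's rule list, in order, plus the UDP 443/1194 VPN block from the later reply.
RULES = [
    Rule("allow",  "you",         "any"),
    Rule("reject", "any",         "pfsense",  {"tcp"},        {80, 443, 22}),   # keep renters out of the GUI/SSH
    Rule("allow",  "roommates",   "any"),
    Rule("reject", "torrent-guy", "any",      {"udp"},        {443, 1194}),     # common VPN ports
    Rule("allow",  "torrent-guy", "any",      {"tcp", "udp"}, range(0, 1025)),  # web, mail and other low ports only
    Rule("reject", "any",         "any"),                                       # catches unknown/static IPs too
]

# The default allow-any rule that sits on top until it is deleted.
DEFAULT_ALLOW = Rule("allow", "any", "any")

def admin_locked_out(rules: List[Rule]) -> bool:
    """The lockout check from the thread: can the admin LAN still reach the
    pfSense web GUI (tcp/443) once the default allow rule is gone?"""
    probe = Packet("10.0.1.5", "10.0.1.1", "tcp", 443)   # constructed admin host -> pfSense
    return evaluate(rules, probe) != "allow"

if __name__ == "__main__":
    samples = [
        Packet("10.0.2.100", "203.0.113.9", "tcp", 443),    # torrent-guy browsing
        Packet("10.0.2.100", "203.0.113.9", "tcp", 6881),   # torrent-guy, high port
        Packet("10.0.2.100", "203.0.113.9", "udp", 1194),   # torrent-guy, OpenVPN default port
        Packet("10.0.2.100", "10.0.2.1",    "tcp", 443),    # torrent-guy poking the GUI
        Packet("10.0.2.200", "203.0.113.9", "tcp", 443),    # self-assigned IP outside any alias
    ]
    for p in samples:
        print(f"{p.src:>12} -> {p.dst:<12} {p.proto}/{p.dport:<5} {evaluate(RULES, p)}")
    print("locked out (correct order):", admin_locked_out(RULES))
    print("locked out (reject moved above allow-you):",
          admin_locked_out([RULES[1], RULES[0]] + RULES[2:]))
    print("with default allow still on top, high port is:",
          evaluate([DEFAULT_ALLOW] + RULES, samples[1]))
```

The last two prints are the point of the exercise: with the default allow-any rule still on top, the torrent port is allowed no matter what sits below it, and swapping the first two rules (reject-to-pfSense above allow-from-you) is exactly the lockout the reply warns about. Running the same kind of check before you delete the default rule is cheaper than a trip to the console.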

I would also make sure you don't use a wireless access point on any network you don't want Torrent Guy to use. You would be surprised how easy it is to hack a wireless access point or wireless network. The best solution to your problem is to get rid of Torrent Guy as soon as possible. Renting to a person like Torrent Guy is like having Satan as a renter; life is too short to deal with the headaches a person like Torrent Guy provides. Believe me, I know from experience, I once lived with a person just like Torrent Guy.

Thing is, he stays in his room 90% of the time, he doesn't smoke anything so I don't have to worry about him bringing drugs into the house or stinking up the room with cigarettes, he actually pays his rent on time and he keeps the kitchen and bathroom clean. If you have experience then I am sure you understand why these are all good things in general that can be hard to find in a renter. I am also not so worried about him using the AP, he isn't smart enough to do anything like that I am sure. Plus, that's the main reason why I set up all the firewall rules for the pfSense box explicitly to stop him from getting into anything.

It's kind of funny, last night when he got home, I could see in the ARP table he tried 3 different IPs and since they are all going through the same pipe now, he couldn't get past the limiters, so he was heard grumbling and stomping around the house, which you pretty much never hear. So to some degree, what we have done so far is working. Of course, I will kick him out if I have to, and if COX hadn't started these caps shenanigans I would have left well enough alone and done nothing, but in reality, he is STILL better than about 50% of the renters we have had in the past. Maybe I am not charging enough to get better people? :stuck_out_tongue:

Awesome, Thanks Dexter. I will play around with that as soon as I can work up the courage to open the web configuration utility again. :slight_smile:

I have been in that thing so much lately I just have to take a day or two break.

Simply create a different WiFi SSID for each renter, or use the captive portal for the internet via pfSense. Then log in with a unique ID and apply a cap to each user.