Red Squirrel
[H]F Junkie
- Joined
- Nov 29, 2009
- Messages
- 9,211
You'd have to block all DNS requests not going to the openDNS IPs, otherwise yeah, it's 100% pointless.
![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
Need to Achieve the impossible
- Thread starter Lunas
- Start date
You'd have to block all DNS requests not going to the openDNS IPs, otherwise yeah, it's 100% pointless.
peanuthead
Supreme [H]ardness
- Joined
- Feb 1, 2006
- Messages
- 4,699
I had a similar issue with a client I consult with. I deployed an Untangle router, allowed the president and ceo open access to the Internet and they were good to go. The logs are funny to read in seeing what's being blocked. If you want more info just PM me.
Lunas
[H]F Junkie
- Joined
- Jul 22, 2001
- Messages
- 10,048
what i have read i need to make them go through a proxy that proxy forces them through the dns of my choice.
D
Deleted member 12106
Guest
Untangle will do what you want op. I set up an untangle box at a motel, well, i did the whole network. There is a private network and a guest network, you can set a rule to only allow common service ports, 80, 443, 563, 3389, etc. I don't know if they still do, but opendns used to let you block p2p. You can also disable any other services not required since all you want to do is permit internet access. You can also use the qos engine in untangle as well, I set the max speed to 1/4 of the total speed. No complaints.
I was gonna say what scotty did.
I never used it beside testing and messing about with it, but your needs sound like
Untangle's focus 100%.
The Edgerouters ~90 will for sure handle the packets, but I would recommend going all UBNT gear (AP's too) for that changeover. Not necessary, but a better overall experience will be had by you.
The AP's support paywalling too if I remember right.
I never used it beside testing and messing about with it, but your needs sound like
Untangle's focus 100%.
The Edgerouters ~90 will for sure handle the packets, but I would recommend going all UBNT gear (AP's too) for that changeover. Not necessary, but a better overall experience will be had by you.
The AP's support paywalling too if I remember right.
Lunas
[H]F Junkie
- Joined
- Jul 22, 2001
- Messages
- 10,048
i have 5 ubiquiti ap it was full ubiqiti before but the air router we had did not cooperate and was only partially functional i think the air router we had was broken but right now i use the management software with the ap and it works great just does not offer some features
That's when you use a NAT rule to direct all TCP and UDP traffic to the Open DNS servers.
Lunas
[H]F Junkie
- Joined
- Jul 22, 2001
- Messages
- 10,048
Knowing i have 5 ubiquiti air ap
which one
pfsense appliance used or
edge router poe
which one
pfsense appliance used or
edge router poe
Part of this has been mentioned, but Allow DNS to OpenDNS, then block all DNS traffic. Now people can only use OpenDNS to resolve DNS. Assuming you have multiple WAN IPs, use NAT rules to give some users different WAN IPs, then you can make some people (like yourself) unfiltered/not resolving to OpenDNS.
Also only allow out certain ports out instead of everything. I would block all outbound traffic then allow HTTP, HTTPS, SMTP, etc.
pfSense is a great appliance, it works wonderfully. The only problem I have, which is easily overcome, is that rarely people think about the spinning disks. Put in a second hard drive in RAID1 so when (not if) you have a failure the system keeps going. Then this system can be configured quickly and easily.
If you're comfortable in command line and/or want to learn the syntax, the EdgeRouter is a great solution. I run 1 at home and a couple at customer sites. They're solid pieces of equipment (for my cheap customers, we use Watchguard everywhere else).
Also only allow out certain ports out instead of everything. I would block all outbound traffic then allow HTTP, HTTPS, SMTP, etc.
pfSense is a great appliance, it works wonderfully. The only problem I have, which is easily overcome, is that rarely people think about the spinning disks. Put in a second hard drive in RAID1 so when (not if) you have a failure the system keeps going. Then this system can be configured quickly and easily.
If you're comfortable in command line and/or want to learn the syntax, the EdgeRouter is a great solution. I run 1 at home and a couple at customer sites. They're solid pieces of equipment (for my cheap customers, we use Watchguard everywhere else).
Lunas
[H]F Junkie
- Joined
- Jul 22, 2001
- Messages
- 10,048
im fine with cli but edge has a gui too cheapest i can get the 5 port edge router is 160 shipped the pfsense is 109 i dont imagine that the pfsense will lock up with 20-30 or so people all watching netflix but the edge touts 1 million packets per second
and the pfsense we are looking at uses a 4gb compact flash
Then you block all outbound packets on port 53 unless the destination IP is one of the OpenDNS servers.
peanuthead
Supreme [H]ardness
- Joined
- Feb 1, 2006
- Messages
- 4,699
I know you can build an Untangle box for $150.
Crystal Gaol
Weaksauce
- Joined
- Mar 11, 2014
- Messages
- 88
The only issue that this particular case may present is that it is a hotel environment - which means that when someone's video game doesn't connect over the internet, they're going to call down to the front desk and complain.
Is the front desk person honestly going to be qualified to write a firewall rule to accommodate the guest's need?
Lunas
[H]F Junkie
- Joined
- Jul 22, 2001
- Messages
- 10,048
only if i'm working at the time
I prefer a NAT redirect rule. They can put whatever the hell they want for DNS but it'll still only go to OpenDNS. Then it doesn't matter if they have a dynamic or static DNS server entry.