Need to Achieve the impossible

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
Hmm, found an issue with the OpenDNS solution: it is easy to bypass. All you do to fix that is assign your own DNS to your PC.

You'd have to block all DNS requests not going to the OpenDNS IPs, otherwise yeah, it's 100% pointless.
 

peanuthead

Supreme [H]ardness
Joined
Feb 1, 2006
Messages
4,701
I had a similar issue with a client I consult with. I deployed an Untangle router, allowed the president and CEO open access to the Internet, and they were good to go. The logs are funny to read, seeing what's being blocked. If you want more info, just PM me.
 

Lunas

[H]F Junkie
Joined
Jul 22, 2001
Messages
10,008
You'd have to block all DNS requests not going to the OpenDNS IPs, otherwise yeah, it's 100% pointless.

From what I have read, I need to make them go through a proxy; that proxy forces them through the DNS of my choice.
 

Deleted member 12106

Guest
Untangle will do what you want, OP. I set up an Untangle box at a motel; well, I did the whole network. There is a private network and a guest network, and you can set a rule to only allow common service ports: 80, 443, 563, 3389, etc. I don't know if they still do, but OpenDNS used to let you block P2P. You can also disable any other services not required, since all you want to do is permit internet access. You can also use the QoS engine in Untangle as well; I set the max speed to 1/4 of the total speed. No complaints.
 

stiltner

[H]F Junkie
Joined
Mar 16, 2000
Messages
10,686
I was gonna say what scotty did.

I never used it besides testing and messing about with it, but your needs sound like Untangle's focus 100%.

The EdgeRouters (~90) will for sure handle the packets, but I would recommend going all UBNT gear (APs too) for that changeover. Not necessary, but a better overall experience will be had by you.
The APs support paywalling too, if I remember right.
 

Lunas

[H]F Junkie
Joined
Jul 22, 2001
Messages
10,008
I was gonna say what scotty did.

I never used it besides testing and messing about with it, but your needs sound like Untangle's focus 100%.

The EdgeRouters (~90) will for sure handle the packets, but I would recommend going all UBNT gear (APs too) for that changeover. Not necessary, but a better overall experience will be had by you.
The APs support paywalling too, if I remember right.

I have 5 Ubiquiti APs. It was full Ubiquiti before, but the AirRouter we had did not cooperate and was only partially functional; I think the AirRouter we had was broken. Right now I use the management software with the APs and it works great, it just does not offer some features.
 

/usr/home

Supreme [H]ardness
Joined
Mar 18, 2008
Messages
6,160
Hmm, found an issue with the OpenDNS solution: it is easy to bypass. All you do to fix that is assign your own DNS to your PC.

That's when you use a NAT rule to direct all TCP and UDP traffic to the OpenDNS servers.
 

Lunas

[H]F Junkie
Joined
Jul 22, 2001
Messages
10,008
Knowing I have 5 Ubiquiti Air APs, which one: a pfSense appliance (used) or an EdgeRouter PoE?
 

firedrow

Limp Gawd
Joined
Oct 11, 2013
Messages
161
Part of this has been mentioned, but allow DNS to OpenDNS, then block all DNS traffic. Now people can only use OpenDNS to resolve DNS. Assuming you have multiple WAN IPs, use NAT rules to give some users different WAN IPs; then you can make some people (like yourself) unfiltered/not resolving to OpenDNS.

Also only allow certain ports out instead of everything. I would block all outbound traffic, then allow HTTP, HTTPS, SMTP, etc.

pfSense is a great appliance; it works wonderfully. The only problem I have, which is easily overcome, is that rarely do people think about the spinning disks. Put in a second hard drive in RAID1 so when (not if) you have a failure the system keeps going. Then this system can be configured quickly and easily.

If you're comfortable in command line and/or want to learn the syntax, the EdgeRouter is a great solution. I run 1 at home and a couple at customer sites. They're solid pieces of equipment (for my cheap customers, we use Watchguard everywhere else).
 

Lunas

[H]F Junkie
Joined
Jul 22, 2001
Messages
10,008
Part of this has been mentioned, but allow DNS to OpenDNS, then block all DNS traffic. Now people can only use OpenDNS to resolve DNS. Assuming you have multiple WAN IPs, use NAT rules to give some users different WAN IPs; then you can make some people (like yourself) unfiltered/not resolving to OpenDNS.

Also only allow certain ports out instead of everything. I would block all outbound traffic, then allow HTTP, HTTPS, SMTP, etc.

pfSense is a great appliance; it works wonderfully. The only problem I have, which is easily overcome, is that rarely do people think about the spinning disks. Put in a second hard drive in RAID1 so when (not if) you have a failure the system keeps going. Then this system can be configured quickly and easily.

If you're comfortable in command line and/or want to learn the syntax, the EdgeRouter is a great solution. I run 1 at home and a couple at customer sites. They're solid pieces of equipment (for my cheap customers, we use Watchguard everywhere else).

I'm fine with CLI, but the Edge has a GUI too. The cheapest I can get the 5-port EdgeRouter is 160 shipped; the pfSense is 109. I don't imagine that the pfSense will lock up with 20-30 or so people all watching Netflix, but the Edge touts 1 million packets per second.

And the pfSense we are looking at uses a 4 GB CompactFlash.
 

Biznatch

2[H]4U
Joined
Nov 16, 2009
Messages
2,224
Hmm, found an issue with the OpenDNS solution: it is easy to bypass. All you do to fix that is assign your own DNS to your PC.

Then you block all outbound packets on port 53 unless the destination IP is one of the OpenDNS servers.
 

peanuthead

Supreme [H]ardness
Joined
Feb 1, 2006
Messages
4,701
I'm fine with CLI, but the Edge has a GUI too. The cheapest I can get the 5-port EdgeRouter is 160 shipped; the pfSense is 109. I don't imagine that the pfSense will lock up

I know you can build an Untangle box for $150.
 

Crystal Gaol

Weaksauce
Joined
Mar 11, 2014
Messages
88
Also only allow certain ports out instead of everything. I would block all outbound traffic, then allow HTTP, HTTPS, SMTP, etc.

The only issue that this particular case may present is that it is a hotel environment - which means that when someone's video game doesn't connect over the internet, they're going to call down to the front desk and complain.

Is the front desk person honestly going to be qualified to write a firewall rule to accommodate the guest's need?
 

Lunas

[H]F Junkie
Joined
Jul 22, 2001
Messages
10,008
The only issue that this particular case may present is that it is a hotel environment - which means that when someone's video game doesn't connect over the internet, they're going to call down to the front desk and complain.

Is the front desk person honestly going to be qualified to write a firewall rule to accommodate the guest's need?

Only if I'm working at the time.
 

/usr/home

Supreme [H]ardness
Joined
Mar 18, 2008
Messages
6,160
Then you block all outbound packets on port 53 unless the destination IP is one of the OpenDNS servers.

I prefer a NAT redirect rule. They can put whatever the hell they want for DNS, but it'll still only go to OpenDNS. Then it doesn't matter if they have a dynamic or static DNS server entry.
 
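The three mechanisms argued over in this thread (firedrow's "allow DNS to OpenDNS, then block all other DNS, and default-deny outbound except a few service ports", Biznatch's "block outbound 53 unless the destination is OpenDNS", and /usr/home's "NAT redirect so it doesn't matter what resolver the guest typed in") fit together into one small ruleset. The script below is an added example, not code from the thread or from the pfSense, Untangle or Ubiquiti projects; it emits a pf.conf fragment in the syntax pfSense's underlying pf uses. The interface name `em1`, the guest subnet `192.168.20.0/24`, the two "unfiltered" staff addresses and the allowed port list are assumptions chosen for illustration; the OpenDNS resolver addresses are the public ones.

```shell
#!/bin/sh
# Added example (not from the thread): generate a pf.conf fragment that
#   1. NAT-redirects every guest DNS query to OpenDNS, whatever resolver the
#      guest configured on their PC;
#   2. passes DNS only to the OpenDNS resolvers and drops/logs any other
#      port-53 traffic (plus DNS-over-TLS on 853) that somehow escapes the redirect;
#   3. default-denies outbound from the guest LAN and opens an explicit
#      list of service ports;
#   4. exempts an "unfiltered" table of staff hosts from all of the above.
# Interface, subnet, exempt hosts and port list are assumptions for illustration.

LAN_IF="em1"                               # assumption: guest-facing interface
GUEST_NET="192.168.20.0/24"                # assumption: guest subnet
OPENDNS1="208.67.222.222"                  # OpenDNS public resolvers
OPENDNS2="208.67.220.220"
UNFILTERED="192.168.20.10 192.168.20.11"   # constructed: staff PCs that keep their own DNS
ALLOWED_TCP="80 443 25 587 993 22 3389"    # HTTP, HTTPS, SMTP/submission, IMAPS, SSH, RDP
ALLOWED_UDP="123"                          # NTP

# Turn a space-separated list into pf's "{ a, b, c }" list syntax.
pf_list() {
  printf '{ %s }' "$(printf '%s' "$1" | sed 's/ /, /g')"
}

# Print the complete pf.conf fragment to stdout.
gen_pf_rules() {
  cat <<EOF
# --- tables ---
table <opendns> $(pf_list "$OPENDNS1 $OPENDNS2")
table <unfiltered> $(pf_list "$UNFILTERED")

# --- translation (pf applies rdr before the filter rules see the packet) ---
# Staff hosts keep whatever resolver they configured.
no rdr on $LAN_IF proto { tcp, udp } from <unfiltered> to any port 53
# Everyone else: any destination on port 53 is rewritten to OpenDNS.
rdr on $LAN_IF proto { tcp, udp } from $GUEST_NET to any port 53 -> $OPENDNS1 port 53

# --- filter (first matching "quick" rule wins) ---
# Staff hosts: unrestricted egress.
pass in quick on $LAN_IF from <unfiltered> to any
# DNS: after the rdr above the destination is already OpenDNS; pass it.
pass in quick on $LAN_IF proto { tcp, udp } from $GUEST_NET to <opendns> port 53
# Any DNS that was not redirected, and DNS-over-TLS, is dropped and logged.
block in log quick on $LAN_IF proto { tcp, udp } from $GUEST_NET to any port { 53, 853 }
# Allowed services only.
pass in quick on $LAN_IF proto tcp from $GUEST_NET to any port $(pf_list "$ALLOWED_TCP")
pass in quick on $LAN_IF proto udp from $GUEST_NET to any port $(pf_list "$ALLOWED_UDP")
# Default deny for everything else leaving the guest network.
block in log on $LAN_IF from $GUEST_NET to any
EOF
}

# Sanity check on the generated ruleset: the exemption must come before the
# redirect, and the "pass DNS to OpenDNS" rule before the DNS block rule,
# otherwise the later rule never gets a chance to match.
check_rule_order() {
  rules=$(gen_pf_rules)
  no_rdr=$(printf '%s\n' "$rules" | grep -n '^no rdr' | cut -d: -f1)
  rdr=$(printf '%s\n' "$rules" | grep -n '^rdr' | cut -d: -f1)
  pass_dns=$(printf '%s\n' "$rules" | grep -nF 'to <opendns> port 53' | cut -d: -f1)
  block_dns=$(printf '%s\n' "$rules" | grep -nF 'port { 53, 853 }' | cut -d: -f1)
  [ "$no_rdr" -lt "$rdr" ] && [ "$pass_dns" -lt "$block_dns" ]
}

gen_pf_rules
check_rule_order && echo "# rule order OK" >&2
```

In the pfSense GUI the `rdr` line corresponds to a port-forward on the LAN interface for destination port 53 with the OpenDNS address as the target, and the `pass`/`block` lines to ordinary LAN rules in that order; the `<unfiltered>` table covers firedrow's "make some people unfiltered" case without needing a second WAN IP. The redirect plus the port-853 block only catches plain DNS and DNS-over-TLS; DNS-over-HTTPS rides on 443 and cannot be separated by a port rule, so a guest who runs it still bypasses OpenDNS filtering (that caveat is an addition here, not something the thread discusses).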