Saturday, June 20, 2015

pfSense rate limiting, egress filtering, opendns filtering for wifi hotspot

One of the experiments I'm running on the new network is an open / unsecured WiFi hotspot for the neighbors.

Some of the protections that I'm using:

  • DNS goes through OpenDNS servers with some categories of websites blocked.  I'm using the "OpenDNS Home" service, which lets me pick and choose which categories are blocked by default.  In addition, the OpenDNS server displays a "blocked content" page for regular HTTP traffic, where users can request an unblock.  Unfortunately, this page does not work well for HTTPS (SSL) sites, but the site is still blocked.
  • Access to other DNS servers is blocked; clients can only reach the two OpenDNS server IP addresses.
  • All rules on the interface are rate-limited to 3Mbps down and 1Mbps up.  This limits bandwidth abuse and slows down file sharing.
  • Heavy egress filtering.  All outbound traffic is blocked by default except for the whitelisted ports/protocols.
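Here is the same policy written out as a pf-style ruleset, added as an example rather than taken from the post (pfSense builds its rules from the GUI, so this is only an illustration of what ends up in pf). The interface name, the hotspot subnet, the limiter numbers and the exact `dnpipe` syntax are assumptions; the OpenDNS resolver addresses are OpenDNS's public ones.

```pf
# Added example, not the blog's own config.
guest     = "igb2"                        # assumed: VLAN interface for the open SSID
guest_net = "10.20.30.0/24"               # assumed: hotspot subnet
opendns   = "{ 208.67.222.222, 208.67.220.220 }"   # OpenDNS public resolvers
rfc1918   = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
web_ports = "{ 80, 443 }"                 # the whitelisted egress ports

# Rate limiting: pfSense "Limiters" are dummynet pipes, configured under
# Firewall > Traffic Shaper > Limiters.  Assumed here: pipe 1 = 1Mb (traffic
# entering the guest interface, i.e. upload), pipe 2 = 3Mb (download).
# dnpipe(in, out) is pfSense's extension to pf for attaching those pipes.

# pfSense evaluates rules first-match ("quick"), so order matters.

# DHCP from the hotspot to the firewall must work before anything is blocked.
pass in quick on $guest proto udp from any port 68 to any port 67

# Keep the hotspot off the interior network entirely (logged).
block in log quick on $guest from $guest_net to $rfc1918

# DNS: only the two OpenDNS resolvers, rate-limited; any other DNS is dropped.
pass in quick on $guest proto { tcp udp } from $guest_net to $opendns port 53 dnpipe(1, 2)
block in log quick on $guest proto { tcp udp } from $guest_net to any port 53

# Whitelisted egress, rate-limited: web only, plus NTP so clocks stay right.
pass in quick on $guest proto tcp from $guest_net to any port $web_ports dnpipe(1, 2)
pass in quick on $guest proto udp from $guest_net to any port 123 dnpipe(1, 2)

# Default deny for everything else leaving the hotspot, logged for review.
block in log quick on $guest all
```

Check the result from a hotspot client: `dig @8.8.8.8 example.com` should time out while `dig @208.67.222.222 example.com` answers, and the firewall log should show the blocked attempt.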

Now, this is not 100% foolproof, but I at least want to limit the possible damage and take at least some steps against abuse.  I'll probably use this setup at a company that I'm consulting for where they want to offer open WiFi in their waiting area.

One thing I would like to do is set up a "Captive Portal" on the interface which forces the user to enter their cell phone number and receive a voucher code via SMS that is good for 3 or 7 days.  I have to figure out how to do that with pfSense and see how it works in practice.

The other thing I plan on doing is setting up a similar SSID/VLAN, but with higher bandwidth limits, more ports and no OpenDNS filtering for authenticated guests.  That would probably be a 20Mbps down / 5Mbps up setup protected by WPA2/PSK.  Think along the lines of "neighbors" or "friends" who you want to allow use of the internet pipe, but do not want to allow onto your interior network.  This would also be a good setup to use in an office environment for BYODs that only need internet access (such as clients).
