upower3
Member
Topic Author
Posts: 425
Joined: Thu May 07, 2015 11:46 am

Nice guest wifi implementation

Tue Dec 05, 2017 1:08 pm

In our office we decided to create another Wi-Fi SSID, a "guest" one, so our visitors can use the Internet but have no access to the LAN. Simple idea, so to say, and no problem to add another SSID, VLAN and NAT rule.

The problem is, how can I limit usage of that guest network to a fair level; what's the best approach? I can devote (better to say: share) some WAN bandwidth to this network, but I don't want to see, say, torrents running over this guest network (while some visitors may have a torrent client running on their notebooks), and I don't want to see any illegal activity from/to this guest network.

I can limit traffic to ports 80/443 only (a weird approach), or I can implement a transparent HTTP/HTTPS proxy (not that good either), or I can even analyze NetFlow to check what kind of traffic the clients used.

Any better idea? How did you implement your guest network?
 
evince
Member
Posts: 355
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique

Re: Nice guest wifi implementation

Tue Dec 05, 2017 4:40 pm

Hello, I have a guest network and here is what is done:

Firewall rule to allow only TCP 80, 443, 25, 587 and UDP 53

Setting a queue rule: upload 2 Mb and download 5 Mb

Regards,
 
upower3
Member
Topic Author
Posts: 425
Joined: Thu May 07, 2015 11:46 am

Re: Nice guest wifi implementation

Tue Dec 05, 2017 5:14 pm

evince wrote:
    Hello, I have a guest network and here is what is done:
    Firewall rule to allow only TCP 80, 443, 25, 587 and UDP 53
    Setting a queue rule: upload 2 Mb and download 5 Mb
    Regards,

That's fine, and that's easy. But p2p traffic nowadays is quite sophisticated. Skype can work over 443 and does p2p, as well as some file-share protocols. I just don't want my "free" network to be used against the company's policy, which prohibits torrents etc.

Any idea how to deal with it?
 
upower3
Member
Topic Author
Posts: 425
Joined: Thu May 07, 2015 11:46 am

Re: Nice guest wifi implementation

Tue Dec 05, 2017 5:17 pm

evince wrote:
    Hello, I have a guest network and here is what is done:
    Firewall rule to allow only TCP 80, 443, 25, 587 and UDP 53
    Setting a queue rule: upload 2 Mb and download 5 Mb
    Regards,

That's fine, and that's easy. But p2p traffic nowadays is quite sophisticated. Skype can work over 443 and does p2p, as well as some file-share protocols. I just don't want my "free" network to be used against the company's policy, which prohibits torrents etc.

Any idea how to deal with it?

P.S. And poor users of yours: you permitted only the HTTP/HTTPS/SMTP ports and only UDP-based DNS (so DNSSEC almost never works?), and forgot POP3, IMAP4, maybe SIP, maybe FTP?
 
pe1chl
Forum Guru
Posts: 10557
Joined: Mon Jun 08, 2015 12:09 pm

Re: Nice guest wifi implementation

Tue Dec 05, 2017 5:20 pm

We only limit the bandwidth. We don't bother with the activities of guests.
When your company has restrictions on network use it is better not to have a guest network because it is so difficult to control what is really happening.
We do have IP accounting running to have some way of finding out what happened when we get a complaint, for example.
 
upower3
Member
Topic Author
Posts: 425
Joined: Thu May 07, 2015 11:46 am

Re: Nice guest wifi implementation

Tue Dec 05, 2017 5:33 pm

pe1chl wrote:
    We do have IP accounting running to have some way of finding out what happened when we get a complaint, for example.

Looks like this is the only way not to bother users too much: accumulate accounting or NetFlow data and deal with complaints. But in fact I can't "punish" users afterwards, I'm not a police officer in any way. So I can either "prevent abuse just in time" or simply leave it in chaos.
 
pe1chl
Forum Guru
Posts: 10557
Joined: Mon Jun 08, 2015 12:09 pm

Re: Nice guest wifi implementation

Tue Dec 05, 2017 7:09 pm

We just keep the interface traffic graph and occasionally look at it to detect some ongoing abuse (like saturated bandwidth for a long time).
If that were the case I would look at the connections to see if it is some torrent or similar, and try to find the abuser.
But we normally do not bother, and the logs are only there in case we get some abuse report like copyright violation because of torrent.
When chaos occurs, just post a notice "guest network no longer available, you know why" and be done with it...
 
Petri
Frequent Visitor
Posts: 97
Joined: Mon Dec 05, 2016 1:55 pm
Location: Helsinki, Finland

Re: Nice guest wifi implementation

Wed Dec 06, 2017 12:41 am

As an e-mail admin I would advise against allowing traffic outbound to port 25. Users should never connect to 25 but use 587 instead. If some guests have old or badly configured mail clients they can send their mails later from some other network. Do allow POP3 (110 and 995) and IMAP (143 and 993) to enable mailbox access.

Guests infected with malware will try to send spam to mail servers on port 25 and will give your IP address a bad reputation (if you have a fixed IP). Usually your ISP will also interfere if you allow spamming from your network. The ISP has a fixed IP block and their reputation will suffer.

Encrypted peer-to-peer disguised as https is virtually impossible to detect. The best approach is to limit bandwidth.
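Pulling the thread's advice together as one RouterOS configuration: evince's port whitelist and simple queue, Petri's correction to drop outbound port 25 and open POP3/IMAP instead, upower3's point about DNS over TCP for DNSSEC, and pe1chl's IP accounting and interface graph for after-the-fact investigation. This is an added example written for this page, not a configuration posted by anyone in the thread. It assumes the guest SSID is bridged to a VLAN interface named "guest-vlan" (VLAN 99), guests get 192.168.99.0/24, the office LAN sits in the private ranges listed under the "LAN" address list, and the WAN uplink is "ether1"; all of these names and addresses are assumptions to adjust to your layout.

```routeros
# Added example for this thread; interface names, VLAN id and subnets are assumptions.
/interface vlan
add name=guest-vlan vlan-id=99 interface=bridge

/ip address
add address=192.168.99.1/24 interface=guest-vlan

# Every private range the guests must never reach (office LAN lives here).
/ip firewall address-list
add list=LAN address=10.0.0.0/8
add list=LAN address=172.16.0.0/12
add list=LAN address=192.168.0.0/16

/ip firewall filter
# Guest isolation first, before the established/related accept, so no packet
# from the guest VLAN is ever forwarded into the LAN ranges.
add chain=forward in-interface=guest-vlan dst-address-list=LAN action=drop \
    comment="guest: no LAN access"
add chain=forward in-interface=guest-vlan connection-state=established,related \
    action=accept comment="guest: replies for allowed sessions"
# Whitelist in the spirit of evince's rule, amended per Petri: 587 for mail
# submission, POP3/IMAP (plain and TLS) so mailboxes still work, no port 25.
add chain=forward in-interface=guest-vlan protocol=tcp dst-port=80,443,587 \
    action=accept comment="guest: HTTP, HTTPS, submission"
add chain=forward in-interface=guest-vlan protocol=tcp dst-port=110,995,143,993 \
    action=accept comment="guest: POP3/IMAP"
add chain=forward in-interface=guest-vlan protocol=udp dst-port=53 \
    action=accept comment="guest: DNS"
# DNS over TCP as well, so large (DNSSEC) answers that overflow UDP still resolve.
add chain=forward in-interface=guest-vlan protocol=tcp dst-port=53 \
    action=accept comment="guest: DNS over TCP"
# The weak setting from the original list, kept disabled for contrast: opening
# port 25 lets an infected guest spam directly and burns your IP reputation.
add chain=forward in-interface=guest-vlan protocol=tcp dst-port=25 \
    action=accept disabled=yes comment="guest: SMTP 25 - leave disabled"
# Everything else from guests is dropped; the log prefix makes complaints
# (and saturation hunting) easy to correlate later.
add chain=forward in-interface=guest-vlan action=drop log=yes \
    log-prefix="guest-drop" comment="guest: default deny"

# The router itself only serves DHCP and DNS to guests.
add chain=input in-interface=guest-vlan connection-state=established,related \
    action=accept
add chain=input in-interface=guest-vlan protocol=udp dst-port=53,67 action=accept
add chain=input in-interface=guest-vlan action=drop comment="guest: no router mgmt"

/ip firewall nat
add chain=srcnat src-address=192.168.99.0/24 out-interface=ether1 action=masquerade

# evince's queue: max-limit is upload/download, so 2M up and 5M down.
/queue simple
add name=guest target=192.168.99.0/24 max-limit=2M/5M comment="guest bandwidth cap"

# pe1chl's approach: keep accounting and a traffic graph so a long-running
# saturation or an abuse report can be traced to a guest address afterwards.
/ip accounting set enabled=yes
/tool graphing interface add interface=guest-vlan
```

Rule order is what makes this work: the LAN drop is evaluated before the established/related accept, and the default deny is last, so anything not explicitly listed (including the encrypted peer-to-peer that looks like HTTPS, which the thread agrees cannot be told apart by port) is at least held to the queue's bandwidth cap rather than the office uplink. To review what a guest did, take an accounting snapshot with `/ip accounting snapshot take` and read it with `/ip accounting snapshot print`, and check the log for the `guest-drop` prefix.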