IPFW firewall rule in mpd pppoe server to single pc behind router

Ian Smith smithi at nimnet.asn.au
Thu Dec 18 19:35:50 PST 2008


On Fri, 19 Dec 2008, Gloomy Group wrote:
 > Hello Ian,
 >   
 >  I have implemented traffic shaping with dummy net pipe. But i want 
 > to strictly control the internet sharing to single pc. Is there another 
 > way of allowing like MAC address restricting to 2 pc coming from that 
 > source ip?
 > 
 > > Date: Thu, 18 Dec 2008 20:57:36 +1100
 > > From: smithi at nimnet.asn.au
 > > To: gloomygroup at hotmail.com
 > > CC: freebsd-ipfw at freebsd.org
 > > Subject: Re: IPFW firewall rule in mpd pppoe server to single pc behind router
 > > 
 > > On Thu, 18 Dec 2008, Gloomy Group wrote:
 > >  >  I have freebsd mpd pppoe server. Users connect to internet by giving 
 > >  > username and password. My problem is some users put router and share 
 > >  > internet connection with other pc. Is it possible to disable internet 
 > >  > sharing in server by rate limiting with ipfw firewall scripts. So 
 > >  > that if users keep router or does nat in their pc to share internet 
 > >  > then only single pc can access to internet. Is it possible?
 > > 
 > > Detecting that a connection is shared using NAT?  Not that I know of.
 > > 
 > > Rate limiting per connection with dummynet pipes, easy enough.  If you 
 > > limit the bandwidth, why would you need to care how many pcs share it?

Not that I know of.

You're only going to see the MAC address of a directly connected system, 
not those of any other box connected to the first one's other interface, 
even if you are able to do ARP over PPPoE.

This is more people-policy stuff I think, unlikely to have a technical 
solution.  Some ISPs tell people they're not permitted to use NAT, but 
I've not heard of any way of actually and reliably detecting its use.

One way to block use of the particular form of NAT implemented in M$ XP 
is to give users addresses in the 192.168.0.x range, with 192.168.0.1 as 
(your end's) gateway address .. since this latter address is forcibly 
assigned to the NAT box's inside interface by XP's 'internet connection 
sharing' .. but there are other NAT systems for windows users out there.

Others may know more than I do about this, of course .. if you wish to 
pursue it further, net at freebsd.org would be the more appropriate list.

cheers, Ian
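The per-connection dummynet rate limiting mentioned in the thread, written up as an added example (not code from either poster). It assumes PPPoE users are assigned addresses from 192.168.0.0/24 with 192.168.0.1 as the server-side gateway, as the reply suggests, and that mpd's per-session interfaces are named ng0, ng1, ... (both assumptions); the rule generator is kept separate from the apply step so the rule text can be inspected before it touches a live firewall.

```shell
#!/bin/sh
# Added example: per-user dummynet pipes on a FreeBSD mpd PPPoE server.
# Assumption: users get 192.168.0.x addresses (gateway 192.168.0.1 on the
# server side) and mpd creates one ngN interface per PPP session.
USER_NET="192.168.0.0/24"

# Emit ipfw commands (one per line, without the leading "ipfw") that give
# every user the same symmetric limit of $1 Kbit/s.  The "mask ... 0xffffffff"
# makes dummynet keep one queue per user address, so each PPP session gets
# its own bucket rather than all users sharing a single pipe.  Requires the
# dummynet module (kldload dummynet) and the default net.inet.ip.fw.one_pass=1.
gen_ipfw_rules() {
    kbit="$1"
    # Downstream (server -> user): queue keyed on the destination address.
    echo "pipe 1 config bw ${kbit}Kbit/s mask dst-ip 0xffffffff"
    # Upstream (user -> server): queue keyed on the source address.
    echo "pipe 2 config bw ${kbit}Kbit/s mask src-ip 0xffffffff"
    # ng* matches every mpd session interface; rule numbers are arbitrary
    # but must sort before any broad "allow" rule already in the ruleset.
    echo "add 1000 pipe 1 ip from any to ${USER_NET} out xmit ng*"
    echo "add 1010 pipe 2 ip from ${USER_NET} to any in recv ng*"
}

# Load the generated rules with ipfw's "read commands from a file" mode,
# which avoids shell globbing of the ng* interface pattern.
apply_rules() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found" >&2; return 1; }
    tmp="$(mktemp)" || return 1
    gen_ipfw_rules "$1" > "$tmp"
    ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: sh thisscript.sh apply 512   (review with: sh thisscript.sh show 512)
case "${1:-}" in
    apply) apply_rules "${2:-512}" ;;
    show)  gen_ipfw_rules "${2:-512}" ;;
esac
```

Per-user limiting does not detect NAT, as the thread says; it only caps what each session can consume, so a shared session gets the same total bandwidth as an unshared one.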

