tomdlgns
Premium Member
2012-Apr-9 9:24 am
block torrents, usenet, etc...
I purchased a USG50 to set up in a bar/grill business and I don't want users taking advantage of my IP/bandwidth.
I don't want them using their laptops to download music/movies/TV shows, etc. off of my connection (using my IP).
How do I block usenet/p2p?
I am using OpenDNS, which does a good job of filtering by domain name, but it stops there.
Thanks.
Brano
MVM
2012-Apr-9 9:57 am
AppPatrol is designed for this. Get a free trial 2 month subscription and give it a test run.
mozerd
MVM
to tomdlgns
Download the Application Notes for the v3 firmware and under section Scenario 5 - Deploying Content Filtering to Manage Employee Browsing Behavior, found under Page 27 ... the section deals with how to block torrents etc. ... The Content Filtering subscription makes it very easy ...
Be aware that once you add more subscription services [more than one], the USG 50, if under heavy load, does not have the horsepower to be effective IMO. Under light loads, not an issue.
tomdlgns
Premium Member
2012-Apr-9 10:20 am
Is there a way to do this w/o subscribing to a service?
For my setup/amount of guests, I don't expect to have any issues. On a larger network, do you guys recommend the USG 100?
However, a friend of mine (larger business) is looking to mirror my setup. I will make sure to let him know the USG 50 won't be enough power for his setup.
mozerd
MVM
2012-Apr-9 10:31 am
It's much easier with subscription services ... I have not tried to do the same thing manually ... so I cannot give you any more tips -- some others may have done it manually. The USG 300, USG 1000 etc. have the horsepower ... it all depends on the loads expected and that requires a proper analysis.
tomdlgns
Premium Member
2012-Apr-9 10:39 am
I understand. Thanks for your input.
Brano
MVM
2012-Apr-9 10:48 am
You can enable the trial service and then run without it after it expires. The trial service will download all current signatures for all protocols. Those are not deleted after the trial expires, and AppPatrol will continue to work with the signatures that you have. Most protocols are not updated that frequently and you'll be fine without updates for some reasonable period of time (until there's a major update to a certain protocol, or a new service that you wish to block emerges) ... then you'll need to subscribe to be able to re-download the latest signatures.
You'll always have issues blocking encrypted services. As such, to conserve bandwidth, AppPatrol is best combined with BWM.
tomdlgns
Premium Member
2012-Apr-9 11:27 am
Well, I guess I need to check out the services and see what they cost.
Does the software know the difference between usenet SSL and Gmail/Facebook SSL?
Brano
MVM
2012-Apr-9 11:31 am
I have not tested AppPatrol in any extensive way, but I'd guess, since the USG device does not have an SSL proxy, that any encrypted services will just fly by it (I may be wrong).
tomdlgns
Premium Member
2012-Apr-9 11:32 am
That isn't good, many of these services can be configured to use SSL.
Anav
Premium Member
to tomdlgns
Okay people, use your noggins. What is the best way to discourage p2p etc.? What do most hotspot wifi type units do (specific functionality)? And yes, by the way, I always recommend something like the N4100 in front of a USG for a setup. Makes it a plugNplay for the staff (they can hand out premade tickets for wifi etc. etc. ... - another thread perhaps LOL). In any case the answer is BWM your wifi guests. The wifi hotspots allow one to rate limit per user as well as apply BWM. That is a p2p killer. Not sure what can be done similarly on the USG ... Perhaps assign the lowest QOS to p2p type traffic and use BWM in a creative way. Note how the guard Llama is faster and more intelligent than the guard mutt.
Brano
MVM
to tomdlgns
Yeah, encryption is a nightmare for a sysadmin without a Cisco-like budget.
That's why I'm saying BWM might be an alternative. 1) Limit your guest LAN to a few standard outbound ports, i.e. HTTP, HTTPS, POP3, IMAP, ... 2) Limit all guest LAN connections to limited bandwidth and low priority.
Brano
to Anav
How does the N4100 deal with encrypted traffic? Does it have an SSL proxy, or what method is used?
Anav
Premium Member
2012-Apr-9 12:48 pm
Good question. The rate limiting is applied to an account, why would it matter what type of traffic it is??
Furthermore, the OP could use a managed switch after the USG and use port rate limiting as well.
Brano
MVM
2012-Apr-9 12:53 pm
You can do BWM/Rate limiting with USG too. USG has captive portal as well. The only thing that's questionable is inspection of encrypted traffic.
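
The guest-LAN approach suggested in the thread (a short outbound port allowlist plus a per-client bandwidth cap) can be modeled to show why it works without inspecting encrypted traffic. This is an added example, not part of any post and not USG configuration; the port list, rate, burst size, client addresses and sample flows are constructed assumptions.

```python
from collections import defaultdict

# Assumed guest allowlist: the ports named in the thread and nothing else.
ALLOWED_TCP_PORTS = {80: "HTTP", 443: "HTTPS", 110: "POP3", 143: "IMAP"}
RATE_PER_MS = 128    # assumed per-client cap: 128 bytes/ms (about 1 Mbit/s)
BURST = 256_000      # assumed bucket depth in bytes


class TokenBucket:
    """Per-client policer: content-agnostic, so TLS does not matter."""

    def __init__(self, rate_per_ms, burst):
        self.rate, self.burst = rate_per_ms, burst
        self.tokens, self.last_ms = burst, 0

    def take(self, now_ms, nbytes):
        # Refill for the elapsed time, then admit only if tokens cover the data.
        refill = (now_ms - self.last_ms) * self.rate
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if nbytes > self.tokens:
            return False
        self.tokens -= nbytes
        return True


def evaluate(flows):
    """flows: (time_ms, client_ip, dst_port, nbytes) tuples -> per-client byte counts."""
    buckets = defaultdict(lambda: TokenBucket(RATE_PER_MS, BURST))
    stats = defaultdict(lambda: {"port_blocked": 0, "passed": 0, "rate_dropped": 0})
    for t_ms, client, port, nbytes in flows:
        if port not in ALLOWED_TCP_PORTS:          # step 1: port allowlist
            stats[client]["port_blocked"] += nbytes
        elif buckets[client].take(t_ms, nbytes):   # step 2: bandwidth cap
            stats[client]["passed"] += nbytes
        else:
            stats[client]["rate_dropped"] += nbytes
    return dict(stats)


def sample_flows():
    """Constructed traffic: one casual guest, one bulk downloader."""
    flows = [(0, "10.0.0.5", 443, 40_000), (1000, "10.0.0.5", 143, 10_000)]
    # NNTP over SSL (563) and a common BitTorrent port (6881): not on the allowlist.
    flows += [(0, "10.0.0.9", 563, 500_000), (0, "10.0.0.9", 6881, 500_000)]
    # Bulk transfer moved to 443: passes the port check, hits the cap.
    flows += [(i * 100, "10.0.0.9", 443, 100_000) for i in range(50)]
    return flows


if __name__ == "__main__":
    for client, counts in evaluate(sample_flows()).items():
        print(client, counts)
```

The model polices by dropping over-limit data; a real gateway may queue or shape it instead, but the effect on a sustained bulk transfer is the same.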