
Get me pointed in the right direction please...

3 replies to this topic

#1 LayerIIX


  • Members
  • 5 posts
  • Local time:06:08 PM

Posted 12 July 2014 - 06:16 PM

Hello everyone, and thanks for taking the time to read over my post and provide any potential advice.  I have kind of a weird setup and have never had to do what I want to do, and can't even figure out the proper terms to use to do a full complete internet search like I normally would.  So here's my situation, and if someone could get me pointed in the right direction I'd appreciate it.


I have several pc's and other wireless devices in my personal household.  Recently I've noticed that a wireless device (can't figure out which device because my current router sucks... provided by my ISP) is hitting my internet connection so hard that it's downing the internet for the rest of my devices.  The only reason I can tell it's a wireless device is because I watch the wireless light and the internet light flash like crazy when this is happening.  As soon as I kill the wireless connection on my router the internet pops back up and I'm able to use it like I normally should.  And yes, I know that I could go gather all my wireless devices and hard power them down one at a time till I get my internet back, but I've always wanted to take this project on, just never had the motivation, so here I go.


This is what I want to do:  I have a box running Windows Server 2012 Standard edition (I use it as a test box for web apps I write as well as backup and file share services.  I also have it running DHCP/DNS, Active Directory and a couple other minor services.  Nothing real heavy hitting. And yes, it is legally licensed) and it has dual Gigabit network ports.  I would like to set it up so that my computer sits in between the internet connection and the rest of my home network so that **ALL** internet traffic passes through this computer so I can track internet usage, and figure out EXACTLY what websites are being accessed by the individual devices and what not.  I do have multiple routers, including others that provide wireless access, so I can make sure that they are downstream from the server.  Although I'm pretty savvy with the consumer editions of Windows, and I have some experience with Windows Server (I did set up my own domain after all), I certainly don't have any professional training or certification on Windows Server functionality.


I already have the DHCP / DNS services running on my server, so I can see there when a device taps my server for DNS/DHCP, but I also know how easy it is to bypass that by running a static IP address and custom DNS addresses (whether they be Comodo Secure DNS or whatever other free DNS on the internet) that I can in no way monitor or track with my current setup.  I want a setup where I can monitor ALL traffic coming in and out of the house, whether they be "sanctioned" devices, or possible rogue devices (or if my 15 year old gets smart and tries to circumvent any restrictions on his personal devices...).  I'm not looking to record all incoming/outgoing content, just log stuff like "ip address xxx.xxx.xxx.xxx accessed website www.bleepingcomputer.com @ 16:53 on 07/12/2014" and "ip address xxx.xxx.xxx.xxx downloaded file blah.exe from website blah.blah.com @ 02:43 on 07/12/2014".  I'd also like to be able to see maybe a graph of which devices are using how much of my bandwidth and what not, preferably both real time and month to date, daily, hourly or whatever else.  Not a hard requirement, but certainly a "live picture" of which devices are using up how much bandwidth would be great.


Also, being able to block access by IP or MAC would be interesting....


Does this make sense?  I don't have money to buy additional hardware or software, so I'm hoping for freeware/open-source type solutions (I'm COMPLETELY open to Linux solutions in VirtualBox or whatever).  I do also have some old "donor" hardware that I could turn into a dedicated box if there's a reason running VirtualBox with Linux on top of WS2012 wouldn't be the best idea.  (However the wiff (read: wife) already doesn't like how many computers I have set up and running to begin with.. so.. lol)  I don't necessarily require a detailed step by step how-to guide (although one would be appreciated if there was one out there) because I'm pretty savvy at researching and figuring things out on my own, but I'm kinda lost on where to get started here since I don't know what the official terms would be called.  So, again, thanks for your time and I look forward to seeing what you all come up with.


Also, would this require my server (or whatever hardware system I end up using) to acquire the public IP address, or would it be possible to have the server keep its internal NAT address?


Thanks again for your time.



PC / Network Masochist Extraordinaire.



#2 wing987


  • Members
  • 177 posts
  • Gender:Male
  • Location:Payette, ID
  • Local time:06:08 PM

Posted 15 July 2014 - 10:36 AM

What you are looking for is more of a UTM process. I have made a few posts where I recommend the software, but again I will fall back to my normal recommendation.  Invest in hardware; cheap is around $250, and expensive is however powerful you wish to make it (but you generally do not need much). This hardware will be your in-line firewall and UTM software. If you are willing to "lose" your server, the hardware in that would be perfect....


Go to sophos.com and apply for a free home license while you still can.  Even if you don't use it, having the license can open you up to enterprise level security and device management. The Sophos home license gives you control of 50 IPs, licensed.  You can set your range to whatever, so no worries. This is enterprise software made available for FREE for home use. You have full granular control, or broad range application of internet policies....it all depends on what you want. This is not user friendly software if you do not know what you are doing, so play around with it before you implement, but for those with security experience this is a piece of cake!


The hardware you need to use this on MUST be dedicated to the UTM; it cannot run both the server and the UTM.  Sophos UTM is a Linux based system that is configured via web GUI ONLY after initial installation. It can act as your DHCP server if you wish, but has the ability to link to a designated DHCP server, AD server, NTP server, proxy, etc....this is a full enterprise system and it functions as such.


That being said, since it is provided for free there are some functions that are disabled. None of these functions are really heavily used in a home environment (but one I wanted to use....sad that I couldn't).  Mainly the stuff that is used ONLY in an enterprise environment is not available; for example, if someone gets a blocked web page it shows the block to the offending user....for the home license that is it. For the enterprise license they can add their own statement and even their company logo. The home license allows you to VPN into the network; the enterprise license allows the use of their "RED" system, which is a remote network/location that is permanently VPN'd in with their dedicated and "easy to use" system (I never tested this, as I only have a home license). Lastly there is a management software package that you can install on your computer so you can manage the UTM from your computer via the software instead of the web interface (this is enterprise only, not home license); this is great if you accidentally make a mistake and block access to the router (uh...yeah...I did that.....don't ask, I am embarrassed about that!) but otherwise it is the same as the web GUI. Other than those few minor things you have a full threat management package with the ability to control devices and access on a granular level (APs included....with all basic functions considered).....down to what software is allowed at what time from what computer and what user....and still throttle that use to the level you want, only using given ports while blocking ads and scanning all packets for malware and viruses and continuing remote support with the antivirus and firewall on the device which allows remote control, all while enforcing computer password policies if this is not already handled by AD.....or you can just leave it all wide open. And any level in between.


Toss this in front of your server and any DOCSIS 3.0 system is legally bound to STOP and they cannot legally look past this device (look up the DOCSIS 3.0 regulations if you are confused at what I mean). So your UTM will obtain the public IP; everything behind it can be managed on the network via this device or a combination of devices based on the level of management desired.


As for virtual boxes, I love them. Just...don't use them for your edge....your public facing device should be firm hardware and not virtual (from a security standpoint, this prevents possible issues and backdoors/loopholes in virtual systems sharing a NIC).


Lastly...the Sophos website provides a "test environment" so you can play around with the software.  This will be set up with their names and styles, but you can play with it and make it yours...see what it can do before you decide to commit to it.  I actively use this on my home network (much to my wife's dismay...and happiness when she gets stopped from malware) and I swear by it.

-- Windows 7 Ultimate on custom built system, Windows 10 on under powered laptop. Sophos UTM 9, Ubuntu Server and Windows Server 2008 R2. HyperV Virtualization --


"The hottest places in hell are reserved for those who in a period of moral crisis maintain their neutrality," John F. Kennedy

#3 daveydoom


  • Security Colleague
  • 108 posts
  • Gender:Male
  • Location:Ontario, Canada
  • Local time:07:08 PM

Posted 15 July 2014 - 11:36 AM

If you have some old hardware lying around you may be able to use something like Smoothwall Express on a dedicated PC to do as you wish.


Feature list

"A computer beat me in chess, but it was no match when it came to kickboxing"
-Emo Philips


#4 Didier Stevens


  • BC Advisor
  • 2,753 posts
  • Gender:Male
  • Local time:01:08 AM

Posted 15 July 2014 - 03:40 PM

The kind of information you want is collected by Cisco Netflow. It is a feature of several of their network devices.

Didier Stevens

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019


If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.


Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
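To make concrete what flow records like the ones NetFlow exports give you, here is an added example (not code from this thread, from Cisco, or from any of the products mentioned) that aggregates a handful of constructed flow records into the two things the original poster asked for: per-device byte counts with a "who is hogging the link" check, and access-log lines in the "ip address X accessed Y @ HH:MM on MM/DD/YYYY" shape. The record layout, the sample addresses, the `192.168.1.` LAN prefix and the 50% threshold are all assumptions for the example; a real collector (nfdump, softflowd, a router's NetFlow export) would supply the records.

```python
"""Aggregate NetFlow-style flow records per home-network device.

Added example with constructed data. Assumes flows have already been
decoded into the v5-like fields below (source, destination, destination
port, byte count, start time); real exporters carry more fields, but these
are enough to answer "which device is eating the link" and "who went where".
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

LAN_PREFIX = "192.168.1."          # assumption: the home LAN is 192.168.1.0/24


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int
    first_seen: datetime


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample flows (not real traffic). Both directions of a
# connection appear as separate flows, as they do in NetFlow exports.
SAMPLE_FLOWS = [
    Flow("192.168.1.20", "104.16.0.5",   443, 120_000_000, _ts("2014-07-12 16:53:00")),
    Flow("192.168.1.20", "104.16.0.5",   443,  80_000_000, _ts("2014-07-12 16:58:00")),
    Flow("192.168.1.31", "198.51.100.7",  80,   4_000_000, _ts("2014-07-12 16:55:00")),
    Flow("198.51.100.7", "192.168.1.31",  80,   1_000_000, _ts("2014-07-12 16:55:30")),  # inbound
    Flow("192.168.1.45", "203.0.113.9",   53,      12_000, _ts("2014-07-12 02:43:00")),
    Flow("192.168.1.20", "192.168.1.31", 445,  50_000_000, _ts("2014-07-12 17:00:00")),  # LAN-only
]


def is_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


def bytes_per_device(flows) -> dict:
    """Total internet bytes (both directions) attributed to each LAN device.

    LAN-to-LAN flows are skipped: they never cross the internet link, so
    counting them would blame a device for traffic the ISP never saw.
    """
    totals = defaultdict(int)
    for f in flows:
        src_lan, dst_lan = is_lan(f.src), is_lan(f.dst)
        if src_lan == dst_lan:          # both local, or neither (transit)
            continue
        totals[f.src if src_lan else f.dst] += f.nbytes
    return dict(totals)


def top_talkers(flows, threshold: float = 0.5) -> list:
    """Devices using more than `threshold` of all internet bytes seen."""
    totals = bytes_per_device(flows)
    grand = sum(totals.values())
    if grand == 0:
        return []
    return sorted(
        ((ip, round(n / grand, 3)) for ip, n in totals.items() if n / grand > threshold),
        key=lambda pair: pair[1], reverse=True,
    )


def access_log_lines(flows) -> list:
    """Outbound flows rendered in the format the poster asked for.

    Flow data only has addresses and ports; mapping 104.16.0.5:443 to a site
    name needs DNS or proxy logs on top of this.
    """
    lines = []
    for f in flows:
        if is_lan(f.src) and not is_lan(f.dst):
            lines.append(
                f"ip address {f.src} accessed {f.dst}:{f.dport} "
                f"@ {f.first_seen:%H:%M} on {f.first_seen:%m/%d/%Y}"
            )
    return lines


if __name__ == "__main__":
    for ip, n in sorted(bytes_per_device(SAMPLE_FLOWS).items(), key=lambda p: -p[1]):
        print(f"{ip:16} {n / 1e6:10.1f} MB")
    print("link hogs:", top_talkers(SAMPLE_FLOWS))
    print("\n".join(access_log_lines(SAMPLE_FLOWS)))
```

Run as-is it lists each LAN device's share of the link and flags the one above the threshold, which is the manual "power devices down one at a time" hunt from the first post done from data instead. Pointing a flow exporter at a collector that writes these records every minute is what turns the same code into the hourly or monthly graph the poster wanted.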
