
Trouble with network services filter...


snevah admin

Occasional Visitor
Trying to experiment with blocking ports to prevent Steam / CS GO.

Tons of threads on what ports to block, but blocking them seems to have no impact.

upload_2017-9-3_13-52-20.png


I really only should need the ports for the destination side, but that wasn't working. Any hints?
 
You're running a very old version of the firmware. There are known bugs with Network Services Filter (particularly if you have enabled Parental Control) that are fixed in later versions.
 
OK, updated to the latest stable: Firmware:380.68.

Parental controls are off. Have the network services filter set as shown above, and as best I can tell from everything I have read those are the current ports needed to play CS GO. Still plays fine. Going to look to see if there is a way to test that the ports are blocked. Open to suggestions.

Thanks.
 
Sorry, I don't know anything about CS:GO.

You could try running the game and looking at the active connections (System Log > Connections). There will be a lot of stuff that won't be related to CS:GO but it might give you a clue what IP addresses and ports are in use.
 
Well, I used Wireshark to see what is going on. Here is an example of some data I sa

upload_2017-9-3_17-17-36.png


So, I updated my firewall to include blocking UDP port 27031 as that seems to be the port used by the source. Still, Wireshark shows the traffic going through. Not sure why network service filter is not working. Here are my current settings.

upload_2017-9-3_17-28-54.png
 

Here is a better capture from Wireshark with a focus on ports...

upload_2017-9-3_17-34-1.png


Looks like whenever the source is not a 192.x (my internal network) the src port is 27031. Traffic flowing great. But, best I can tell, my configuration should be blocking this.
 
I think you might have to reboot the router rather than just apply the blocking rules. I've seen cases where the router is still tracking an active connection and therefore still allowing it through.

I'm wondering whether the program is being "clever". i.e. It tries ports 27000 to 27030 and finds that they are blocked so it just keeps incrementing the port number and retrying? If that is the case you might have to create quite a big range before it gives up. 27000 to 27100?
 
My guess is it has something to do with the "blacklist" or "whitelist" as the instructions on the "network services filter" say:

Black List Duration : During the scheduled duration, clients in the Black List cannot use the specified network services. After the specified duration, all the clients in LAN can access the specified network services.
White List Duration : During the scheduled duration, clients in the White List can ONLY use the specified network services. After the specified duration, clients in the White List and other network clients will not be able to access the Internet or any Internet service.

But, it doesn't say where the blacklist of clients are? I want the rule to apply to all clients. The only thing I see is the IP list in the rules section which it says to leave empty if you want it to apply to all clients... so confused.
 
> But, it doesn't say where the blacklist of clients are? I want the rule to apply to all clients. The only thing I see is the IP list in the rules section which it says to leave empty if you want it to apply to all clients... so confused.

The blacklist is the table of rules you are creating at the bottom of the page, assuming Filter table type is set to "Black List" (it's a whitelist if set to "White List"). The clients are the IP addresses you specify in the "Source IP" column.
 
Thanks Colin, your understanding of the blacklist / whitelist is how I had originally thought it worked.

Well, rebooted. Powered it down for a long time, then back on. Wireshark is still showing connections to ports that appear to be blocked via my settings. I am at a complete loss. Product just doesn't seem to work at all.
 
Very strange. Many people have this working with no problems.

Can you enable telnet or ssh access to the router, log on and issue the following command through the router's command line? That will show us what is going on.

iptables-save

> Wireshark is still showing connections to ports that appear to be blocked via my settings.

What port range are you now blocking? What port does Wireshark say it is using?
 
Doh! Just spotted the obvious mistake.

You're blocking the source ports when you should be blocking the destination ports. You also need to increase the range to something like 27000-27100 (I've read stuff here that suggests CS:GO can use a wide range of ports).
> So, I updated my firewall to include blocking UDP port 27031 as that seems to be the port used by the source. Still, Wireshark shows the traffic going through. Not sure why network service filter is not working. Here are my current settings.
>
> upload_2017-9-3_17-28-54-png.10336
 
> Doh! Just spotted the obvious mistake.
>
> You're blocking the source ports when you should be blocking the destination ports. You also need to increase the range to something like 27000-27100 (I've read stuff here that suggests CS:GO can use a wide range of ports).

I thought about that, so I actually decided to block both the source and destination for those ports, but it didn't seem to make a difference. Wireshark shows the source (an IP address that is not mine) using the ports I am trying to block. At any rate, I can block the ports both on the source and destination, but the traffic still comes through. Let me do that now, run iptables-save and get the output. I will do a new Wireshark capture.
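
The source-port versus destination-port point raised in this thread can be checked offline against `iptables-save` output. The following is an added example, not part of any post above: the rule lines, the `br0` LAN interface, the `FORWARD` chain and the client port 51514 are constructed assumptions, not output from the poster's router.

```python
import shlex

# Constructed iptables-save excerpts, not output from the poster's router.
# br0 as the LAN bridge and the FORWARD chain are assumptions for illustration.
HEADER = "*filter\n:FORWARD ACCEPT [0:0]\n"
SPORT_RULES = HEADER + "-A FORWARD -i br0 -p udp -m udp --sport 27000:27031 -j DROP\nCOMMIT\n"
DPORT_RULES = HEADER + "-A FORWARD -i br0 -p udp -m udp --dport 27000:27100 -j DROP\nCOMMIT\n"

def parse_rules(dump, chain="FORWARD"):
    """Return rules appended to `chain` as {option: value} dicts.
    Simplified: assumes every option takes one argument and no '!' negation."""
    rules = []
    for line in dump.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-A", chain]:
            rules.append(dict(zip(tok[2::2], tok[3::2])))
    return rules

def in_range(port, spec):
    """True if port falls inside an iptables 'lo:hi' (or single-port) spec."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def verdict(rules, pkt):
    """First matching rule decides; otherwise fall through to the ACCEPT policy."""
    for r in rules:
        if r.get("-i", pkt["in_if"]) != pkt["in_if"]:
            continue
        if r.get("-p", pkt["proto"]) != pkt["proto"]:
            continue
        if "--sport" in r and not in_range(pkt["sport"], r["--sport"]):
            continue
        if "--dport" in r and not in_range(pkt["dport"], r["--dport"]):
            continue
        return r["-j"]
    return "ACCEPT"

# LAN client -> remote server. The capture described in the thread shows the
# remote side on port 27031, so outbound that is the *destination* port; the
# client's own source port (51514 here, constructed) is an ephemeral one.
OUTBOUND = {"in_if": "br0", "proto": "udp", "sport": 51514, "dport": 27031}

if __name__ == "__main__":
    for name, dump in (("sport rule", SPORT_RULES), ("dport rule", DPORT_RULES)):
        print(name, "->", verdict(parse_rules(dump), OUTBOUND))
```

Run against a real dump, the same check shows whether the filter's rules carry `--dport` for the ports seen on the remote side of the capture.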
 
