

firefuze

510 posts

Ultimate Geek


#242476 30-Oct-2018 10:01

I work for a small training organisation, and being rural we only have access to a rather slow ADSL connection.

 

When students are on site they are consistently playing PUBG using the school WiFi provided, however, this is saturating the ADSL connection and brings general internet use grinding to a halt when staff need to get things done. Regardless, we don't want them having access to the game using school WiFi anyway as it has become a severe study distraction as of recent.

 

The setup is very simple, Vigor 120, basic 24P switch and a couple Unifi AP's

 

I need to be able to block access to the game servers but haven't had any luck. From what I have found online, they use Amazon servers and addresses are dynamic, as well as the ports used. Don't want to go down the whitelisting option as it's too restrictive.

 

Anyone able to offer some insight on how to go about blocking this game in particular? Different hardware required?

 

 

 

 


gehenna
8499 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #2116673 30-Oct-2018 10:33

Perhaps a problem that could be solved with a policy and some consequences, rather than a technical solution?




firefuze

510 posts

Ultimate Geek


  #2116675 30-Oct-2018 10:38

That has been attempted with little result, plus, these are young adult students who should not need constant monitoring from staff, nor do we have the staffing resources to do so.

 

Corporates and larger schools are able to block these services easily, how do they go about it?

 

 

 

 


Dolts
214 posts

Master Geek


  #2116676 30-Oct-2018 10:41

Do the students have a separate SSID? Limit the bandwidth to an unplayable rate.




gehenna
8499 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #2116677 30-Oct-2018 10:43

They likely have their network running through a firewall or proxy with the ability to granularly block traffic to ports/services/IP addresses.  If you're on ADSL this is probably not available to you - are you just using the stock ISP router or is there a dedicated firewall in the mix?

 

You've said they should not need constant monitoring from staff, but their behaviour says otherwise.  What is the consequence for the policy?  It needs to be severe enough to deter.  

 

You could possibly limit Wi-Fi access to any devices you don't control.  Maybe turn off DHCP and just use static IP addresses for the devices that need online access.  


firefuze

510 posts

Ultimate Geek


  #2116679 30-Oct-2018 10:47

Dolts:

 

Do the students have a separate SSID? Limit the bandwidth to an unplayable rate.

 

 

 

 

Students do have a separate SSID which is currently rate limited, however if I reduce it further it would negatively impact those students who are using the internet for genuine reasons.


Oblivian
7297 posts

Uber Geek

ID Verified

  #2116682 30-Oct-2018 10:52

You may be thinking too far down the track for the cutoff.

 

Sure, they may use dynamic Amazon servers. But the app will still reach out to a single/small range DNS point or login server to verify the user/app first and find the name resolution to go hunting for those dynamic locations.

 

And that's the level you need to kill. QoS/NAT the authenticator/login path. Problem be gone.

 

Get yourself a router and the same app, HUB (or clone the packets) on the WAN side, wireshark. Open app.. Boom.

 

Or as above.. adjust DHCP and static/reserve those that are permitted to a different path.


firefuze

510 posts

Ultimate Geek


  #2116687 30-Oct-2018 11:00

gehenna:

 

They likely have their network running through a firewall or proxy with the ability to granularly block traffic to ports/services/IP addresses.  If you're on ADSL this is probably not available to you - are you just using the stock ISP router or is there a dedicated firewall in the mix?

 

You've said they should not need constant monitoring from staff, but their behaviour says otherwise.  What is the consequence for the policy?  It needs to be severe enough to deter.  

 

You could possibly limit Wi-Fi access to any devices you don't control.  Maybe turn off DHCP and just use static IP addresses for the devices that need online access.  

 

 

Thanks, not ISP supplied but, yes, very simple setup. Vigor ADSL modem, non-managed switch and UAP's. No USG, Firewall etc

 

Their behaviour does say otherwise, but as mentioned we don't have the staffing resources to keep tabs on them constantly. Any significant abuse will result in penalties. However the discussion of school discipline, staffing and policies isn't something to be discussed further publicly, this is managed as we see fit.

 

The path we want to explore now is to restrict access for all at a network level


 
 
 

Oblivian
7297 posts

Uber Geek

ID Verified

  #2116690 30-Oct-2018 11:05

I'm guessing this will help? ;) ...

 

 

Worded domain of: epicgames.com and easy.ac

 

104.28.2.249 , 104.28.3.249 (easyanticheat.net)

 

54.86.141.201 , 18.205.125.105 (epicgames.com)

 

And drop the 9000 UDPs ;)

 

https://www.reddit.com/r/FORTnITE/comments/8c7n6o/fornite_ips_and_outgoing_ports_for_strict/

 

Unless I've got my apps mixed up and it's actually Player Unknown in particular.


SpartanVXL
1307 posts

Uber Geek


  #2116694 30-Oct-2018 11:19

Fortnite, pubg etc. you can filter them all but in the end the students still have their phone connected and will do something else with it. On a limited connection you're going to have to rate limit harder, or drop people.


epr
260 posts

Ultimate Geek


  #2116697 30-Oct-2018 11:24

firefuze:

 

That has been attempted with little result, plus, these are young adult students who should not need constant monitoring from staff, nor do we have the staffing resources to do so.

 

Corporates and larger schools are able to block these services easily, how do they go about it?

 

 

 

 

 

 

 

 

Get in touch with linewize and see if they have a device that will suit your needs and fit your budget.


gehenna
8499 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #2116699 30-Oct-2018 11:26

firefuze:

 

gehenna:

 

They likely have their network running through a firewall or proxy with the ability to granularly block traffic to ports/services/IP addresses.  If you're on ADSL this is probably not available to you - are you just using the stock ISP router or is there a dedicated firewall in the mix?

 

You've said they should not need constant monitoring from staff, but their behaviour says otherwise.  What is the consequence for the policy?  It needs to be severe enough to deter.  

 

You could possibly limit Wi-Fi access to any devices you don't control.  Maybe turn off DHCP and just use static IP addresses for the devices that need online access.  

 

 

Thanks, not ISP supplied but, yes, very simple setup. Vigor ADSL modem, non-managed switch and UAP's. No USG, Firewall etc

 

Their behaviour does say otherwise, but as mentioned we don't have the staffing resources to keep tabs on them constantly. Any significant abuse will result in penalties. However the discussion of school discipline, staffing and policies isn't something to be discussed further publicly, this is managed as we see fit.

 

The path we want to explore now is to restrict access for all at a network level

 

 

 

 

What's the make/model of router?


wellygary
8315 posts

Uber Geek


  #2116709 30-Oct-2018 11:42

SpartanVXL: Fortnite, pubg etc. you can filter them all but in the end the students still have their phone connected and will do something else with it. On a limited connection you're going to have to rate limit harder, or drop people.

 

Probably this,

 

On a poor ADSL connection you are always gonna be battling Bandwidth hoggers...


hashbrown
463 posts

Ultimate Geek


  #2116800 30-Oct-2018 13:08

Blocking content one site at a time just starts an endless game of whack-a-mole. Deploy a dns filtering product that lets you block games as a category.

jaymz
1133 posts

Uber Geek


  #2116846 30-Oct-2018 13:27

firefuze:

 

That has been attempted with little result, plus, these are young adult students who should not need constant monitoring from staff, nor do we have the staffing resources to do so.

 

Corporates and larger schools are able to block these services easily, how do they go about it?

 

 

Most schools have the benefit of utilizing N4L (Network 4 Learning) filtering hardware/software in the form of Cisco firewall and now rolling out Fortinet devices to all schools.

 

Depending on your setup, there are a number of things you can employ to block the access to the game, but it does depend on a number of factors:

 

Do you have a local domain to which the computers are joined?

 

Do the students access devices joined to a local domain, or are they using BYOD (Bring Your Own Device)?

 

If you do have a local domain and all the computers are joined to it, you can employ Group Policies to block the .exe's from being run on the network.  You can also look to purchase software like ABTutor or LANSchool to monitor what is being done on the devices in the school.

 

 

 

Failing that, you can either invest in a security appliance (Fortinet, Watchguard, etc) which will have application signature detection and allow granular internet filtering (restrictive for students, less restrictive for staff)

 

 

 

As a final solution, you could set up a pfSense firewall to try to block/limit access to the game's servers.

 

 

 

At the end of the day, there is no easy way to block the game with the equipment you have (firewall/router); you will need more advanced (and unfortunately more expensive) kit to achieve what you are wanting.

 

Does the training organisation qualify to connect with N4L by chance?


dfnt
1512 posts

Uber Geek

Lifetime subscriber

  #2116853 30-Oct-2018 13:57

Given your limited setup you could look at OpenDNS, pretty sure you can block by categories/domains etc, then set up NAT to force all DNS to the router.
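
Added example (not part of any post in this thread): a sketch of the DNS-level approach suggested by Oblivian and dfnt, checking a resolver query log against the domains named in the thread. It assumes the resolver is dnsmasq with `log-queries` enabled; the log lines, hostnames and addresses below are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Domains named in the thread, used here as the blocklist.
BLOCKED = {"epicgames.com", "easy.ac", "easyanticheat.net"}

# Constructed sample in dnsmasq "log-queries" format; hostnames and
# addresses are made up for the example.
SAMPLE_LOG = """\
Oct 30 10:01:02 dnsmasq[411]: query[A] auth.EpicGames.com from 192.168.2.50
Oct 30 10:01:02 dnsmasq[411]: query[AAAA] auth.epicgames.com. from 192.168.2.50
Oct 30 10:01:03 dnsmasq[411]: query[A] client.easy.ac from 192.168.2.50
Oct 30 10:01:04 dnsmasq[411]: query[A] notepicgames.com from 192.168.2.51
Oct 30 10:01:05 dnsmasq[411]: query[A] epicgames.com.example.org from 192.168.2.51
Oct 30 10:01:06 dnsmasq[411]: reply auth.epicgames.com is 203.0.113.10
Oct 30 10:01:07 dnsmasq[411]: query[A] www.wikipedia.org from 192.168.2.51
"""

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)$")

def normalise(name):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return name.rstrip(".").lower()

def is_blocked(name, blocked=BLOCKED):
    # Match the domain itself or any subdomain, on a label boundary only,
    # so "notepicgames.com" and "epicgames.com.example.org" do not match.
    name = normalise(name)
    return any(name == d or name.endswith("." + d) for d in blocked)

def parse_queries(log):
    # Yield (client, qtype, name) for query lines; reply lines are skipped.
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if m:
            qtype, name, client = m.groups()
            yield client, qtype, normalise(name)

def blocked_hits(log, blocked=BLOCKED):
    # Count lookups of blocked names per (client, name).
    hits = Counter()
    for client, _qtype, name in parse_queries(log):
        if is_blocked(name, blocked):
            hits[(client, name)] += 1
    return hits

def names_seen(log, client):
    # Every name one device looked up, e.g. a test device opening the app.
    return sorted({n for c, _t, n in parse_queries(log) if c == client})

if __name__ == "__main__":
    for (client, name), n in sorted(blocked_hits(SAMPLE_LOG).items()):
        print(f"{client} {name} x{n}")
```

DNS filtering like this only applies to clients that use the filtered resolver, which is why dfnt pairs it with forcing all DNS through the router.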






