Geekzone: technology news, blogs, forums
394 posts

Ultimate Geek
+1 received by user: 55


Topic # 242476 30-Oct-2018 10:01

I work for a small training organisation, and being rural we only have access to a rather slow ADSL connection.

When students are on site they are consistently playing PUBG using the school WiFi provided, however, this is saturating the ADSL connection and brings general internet use grinding to a halt when staff need to get things done. Regardless, we don't want them having access to the game using school WiFi anyway as it has become a severe study distraction as of recent.

The setup is very simple, Vigor 120, basic 24P switch and a couple Unifi APs

I need to be able to block access to the game servers but haven't had any luck. From what I have found online, they use Amazon servers and addresses are dynamic, as well as the ports used. Don't want to go down the whitelisting option as it's too restrictive.

Anyone able to offer some insight on how to go about blocking this game in particular? Different hardware required?


5096 posts

Uber Geek
+1 received by user: 1213

Moderator
Trusted
Lifetime subscriber

  Reply # 2116673 30-Oct-2018 10:33

Perhaps a problem that could be solved with a policy and some consequences, rather than a technical solution?




394 posts

Ultimate Geek
+1 received by user: 55


  Reply # 2116675 30-Oct-2018 10:38

That has been attempted with little result, plus, these are young adult students who should not need constant monitoring from staff, nor do we have the staffing resources to do so.

Corporates and larger schools are able to block these services easily, how do they go about it?


174 posts

Master Geek
+1 received by user: 54


  Reply # 2116676 30-Oct-2018 10:41
2 people support this post

Do the students have a separate SSID? Limit the bandwidth to an unplayable rate.


5096 posts

Uber Geek
+1 received by user: 1213

Moderator
Trusted
Lifetime subscriber

  Reply # 2116677 30-Oct-2018 10:43

They likely have their network running through a firewall or proxy with the ability to granularly block traffic to ports/services/IP addresses.  If you're on ADSL this is probably not available to you - are you just using the stock ISP router or is there a dedicated firewall in the mix?

 

You've said they should not need constant monitoring from staff, but their behaviour says otherwise.  What is the consequence for the policy?  It needs to be severe enough to deter.  

 

You could possibly limit Wi-Fi access to any devices you don't control.  Maybe turn off DHCP and just use static IP addresses for the devices that need online access.  




394 posts

Ultimate Geek
+1 received by user: 55


  Reply # 2116679 30-Oct-2018 10:47

Dolts:

Do the students have a separate SSID? Limit the bandwidth to an unplayable rate.

Students do have a separate SSID which is currently rate limited, however if I reduce it further it would negatively impact those students who are using the internet for genuine reasons


2902 posts

Uber Geek
+1 received by user: 312


  Reply # 2116682 30-Oct-2018 10:52

You may be thinking too far down the track for the cutoff.

Sure, they may use dynamic Amazon servers. But the app will still reach out to a single/small range DNS point or login server to verify the user/app first and find the name resolution to go hunting for those dynamic locations.

And that's the level you need to kill. QoS/NAT the authenticator/login path. Problem be gone.

Get yourself a router and the same app, HUB (or clone the packets) on the WAN side, Wireshark. Open app.. Boom.

Or as above.. adjust DHCP and static/reserve those that are permitted to a different path.




394 posts

Ultimate Geek
+1 received by user: 55


  Reply # 2116687 30-Oct-2018 11:00

gehenna:

They likely have their network running through a firewall or proxy with the ability to granularly block traffic to ports/services/IP addresses. If you're on ADSL this is probably not available to you - are you just using the stock ISP router or is there a dedicated firewall in the mix?

You've said they should not need constant monitoring from staff, but their behaviour says otherwise. What is the consequence for the policy? It needs to be severe enough to deter.

You could possibly limit Wi-Fi access to any devices you don't control. Maybe turn off DHCP and just use static IP addresses for the devices that need online access.

Thanks, not ISP supplied but, yes, very simple setup. Vigor ADSL modem, non-managed switch and UAPs. No USG, Firewall etc

Their behaviour does say otherwise, but as mentioned we don't have the staffing resources to keep tabs on them constantly. Any significant abuse will result in penalties. However the discussion of school discipline, staffing and policies isn't something to be discussed further publicly, this is managed as we see fit.

The path we want to explore now is to restrict access for all at a network level


2902 posts

Uber Geek
+1 received by user: 312


  Reply # 2116690 30-Oct-2018 11:05

I'm guessing this will help? ;) ...

Worded domain of: epicgames.com and easy.ac

104.28.2.249, 104.28.3.249 (easyanticheat.net)

54.86.141.201, 18.205.125.105 (epicgames.com)

And drop the 9000 UDPs ;)

https://www.reddit.com/r/FORTnITE/comments/8c7n6o/fornite_ips_and_outgoing_ports_for_strict/

Unless I've got my apps mixed up and it's actually Player Unknown in particular.


343 posts

Ultimate Geek
+1 received by user: 123


  Reply # 2116694 30-Oct-2018 11:19

Fortnite, PUBG etc. you can filter them all but in the end the students still have their phone connected and will do something else with it. On a limited connection you're going to have to rate limit harder, or drop people.

epr

158 posts

Master Geek
+1 received by user: 50


  Reply # 2116697 30-Oct-2018 11:24
One person supports this post

firefuze:

That has been attempted with little result, plus, these are young adult students who should not need constant monitoring from staff, nor do we have the staffing resources to do so.

Corporates and larger schools are able to block these services easily, how do they go about it?

Get in touch with Linewize and see if they have a device that will suit your needs and fit your budget.


5096 posts

Uber Geek
+1 received by user: 1213

Moderator
Trusted
Lifetime subscriber

  Reply # 2116699 30-Oct-2018 11:26

firefuze:

gehenna:

They likely have their network running through a firewall or proxy with the ability to granularly block traffic to ports/services/IP addresses. If you're on ADSL this is probably not available to you - are you just using the stock ISP router or is there a dedicated firewall in the mix?

You've said they should not need constant monitoring from staff, but their behaviour says otherwise. What is the consequence for the policy? It needs to be severe enough to deter.

You could possibly limit Wi-Fi access to any devices you don't control. Maybe turn off DHCP and just use static IP addresses for the devices that need online access.

Thanks, not ISP supplied but, yes, very simple setup. Vigor ADSL modem, non-managed switch and UAPs. No USG, Firewall etc

Their behaviour does say otherwise, but as mentioned we don't have the staffing resources to keep tabs on them constantly. Any significant abuse will result in penalties. However the discussion of school discipline, staffing and policies isn't something to be discussed further publicly, this is managed as we see fit.

The path we want to explore now is to restrict access for all at a network level

What's the make/model of router?


3511 posts

Uber Geek
+1 received by user: 985


  Reply # 2116709 30-Oct-2018 11:42

SpartanVXL: Fortnite, PUBG etc. you can filter them all but in the end the students still have their phone connected and will do something else with it. On a limited connection you're going to have to rate limit harder, or drop people.

Probably this,

On a poor ADSL connection you are always gonna be battling bandwidth hoggers...


455 posts

Ultimate Geek
+1 received by user: 128


  Reply # 2116800 30-Oct-2018 13:08
One person supports this post

Blocking content one site at a time just starts an endless game of whack-a-mole. Deploy a DNS filtering product that lets you block games as a category.

1088 posts

Uber Geek
+1 received by user: 66


  Reply # 2116846 30-Oct-2018 13:27
One person supports this post

firefuze:

That has been attempted with little result, plus, these are young adult students who should not need constant monitoring from staff, nor do we have the staffing resources to do so.

Corporates and larger schools are able to block these services easily, how do they go about it?

Most schools have the benefit of utilizing N4L (Network 4 Learning) filtering hardware/software in the form of Cisco firewall and now rolling out Fortinet devices to all schools.

Depending on your setup, there are a number of things you can employ to block the access to the game, but it does depend on a number of factors:

Do you have a local domain to which the computers are joined?

Do the students access devices joined to a local domain, or are they using BYOD (Bring Your Own Device)?

If you do have a local domain and all the computers are joined to it, you can employ Group Policies to block the .exe's from being run on the network. You can also look to purchase software like ABTutor or LANSchool to monitor what is being done on the devices in the school.

Failing that, you can either invest in a security appliance (Fortinet, Watchguard, etc) which will have application signature detection and allow granular internet filtering (restrictive for students, less restrictive for staff).

As a final solution, you could set up a pfSense firewall to try to block/limit access to the game's servers.

At the end of the day, there is no easy way to block the game with the equipment you have (firewall/router); you will need more advanced (and unfortunately more expensive) kit to achieve what you are wanting.

Does the training organisation qualify to connect with N4L by chance?


defiant
690 posts

Ultimate Geek
+1 received by user: 331

Lifetime subscriber

  Reply # 2116853 30-Oct-2018 13:57
2 people support this post

Given your limited setup you could look at OpenDNS, pretty sure you can block by categories/domains etc, then set up NAT to force all DNS to the router
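
The DNS-filtering and forced-DNS suggestions in the replies above, as an added example that is not from any poster in the thread: it checks constructed DNS query records against a suffix blocklist and lists clients whose queries went to a resolver other than the local one, which is the gap that forcing DNS through the router closes. The resolver address, record format and function names are assumptions; the domains are the ones named earlier in the thread.

```python
"""Added example: DNS blocklist matching and resolver-bypass detection.

Record format, addresses and function names are assumptions for illustration.
"""

# Domains named earlier in the thread; a filtering service would supply categories.
BLOCKED_SUFFIXES = {"epicgames.com", "easy.ac", "easyanticheat.net"}
LOCAL_RESOLVER = "192.168.1.1"  # assumption: the router / filtering resolver

# Constructed sample records: "<client_ip> <dns_server_ip> <queried_name>"
SAMPLE_LOG = """\
192.168.1.50 192.168.1.1 www.epicgames.com
192.168.1.50 192.168.1.1 www.example.org
192.168.1.51 192.168.1.1 notepicgames.com
192.168.1.52 203.0.113.53 www.epicgames.com
192.168.1.53 192.168.1.1 EASY.AC.
"""


def normalize(name):
    """Lower-case the name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def is_blocked(name, suffixes=BLOCKED_SUFFIXES):
    """Match on whole labels so 'notepicgames.com' does not hit 'epicgames.com'."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in suffixes for i in range(len(labels)))


def review(log_text, resolver=LOCAL_RESOLVER):
    """Return (blocked queries seen by the resolver, clients bypassing it)."""
    blocked, bypass = [], set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        client, server, name = parts
        if server != resolver:
            # The local filter never saw this query, so it could not block it.
            bypass.add(client)
        elif is_blocked(name):
            blocked.append((client, normalize(name)))
    return blocked, sorted(bypass)


if __name__ == "__main__":
    hits, bypassing = review(SAMPLE_LOG)
    print("blocked:", hits)
    print("bypassing local resolver:", bypassing)
```

Any client listed as bypassing is resolving names outside the filter, so the blocklist has no effect on it until port 53 traffic is redirected or restricted at the gateway.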

