Author Topic: Blocking websites/ports or new router  (Read 2485 times)


Offline metrologistTopic starter

  • Super Contributor
  • ***
  • Posts: 2199
  • Country: 00
Blocking websites/ports or new router
« on: April 16, 2019, 07:54:03 pm »
I wanted to block youtube and some gaming sites for certain machines on the network. I looked up which ports they use and set a rule in my router.

outbound port 443/TCP (HTTPS) : used for authentication with the built-in providers such as YouTube Live, Facebook Live, Ustream, Livestream, and Twitch
outbound port 53/UDP (DNS) used for DNS lookups converting hostnames to IP addresses.

I swapped the source and destination IPs and inbound and outbound settings, but nothing worked. At one point, some other sites were blocked, but never YT (ironically, sites that I find that kind of info from).

My router is limited to setting this kind of rule:

inbound or outbound
source or destination IP is 0.0.0.0/0 for all IPs or the specific machine IP
port range
143 different types like TCP, UDP and others that are listed by name, or I can use a number that I do not have a lookup table for.

Then I read somewhere that I can't do it that way because Google uses https, or some other magic.

I might consider a router that can block domains or even better, not sure what to look for. Then I may go to manual IP and resort to individual MAC access.

I read about openDNS but that blocks the entire network.
 

Offline Ranayna

  • Frequent Contributor
  • **
  • Posts: 856
  • Country: de
Re: Blocking websites/ports or new router
« Reply #1 on: April 16, 2019, 08:11:17 pm »
Stuff like that is not really what a normal customer SOHO router is made for. That is something that a dedicated firewall can easily do (if you know how to configure it).
What router do you have?
Is this a private network or a company network?
 

Offline magic

  • Super Contributor
  • ***
  • Posts: 6733
  • Country: pl
Re: Blocking websites/ports or new router
« Reply #2 on: April 16, 2019, 09:30:30 pm »
Tunnel through a VPN in China and the Great Firewall will take care of the rest ;)

My router is limited to setting this kind of rule:

inbound or outbound
source or destination IP is 0.0.0.0/0 for all IPs or the specific machine IP
port range
143 different types like TCP, UDP and others that are listed by name, or I can use a number that I do not have a lookup table for.
You can't block on ports because YouTube uses normal HTTPS over port 443 like everybody else.
IP is tricky too, Google has a zillion various IPs and they probably assign and reassign them to their various services as they please. You would need a complete list, which wouldn't be short, and somehow keep it up to date.

This leaves you with blocking the domain, which can be easily bypassed by a sufficiently knowledgeable user.
If you control the individual machines and there is only a few of them, a hosts file would do it.
If you want something centralized, dunno, perhaps there are routers or firewalls which support blocking individual stations from individual domains, but I can't help with that.

Easiest solution: don't bother, discipline your kids/employees instead.
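To make the "block the domain" option concrete, here is an added illustration of the decision a DNS sinkhole (Pi-hole, an OpenWrt adblock list, or a central hosts file feeding a resolver) makes for each query. It is not code from this thread or from any of those projects. The client addresses, the restricted ranges and the blocked suffixes are all constructed for the example; the one piece worth copying is the label-wise suffix match, which catches m.youtube.com and www.youtube.com but not notyoutube.com, and the per-client scoping, since the OP only wants certain machines restricted.

```python
"""Per-client DNS domain blocking policy (added example, not from the thread).

Models the check a DNS sinkhole applies to each (client, query name) pair.
Addresses, ranges and blocked suffixes below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

SINKHOLE_ADDR = "0.0.0.0"  # answer handed back for a blocked name (assumption)


@dataclass
class ClientPolicy:
    networks: list          # ip_network objects this policy applies to
    blocked_suffixes: set   # domains to block; whole labels only

    def applies_to(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.networks)


def normalize(name: str) -> str:
    # DNS names are case-insensitive and may carry a trailing dot.
    return name.rstrip(".").lower()


def name_matches(qname: str, suffix: str) -> bool:
    """True if qname equals suffix or is a subdomain of it.
    Matching is label-wise, so 'notyoutube.com' does not match 'youtube.com'."""
    q, s = normalize(qname), normalize(suffix)
    return q == s or q.endswith("." + s)


def resolve_policy(client_ip: str, qname: str, policies: list) -> str:
    """'sinkhole' if some policy covering this client blocks qname, else 'forward'."""
    for pol in policies:
        if pol.applies_to(client_ip) and any(
            name_matches(qname, s) for s in pol.blocked_suffixes
        ):
            return "sinkhole"
    return "forward"


def build_policies() -> list:
    # Constructed: two specific PCs plus the guest range are restricted;
    # everything else on the LAN (e.g. 192.168.1.10) is left alone.
    return [
        ClientPolicy(
            networks=[
                ipaddress.ip_network("192.168.1.50/32"),
                ipaddress.ip_network("192.168.1.51/32"),
                ipaddress.ip_network("192.168.1.128/25"),
            ],
            blocked_suffixes={"youtube.com", "steampowered.com"},
        ),
    ]


def evaluate(queries, policies) -> list:
    """Apply the policy to (client_ip, qname) pairs; returns (ip, name, decision)."""
    return [(ip, name, resolve_policy(ip, name, policies)) for ip, name in queries]


SAMPLE_QUERIES = [  # constructed sample traffic
    ("192.168.1.50", "www.youtube.com."),
    ("192.168.1.50", "notyoutube.com"),
    ("192.168.1.200", "store.steampowered.com"),
    ("192.168.1.10", "www.youtube.com"),
    ("192.168.1.51", "WWW.YOUTUBE.COM"),
]

if __name__ == "__main__":
    for ip, name, decision in evaluate(SAMPLE_QUERIES, build_policies()):
        answer = SINKHOLE_ADDR if decision == "sinkhole" else "upstream"
        print(f"{ip:15} {name:26} {decision:9} -> {answer}")
```

Two caveats a practitioner would add to this, both consistent with what the thread says about bypass: the policy only sees queries that actually reach this resolver, so the router also needs a rule that redirects or drops port 53 (and DNS-over-TLS on 853) to anything other than the sinkhole, and a client that carries its own DNS-over-HTTPS resolver or connects to an IP literal never asks at all.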
 

Online NiHaoMike

  • Super Contributor
  • ***
  • Posts: 8973
  • Country: us
  • "Don't turn it on - Take it apart!"
    • Facebook Page
Re: Blocking websites/ports or new router
« Reply #3 on: April 16, 2019, 10:35:11 pm »
OpenWRT supports router level adblocking and you can add extra sites to block. There's also Pi-Hole.
Cryptocurrency has taught me to love math and at the same time be baffled by it.

Cryptocurrency lesson 0: Altcoins and Bitcoin are not the same thing.
 

Offline Rick Law

  • Super Contributor
  • ***
  • Posts: 3423
  • Country: us
Re: Blocking websites/ports or new router
« Reply #4 on: April 17, 2019, 12:03:41 am »
...
...
Easiest solution: don't bother, discipline your kids/employees instead.

In today's climate, disciplining employees is like taking a walk in a landmine zone.

As to kids... There are two kinds of kids: type (A): still breathing; type (B) not breathing, no heart beat, no brain activity.  Type B is generally not an issue but disciplining type A is exceedingly hard...
 

Offline metrologistTopic starter

  • Super Contributor
  • ***
  • Posts: 2199
  • Country: 00
Re: Blocking websites/ports or new router
« Reply #5 on: April 17, 2019, 01:47:22 am »
I am feeling a double deja vu on this post now. Sorry Forum.

I set the wifi session timer to 300 seconds. After hours all wifi has halted and cannot be restored at the user level, with full shutdowns and reboots. Have not rebooted router.

These controls are pitiful. I am so disappointed and confused. It is like the Max8 software has infected everything. Pull up mate! It's no use.
 

Offline 0culus

  • Super Contributor
  • ***
  • Posts: 3032
  • Country: us
  • Electronics, RF, and TEA Hobbyist
Re: Blocking websites/ports or new router
« Reply #6 on: April 17, 2019, 01:52:25 am »
Pi-hole or one of the open source router implementations if you're on a budget. An old PC with a dual-port NIC will do. If you're not on a budget, consider getting one of Ubiquiti's security appliances. They are proper firewalls that hit way above their weight class in terms of features. To do better, you'd have to get a commercial solution from Cisco or the like, which is a huge nonstarter for non-enterprise entities due to the costs of licensing. [edit] Either way you go, you'll have way more granular control vs normal crap home routers. Once I move, I'm considering getting Ubiquiti gear. One thing I'll definitely be doing is a VLAN for IoT devices... I do love playing with them (and poking holes in their security) but it's almost required to exercise some control over their network traffic.
« Last Edit: April 17, 2019, 01:56:05 am by 0culus »
 

Offline metrologistTopic starter

  • Super Contributor
  • ***
  • Posts: 2199
  • Country: 00
Re: Blocking websites/ports or new router
« Reply #7 on: April 17, 2019, 02:11:03 am »
I'll have to review that later. Now I rebooted the router and still no wifi. I can't find where the session timeout is. It's so convoluted. It is intentionally like this, I know. They don't want you to have control.

Another thing I did was disable WPS. What is that, beyond what I think it is? Is it needed, because I think it is a security vulnerability...
 

Offline metrologistTopic starter

  • Super Contributor
  • ***
  • Posts: 2199
  • Country: 00
Re: Blocking websites/ports or new router
« Reply #8 on: April 17, 2019, 02:17:35 am »
OK, session timeout is for the firewall advanced settings and would seem to affect everything. It was set at default 86400 secs.

All of the rules I implemented are checked disabled, and would apply to wired lan, which works fine. So I'm lost. Everything looks as default.

Now I am in trouble for breaking the wifi.
 

Offline 0culus

  • Super Contributor
  • ***
  • Posts: 3032
  • Country: us
  • Electronics, RF, and TEA Hobbyist
Re: Blocking websites/ports or new router
« Reply #9 on: April 17, 2019, 02:23:58 am »
I'll have to review that later. Now I rebooted the router and still no wifi. I can't find where the session timeout is. It's so convoluted. It is intentionally like this, I know. They don't want you to have control.

Another thing I did was disable WPS. What is that, beyond what I think it is? Is it needed, because I think it is a security vulnerability...

WPS is definitely a huge vuln. Always turn it off. It makes popping a router stupidly easy in many cases, especially with vendors who rarely issue firmware updates. All WPS does is autonegotiate the connection... basically WiFi for dummies.
 

Offline retiredcaps

  • Super Contributor
  • ***
  • Posts: 3575
  • Country: ca
Re: Blocking websites/ports or new router
« Reply #10 on: April 17, 2019, 05:45:58 am »
OpenWRT supports router level adblocking and you can add extra sites to block.
All my wifi routers at home are free from people who have discarded them as being too old or slow. I load OpenWrt on them and use simple-adblock.

Uptime is now 69 days with version 18.06.2.

https://openwrt.org/supported_devices
 

Offline JVR

  • Regular Contributor
  • *
  • Posts: 201
  • Country: be
Re: Blocking websites/ports or new router
« Reply #11 on: April 17, 2019, 10:40:28 am »
Another thing I did was disable WPS. What is that, beyond what I think it is? Is it needed, because I think it is a security vulnerability...

If you are asking these questions, perhaps you are not the guy to be poking around in the office router, unless it's just your wife screaming at you; that's part of the learning curve.
 

Offline MrMobodies

  • Super Contributor
  • ***
  • Posts: 1906
  • Country: gb
Re: Blocking websites/ports or new router
« Reply #12 on: April 17, 2019, 01:59:58 pm »
If you've got a machine to spare, you could put in a couple of Intel Gigabit PT Pro network cards, which you can get off eBay cheap, one for your WAN and one for LAN, and run pfSense on it, install the Squid proxy from the packages, and have a little experiment with it. That's what I'd do. Of course it will take a bit of power to run, but you've got a bit more control.
 

Offline metrologistTopic starter

  • Super Contributor
  • ***
  • Posts: 2199
  • Country: 00
Re: Blocking websites/ports or new router
« Reply #13 on: April 17, 2019, 02:23:53 pm »
Another thing I did was disable WPS. What is that, beyond what I think it is? Is it needed, because I think it is a security vulnerability...

If you are asking these questions, perhaps you are not the guy to be poking around in the office router, unless it's just your wife screaming at you; that's part of the learning curve.

It is for small community retail/residential. It's not Starbucks and I don't have to give bums a place to pee, free water, and free charging with unfettered internet access. It's all fine until there are abuses.

I never used WPS and just recall some security issues shortly after it was implemented. The router default is actually disabled and it has always been off.

Some of what I remember being able to do must have been on another router. It's changed a few times since I really poked around in there.

I pulled the power for a while and it rebooted back to normal operation.

I'm more interested in a hard coded and simple solution that will not require a lot of hands on maintenance. I'll look at www.ui.com

Thanks all.
 

Online Red Squirrel

  • Super Contributor
  • ***
  • Posts: 2748
  • Country: ca
Re: Blocking websites/ports or new router
« Reply #14 on: April 17, 2019, 05:58:25 pm »
Never used WPS myself but it does smell like a potential extra security attack surface to me. I disable it. Another thing to make sure to disable is UPnP, that is evil. It allows applications to arbitrarily open up ports. Basically you could land on a bad website that launches code which then opens up a port to inside your network. Super bad.
 

Online NiHaoMike

  • Super Contributor
  • ***
  • Posts: 8973
  • Country: us
  • "Don't turn it on - Take it apart!"
    • Facebook Page
Re: Blocking websites/ports or new router
« Reply #15 on: April 17, 2019, 11:25:56 pm »
It is for small community retail/residential. It's not Starbucks and I don't have to give bums a place to pee, free water, and free charging with unfettered internet access. It's all fine until there are abuses.

I never used WPS and just recall some security issues shortly after it was implemented. The router default is actually disabled and it has always been off.

Some of what I remember being able to do must have been on another router. It's changed a few times since I really poked around in there.

I pulled the power for a while and it rebooted back to normal operation.

I'm more interested in a hard coded and simple solution that will not require a lot of hands on maintenance. I'll look at www.ui.com

Thanks all.
Could you just limit the bandwidth per user to something like 1.5Mbps? Or would that interfere with the intended uses?
 

Offline metrologistTopic starter

  • Super Contributor
  • ***
  • Posts: 2199
  • Country: 00
Re: Blocking websites/ports or new router
« Reply #16 on: April 17, 2019, 11:39:56 pm »
If I could limit it to certain devices. Most are fine. This is an AT&T free router and very limited. I've read some routers are not compatible. I could talk to their service dept too and see if they have options. I was hoping the port limiting would work. I don't know enough about why not.
 

Offline 0culus

  • Super Contributor
  • ***
  • Posts: 3032
  • Country: us
  • Electronics, RF, and TEA Hobbyist
Re: Blocking websites/ports or new router
« Reply #17 on: April 18, 2019, 04:49:01 am »
Is it a modem/router combo or just a router? If the latter you can trash the router and put whatever you want on there. If the former, you can still do that, but set up the modem/router (even the shit ActionTec modem/routers CenturyLink rents or sells for DSL can do this) in bridged mode and then hang whatever router and/or security appliance you want to on your side of the network.
 

Offline legacy

  • Super Contributor
  • ***
  • !
  • Posts: 4415
  • Country: ch
Re: Blocking websites/ports or new router
« Reply #18 on: April 18, 2019, 11:59:16 am »
In order to block YouTube, the router should be able to look at the kind of incoming information at the application level.

is it possible?

with a sort of "agent" running in the userspace, and checking at the incoming data on the HTTP/HTTPS port?

it would be a sort of "superset" "/usr/bin/file" utility, which is able to understand a file

Code:
file hackaday.php
hackaday.php: PHP script text

so in a similar way, an HTTP-file (it doesn't exist, I am describing an idea), applied to a TCP/IP stream, should be able to respond

Code:
http-file /dev/http/socket/243
YouTube

is it possible?  :-//
 

Offline helius

  • Super Contributor
  • ***
  • Posts: 3632
  • Country: us
Re: Blocking websites/ports or new router
« Reply #19 on: April 18, 2019, 12:26:04 pm »
That is what Level 7 Filtering or Deep Packet Inspection does using compiled regular expressions.
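The piece of "application level" inspection that actually answers the OP's question is smaller than a regex engine: the TLS ClientHello that opens every HTTPS connection carries the requested hostname in the clear in its Server Name Indication (SNI) extension, so a filter on the router can read "www.youtube.com" off port 443 without decrypting anything and without a man-in-the-middle proxy or self-signed certificate. The following is an added example of that parse, not code from this thread or from any firewall product. The ClientHello bytes are constructed in the block (a builder is included so it runs offline), and the blocked-suffix list is illustrative.

```python
"""SNI-based HTTPS filtering (added example, not from the thread).

Builds a minimal TLS ClientHello record with an SNI extension, then parses the
hostname back out with bounds-checked reads, the way an L7 filter on a router
would inspect the first segment of a port-443 flow. All input is constructed.
"""
import struct

BLOCKED_SUFFIXES = ("youtube.com", "steampowered.com")  # illustrative list


def build_client_hello(server_name: str) -> bytes:
    """Constructed ClientHello: record header, handshake header, fixed fields,
    one unrelated extension (so the parser must skip it) and the SNI extension."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    other_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x03"     # supported_versions-style filler
    exts = other_ext + sni_ext
    body = (
        b"\x03\x03" + bytes(32)                          # client_version, random
        + b"\x00"                                        # session_id (empty)
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"     # two cipher suites
        + b"\x01\x00"                                    # compression: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


class _Reader:
    """Cursor over bytes; every read is length-checked so hostile or truncated
    input raises ValueError instead of being read past the end."""
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.buf):
            raise ValueError("truncated or malformed ClientHello")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int: return self.take(1)[0]
    def u16(self) -> int: return struct.unpack("!H", self.take(2))[0]
    def u24(self) -> int: return int.from_bytes(self.take(3), "big")
    def remaining(self) -> int: return len(self.buf) - self.pos


def extract_sni(data: bytes):
    """Return the host_name from a TLS ClientHello record, or None when the bytes
    are not a ClientHello or carry no SNI extension."""
    r = _Reader(data)
    if r.u8() != 0x16:                 # ContentType handshake
        return None
    r.take(2)                          # record-layer version
    hs = _Reader(r.take(r.u16()))
    if hs.u8() != 0x01:                # HandshakeType client_hello
        return None
    body = _Reader(hs.take(hs.u24()))
    body.take(2 + 32)                  # client_version + random
    body.take(body.u8())               # session_id
    body.take(body.u16())              # cipher_suites
    body.take(body.u8())               # compression_methods
    if body.remaining() == 0:
        return None                    # no extensions at all
    exts = _Reader(body.take(body.u16()))
    while exts.remaining() >= 4:
        etype, elen = exts.u16(), exts.u16()
        edata = _Reader(exts.take(elen))
        if etype != 0x0000:            # only server_name interests us
            continue
        names = _Reader(edata.take(edata.u16()))
        while names.remaining() >= 3:
            name_type, name = names.u8(), names.take(names.u16())
            if name_type == 0:
                return name.decode("ascii", errors="replace")
    return None


def verdict(first_segment: bytes) -> str:
    """Decision an SNI-aware filter would make on the first bytes of a flow."""
    sni = extract_sni(first_segment)
    if sni is None:
        return "pass"                  # not TLS, or no SNI (e.g. ECH, IP literal)
    host = sni.rstrip(".").lower()
    if any(host == s or host.endswith("." + s) for s in BLOCKED_SUFFIXES):
        return f"reset {host}"
    return f"pass {host}"


if __name__ == "__main__":
    for name in ("www.youtube.com", "m.youtube.com", "www.eevblog.com"):
        print(name, "->", verdict(build_client_hello(name)))
    print("plain HTTP ->", verdict(b"GET / HTTP/1.1\r\n"))
```

Design notes: a real implementation has to reassemble the ClientHello across TCP segments before parsing, and should decide what to do when no SNI is present, since Encrypted Client Hello (ECH), a raw IP literal, or a VPN tunnel all leave this filter blind, which is the bypass the earlier replies warn about. The bounds-checked reader matters because the parser sits in the data path and is fed by whoever is being filtered.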
 

Offline metrologistTopic starter

  • Super Contributor
  • ***
  • Posts: 2199
  • Country: 00
Re: Blocking websites/ports or new router
« Reply #20 on: April 18, 2019, 02:10:06 pm »
This is a combo modem/router/wifi. I forget the term modem, modulator demodulator. Under the hood, I wouldn't be surprised if all this functionality is on a single chip.

I won't have access to user's machines, but I'm sure you mean this scripting would be in the router. That's too complicated for me and should be the role of the device mfg. and part of the routers OS. I can't design that.

The port blocking that I did enable once actually did block some websites. Maybe I do not have the correct port numbers for what youtube is using. I don't know enough about that or about the comment I read somewhere that stated port blocking will not work because youtube uses https... Maybe they are using a port that is common for many websites and it would shut too much off.

It's mostly the random out of control lan parties that sprout up and they are using the steam platform for that activity. To me it all looks the same, some kind of data streaming.
 

Offline 0culus

  • Super Contributor
  • ***
  • Posts: 3032
  • Country: us
  • Electronics, RF, and TEA Hobbyist
Re: Blocking websites/ports or new router
« Reply #21 on: April 18, 2019, 06:39:50 pm »
TLS works over port 443 by default, so you'd be breaking every site that uses it. If you need to control TLS traffic, you'll need a MITM proxy like squid...but you have to be careful and make sure you have a user agreement that covers exactly what you're doing. I wouldn't recommend doing that unless this is a corporate network.
 

Offline orion242

  • Supporter
  • ****
  • Posts: 746
  • Country: us
Re: Blocking websites/ports or new router
« Reply #22 on: April 18, 2019, 07:57:36 pm »
TLS works over port 443 by default, so you'd be breaking every site that uses it. If you need to control TLS traffic, you'll need a MITM proxy like squid...

Exactly.  A huge red flag when I run into this and should be for anyone running into TLS nonsense like this.  That's when I switch to VPN, my phone hotspot, or simply do without.
« Last Edit: April 18, 2019, 07:59:19 pm by orion242 »
 

Offline 0culus

  • Super Contributor
  • ***
  • Posts: 3032
  • Country: us
  • Electronics, RF, and TEA Hobbyist
Re: Blocking websites/ports or new router
« Reply #23 on: April 19, 2019, 01:41:34 am »
Yeah, with squid you'll have your own self-signed certificate that most any sane computer or mobile device will throw up big warning flags about when users try to connect. Just don't go there. Unless you are running a company network where the users have no expectation of privacy, you should not be MITMing them.
 

