Some help with connection filtering

Wynd
DD-WRT Novice


Joined: 17 Apr 2021
Posts: 8

PostPosted: Sat Apr 17, 2021 0:39    Post subject: Some help with connection filtering
I play a game that uses peer-to-peer servers. You used to be able to queue into your friends by monitoring the IP addresses in Wireshark or setting a geo filter on Netduma OS. They added an update that routes the traffic through the Steam relay servers now. This made it so the only IP addresses you see are from the Steam relay server now instead of individual players.

What I am basically trying to set up now is a way to block connections to my PCs on my LAN on ports 27000-27200 and 3097 by any PCs outside the network, but allow the PCs on the LAN to communicate with each other through the Steam relay servers and with each other on those ports.

So when I click to queue up on two of my PCs, they need to be able to connect to the Steam relay servers and see each other through those ports while also actively blocking all other connections on those ports from everyone else outside my LAN that the matchmaking is attempting to match us with.

Some people seem to have this working and are claiming it's through DD-WRT. Any help would be greatly appreciated with this.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6436
Location: UK, London, just across the river..

PostPosted: Sat Apr 17, 2021 13:05    Post subject:
Without telling us your router model/brand, we cannot proceed with much help...

Yep, in DD-WRT you can use WAN-to-LAN rules and/or the opposite via Netfilter/iptables/IPset...
However, rules do not apply LAN to LAN....

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1414

PostPosted: Sat Apr 17, 2021 14:25    Post subject:
Make sure to turn off any auto-configuration in the router...

By default, WAN-to-LAN connections are blocked due to NAT traversal, so all you would need to do is add some iptables rules to filter LAN-to-WAN to ensure that your PCs are not initializing the connections, thus allowing the WAN-to-LAN to be related/established...
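Wildlion's suggestion above, worked out as an added example (not code posted in this thread): a DD-WRT firewall-script fragment that stops LAN hosts from opening new connections on the game ports towards the WAN, so conntrack never has a LAN-initiated flow whose replies it would let back in. It assumes the LAN bridge is br0, that `nvram get wan_ifname` names the WAN interface (PPPoE setups may differ), and that the build's iptables has the `state` match; as Alozaros notes, nothing here touches LAN-to-LAN traffic on the bridge, and as eibgrad points out it cannot tell relayed peers apart, since they all arrive from the relay's address.

```shell
#!/bin/sh
# Added example, not code from the thread: a DD-WRT firewall-script fragment
# implementing Wildlion's suggestion (stop LAN hosts from initiating on the game
# ports so conntrack never admits the WAN replies). Assumptions: LAN bridge is
# br0, `nvram get wan_ifname` returns the WAN interface, and the build's iptables
# has the `state` match. None of this filters LAN-to-LAN traffic on the bridge.
LAN_IF="${LAN_IF:-br0}"
GAME_PORT_RANGE="27000:27200"
SIGNAL_PORT="3097"

# Resolve the WAN interface from NVRAM; off-router fall back to eth0 (assumed name).
wan_if() {
    nvram get wan_ifname 2>/dev/null || echo eth0
}

# Emit the iptables commands as text so the rule set can be reviewed before it is
# applied. Each rule drops NEW LAN->WAN connections on a game port for one protocol;
# the router's default FORWARD policy already drops unsolicited WAN->LAN packets,
# and only RELATED/ESTABLISHED replies to LAN-initiated flows are let back in.
build_rules() {
    wan="$1"
    for proto in udp tcp; do
        for ports in "$GAME_PORT_RANGE" "$SIGNAL_PORT"; do
            printf 'iptables -I FORWARD -i %s -o %s -p %s --dport %s -m state --state NEW -j DROP\n' \
                "$LAN_IF" "$wan" "$proto" "$ports"
        done
    done
}

# Number of rules build_rules would install; handy for a sanity check in the log.
count_rules() {
    build_rules "$1" | wc -l | tr -d ' '
}

# Apply the rules. On DD-WRT, save this script under Administration -> Commands ->
# "Save Firewall" so it is re-run each time the WAN comes up. The `apply` argument
# guard keeps a plain `sh script.sh` as a dry run that only prints the rules.
apply_rules() {
    build_rules "$(wan_if)" | while read -r cmd; do
        eval "$cmd"
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    build_rules "$(wan_if)"
fi
```

Run without arguments to print the four rules for review; `sh script.sh apply` installs them. Verify afterwards with `iptables -L FORWARD -v -n` and watch the packet counters climb while the game tries to match.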
Wynd
DD-WRT Novice


Joined: 17 Apr 2021
Posts: 8

PostPosted: Sun Apr 18, 2021 16:10    Post subject:
Alozaros wrote:
Without telling us your router model/brand, we cannot proceed with much help...

Yep, in DD-WRT you can use WAN-to-LAN rules and/or the opposite via Netfilter/iptables/IPset...
However, rules do not apply LAN to LAN....

Sorry, I'm using a D-Link DIR890.

It's hard to explain in text how it works, but I'll try. Both of my PCs will connect to a matchmaking server and then it compares latency and such to decide who you match up with. It's kind of weighted to keep people on the same connection from getting matched together, so it usually matches you with other people first. I want to block those other people's incoming connections so it has to match my two PCs together.

Prior to this SDR (Steam data relay) update you could just watch IP addresses in Wireshark or set up firewall rules to block others based on IP address. The problem now is the only IP addresses you see are the SDR servers'. There could be 10 different people connecting to you, but it's all coming from that server's IP address now instead of their own.

I have tested, and blocking ports 27000-27200 will completely block any matchmaking at all. You will sit there infinitely trying to find someone. I am trying to sort out a way to only allow my other PC to get through and connect to the other one, but without being able to identify it from the IP address I'm stuck.

I imagine with all the tools DD-WRT offers there is some way to do this, but beyond port forwarding and such I don't have a ton of experience with the firmware. There are people still doing this, but they of course won't exactly say how. One of them I saw firsthand do it. It blocks every other connection and only allows his other PC through.
Wynd
DD-WRT Novice


Joined: 17 Apr 2021
Posts: 8

PostPosted: Sun Apr 18, 2021 16:11    Post subject:
Wildlion wrote:
Make sure to turn off any auto-configuration in the router...

By default, WAN-to-LAN connections are blocked due to NAT traversal, so all you would need to do is add some iptables rules to filter LAN-to-WAN to ensure that your PCs are not initializing the connections, thus allowing the WAN-to-LAN to be related/established...

How would I go about filtering connections when the only IP address I can see is the SDR server's IP and not individuals' IPs? Even when my 1st PC on the LAN would communicate with the 2nd PC, all they see is the SDR's IP address.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Sun Apr 18, 2021 18:06    Post subject:
Wynd wrote:
Wildlion wrote:
Make sure to turn off any auto-configuration in the router...

By default, WAN-to-LAN connections are blocked due to NAT traversal, so all you would need to do is add some iptables rules to filter LAN-to-WAN to ensure that your PCs are not initializing the connections, thus allowing the WAN-to-LAN to be related/established...

How would I go about filtering connections when the only IP address I can see is the SDR server's IP and not individuals' IPs? Even when my 1st PC on the LAN would communicate with the 2nd PC, all they see is the SDR's IP address.


Based on your own description, I don't see any way to make known the actual source IP of the other players if everything is being routed through a common/shared game server.

It's no different than you using a VPN to disguise your own public IP from the sites you visit. That's the whole point! And there's nothing magical the router can do to get around the fact that someone is accessing it through a proxy, be it a VPN or game server.

The only possibility is if perhaps the game server is *leaking* this information in some other fashion. That has sometimes been a problem w/ VPNs. The target site is sometimes able to see the actual public IP of the user because of information leaking through WebRTC.

https://nordvpn.com/blog/webrtc/

Whether this is the kind of thing these other links might have been referring to, only you can determine since you didn't provide those links.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
Wynd
DD-WRT Novice


Joined: 17 Apr 2021
Posts: 8

PostPosted: Sun Apr 18, 2021 18:40    Post subject:
eibgrad wrote:
Wynd wrote:
Wildlion wrote:
Make sure to turn off any auto-configuration in the router...

By default, WAN-to-LAN connections are blocked due to NAT traversal, so all you would need to do is add some iptables rules to filter LAN-to-WAN to ensure that your PCs are not initializing the connections, thus allowing the WAN-to-LAN to be related/established...

How would I go about filtering connections when the only IP address I can see is the SDR server's IP and not individuals' IPs? Even when my 1st PC on the LAN would communicate with the 2nd PC, all they see is the SDR's IP address.


Based on your own description, I don't see any way to make known the actual source IP of the other players if everything is being routed through a common/shared game server.

It's no different than you using a VPN to disguise your own public IP from the sites you visit. That's the whole point! And there's nothing magical the router can do to get around the fact that someone is accessing it through a proxy, be it a VPN or game server.

The only possibility is if perhaps the game server is *leaking* this information in some other fashion. That has sometimes been a problem w/ VPNs. The target site is sometimes able to see the actual public IP of the user because of information leaking through WebRTC.

https://nordvpn.com/blog/webrtc/

Whether this is the kind of thing these other links might have been referring to, only you can determine since you didn't provide those links.

What links didn't I provide? The game is Destiny 2. I am not sure how people are doing it, but it's 100% possible. I tried to join the guy that does it and it told me I had a NAT error, which is usually what happens if ports are blocked in games. Yet his PCs somehow see each other and are able to connect, while no one else is able to connect to them during the matchmaking process.

It's not dedicated servers, it's still peer-to-peer, so there is some way people are identifying their own connection (other than IP address) and allowing it through.

I don't think Steam is leaking IP addresses in any way either. Their entire SDR service is set up to prevent people's IPs from leaking. This game had a problem with DDoSing and it was the solution. Unfortunately it also broke being able to queue into your friends.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Sun Apr 18, 2021 18:53    Post subject:
"Some people seem to have this working and are claiming its through dd-wrt."

Fine, but how 'bout providing some links to those discussions so we can have more than just your description of the problem, and perhaps some idea of what they're doing and how it could possibly be implemented on the router.

You just keep saying others have it working, they claim this or that will fix it, and leave it at that. This forum is NOT dedicated to gaming, nor does everyone have experience w/ this specific issue. We are providing general purpose information, specifically related to dd-wrt. And once you start getting into narrow, specific problems, it gets a lot tougher to provide good information unless we too can become more familiar w/ these issues.

Wynd
DD-WRT Novice


Joined: 17 Apr 2021
Posts: 8

PostPosted: Sun Apr 18, 2021 19:33    Post subject:
eibgrad wrote:
"Some people seem to have this working and are claiming its through dd-wrt."

Fine, but how 'bout providing some links to those discussions so we can have more than just your description of the problem, and perhaps some idea of what they're doing and how it could possibly be implemented on the router.

You just keep saying others have it working, they claim this or that will fix it, and leave it at that. This forum is NOT dedicated to gaming, nor does everyone have experience w/ this specific issue. We are providing general purpose information, specifically related to dd-wrt. And once you start getting into narrow, specific problems, it gets a lot tougher to provide good information unless we too can become more familiar w/ these issues.

I would gladly provide more information if I could. These people that have it working don't share it. They try to charge people money for it and refuse to share how it's done. When I say I know it's possible, it's because I have been in the guy's group while he does it. You see it say "evaluating", which means it's testing connection speed and such multiple times as it tries to match you to people; then it stops and moves on to the next one since the connection is blocked. Then when it gets to matchmaking his two PCs together, it lets it through and the game begins.

People used to do this with the Netduma geo map filter, but since everyone's traffic is routed through servers now, all you can really do is force a server in your region, which does nothing to stop others in the area from matchmaking with you.
redrawdeal
DD-WRT Novice


Joined: 22 May 2021
Posts: 1

PostPosted: Sat May 22, 2021 8:23    Post subject: PS4 or PS5
Ok, I can understand where you're coming from because I have exactly the same problem, but it is on a PlayStation 4 or 5. 2 PlayStations in the same household, one account on each, so your friends can join both PlayStations.
2 on one, 2 on another. From the UK, use NordVPN to go to a far country where no one is; then it used to link the two PlayStations together. Destiny 2 have obviously done a patch because it has stopped working (still works on Destiny 1). I have tried in different countries with no luck. I have occasionally joined the two PlayStations together, so it's not impossible, but like you said it doesn't stop people joining you now, so it's not a guaranteed match-up. He's also right, people say they want £400 before they even give out information.
(https://destinytrialsreport.com/report/2/4611686018474539755)
See linked so you can see it's still possible to do.
He believes he's got the setup which will work on any writable router. If anyone does know how to do this setup I would also appreciate the help. I have a Linksys WRT3200ACM router. Firmware: DD-WRT v3.0-r45993 std (03/12/21)
It has been suggested that they have stopped you connecting in a foreign country with a very high ping, and that is the way they have patched the VPNs.

Many Thanks

Moderator note 05.22.21: Attached images are limited to 768 pixels wide per the forum rules. If you need higher resolution images, use an image hosting site and link the image properly.