posthaste

join:2001-05-20
Champaign, IL

1 edit

ZyWALL USG 200 - Blocking IP Ranges

In this BBR thread, I learned about blocking the following IP ranges for improving YouTube video streaming:

»Why Is Everyone Having YouTube Streaming Issues?

173.194.55.0/24
206.111.0.0/16

So I want to do this in the USG by creating a firewall rule.

First, I created two Address Objects with the following IP ranges:

Under Objects -> Address:
#8 (YouTube1) 173.194.55.0 - 173.194.55.255
#9 (YouTube2) 206.111.0.0 - 206.111.255.255

This is what I have under Firewall rules:

#1 Priority
From: any
To: any (excluding ZyWall)
Schedule: none
User: any
IPv4 Source: YouTube1
IPv4 Destination: YouTube1
Service: any
Access: reject
Log: no

The #2 firewall rule is the same, except it uses YouTube2 objects for both the source and destination.

Will this work? Have I botched it? Comments please.
--



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

Well, I would do it except WAN to LAN for the LAN you want to control.


posthaste

join:2001-05-20
Champaign, IL

After turning on logging for that firewall rule, I watched a bazillion YouTube videos. However, the log doesn't show that rule as being activated, or any IPs in its range, as having been blocked.

Strange. I guess it's working.



superataru

join:2004-12-07
Kearny, NJ

Hi.
Not clear to me. You are trying to stop traffic from YT1 and YT2.
They are all public IPs.
Does this traffic pass through your device?


posthaste

join:2001-05-20
Champaign, IL

»mitchribar.com/2013/02/time-warn···witchtv/

»www.reddit.com/r/technology/comm···_stream/

»news.ycombinator.com/item?id=5276772

Yes, I'm trying to block all traffic from those two IP ranges. I created Address Objects for both in the ZyWALL, then created a firewall rule to block them (with logging turned on). Logs don't show that particular rule being activated or packets from those IP ranges as being blocked/rejected. Either I'm getting no traffic from them to the ZyWALL, or I futzed up the firewall rule somewhere.

BTW, I added YouTube1 and YouTube2 to an Address Group under Objects so now I need only one firewall rule to block both IP ranges. So that's a change from my first post. Anyway, logs still don't show any traffic being denied/rejected from those IP ranges.
--



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

2 edits
reply to posthaste

I would delete that rule and make a new one as follows.
Invoke a LAN to WAN rule for those IP ranges as follows:
From - LAN
to - WAN
Schedule - as required
User - any
Source - any
Destination - any
Service - You Tube group
Access- reject
Log - On

Edit: Above is wrong, destination is the youtube Group address
Service ANY.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment


posthaste

join:2001-05-20
Champaign, IL

Can't do that as the Service Objects are only for port blocking, not blocking IPs (or IP ranges).



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

You're either blocking ports for an IP, a range of IPs, a subnet, a LAN or all IPs in your network. There are no other options??? One way or another you will be blocking these PORTS for some IPs.

Nowhere above am I blocking IPs from access to the internet on anything except the ports you requested???

What am I missing here.
--


posthaste

join:2001-05-20
Champaign, IL
reply to posthaste

It's not possible to select my custom YouTube (address) Object under the Services drop down menu - as you described above - in a new firewall rule. All those selections are for port ranges, not IP addresses.


superataru

join:2004-12-07
Kearny, NJ

2 edits
reply to Anav

.


posthaste

join:2001-05-20
Champaign, IL
reply to Anav


posthaste

join:2001-05-20
Champaign, IL
reply to posthaste

Maybe these screen captures will help.


superataru

join:2004-12-07
Kearny, NJ
reply to Anav

said by Anav:

I would delete that rule and make a new one as follows.
invoke LAN to WAN rule for those IP ranges as follows:
From - LAN
to - WAN
Schedule - as required
User - any
Source - any
Destination - any
Service - You Tube group
Access- reject
Log - On

This is the solution, posthaste, as you can't stop traffic that does not really flow through your device, or that can't be selected by your device.
Your hosts may work as nodes, but either there is pure routing (and I believe it's not your scenario), or your firewall could stop "WAN to LAN" or "LAN to WAN" traffic.
And, please, use Zones.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

1 edit
reply to posthaste

I see your problem.
It's a minor misunderstanding.
Edit. - my bad
--


posthaste

join:2001-05-20
Champaign, IL

My YouTube objects are IP address ranges.

After reading your firewall rule suggestion this morning, I thought you may have meant for me to define my YT objects as Services, but I looked at it and don't see how.

Configuration -> Object -> Service -> Add Service Rule

Under TCP, it's just port ranges
Under UDP, same
Under User Defined, it's "IP Protocol Number (Enter the number of the next-level protocol [IP protocol]. Allowed values are 1 - 255.)
--


posthaste

join:2001-05-20
Champaign, IL
reply to superataru

said by superataru:

said by Anav:

I would delete that rule and make a new one as follows.
invoke LAN to WAN rule for those IP ranges as follows:
From - LAN
to - WAN
Schedule - as required
User - any
Source - any
Destination - any
Service - You Tube group
Access- reject
Log - On

This is the solution, posthaste, as you can't stop traffic that does not really flow through your device, or that can't be selected by your device.
Your hosts may work as nodes, but either there is pure routing (and I believe it's not your scenario), or your firewall could stop "WAN to LAN" or "LAN to WAN" traffic.
And, please, use Zones.

Can you elaborate on how and why I should use Zones?
--


posthaste

join:2001-05-20
Champaign, IL

4 edits
reply to Anav

said by Anav:

I see your problem.
It's a minor misunderstanding.
You need to define your youtube groups as services and then group them under a SERVICE group. and use that group in the LAN to WAN firewall rule I gave you.
(DO not use addresses or hosts to define services-ports)

Whatever you're doing will not work.

I created a new Service Rule named "YouTube"
IP Protocol: TCP
Starting Port: 1
Ending Port: 65535

OK, fine, but when creating your new Firewall Rule, how does it know on which IP ranges to block all those ports (1-65535)? It's not defined anywhere.

In the Add Firewall Rule screen cap, I have configured it as you described, including a YouTube Service Object that includes ports 1 - 65535. Now it must be necessary to select a Source or Destination (a YouTube Address group has been separately defined that includes the desired IP ranges and it can be selected under one of the highlighted drop-down menus). That's what I'm missing ... hard to think, I've had a migraine all day.
--



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to posthaste

Sorry for adding to your migraine.
I was at fault there, getting mixed up thought you were blocking ports.

Okay so same same idea.
Lan to WAN
User any
source any
Destination (you tube address group).
Service - ANY or all etc
Reject
Log

Bottom line change your current rule so it looks as follows
From: LAN
TO: WAN
--
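The thread's two rule shapes, modelled as an added example (not from the thread or from Zyxel): a small first-match evaluator over address objects and zones. It shows why the opening post's rule (source YouTube1 AND destination YouTube1) can never match a LAN client talking to YouTube, while the later LAN-to-WAN rule with the YouTube address group as destination does; the subnet-to-zone mapping and the allow-by-default fallback are assumptions of this model, not the USG's real policy.

```python
import ipaddress

# Address objects as defined in the thread (constructed model, not the USG's own logic).
ADDRESS_OBJECTS = {
    "YouTube1": ipaddress.ip_network("173.194.55.0/24"),
    "YouTube2": ipaddress.ip_network("206.111.0.0/16"),
}
ADDRESS_GROUPS = {"YouTubeGroup": ["YouTube1", "YouTube2"]}
# Assumed zone layout from the thread: LAN1 is 192.168.1.x, LAN2 is 192.168.2.x, rest is WAN.
ZONES = {"LAN1": ipaddress.ip_network("192.168.1.0/24"),
         "LAN2": ipaddress.ip_network("192.168.2.0/24")}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return "WAN"

def in_object(ip, name):
    """'any' matches every address; a group name expands to its member objects."""
    if name == "any":
        return True
    members = ADDRESS_GROUPS.get(name, [name])
    addr = ipaddress.ip_address(ip)
    return any(addr in ADDRESS_OBJECTS[m] for m in members)

def rule_matches(rule, src, dst):
    """All four selectors (from-zone, to-zone, source object, destination object) must match."""
    return ((rule["from"] == "any" or rule["from"] == zone_of(src))
            and (rule["to"] == "any" or rule["to"] == zone_of(dst))
            and in_object(src, rule["src"]) and in_object(dst, rule["dst"]))

def decide(rules, src, dst, default="allow"):
    """First-match evaluation in priority order; unmatched traffic gets the assumed default."""
    for rule in rules:
        if rule_matches(rule, src, dst):
            return rule["access"]
    return default

# Rule from the opening post: both source and destination are YouTube1.
ORIGINAL = [{"from": "any", "to": "any", "src": "YouTube1", "dst": "YouTube1", "access": "reject"}]
# Rule as corrected later in the thread: LAN to WAN, any source, YouTube group as destination.
CORRECTED = [{"from": "LAN1", "to": "WAN", "src": "any", "dst": "YouTubeGroup", "access": "reject"}]

if __name__ == "__main__":
    print(decide(ORIGINAL, "192.168.1.10", "173.194.55.20"))   # allow: no packet is YouTube->YouTube
    print(decide(CORRECTED, "192.168.1.10", "173.194.55.20"))  # reject
    print(decide(CORRECTED, "192.168.2.7", "173.194.55.20"))   # allow: LAN2 is not covered by a LAN1 rule
```

The last case mirrors the later observation that a rule scoped to one LAN zone does not affect clients in another zone.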


posthaste

join:2001-05-20
Champaign, IL

This is what I have now. Look good?


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to posthaste

Yup
If you're still getting through, it's because the tube is using different public IP ranges than you have inserted. You could also try putting in youtube as a word in URL blocking.
I think there is a way to do it from not blocking the whole page.


posthaste

join:2001-05-20
Champaign, IL

It's definitely working now; the log shows all those YouTube IP ranges being blocked. Yay.

Thanks for putting up with me.

But, I've run into another problem. This now-working firewall rule is preventing all my wireless devices from playing back YouTube videos.

My configuration:

An HP ProCurve managed switch is plugged into the USG 200's LAN1 (Port 4). All my wired computers are connected to the switch. In addition, I have a router in bridge mode also connected to the switch. Up till now everything worked perfectly. The wireless devices have Internet connectivity and can playback YT videos without that particular firewall rule enabled to block YT IP ranges. With the rule activated, the wired computers can all playback YT videos just fine, but the wireless devices can't. Deactivate the rule, and the wireless devices then resume playing back YT videos.

Woe is me.

Just as an aside, there may be some wondering why I didn't segregate the wireless network from the wired LAN and plug it into the USG 200's Port 5 (LAN2), for example. The problem is how the router, - an Apple AirPort Extreme - is managed. (Don't laugh, the AirPort Extreme beats the hell out of most of the other consumer brand routers in terms of range, speed, and stability... that's why I bought it over a Linksys, D-Link, Netgear, etc.).

There is no web interface for the AirPort Extreme; you must run the AirPort Utility application (in my case Windows) on a PC to configure/manage it. If I plug the AirPort Extreme into the USG 200's Port 5 (LAN2, 192.168.2.x subnet), then I'm unable to reach / access it from AirPort Utility running on a computer on LAN1 (192.168.1.x subnet). Creating firewall rules to pass all traffic from LAN1 to LAN2 and vice versa didn't work. I don't know... perhaps there's some protocol that Apple uses that isn't being passed when I tried to bridge both LAN1 & LAN2 subnets with firewall rules.

So, anyway, back to my problem, I don't understand why the YouTube firewall rule is working with the wired computers, but blocking the wireless devices from YT video playback (I can still load and browse the site, just no playback ... black screen and endless buffering).
--



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to posthaste

I'm confused; how does anybody get access to YouTube if you have blocked it for all users?

Is the apple device hooked up to the hp procurve or this other bridged router??


posthaste

join:2001-05-20
Champaign, IL

I'm only blocking two IP ranges that are YouTube's caching servers, which are considered to be slow. Block those and YouTube videos come in from a different, faster server (supposedly).

The apple AirPort Extreme is just a regular wireless router that I put in bridge mode to act as an wireless access point.

Just now I plugged the AE into the USG 200's Port5 (LAN2, 192.168.2.x) and it can play YouTube videos. But, I still can't access the AirPort Extreme from a windows PC on LAN1 (192.168.1.x).

Now, if I create a duplicate firewall rule, identical to the one you gave me, except for LAN2 (on which the Apple AirPort Extreme router is acting as a WAP in bridge mode), then the wireless devices are blocked from loading YouTube videos.

That exact same firewall rule on LAN1 DOES NOT BLOCK my wired computers on its subnet from loading YouTube videos.

The solution, I guess, is to just keep the LAN1 firewall rule and delete the one on LAN2 that is preventing playback of YouTube videos on my wireless devices connected to the Apple wireless router.

My main concern has shifted to figuring out a way to get the PC on LAN1 (running the Apple AirPort Utility program) to communicate with the Apple router plugged into the USG 200's Port5 (LAN2).

Any ideas for firewall rules to get ALL traffic to flow in both directions from LAN1 to LAN2?
--



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

Yes, preferable if you don't have separate LANs, but that should be easy.

Just give the Apple device a fixed LAN IP on LAN2.

192.168.2.12 for example.

Now in fwl rules create a LAN1 to (DMZ or LAN2) rule
SOURCE any particular IP or any from LAN1 (I would narrow it down to the PC doing the admin) to 192.168.2.12 address.
ALL services. The one way should work. I don't think you need to make a two-way rule (as you don't want the other LAN accessing your LAN1 resources). Try that and see how it goes.

Ensure you enable logging to see how the attempts are handled at the router.
--



superataru

join:2004-12-07
Kearny, NJ
reply to posthaste

Hi.
Sorry for delay. Low pH?

I saw in your pics you were using any | any | any | any.

In my mind, if traffic will reach clients behind the ZyWALL and will come back to the internet (or is your device filtering public IPs without having LAN/client hosts involved?), in firewall rules you need to set something like this:

From LAN to WAN source=WHATEVERYOULIKE dest=YOUTUBEX deny/reject and/or Services/Ports=Youtube-Services/Ports or what you like.

Just this, no more than to notify device the zone-pair where rule should be applied.

I saw that subsequent pics had this setting.

Sorry to have bored you.