posthaste

join:2001-05-20
Champaign, IL
reply to Anav

Re: ZyWALL USG 200 - Blocking IP Ranges

It's definitely working now; the log shows all those YouTube IP ranges being blocked. Yay.

Thanks for putting up with me.

But, I've run into another problem. This now-working firewall rule is preventing all my wireless devices from playing back YouTube videos.

My configuration:

An HP ProCurve managed switch is plugged into the USG 200's LAN1 (Port 4). All my wired computers are connected to the switch. In addition, I have a router in bridge mode also connected to the switch. Up till now everything worked perfectly. The wireless devices have Internet connectivity and can play back YT videos without that particular firewall rule enabled to block YT IP ranges. With the rule activated, the wired computers can all play back YT videos just fine, but the wireless devices can't. Deactivate the rule, and the wireless devices then resume playing back YT videos.

Woe is me.

Just as an aside, there may be some wondering why I didn't segregate the wireless network from the wired LAN and plug it into the USG 200's Port 5 (LAN2), for example. The problem is how the router (an Apple AirPort Extreme) is managed. (Don't laugh, the AirPort Extreme beats the hell out of most of the other consumer brand routers in terms of range, speed, and stability... that's why I bought it over a Linksys, D-Link, Netgear, etc.)

There is no web interface for the AirPort Extreme; you must run the AirPort Utility application (in my case Windows) on a PC to configure/manage it. If I plug the AirPort Extreme into the USG 200's Port 5 (LAN2, 192.168.2.x subnet), then I'm unable to reach / access it from AirPort Utility running on a computer on LAN1 (192.168.1.x subnet). Creating firewall rules to pass all traffic from LAN1 to LAN2 and vice versa didn't work. I don't know... perhaps there's some protocol that Apple uses that isn't being passed when I tried to bridge both LAN1 & LAN2 subnets with firewall rules.

So, anyway, back to my problem: I don't understand why the YouTube firewall rule is working with the wired computers, but blocking the wireless devices from YT video playback (I can still load and browse the site, just no playback... black screen and endless buffering).
--



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to posthaste

I'm confused: how does anybody get access to YouTube if you have blocked it for all users?

Is the Apple device hooked up to the HP ProCurve or this other bridged router?


posthaste

join:2001-05-20
Champaign, IL

I'm only blocking two IP ranges that are YouTube's caching servers, which are considered to be slow. Block those and YouTube videos come in from a different, faster server (supposedly).

The Apple AirPort Extreme is just a regular wireless router that I put in bridge mode to act as a wireless access point.

Just now I plugged the AE into the USG 200's Port 5 (LAN2, 192.168.2.x) and it can play YouTube videos. But, I still can't access the AirPort Extreme from a Windows PC on LAN1 (192.168.1.x).

Now, if I create a duplicate firewall rule, identical to the one you gave me, except for LAN2 (on which the Apple AirPort Extreme router is acting as a WAP in bridge mode), then the wireless devices are blocked from loading YouTube videos.

That exact same firewall rule on LAN1 DOES NOT BLOCK my wired computers on its subnet from loading YouTube videos.

The solution, I guess, is to just keep the LAN1 firewall rule and delete the one on LAN2 that is preventing playback of YouTube videos on my wireless devices connected to the Apple wireless router.

My main concern has shifted to figuring out a way to get the PC on LAN1 (running the Apple AirPort Utility program) to communicate with the Apple router plugged into the USG 200's Port5 (LAN2).

Any ideas for firewall rules to get ALL traffic to flow in both directions from LAN1 to LAN2?
--



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

Yes, it's preferable if you don't have separate LANs, but that should be easy.

Just give the Apple device a fixed LAN IP on LAN2.

192.168.2.12 for example.

Now in the firewall rules create a LAN1 to (DMZ or LAN2) rule:
SOURCE any particular IP or any from LAN1 (I would narrow it down to the PC doing the admin) to the 192.168.2.12 address.
ALL services. The one-way rule should work. I don't think you need to make a two-way rule (as you don't want the other LAN accessing your LAN1 resources). Try that and see how it goes.

Ensure you enable logging to see how the attempts are handled at the router.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment



superataru

join:2004-12-07
Kearny, NJ
reply to posthaste

Hi.
Sorry for delay. Low pH?

I saw in your pics you were using any | any | any | any.

In my mind, if traffic will reach clients behind the ZyWALL and will come back to the Internet (or is your device filtering public IPs without having LAN/client hosts involved?), in the firewall rules you need to set something like this:

From LAN to WAN source=WHATEVERYOULIKE dest=YOUTUBEX deny/reject and/or Services/Ports=Youtube-Services/Ports or what you like.

Just this, nothing more than telling the device the zone pair where the rule should be applied.

I saw that subsequent pics had this setting.

Sorry to have bored you.
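A small stateful zone-pair model, added here as an illustration (it is not code from the thread, from ZyXEL, or from the USG itself), that plays out both Anav's one-way LAN1-to-LAN2 admin rule and superataru's point that the YouTube block is a LAN-to-WAN zone-pair rule, which is why a rule on the LAN1 pair never touched the LAN2 wireless clients. The admin PC address 192.168.1.50 and the 203.0.113.0/24 "cache" range are constructed placeholders, not values from the thread.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed model of the thread's layout: USG 200 with LAN1 (192.168.1.x),
# LAN2 (192.168.2.x) and WAN. 203.0.113.0/24 is a placeholder for a YouTube
# cache range and 192.168.1.50 an assumed admin PC; neither comes from the thread.
ZONES = {"LAN1": ipaddress.ip_network("192.168.1.0/24"),
         "LAN2": ipaddress.ip_network("192.168.2.0/24")}
ANY = [ipaddress.ip_network("0.0.0.0/0")]
YT_CACHE = [ipaddress.ip_network("203.0.113.0/24")]   # placeholder range

# A rule is bound to a zone pair plus source/destination networks and an action.
Rule = namedtuple("Rule", "from_zone to_zone src dst action")

def zone_of(ip):
    # Map an address to its USG zone; anything outside LAN1/LAN2 is WAN.
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"

RULES = [
    # Anav's one-way rule: admin PC on LAN1 to the AirPort's fixed IP, all services.
    Rule("LAN1", "LAN2", [ipaddress.ip_network("192.168.1.50")],
         [ipaddress.ip_network("192.168.2.12")], "allow"),
    # superataru's point: the YouTube block lives on the LAN1-to-WAN zone pair.
    Rule("LAN1", "WAN", ANY, YT_CACHE, "deny"),
    # Default LAN-to-WAN allows; there is no LAN2-to-LAN1 allow, so that way is dropped.
    Rule("LAN1", "WAN", ANY, ANY, "allow"),
    Rule("LAN2", "WAN", ANY, ANY, "allow"),
]

@dataclass
class Firewall:
    rules: list
    sessions: set = field(default_factory=set)   # (src, dst) pairs already allowed

    def decide(self, src, dst):
        # Stateful, first-match evaluation; traffic matching no rule is denied.
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if (d, s) in self.sessions:          # reply to a flow we already allowed
            return "allow"
        for r in self.rules:
            if (r.from_zone, r.to_zone) == (zone_of(s), zone_of(d)) \
                    and any(s in n for n in r.src) and any(d in n for n in r.dst):
                if r.action == "allow":
                    self.sessions.add((s, d))
                return r.action
        return "deny"
```

Because the firewall is stateful, the AirPort's replies ride the session opened by the admin PC, so no LAN2-to-LAN1 rule is needed, and logging the denies (as Anav suggests) shows which zone pair actually dropped a flow.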