Running PA on a network behind a firewall?

Discussion in 'Support!' started by jeez, August 26, 2014.

  1. jeez

    jeez Member

    Messages:
    32
    Likes Received:
    30
    I recently moved, and am stuck using a network that is behind a firewall that has ports closed off, preventing me to connect to a game.
    Opening up any ports whatsoever is a no-go, as is any access to the firewall or router.
    I can run the Uber launcher, connect to the servers that way, I get a list of open games, but actually starting a game (mp or versus AI) freezes the program for a while and then gives me a message stating "Connection to server failed"

    Is there any workaround? Or is my favorite game of all time closed off until I move again so I can set up my own damn network again?

    I'd appreciate any help
  2. SXX

    SXX Post Master General

    Messages:
    6,896
    Likes Received:
    1,812
    PA don't open any ports on client-side. Even when you play versus AI game still hosted on remote server so you don't have to open any ports on your side.

    Though to work successfully game need ability to connect TCP ports in 9000-9050 range.

    VPN
    jeez likes this.
  3. jeez

    jeez Member

    Messages:
    32
    Likes Received:
    30
    I'm a bit fuzzy on what tcp and udp ports are exactly, and how they don't need to be open in the firewall but you can still connect to those ports on a server.
    That aside, I found this thread:
    http://steamcommunity.com/app/233250/discussions/2/558749824546560141/
    I can open this link (mentioned in the thread) https://uberent.com/user/linksteam

    It opens a page without any graphics, and lists what steam account is linked to my UberNet account.

    The thing is, I also can't connect to other games (tried Battlefield Bad Company 2, quake live, Steam client).
    I know my PC is set up correctly, I simply moved it to a new location. In my old location it worked fine and dandy, but that was just a simple network with only one modem/router, 1 pc and 1 NAS.

    This network is a lot more complicated. All I know about it is that the main line is split up into a business network and a guest network. I am however lucky that I have a wired connection.

    If I know the admin well enough, then he has denied connections to every single port apart from the ones he knows he actually uses.

    Am I correct in thinking that a VPN like VyprVPN could tunnel any and all online gaming data over a secured line?
    My best bet to work this out is to provide the admin with a solution that doesn't jeopardize the security of his network (overly protective person, imho).
  4. exterminans

    exterminans Post Master General

    Messages:
    1,881
    Likes Received:
    986
    No, it looks like he blocked outgoing connections to unknown destination ports. That's a really weird way to manage a network intended for personal use.

    VPN won't help you. You won't even be able to establish a connection to the VPN server since he is blocking that too.

    There is no way any of us could help you. Only your network admin can lift these unreasonable restrictions.
    jeez likes this.
  5. SXX

    SXX Post Master General

    Messages:
    6,896
    Likes Received:
    1,812
    This mean your firewall drop connections to many UDP and TCP ports.

    Correct, but it's going to increase latency. Though for PA it's not that important.
    Also keep in mind that PA need 2Mbps download speed to work properly so VPN should be fast enough.

    There is many VPN services that have servers working on 443 TCP port and with such server it's going to work just fine because there is no way admin of network banned SSL bandwidth.

    PS: There is some extremely low chance that firewall have protocol filtering, but mostly nobody using such solutions.
    jeez likes this.
  6. exterminans

    exterminans Post Master General

    Messages:
    1,881
    Likes Received:
    986
    That means the admin is also blocking IP ranges, not only remote ports. In this case the Cloudfront network (where the background image is hosted) is also blocked.

    Don't you think that the admin will then also have known VPN gateways blocked?
    jeez likes this.
  7. SXX

    SXX Post Master General

    Messages:
    6,896
    Likes Received:
    1,812
    Do you seriously think anyone banning Amazon EC2 network for example? :eek:
    Most of VPN services use cloud servers especially for IP rotation.
    jeez likes this.
  8. exterminans

    exterminans Post Master General

    Messages:
    1,881
    Likes Received:
    986
    Yes. And you listed also the reason why.
    jeez likes this.
  9. SXX

    SXX Post Master General

    Messages:
    6,896
    Likes Received:
    1,812
    Not in OP case anyway because this forum and Uber website hosted on EC2.
    Protocol filtering it's more likely to see, but still isn't used ofen.
    jeez likes this.
  10. Clopse

    Clopse Post Master General

    Messages:
    2,535
    Likes Received:
    2,865
    Have you tried a port sniffer/scanner to be 100% he is blocking ports.

    Long shot but connect to the router and try the default admin/ password for it. Many people forget to change these as it's only possible when already connected to the network.
    jeez likes this.
  11. exterminans

    exterminans Post Master General

    Messages:
    1,881
    Likes Received:
    986
    Cloudfront is blocked nonetheless, even though blocking the entire IP range seems unlikely. Possibly a probe request is made on the base directory for the vHost, so if https://d166gm1pjiynxy.cloudfront.net/ failed to return a status 200, the IPS system assumed a malware domain.

    So if VPN was desired, it had to be on a non-blocked port and the same port had probably to respond well formed to a regular http/https request.

    Protocol filter is rather unlikely, there is no way of telling what is actually going on inside a TLS tunnel. The IPS can only see the DNS request, the handshake, destination IP and port.
    jeez likes this.
  12. jeez

    jeez Member

    Messages:
    32
    Likes Received:
    30
    I know. Overly concerned person about internet threats. I very much would expect him to do it that way. Close everything off, and then open up only that what you need so that you don't have any back doors.

    I might be able to persuade him to get a VPN connection for myself, since he does use them to log in at work.

    Unreasonable is correct. However, he is open to valid arguments, as long as safety of the network is pretty much guaranteed.


    Correct.

    Speed won't be an issue, it's 100Mb/s both up and down. I'll make sure to get a VPN targeted at gaming (if I actually end up needing one). Latency would be a bummer, but BC2 has lost most of it's value for me because there are barely any worthy opponents anymore. PA is where my mind is getting the challenge (and fun) it needs :)

    I'll find a moment when he's in a good mood to discuss the matter. I hope I can argue that the safety of the network won't be an issue when I'm gaming over VPN.

    I expect him to use any and every filtering method known to man. Even Whatsapp messages on my phone are delayed up to four hours on this network.


    Have not tried a port sniffer (don't think he'd appreciate me using one of those, simply because of the name itself, and would only generate trust issues at this point.)
    Default passwords and user names get changed practically when the router isn't even out of the packaging yet :p

    Thanks for all the quick replies guys! Wasn't expecting it on such a complex (many variables) issue.
    I guess I'll frequent these forums more often, put something back in the community :)
  13. jeez

    jeez Member

    Messages:
    32
    Likes Received:
    30
    Just had a chat with the admin. All ports are blocked apart from the ones actually needed, and there will be no opening of ports whatsoever.
    Also, VPN is out of the question because even though there is a 100Mbit line, he fears that the QoS will suffer. This he based on the fact that the VPN connection he uses to remote desktop a few streets away is maxing out at 6Mbit (couldn't get him to explain how this was relevant, but the general thought was that the extra layer on top of the data would choke the rare open ports available).

    It seems that online gaming has been pulled right from under my feet, and I'm at a loss on how to deal with this. It has been the major part in my social life, my hobby, passion and method of venting steam when I needed to. I don't even want to think about the fact that this dry spell is going to last years
  14. exterminans

    exterminans Post Master General

    Messages:
    1,881
    Likes Received:
    986
    Well, you could always switch to a different ISP, your landlord can't deny you that.
  15. cola_colin

    cola_colin Moderator Alumni

    Messages:
    12,074
    Likes Received:
    16,221
    If you can't change the ISP, maybe you can rent some little virtual server and setup your own VPN over some port that has to be free? That has to be possible as ports like 443 have to be open and there have to be hosting providers that are not blocked and can be reached with 100mbit/s
    That would be what I'd try.
    jeez likes this.
  16. jeez

    jeez Member

    Messages:
    32
    Likes Received:
    30
    Changing ISP can't happen. There's one line (glass fiber) and one person maintaining the network. Getting a second line put in is going to take council work and such, and I'm no rich man.
    A VPN would be a solution, or at least I could try, but as I mentioned before: hard to reason with the man, and doing it without his consent would end in problems I don't feel like dealing with.
    I guess I'll have to appeal to some sympathy, but my attempt today was not well received.
    For now, I'll stick to watching matches via youtube, figure out unbeatable strats and come back to the game ready to kick *** :)
    For now, this will be my football on TV, I guess :p
  17. cola_colin

    cola_colin Moderator Alumni

    Messages:
    12,074
    Likes Received:
    16,221
    If you don't touch the firewall settings and work around his "security" I can't see how that would create problems. Though situation... I'd do everything I technically can do get around it. If the man is insane enough to detect it and trouble me for circumventing his stupidity I'd try to leave the place altogether. A place without fully usable internet .... might as well turn of the power and water as well.
    jeez and Planktum like this.
  18. Planktum

    Planktum Post Master General

    Messages:
    1,060
    Likes Received:
    510
    @jeez

    Colin is right. I'd try to find a VPN service provider that offers connections over ports already open in your firewall (443). It's not hard to do so there must be providers who cater to customers in the same situation as you.

    http://www.vpntutorials.com/tutorials/openvpn-sharing-a-port-with-a-webserver-on-port-80-443/

    QoS won't suffer in any way at all. You will be sending packets over port 443 just like any other user using port 443 for normal web browsing. This is just for normal layer 3 routing purposes and is no different to any other packets going to any other web server. It just happens that the server you are communicating with is listening on port 443 for a different layer 3 protocol. All the network admin will see on the router (if he actually has something like Wireshark setup with port mirroring, which I very much doubt he would) is traffic going to port 443.

    I work for an ISP and have my CCNA and MCITP and believe me, this network admin guy thinks he is smarter than he actually is. I've come across people like him and half the time they don't even have a valid reason for the things they are doing and the explanations they give you have no grounding in reality.
    Last edited: August 27, 2014
    jeez likes this.
  19. Planktum

    Planktum Post Master General

    Messages:
    1,060
    Likes Received:
    510
    @jeez

    Try this....
    http://freesstpvpn.com/

    Or this...
    https://airvpn.org/whyus/

    The network admin guy won't know you are using these services and even if he did then it's up to him as the network admin to block this at the network/router level. You can never fully control your users and that's why there are network control methodologies. If there is no way to block your VPN connection at the router level then there is no explanation he can give you for why you shouldn't be doing it.

    We are taking about an established outbound connection between your computer and the VPN provider. There is no security risk there, otherwise public networks wouldn't allow you to connect to VPNs and this would go against the very reason for why VPNs exist. Its a Virtual "Private" Network which goes over an open/public network. And once again the router doesn't have to do anything fancy with this traffic as it's just a normal packet like any other going over port 443 which will have the same QoS priority as normal web traffic.
    Last edited: August 27, 2014
    jeez likes this.
  20. jeez

    jeez Member

    Messages:
    32
    Likes Received:
    30
    Unfortunately, while this issue primarily exists because of a disproportional fear of anything connected to the internet compromising the network or data within that network, there is also the lack of trust which is a problem. If I were to circumvent his precautions against his wishes or without his knowledge, and he were to find out that I went and did it my way anyway, I'd have a bigger problem than not being able to play online games (or use other software like Winamp Remote on my phone).

    I'm saving all these links, however. When I find the right way to explain what it is I want, why I want it and how his network and QoS are not in jeopardy (and for that matter, neither are my health, my mind, my money and my time wasted. Yes, those were also arguments used), I can set things up easily and safely.

    Thanks, I really appreciate the background info!
    One question though, as I'm not yet quite sure I understand what a VPN actually brings to the table (safety-wise).
    If I were to go online over VPN, all my data is encrypted and tunneled over one port to a server. From that server on, the data gets decrypted and sent to the destinations and ports it is intended for.
    How is this safer than directly connecting to the destination and port intended? Couldn't a virus or hacker piggyback through the VPN?
    Last edited: August 31, 2014

Share This Page