Hi there,
I set up a game server to be used anywhere but I have been bombarded non-stop. Is there a way to block evil access and let gamers use it?
I've seen some Firehol address lists but unfortunately Mk can't accept more than 64KB.
What I've been doing is torching them, and analyzing one by one on www.proxydocker.com to see if they're contaminated and if so, I put them in a blacklist.
The port is TCP 11451.
Re: Firewalling Game Server?
Is it a standard gaming port, or a common port for something else??
What you can do is
a. change your incoming port dyndns.name.url:56432 for example
action=dst-nat chain=dstnat in-interface-list=WAN protocol=tcp dst-port=56432 to-addresses=IPgameserver to-ports=11451 (or whatever the port needs to be on teh game server itself).
That way you make the port non-standard to gain entry.
Further what would really help is creating a source address list for all your friends.
If they have static IPs that is best or if they have dnydns names that resolve to their wanip
/ip firewall address list
add address=fixedwanip list=gamingfriends
add address=fixedwanip list=gamingfriends
add address=dyndnsname list=gaming friends.
action=dst-nat chain=dstnat in-interface-list=WAN src-address-list=gamingfriends protocol=tcp dst-port=56432 to-addresses=IPgameserver to-ports=11451 (or whatever the port needs to be on teh game server itself).
Finally I would put the game server on its own vlan with only internet access allowed.
You can post your config if desired
/export hide-sensitive file=anynameyouwish
What you can do is
a. change your incoming port dyndns.name.url:56432 for example
action=dst-nat chain=dstnat in-interface-list=WAN protocol=tcp dst-port=56432 to-addresses=IPgameserver to-ports=11451 (or whatever the port needs to be on teh game server itself).
That way you make the port non-standard to gain entry.
Further what would really help is creating a source address list for all your friends.
If they have static IPs that is best or if they have dnydns names that resolve to their wanip
/ip firewall address list
add address=fixedwanip list=gamingfriends
add address=fixedwanip list=gamingfriends
add address=dyndnsname list=gaming friends.
action=dst-nat chain=dstnat in-interface-list=WAN src-address-list=gamingfriends protocol=tcp dst-port=56432 to-addresses=IPgameserver to-ports=11451 (or whatever the port needs to be on teh game server itself).
Finally I would put the game server on its own vlan with only internet access allowed.
You can post your config if desired
/export hide-sensitive file=anynameyouwish
Re: Firewalling Game Server?
Is it a standard gaming port, or a common port for something else??
What you can do is
a. change your incoming port dyndns.name.url:56432 for example
action=dst-nat chain=dstnat in-interface-list=WAN protocol=tcp dst-port=56432 to-addresses=IPgameserver to-ports=11451 (or whatever the port needs to be on teh game server itself).
That way you make the port non-standard to gain entry.
Further what would really help is creating a source address list for all your friends.
If they have static IPs that is best or if they have dnydns names that resolve to their wanip
/ip firewall address list
add address=fixedwanip list=gamingfriends
add address=fixedwanip list=gamingfriends
add address=dyndnsname list=gaming friends.
action=dst-nat chain=dstnat in-interface-list=WAN src-address-list=gamingfriends protocol=tcp dst-port=56432 to-addresses=IPgameserver to-ports=11451 (or whatever the port needs to be on teh game server itself).
Finally I would put the game server on its own vlan with only internet access allowed.
You can post your config if desired
/export hide-sensitive file=anynameyouwish
Thanks for the advise. The server is a non-standard port recommended by https://github.com/spacemeowx2/switch-lan-play in order to make people connect through a socket. So, I understand that the server a client must match and I'm not sure if by doing as you recommend
Code: Select all
action=dst-nat chain=dstnat in-interface-list=WAN protocol=tcp dst-port=56432 to-addresses=IPgameserver to-ports=11451 (or whatever the port needs to be on the game server itself).The server is opened for for the world but focusing mostly in various neighboring countries (for the topic of latency), so it is complex to determine who is going to be connecting.
What I tried to do is to send devices connecting to 11451 to a blacklist but those who are not from coming from ports 80,443,11451 in order to isolate the real gamers from the attackers (because clients should connect by 11451 only or any other given one), but I noted that http://www.lan-play.com which is the status page for the servers, had my "uptime" getting down.
I think the webpage uses an API for measuring the responses in order to make a % ratio but due to the isolation of incoming ports, it is hard to determine which ones are being used by the API and thus, the false positive counting.
In the case of VLAN, I don't know if it is possible because I'm using a Pi and that Pi is serving DNS, so both have the same IP address.
Any other ideas?
Re: Firewalling Game Server?
One of my clients operates a gaming kiosk in Los Angeles that uses MOAB .... they have 26 gaming stations ..... The Router they use is a MikroTik PowerRouter732 ....
the LA operation since using MOAB they have zero issues .... before MOAB they has many attacks .... they have been using MOAB now for 14 months.
If your MikroTik Router Qualifies to run MOAB .... a 10 day free Trial is available so you can see for yourself.
If you are interested check my sig
the LA operation since using MOAB they have zero issues .... before MOAB they has many attacks .... they have been using MOAB now for 14 months.
If your MikroTik Router Qualifies to run MOAB .... a 10 day free Trial is available so you can see for yourself.
If you are interested check my sig
Re: Firewalling Game Server?
Hi Mozerd,
Out of curiousity what is the load on the router in that gaming situation.
More precisely does it burn up throughput so like instead of 50mpbs down, one gets 45Mbps down??
Out of curiousity what is the load on the router in that gaming situation.
More precisely does it burn up throughput so like instead of 50mpbs down, one gets 45Mbps down??
Re: Firewalling Game Server?
I appreciate the offer but right now, I am offering the server to the gaming community for free and can't afford extra expenses for this regard.One of my clients operates a gaming kiosk in Los Angeles that uses MOAB .... they have 26 gaming stations ..... The Router they use is a MikroTik PowerRouter732 ....
the LA operation since using MOAB they have zero issues .... before MOAB they has many attacks .... they have been using MOAB now for 14 months.
If your MikroTik Router Qualifies to run MOAB .... a 10 day free Trial is available so you can see for yourself.
If you are interested check my sig
I have a simple blacklist but due to the Mk limit, it is not feasible.
Re: Firewalling Game Server?
It all depends on the MikroTik Router Model .... in my prerequisites web page the following is stated:Hi Mozerd,
Out of curiousity what is the load on the router in that gaming situation.
More precisely does it burn up throughput so like instead of 50mpbs down, one gets 45Mbps down??
The above is a general statement .... if the firewall is efficient the performance is outstanding .... if the firewall is inefficient the performance can be poor ... Taking advantage of the Free Trial Period tells all on the configuration being used.Performance Hit on throughput: Regardless of which MikroTik Model that qualifies for the MOAB Blacklist Service PERFORMANCE will be excellent. Using MOAB the Bandwidth Performance hit on MikroTik Routers memory constrained models like the hEX is 12% and for the hAP ac 2 is 9% while 3% on amply provisioned MikroTik Routers containing CPU 1 GHz and minimum of 1GB of RAM.
Re: Firewalling Game Server?
I tried this one by changing the dst port (11450 > 11451) but botnets keep hitting the new one (11450) and therefore raising the CPU. What's the purpose of NATting like this?Is it a standard gaming port, or a common port for something else??
What you can do is
a. change your incoming port dyndns.name.url:56432 for example
action=dst-nat chain=dstnat in-interface-list=WAN protocol=tcp dst-port=56432 to-addresses=IPgameserver to-ports=11451 (or whatever the port needs to be on teh game server itself).
That way you make the port non-standard to gain entry.
Code: Select all
add action=dst-nat chain=dstnat comment=\
"Game Server" dst-port=11450 \
in-interface=WAN1 protocol=tcp src-address-list=!blacklist to-addresses=\
10.10.10.5 to-ports=11451
Re: Firewalling Game Server?
If server (with FQDN/IP and port number) is advertised on some gamers' site, then it will get hammered regardless the port ... because gamers' sites are welcome information source for (wannabe) hackers. Changing port number only works if knowledge about that port is not public.
Re: Firewalling Game Server?
That makes sense.If server (with FQDN/IP and port number) is advertised on some gamers' site, then it will get hammered regardless the port ... because gamers' sites are welcome information source for (wannabe) hackers. Changing port number only works if knowledge about that port is not public.