Nintendo WFC traffic only

Discussion in 'NDS - Nintendo Wi-Fi Connection' started by kaymm2, Jul 27, 2006.

  1. kaymm2 (OP)
    I'm trying to set up a little Nintendo WFC hotspot for some of the kids in the area but only want them to be able to use my net connection for Nintendo WFC traffic. I'd like the router to be open as well, without WEP. I don't care that anyone can join because it would be restricted to only allow WFC traffic, so no one should be able to use it for internet/downloading, etc.

    I figure I'd have to block all except certain ports or domains on my router; anyone know where I can look to do this? I know a hotspot provider, FatPort, in my area does this because they allow WFC traffic through for free, but in order to use your laptop for internet browsing/email/etc., you have to buy credits and log in.

    Thanks.
     
  2. bryehn
    Fatport is actually who does Nintendo's hotspots in Canada.

    It all depends on your router as to what you need to do. I'm really not sure how you could filter it though. Each DS would have its own MAC/IP on your network, I know that much. And I tried leaving my router wide open to test that program that allows you to control your PC with your DS. 2 hours later, I had every wireless device in the neighborhood listed as DHCP clients. Maybe it's my meds talking, but I really can't think of a way to restrict it to DS traffic only.
     
  3. Glacius0
    Only way I can think of is setting it to allow the MAC addresses of the DS users you want to give access to your network. That would require every kid to give you their DS MAC address though, and would be a bit of a hassle.
     
  4. kaymm2 (OP)
    I don't want MAC filtering though. Plus, they would be able to use their laptops/PCs to connect to my router and use it for regular internet usage. I want it open for WFC only. So if they associate to my router without a DS (with a computer), they can't go anywhere.

    I'm really interested in how Fatport did it. Their AP is open, in that anyone can associate to it; however, you are brought to the fatport.com website every time you try to go somewhere. It's a captive portal. When you log in to get authenticated, it lets you go wherever you want. However, WFC traffic is unrestricted. No login is necessary, just associate and play.

    I'm thinking Fatport knows the exact servers/IPs/ports that WFC needs and opened them. But I don't have access to that info.
     
  5. djprotoss
    Presumably you are setting out with something in place that can set up traffic filters. This could be a wireless access point running Linux (Linksys WRT54Gs are very good for this), or you are putting a firewall box between the WAP and your modem. The reason for me saying this is that few off-the-shelf WAPs/modems have sufficient flexibility to do what you want.

    Now, I can think of three different ways you could attempt to do this. In order of increasing difficulty and likely effectiveness, they are:

    1. Partial MAC address filtering - chips from the same manufacturer tend to have similar MAC addresses (especially the higher bits), whilst chips from different ones will tend to have wildly different addresses. You could check the MACs on a handful of DSes to determine if this is the case, and if so set a bitmask to only allow packets that match the mask. If the DSes' MACs are clustered like that, then this should work pretty well. The downside is that if there is a batch of DSes made with a different chip, then they would be blocked, and that if someone figured it out then they could get around the restriction by changing their MAC address.
    This has the feature of being the only technique from my list that would allow use of the Opera browser on the DS (whether that is good or bad I don't know).

    2. IP address filtering - set up packet logging on your firewall box, connect to WFC and then look at the ports and IPs it connects to. On the plus side it's pretty easy to do, but the downside is you need to be careful that you don't over-filter (tip: once you have an IP, look up what size block it belongs to and allow the block).

    3. Layer 7 filtering - this refers to OSI model layer 7, the application layer. The only implementation I am aware of is l7proto for iptables, but it does work rather well: effectively it does stateful regexps on the packet headers to classify the application that generated the packets. If there is a classifier available, this should be a simple drop-in and go; however, it's quite possible that you will only be able to find a stub implementation and need to write your own. An alternative is to use l7 filters to block P2P, FTP, email, IRC, messaging, Usenet and web traffic (that should block out most everybody else).

    Hope that gives you a few ideas.
     
  6. kaymm2 (OP)
    Thanks, that gives me some ideas. I have a WRT54G with a Linux distro firmware on it, OpenWrt. I guess I have to run Ethereal to find out all the ports and IPs it's using and then use the built-in iptables to restrict.
     
  7. kaymm2 (OP)
    I need some ideas for packet sniffing. Do you think it would be easier to use Kismet to capture the data that my DS sends through the air and then use Ethereal to analyze it?
     
  8. Kossan
    My DS only accesses:

    [ALLOW: conntest.nintendowifi.net] Source: 192.168.1.3 Friday, 28 Jul 2006 17:16:26
    [ALLOW: gamestats.gs.nintendowifi.net] Source: 192.168.1.3 Friday, 28 Jul 2006 17:16:41

    What I can see from my router, while playing Tetris.
    What if you allow access to those from all IPs?
     
  9. nl255
    You do know how easy it is for someone to change their MAC address, right? I can do it on my laptop as easily as typing 'ifconfig eth1 HW DE:AD:BE:EF:DE:AD' and I doubt it is much harder on Windows.
     
  10. Kossan

    The hard thing is to know what MAC addresses are allowed.
     
  11. nl255
    Just use a MAC address vendor finder to see what MAC address ranges are for Nintendo (there are only two).
     
  12. Cyan
    When using PeerGuardian I cannot connect to WFC.
    I had to allow some IPs from the GameSpy server (PeerGuardian said they were GameSpy range IPs).
    The range may not be complete, as those are only the IPs that were blocked; there may be more or fewer IPs needed, I don't know.

    I had to allow 2 ranges:
    207.38.8.16 - 207.38.8.27
    207.38.11.11 - 207.38.11.49


    The most common IPs and ports are:
    207.38.11.34 : 27900 and 29900
    81.49.402.102 : 59832


    You will have to allow the provider's DNS IP too.
    Mine are on port 53, I don't know if it's the same for everyone.

    And the Nintendo authentication servers, I think:
    192.195.204.40:443
    192.195.204.216:80
    205.166.76.177:80
     
  13. vinsm
    Sorry to get off topic but what programme is this and does it work ok?
     
  14. djprotoss
    heh, well I did say it was the least effective of all the methods...

    Still, you can always combine it with one of the other methods for increased security (no, it won't keep a determined hacker out; but then again, the only really secure option when dealing with one of those is to run an IPsec or similar based VPN over the top of your wireless, and I know some people who say the only properly secure way of doing wireless is to use wires). The point is that you can't fully lock down your network; you just do what you can, and hope you make yourself a sufficiently unappealing target that you get left alone.
     
  15. Peter Hacke
    Hi!

    These are the Nintendo WFC IP ranges:
    WIFI_RANGE_1="205.166.76.0/255.255.255.0"
    WIFI_RANGE_2="192.195.204.0/255.255.255.0"

    Nintendo installs/adds new WFC servers frequently. I know, because at first I only had 1 server in the list and after about 3 weeks WFC connection failure messages came up upon connecting to WFC.

    The other question was which ports are used by WFC. I've been a bit lazy trying to figure them out, so I simply blocked all "important" ports like SMB, SSH, HTTP, HTTPS, FTP, etc. It's a small list of ports/port ranges and eventually the wifi connection is pretty much useless for "normal" internet usage. I did a tcpdump check some time ago and as far as I can remember the default protocol for data transfer was UDP and the ports which showed up were way above 40,000. So it might even be safe to say BLOCK ALL, but >45,000 & PROT=UDP.

    I've also added MAC and IP checks, but as you stated before that's not an option.

    Some games also connect to GameSpy for whatever reason. The only GameSpy server I could find in my logs was: 207.38.11.49

    ...hope I could help you a bit

    Game on
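    The "IP address filtering" approach from post 5, built from the ranges and ports quoted in posts 12 and 15, as an added example that is not code from anyone in this thread: a deny-by-default policy check plus the equivalent iptables FORWARD rules for an OpenWrt router. The resolver address and the `br-lan` interface name are placeholders, the ranges are what the posters observed rather than a verified Nintendo list, and the ">45,000 UDP" heuristic is additionally confined to those ranges rather than applied to all destinations.

```python
import ipaddress

# Allowlist assembled from the ranges and ports quoted in this thread
# (posts 8, 12 and 15). They are what the posters observed, not an
# authoritative list of Nintendo WFC endpoints.
WFC_NETS = [
    ipaddress.ip_network("205.166.76.0/24"),    # WIFI_RANGE_1
    ipaddress.ip_network("192.195.204.0/24"),   # WIFI_RANGE_2
]
# The GameSpy ranges were given as first-last pairs; expand to CIDR blocks.
for first, last in [("207.38.8.16", "207.38.8.27"), ("207.38.11.11", "207.38.11.49")]:
    WFC_NETS += ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))

RESOLVER = ipaddress.ip_address("192.0.2.53")   # placeholder for your ISP's DNS server
TCP_PORTS = {80, 443, 27900, 29900}             # auth servers and GameSpy (post 12)
UDP_PORTS = {27900, 29900}
HIGH_UDP_MIN = 45000                            # the ">45,000 & UDP" heuristic (post 15)

def allowed(proto, dst_ip, dst_port):
    """Return True if a client packet should be forwarded out to the Internet."""
    ip = ipaddress.ip_address(dst_ip)
    if proto == "udp" and ip == RESOLVER and dst_port == 53:
        return True                              # DNS, but only to our own resolver
    if not any(ip in net for net in WFC_NETS):
        return False                             # anything outside the WFC ranges
    if proto == "tcp":
        return dst_port in TCP_PORTS
    if proto == "udp":
        return dst_port in UDP_PORTS or dst_port >= HIGH_UDP_MIN
    return False                                 # no ICMP, GRE, etc.

def iptables_rules(lan_if="br-lan"):
    """Render the same policy as iptables FORWARD rules for an OpenWrt router."""
    rules = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
             f"iptables -A FORWARD -i {lan_if} -p udp -d {RESOLVER} --dport 53 -j ACCEPT"]
    udp_list = ",".join(str(p) for p in sorted(UDP_PORTS))
    for net in WFC_NETS:
        for port in sorted(TCP_PORTS):
            rules.append(f"iptables -A FORWARD -i {lan_if} -p tcp -d {net} --dport {port} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -i {lan_if} -p udp -d {net} -m multiport --dports {udp_list} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -i {lan_if} -p udp -d {net} --dport {HIGH_UDP_MIN}:65535 -j ACCEPT")
    return rules
```

    Because the policy keys on destination address and port only, a laptop on the same SSID is limited to exactly the same endpoints as a DS, which is the behaviour the OP asked for and also why MAC spoofing (post 9) does not widen it.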
     
  16. Kaphis
    so ...um O.o..what is it? XD I tried to read through most of it but is there a summary..what is the IP address that has to be allowed?~..and another thing is....if I have a laptop that I use on the same wireless network...would that still work?