Nintendo WFC traffic only

Discussion in 'NDS - Nintendo Wi-Fi Connection' started by kaymm2, Jul 27, 2006.

Nintendo WFC traffic only by kaymm2 at 3:16 PM (2,232 Views / 0 Likes) 15 replies

  1. kaymm2
    OP

    Newcomer kaymm2 Advanced Member

    Joined:
    Oct 2, 2005
    Messages:
    52
    Country:
    Canada
    I'm trying to set up a little Nintendo WFC hotspot for some of the kids in the area but only want them to be able to use my net connection for Nintendo WFC traffic only. I'd like to make the router be open as well without WEP. I don't care that anyone can join because it would be restricted to only allow WFC traffic. So no one should be able to use it for internet/downloading, etc.

    I figure I'd have to block all except certain ports or domains on my router, anyone know where I can look to do this? I know a hotspot provider, FatPort, in my area does this because they allow WFC traffic through for free but in order to use your laptop for internet browsing/email/etc., you have to buy credits and log in.

    Thanks.
     
  2. bryehn

    Member bryehn GBAtemp Advanced Fan

    Joined:
    Oct 26, 2004
    Messages:
    861
    Country:
    Canada
    Fatport is actually who does Nintendo's hotspots in Canada.

    It all depends on your router as to what you need to do. I'm really not sure how you could filter it though. Each DS would have its own MAC/IP on your network, I know that much. And I tried leaving my router wide open to test that program that allows you to control your PC with your DS. 2 hours later, I had every wireless device in the neighborhood listed as DHCP clients. Maybe it's my meds talking, but I really can't think of a way to restrict it to DS traffic only.
     
  3. Glacius0

    Member Glacius0 GBAtemp Advanced Fan

    Joined:
    Nov 27, 2005
    Messages:
    604
    Location:
    The Netherlands
    Country:
    Netherlands
    Only way I can think of is setting it to allow the MAC addresses of the DS users you want to give access to your network. That would require every kid to give you their DS MAC address though and would be a bit of a hassle.
     
  4. kaymm2
    OP

    Newcomer kaymm2 Advanced Member

    Joined:
    Oct 2, 2005
    Messages:
    52
    Country:
    Canada
    I don't want MAC filtering though. Plus, they would be able to use their laptops/PCs to connect to my router and use it for regular internet usage. I want it open for WFC only. So if they associate to my router without a DS (a computer), they can't go anywhere.

    I'm really interested in how Fatport did it. Their AP is open, in that anyone can associate to it, however you are brought to the fatport.com website every time you try to go somewhere. It's a captive portal. When you log in to get authenticated, it lets you go wherever you want. However, WFC traffic is unrestricted. No login is necessary, just associate and play.

    I'm thinking Fatport knows the exact servers/IPs/ports that WFC needs and opened them. But I don't have access to that info.
     
  5. djprotoss

    Newcomer djprotoss Member

    Joined:
    Jul 5, 2006
    Messages:
    10
    Country:
    United Kingdom
    Presumably you are setting out with something in place that can set up traffic filters. This could be a wireless access point running Linux (Linksys WRT54Gs are very good for this), or you are putting a firewall box between the WAP and your modem. The reason for me saying this is that few off-the-shelf WAPs/modems have sufficient flexibility to do what you want.

    Now, I can think of three different ways you could attempt to do this. In order of increasing difficulty and likely effectiveness, they are:

    1. Partial MAC address filtering - chips from the same manufacturer tend to have similar MAC addresses (especially the higher bits), whilst chips from different ones will tend to have wildly different addresses. You could check the MACs on a handful of DSs to determine if this is the case, and if so set a bit mask to only allow packets that match the mask. If the DSs' MACs are clustered like that, then this should work pretty well. The downside is if there is a batch of DSs made with a different chip, then they would be blocked, and that if someone figured it out then they could get around the restriction by changing their MAC address.
    This has the feature of being the only technique from my list that would allow use of the Opera browser on the DS (whether that is good or bad I don't know).


    2. IP address filtering - set up packet logging on your firewall box, connect to WFC and then look at the ports and IPs it connects to. On the plus side it's pretty easy to do, but the downside is you need to be careful that you don't over-filter (tip: once you have an IP, look up what size block it belongs to and allow the block).

    3. Layer 7 filtering - this refers to OSI model layer 7, the application layer. The only implementation of this I am aware of is l7proto for iptables, but it does work rather well - effectively it does stateful regexps on the packet headers to classify the application that generated the packets. If there is a classifier available, this should be a simple drop in and go, however it's quite possible that you will only be able to find a stub implementation and need to write your own. An alternative is to use l7 filters to block p2p, ftp, email, irc, messaging, usenet and web traffic (that should block out most everybody else).

    Hope that gives you a few ideas.
     
  6. kaymm2
    OP

    Newcomer kaymm2 Advanced Member

    Joined:
    Oct 2, 2005
    Messages:
    52
    Country:
    Canada
    Thanks, that gives me some ideas. I have a WRT54G with a Linux distro firmware on it, OpenWrt. I guess I have to run Ethereal to find out all the ports and IPs it's using and then use the built-in iptables to restrict.
     
  7. kaymm2
    OP

    Newcomer kaymm2 Advanced Member

    Joined:
    Oct 2, 2005
    Messages:
    52
    Country:
    Canada
    I need some ideas for packet sniffing. Do you think it would be easier to use Kismet and capture the data that my DS sends through the air and then use Ethereal to analyze it?
     
  8. Kossan

    Newcomer Kossan Member

    Joined:
    Jun 19, 2005
    Messages:
    15
    Location:
    Sweden
    Country:
    Sweden
    My DS only accessed

    [ALLOW: conntest.nintendowifi.net] Source: 192.168.1.3 Friday, 28 Jul 2006 17:16:26
    [ALLOW: gamestats.gs.nintendowifi.net] Source: 192.168.1.3 Friday, 28 Jul 2006 17:16:41

    That is what I can see from my router while playing Tetris.
    What if you allow access to those from all IPs?
     
  9. nl255

    Member nl255 GBAtemp Advanced Maniac

    Joined:
    Apr 9, 2004
    Messages:
    1,998
    Country:
    You do know how easy it is for someone to change their MAC address, right? I can do it on my laptop as easily as typing 'ifconfig eth1 hw ether DE:AD:BE:EF:DE:AD' and I doubt it is much harder on Windows.
     
  10. Kossan

    Newcomer Kossan Member

    Joined:
    Jun 19, 2005
    Messages:
    15
    Location:
    Sweden
    Country:
    Sweden

    The hard thing is to know what MAC addresses are allowed.
     
  11. nl255

    Member nl255 GBAtemp Advanced Maniac

    Joined:
    Apr 9, 2004
    Messages:
    1,998
    Country:
    Just use a MAC address vendor finder to see what MAC address ranges are for Nintendo (there are only two).
     
  12. Cyan

    Global Moderator Cyan GBATemp's lurking knight

    Joined:
    Oct 27, 2002
    Messages:
    16,455
    Location:
    Engine room, learning
    Country:
    France
    When using PeerGuardian I cannot connect to WFC.
    I had to allow some IPs from the GameSpy server (PeerGuardian said they were GameSpy range IPs).
    The range may not be complete as these are only the IPs that were blocked; there may be more or fewer IPs needed, I don't know.

    I had to allow 2 ranges:
    207.38.8.16 - 207.38.8.27
    207.38.11.11 - 207.38.11.49


    The most common IPs and ports are
    207.38.11.34 : 27900 and 29900
    81.49.402.102 : 59832


    You will have to allow the provider's DNS IP too.
    Mine is on port 53, I don't know if it's the same for everyone.

    And the Nintendo authentication servers, I think:
    192.195.204.40:443
    192.195.204.216:80
    205.166.76.177:80
     
  13. vinsm

    Newcomer vinsm Member

    Joined:
    Oct 12, 2004
    Messages:
    39
    Country:
    New Zealand
    Sorry to get off topic but what programme is this and does it work OK?
     
  14. djprotoss

    Newcomer djprotoss Member

    Joined:
    Jul 5, 2006
    Messages:
    10
    Country:
    United Kingdom
    Heh, well I did say it was the least effective of all the methods...

    Still, you can always combine it with one of the other methods for increased security (no, it won't keep a determined hacker out. But then again, the only really secure option when dealing with one of those is to run an IPsec or similar based VPN over the top of your wireless, and I know some people who say the only properly secure way of doing wireless is to use wires) - the point is that you can't fully lock down your network - you just do what you can, and hope you make yourself a sufficiently unappealing target that you get left alone.
     
  15. Peter Hacke

    Newcomer Peter Hacke Member

    Joined:
    May 25, 2006
    Messages:
    18
    Country:
    Hi!

    These are the Nintendo WFC IP ranges:
    WIFI_RANGE_1="205.166.76.0/255.255.255.0"
    WIFI_RANGE_2="192.195.204.0/255.255.255.0"

    Nintendo installs/adds new WFC servers frequently. I know, because at first I only had 1 server in the list and after about 3 weeks WFC connection failure messages came up upon connecting to WFC.

    The other question was which ports are used by WFC. I've been a bit lazy trying to figure them out, so I simply blocked all "important" ports like SMB, SSH, HTTP, HTTPS, FTP etc. It's a small list of ports/port ranges and eventually the Wi-Fi connection is pretty much useless for "normal" internet usage. I did a tcpdump check some time ago and as far as I can remember the default protocol for data transfer was UDP and the ports which showed up were way above 40,000. So it might even be safe to say BLOCK ALL, but >45,000 & PROT=UDP.

    I've also added MAC and IP checks, but as you stated before that's not an option.

    Some games also connect to GameSpy for whatever reason. The only GameSpy server I could find in my logs was: 207.38.11.49

    ...hope I could help you a bit.

    Game on.
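Added example (not code posted by anyone in this thread): a small Python model of the "WFC only" policy that djprotoss's first two options describe, partial MAC matching on the vendor prefix plus a destination IP/port allowlist, filled in with the ranges and ports Cyan and Peter Hacke posted above. It runs constructed flow records through the policy and emits the equivalent ebtables/iptables commands for an OpenWrt box. The resolver address and the two Nintendo OUI prefixes are assumptions and must be checked before use; the posters themselves note that Nintendo added servers over time, so the destination ranges are illustrative and a real deployment re-captures them with tcpdump or Ethereal as described in the thread.

```python
"""Policy model for a "Nintendo WFC only" open hotspot (added example)."""
import ipaddress
from dataclasses import dataclass

# Destination ranges from the thread: Peter Hacke's two /24s and Cyan's two
# GameSpy ranges.  Endpoints are inclusive.
ALLOWED_DST = [
    ("205.166.76.0", "205.166.76.255"),
    ("192.195.204.0", "192.195.204.255"),
    ("207.38.8.16", "207.38.8.27"),
    ("207.38.11.11", "207.38.11.49"),
]
# Ports seen in the thread: 80/443 on the authentication servers, 27900 and
# 29900 on GameSpy.  The posts do not say TCP or UDP, so both are allowed.
ALLOWED_PORTS = {80, 443, 27900, 29900}
# Peter Hacke saw game data on UDP ports well above 40000.  Allowed here only
# towards the ranges above, never to arbitrary hosts.
HIGH_UDP_MIN = 45000
# Upstream resolver handed to clients by DHCP.  ASSUMED address (RFC 5737).
DNS_SERVER = "203.0.113.53"
# Vendor prefixes to accept.  ASSUMED values: confirm against the IEEE OUI
# list, and remember a MAC is trivially spoofed (nl255's point).
NINTENDO_OUIS = ("00:09:BF", "00:16:56")


@dataclass
class Flow:
    src_mac: str
    dst_ip: str
    proto: str  # "tcp" or "udp"
    dport: int


def mac_allowed(mac):
    """Filter 1: compare only the top 24 bits, i.e. the vendor prefix."""
    return mac.upper()[:8] in NINTENDO_OUIS


def dst_allowed(ip):
    """Filter 2: destination must fall inside one of the captured ranges."""
    a = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= a <= ipaddress.ip_address(hi)
               for lo, hi in ALLOWED_DST)


def verdict(f):
    """Default-deny: a flow is accepted only if every check passes."""
    if not mac_allowed(f.src_mac):
        return "DROP"
    if f.proto == "udp" and f.dport == 53 and f.dst_ip == DNS_SERVER:
        return "ACCEPT"
    if not dst_allowed(f.dst_ip):
        return "DROP"
    if f.dport in ALLOWED_PORTS:
        return "ACCEPT"
    if f.proto == "udp" and f.dport >= HIGH_UDP_MIN:
        return "ACCEPT"
    return "DROP"


def firewall_script():
    """Return the same policy as router commands, one per list item.

    The prefix match needs ebtables (iptables' mac match wants a full
    address); with LAN and Wi-Fi on one bridge, routed frames pass the
    ebtables INPUT chain (assumed layout).  Add an exact-match ACCEPT for
    your own admin machine before the policy drop or you lock yourself out.
    """
    ports = ",".join(str(p) for p in sorted(ALLOWED_PORTS))
    cmds = ["ebtables -A INPUT -s %s:00:00:00/ff:ff:ff:00:00:00 -j ACCEPT"
            % oui.lower() for oui in NINTENDO_OUIS]
    cmds.append("ebtables -P INPUT DROP")
    cmds += [
        "iptables -N wfc_dst",
        "iptables -A wfc_dst -p tcp -m multiport --dports %s -j ACCEPT" % ports,
        "iptables -A wfc_dst -p udp -m multiport --dports %s -j ACCEPT" % ports,
        "iptables -A wfc_dst -p udp --dport %d:65535 -j ACCEPT" % HIGH_UDP_MIN,
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A FORWARD -p udp -d %s --dport 53 -j ACCEPT" % DNS_SERVER,
    ]
    cmds += ["iptables -A FORWARD -m iprange --dst-range %s-%s -j wfc_dst"
             % (lo, hi) for lo, hi in ALLOWED_DST]
    cmds.append("iptables -P FORWARD DROP")
    return cmds


if __name__ == "__main__":
    # Constructed flows: a DS doing DNS, the WFC handshake and a game session,
    # a DS trying to browse, and a laptop trying to reuse an allowed server.
    samples = [
        Flow("00:09:bf:12:34:56", DNS_SERVER, "udp", 53),
        Flow("00:09:bf:12:34:56", "192.195.204.40", "tcp", 443),
        Flow("00:09:bf:12:34:56", "207.38.11.34", "udp", 27900),
        Flow("00:09:bf:12:34:56", "205.166.76.177", "udp", 51234),
        Flow("00:09:bf:12:34:56", "198.51.100.7", "tcp", 80),
        Flow("00:0c:29:aa:bb:cc", "192.195.204.40", "tcp", 443),
    ]
    for fl in samples:
        print("%-6s %s -> %s %s/%d" % (verdict(fl), fl.src_mac, fl.dst_ip, fl.proto, fl.dport))
    print("\n".join(firewall_script()))
```

The last two sample flows are the cases the thread worries about: a DS (or anything with a Nintendo-looking MAC) trying to reach a web server outside the allowlist is dropped by the destination check, and a laptop with a non-Nintendo MAC is dropped before the IP rules are even consulted. The 45000-65535 UDP rule only exists inside the `wfc_dst` chain, so it never opens high UDP ports to the rest of the internet.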
     
  16. Kaphis

    Member Kaphis GBAtemp Regular

    Joined:
    Aug 20, 2006
    Messages:
    271
    Location:
    Richmond
    Country:
    Canada
    so ...um O.o..what is it? XD I tried to read through most of it but is there a summary..what is the IP address that has to be allowed?~..and another thing is....if I have a laptop that I use on the same wireless network...would that still work?
     