Misc Nintendo WFC traffic only

kaymm2

I'm trying to set up a little Nintendo WFC hotspot for some of the kids in the area but only want them to be able to use my net connection for Nintendo WFC traffic only. I'd like to make the router be open as well, without WEP. I don't care that anyone can join because it would be restricted to only allow WFC traffic. So no one should be able to use it for internet/downloading, etc.

I figure I'd have to block all except certain ports or domains on my router; anyone know where I can look to do this? I know a hotspot provider, FatPort, in my area does this because they allow WFC traffic through for free but in order to use your laptop for internet browsing/email/etc., you have to buy credits and log in.

Thanks.
 

bryehn

Fatport is actually who does Nintendo's hotspots in Canada.

It all depends on your router as to what you need to do. I'm really not sure how you could filter it though. Each DS would have its own MAC/IP on your network, I know that much. And I tried leaving my router wide open to test that program that allows you to control your PC with your DS. 2 hours later, I had every wireless device in the neighborhood listed as DHCP clients. Maybe it's my meds talking, but I really can't think of a way to restrict it to DS traffic only.
 

Glacius0

Only way I can think of is setting it to allow the MAC addresses of the DS users you want to give access to your network. That would require every kid to give you their DS MAC address though and would be a bit of a hassle.
 

kaymm2

> Fatport is actually who does Nintendo's hotspots in Canada.
>
> It all depends on your router as to what you need to do. I'm really not sure how you could filter it though. Each DS would have its own MAC/IP on your network, I know that much. And I tried leaving my router wide open to test that program that allows you to control your PC with your DS. 2 hours later, I had every wireless device in the neighborhood listed as DHCP clients. Maybe it's my meds talking, but I really can't think of a way to restrict it to DS traffic only.

I don't want mac filtering though. Plus, they would be able to use their laptop/pc's to connect to my router and use it for regular internet usage. I want it open for WFC only. So if they associate to my router without a DS (a computer), they can't go anywhere.

I'm really interested in how Fatport did it. Their AP is open, in that anyone can associate to it; however, you are brought to the fatport.com website every time you try to go somewhere. It's a captive portal. When you log in to get authenticated, it lets you go wherever you want. However, WFC traffic is unrestricted. No login is necessary, just associate and play.

I'm thinking Fatport knows the exact servers/IPs/ports that WFC needs and opened them. But I don't have access to that info.
 

djprotoss

Presumably you are setting out with something in place that can set up traffic filters. This could be a wireless access point running Linux (Linksys WRT54Gs are very good for this), or you are putting a firewall box between the WAP and your modem. The reason for me saying this is that few off-the-shelf WAPs / modems have sufficient flexibility to do what you want.

Now, I can think of three different ways you could attempt to do this. In order of increasing difficulty and likely effectiveness, they are:

1. Partial MAC address filtering - chips from the same manufacturer tend to have similar MAC addresses (especially the higher bits), whilst chips from different ones will tend to have wildly different addresses. You could check the MACs on a handful of DSes to determine if this is the case, and if so set a bit mask to only allow packets that match the mask. If the DSes' MACs are clustered like that, then this should work pretty well. The downside is that if there is a batch of DSes made with a different chip, then they would be blocked, and that if someone figured it out then they could get around the restriction by changing their MAC address.
This has the feature of being the only technique from my list that would allow use of the Opera browser on the DS (whether that is good or bad I don't know).

2. IP address filtering - set up packet logging on your firewall box, connect to WFC and then look at the ports and IPs it connects to. On the plus side it's pretty easy to do, but the downside is you need to be careful that you don't over-filter (tip: once you have an IP, look up what size block it belongs to and allow the block).

3. Layer 7 filtering - this refers to OSI model layer 7, the application layer. The only implementation of this I am aware of is l7proto for iptables, but it does work rather well - effectively it does stateful regexps on the packet headers to classify the application that generated the packets. If there is a classifier available, this should be a simple drop in and go; however, it's quite possible that you will only be able to find a stub implementation and need to write your own. An alternative is to use l7 filters to block p2p, FTP, email, IRC, messaging, Usenet and web traffic (that should block out most everybody else).

hope that gives you a few ideas
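
Method 1 above, as an added example that is not part of the original post: derive the prefix mask a few sampled MACs share and apply it the way a filter would. The sample addresses, the `00:11:22` prefix and all function names are constructed for illustration.

```python
# SAMPLES are constructed; 00:11:22 is a placeholder prefix, not a real DS one.
SAMPLES = ["00:11:22:3a:10:01", "00:11:22:3f:92:7c", "00:11:22:05:00:e4"]

def mac_to_int(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' (or with '-') into a 48-bit integer."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int("".join(parts), 16)

def int_to_mac(value):
    raw = f"{value:012x}"
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))

def derive_mask(macs, max_bits=24):
    """Return (prefix, mask, bits) for the leading bits all samples share.

    A handful of samples usually agree on more bits than the vendor prefix,
    so the mask is clamped to max_bits (24 = the vendor part) to avoid
    locking out consoles from another production run.
    """
    values = [mac_to_int(m) for m in macs]
    differing = 0
    for v in values[1:]:
        differing |= values[0] ^ v          # set every bit that ever differs
    bits = min(48 - differing.bit_length(), max_bits)
    mask = ((1 << bits) - 1) << (48 - bits)
    return values[0] & mask, mask, bits

def allowed(mac, prefix, mask):
    """The bit-mask test a filter would apply to a source MAC."""
    return mac_to_int(mac) & mask == prefix

def locally_administered(mac):
    """True if the address was assigned in software (bit 0x02 of octet 1).
    A client that copies a vendor prefix passes both checks, so this is a
    hint for logging, not an access control."""
    return bool((mac_to_int(mac) >> 40) & 0x02)

if __name__ == "__main__":
    raw_bits = derive_mask(SAMPLES, max_bits=48)[2]
    prefix, mask, bits = derive_mask(SAMPLES)
    print(f"samples agree on {raw_bits} bits, using {bits}: "
          f"{int_to_mac(prefix)} / {int_to_mac(mask)}")
    # A same-vendor console that was not among the samples.
    print(allowed("00:11:22:c0:00:01", prefix, mask))
```

With only three samples the unclamped mask would already reject an unseen console carrying the same vendor prefix, which is the over-filtering risk the post describes.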
 

kaymm2

Thanks, that gives me some ideas. I have a WRT54G with a Linux distro firmware on it, OpenWrt. I guess I have to run Ethereal to find out all the ports and IPs it's using and then use the built-in iptables to restrict.
 

kaymm2

I need some ideas for packet sniffing. Do you think it would be easier to use Kismet and capture the data that my DS sends through the air and then use Ethereal to analyze it?
 

Kossan

My DS only access

[ALLOW: conntest.nintendowifi.net] Source: 192.168.1.3 Friday, 28 Jul 2006 17:16:26
[ALLOW: gamestats.gs.nintendowifi.net] Source: 192.168.1.3 Friday, 28 Jul 2006 17:16:41

What I can see from my router while playing Tetris.
If you allow access to those from all IPs?
 

nl255

> Presumably you are setting out with something in place that can set up traffic filters. This could be a wireless access point running Linux (Linksys WRT54Gs are very good for this), or you are putting a firewall box between the WAP and your modem. The reason for me saying this is that few off-the-shelf WAPs / modems have sufficient flexibility to do what you want.
>
> Now, I can think of three different ways you could attempt to do this. In order of increasing difficulty and likely effectiveness, they are:
>
> 1. Partial MAC address filtering - chips from the same manufacturer tend to have similar MAC addresses (especially the higher bits), whilst chips from different ones will tend to have wildly different addresses. You could check the MACs on a handful of DSes to determine if this is the case, and if so set a bit mask to only allow packets that match the mask. If the DSes' MACs are clustered like that, then this should work pretty well. The downside is that if there is a batch of DSes made with a different chip, then they would be blocked, and that if someone figured it out then they could get around the restriction by changing their MAC address.
> This has the feature of being the only technique from my list that would allow use of the Opera browser on the DS (whether that is good or bad I don't know).

You do know how easy it is for someone to change their MAC address, right? I can do it on my laptop as easily as typing 'ifconfig eth1 hw ether DE:AD:BE:EF:DE:AD' and I doubt it is much harder on Windows.
 

Kossan

> > Presumably you are setting out with something in place that can set up traffic filters. This could be a wireless access point running Linux (Linksys WRT54Gs are very good for this), or you are putting a firewall box between the WAP and your modem. The reason for me saying this is that few off-the-shelf WAPs / modems have sufficient flexibility to do what you want.
> >
> > Now, I can think of three different ways you could attempt to do this. In order of increasing difficulty and likely effectiveness, they are:
> >
> > 1. Partial MAC address filtering - chips from the same manufacturer tend to have similar MAC addresses (especially the higher bits), whilst chips from different ones will tend to have wildly different addresses. You could check the MACs on a handful of DSes to determine if this is the case, and if so set a bit mask to only allow packets that match the mask. If the DSes' MACs are clustered like that, then this should work pretty well. The downside is that if there is a batch of DSes made with a different chip, then they would be blocked, and that if someone figured it out then they could get around the restriction by changing their MAC address.
> > This has the feature of being the only technique from my list that would allow use of the Opera browser on the DS (whether that is good or bad I don't know).
>
> You do know how easy it is for someone to change their MAC address, right? I can do it on my laptop as easily as typing 'ifconfig eth1 hw ether DE:AD:BE:EF:DE:AD' and I doubt it is much harder on Windows.


The hard thing is to know what MAC addresses are allowed.
 

nl255

> > > Presumably you are setting out with something in place that can set up traffic filters. This could be a wireless access point running Linux (Linksys WRT54Gs are very good for this), or you are putting a firewall box between the WAP and your modem. The reason for me saying this is that few off-the-shelf WAPs / modems have sufficient flexibility to do what you want.
> > >
> > > Now, I can think of three different ways you could attempt to do this. In order of increasing difficulty and likely effectiveness, they are:
> > >
> > > 1. Partial MAC address filtering - chips from the same manufacturer tend to have similar MAC addresses (especially the higher bits), whilst chips from different ones will tend to have wildly different addresses. You could check the MACs on a handful of DSes to determine if this is the case, and if so set a bit mask to only allow packets that match the mask. If the DSes' MACs are clustered like that, then this should work pretty well. The downside is that if there is a batch of DSes made with a different chip, then they would be blocked, and that if someone figured it out then they could get around the restriction by changing their MAC address.
> > > This has the feature of being the only technique from my list that would allow use of the Opera browser on the DS (whether that is good or bad I don't know).
> >
> > You do know how easy it is for someone to change their MAC address, right? I can do it on my laptop as easily as typing 'ifconfig eth1 hw ether DE:AD:BE:EF:DE:AD' and I doubt it is much harder on Windows.
>
> The hard thing is to know what MAC addresses are allowed.

Just use a mac address vendor finder to see what mac address ranges are for Nintendo (there are only two).
 

Cyan

When using PeerGuardian I cannot connect to WFC.
I had to allow some IPs from the GameSpy server (PeerGuardian said they were GameSpy range IPs).
The range may not be full as it is only the IPs that were blocked; there may be more or fewer IPs needed, I don't know.

I had to allow 2 ranges :
207.38.8.16 - 207.38.8.27
207.38.11.11 - 207.38.11.49


The most common IP and ports are
207.38.11.34 : 27900 and 29900
81.49.402.102 : 59832


You will have to allow the provider DNS IP too.
Mine are on port 53, I don't know if it's the same for everyone.

And the Nintendo authentication servers, I think:
192.195.204.40:443
192.195.204.216:80
205.166.76.177:80
 

vinsm

> I tried leaving my router wide open to test that program that allows you to control your PC with your DS.

Sorry to get off topic but what programme is this and does it work ok?
 

djprotoss

> You do know how easy it is for someone to change their MAC address, right? I can do it on my laptop as easily as typing 'ifconfig eth1 hw ether DE:AD:BE:EF:DE:AD' and I doubt it is much harder on Windows.

heh, well I did say it was the least effective of all the methods...

Still, you can always combine it with one of the other methods for increased security (no, it won't keep a determined hacker out. But then again, the only really secure option when dealing with one of those is to run an IPsec or similar based VPN over the top of your wireless, and I know some people who say the only properly secure way of doing wireless is to use wires) - the point is that you can't fully lock down your network - you just do what you can, and hope you make yourself a sufficiently unappealing target that you get left alone.
 

Peter Hacke

hi!

these are the nintendo-wfc ip-ranges :
WIFI_RANGE_1="205.166.76.0/255.255.255.0"
WIFI_RANGE_2="192.195.204.0/255.255.255.0"

nintendo installs/adds new wfc-servers frequently. i know, because at first i only had 1 server in the list and after about 3 weeks wfc-connection failure messages came up upon connecting to wfc.

the other question was, which are the ports that are used by wfc. i've been a bit lazy trying to figure them out, so i simply blocked all "important" ports like SMB, SSH, HTTP, HTTPS, FTP etc. it's a small list of ports/port-ranges and eventually the wifi-connection is pretty much useless for "normal" internet usage. i did a tcpdump check some time ago and as far as i can remember the default protocol for data transfer was UDP and the ports which showed up were way above 40.000. so it might even be safe to say BLOCK ALL, but >45.000 & PROT=UDP.

i've also added MAC and IP checks, but as you stated before that's not an option.

some games also connect to GAMESPY for whatever reason. the only gamespy server i could find in my logs was : 207.38.11.49

...hope i could help you a bit


game on
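
The destination lists in Cyan's and Peter Hacke's posts, combined with djprotoss's method 2, turned into a default-deny ruleset; this is an added example, not code from any poster. The interface name `br-lan`, the DNS address `192.0.2.53` and the function names are assumptions, and the addresses are the 2006 values as they were posted.

```python
import ipaddress

LAN_IF = "br-lan"  # assumption: name of the router's LAN/wireless bridge

# Destinations as written in the posts above (2006 values, not re-verified).
ENTRIES = [
    "205.166.76.0/255.255.255.0",   # netmask form
    "192.195.204.0/255.255.255.0",
    "207.38.8.16 - 207.38.8.27",    # first - last range
    "207.38.11.49",                 # single host
    "81.49.402.102",                # as posted; 402 is not a valid octet
]

def parse_entry(entry):
    """Turn one entry into CIDR networks; raise ValueError if it is not IPv4."""
    if "-" in entry:
        first, last = (ipaddress.IPv4Address(p.strip())
                       for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.IPv4Network(entry.strip())]

def build_rules(entries, dns_servers=(), lan_if=LAN_IF):
    """Return (rules, rejected) for a default-deny FORWARD chain."""
    nets, rejected = [], []
    for entry in entries:
        try:
            nets.extend(parse_entry(entry))
        except ValueError as exc:
            rejected.append((entry, str(exc)))   # never guess at a bad entry
    rules = [
        "iptables -F FORWARD",
        "iptables -P FORWARD DROP",              # anything not listed is dropped
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for dns in dns_servers:                      # clients' upstream resolvers
        for proto in ("udp", "tcp"):
            rules.append(f"iptables -A FORWARD -i {lan_if} -p {proto} "
                         f"-d {ipaddress.IPv4Address(dns)} --dport 53 -j ACCEPT")
    for net in ipaddress.collapse_addresses(nets):   # merge overlapping blocks
        rules.append(f"iptables -A FORWARD -i {lan_if} -d {net} -j ACCEPT")
    return rules, rejected

if __name__ == "__main__":
    rules, rejected = build_rules(ENTRIES, dns_servers=["192.0.2.53"])  # constructed
    print("\n".join(rules))
    for entry, why in rejected:
        print(f"# skipped {entry!r}: {why}")
```

The rules cover forwarded traffic only; if clients use the router itself as their DNS server, that lookup arrives on the INPUT chain instead.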
 

Kaphis

so ...um O.o..what is it? XD I tried to read through most of it but is there a summary..what is the ip address that has to be allowed?~..and another thing is....if I have a laptop that I use on the same wireless network...would that still work?
 
