ATT 2wire routers and connectivity with vassalengine

Hello,

I am an ATT customer that has also recently had trouble connecting to the server to participate in games.
I have had some discussion with both the admin here and with some minor support from ATT; I think I have a workaround for myself and others that have seen this occur.

My belief was that it is a problem with our router’s firewall treating this as intrusion/attack; traceroutes run during failed connections showed timeouts at gateway and next immediate connection in route.

The simplest answer that I have found (and this has worked now on 3-4 separate occasions, so I feel confident in repeatability) is to enter into your router controls and set the computer to ‘DMZplus’ mode. The following quote from the manual seems to confirm this:

> By default, the 2Wire gateway firewall rules block the attack types listed in the Attack Detection pane. There are some applications and devices that require the use of specific data ports through the firewall. The gateway allows users to open the necessary ports through the firewall using the Firewall Settings page. If the user requires that a computer have all incoming traffic available to it, this computer can be set to the DMZplus mode. While in DMZplus mode, the computer is still protected against numerous broadband attacks (for example, SYN Flood or Invalid TCP flag attacks).

There is probably a more elegant way to do this, but I don’t know exactly how to achieve this; I just know that this is working for me.
Doing this does have limitations: if you have multiple computers it might not be best, as the DMZplus computer will be the default for all Internet applications that aren’t specifically allocated to another computer in the network, for example.

http://setuprouter.com/router/2wire/3800hgv-b/manual-1319.pdf is an online link to the manual for my type of router.
Others are available there.

I do note that in the allow individual applications, there is a ‘server’ setting, which then lists all the different types.
If I knew the information, it might be possible to do the change there to allow data in to the network. Choices are many: DNS, FTP, POP3, etc. … doing something like this would probably be ‘better’ than the DMZplus method; but again, I am not informed enough to render a verdict/answer to that.

This may also be mooted by the fact that ATT was apparently treating this IP as a spam source; and therefore it might have also been inhibiting data transfer from it as a security service. Again, I am not even an educated amateur regarding these things; I just saw that the apparent problem was at the gateway; read that DMZplus lets in the most information; enabled it and it worked. Of course, this puts more reliance on my software firewall; but that’s hopefully not an issue.

Final note, after any changes are saved, most times it requires a re-boot to lock them in; so don’t just do a change and attempt connection. Hope that this helps others out; it’s worked for me in my circumstance.

RD

Thus spake Tabpub:

> My belief was that it is a problem with our router’s firewall treating
> this as intrusion/attack; traceroutes run during failed connections
> showed timeouts at gateway and next immediate connection in route.

I suspect that’s a spurious conclusion—your firewall and some of
the intermediate network infrastructure might simply be configured not
to respond to pings.

> I do note that in the allow individual applications, there is a ‘server’
> setting, which then lists all the different types.
> If I knew the information, it might be possible to do the change there
> to allow data in to the network. Choices are many: DNS, FTP, POP3, etc.
> … doing something like this would probably be ‘better’ than the
> DMZplus method; but again, I am not informed enough to render a
> verdict/answer to that.

VASSAL’s game server is on port 5050 on our machine. The port you’re
using locally to connect to it could be anything above 1024. I don’t
understand why what you’re doing would help, since our game server isn’t
initiating connections to client machines. (Nor is our web server, which
people had similar trouble connecting to.)

> This may also be mooted by the fact that ATT was apparently treating
> this IP as a spam source; and therefore it might have also been
> inhibiting data transfer from it as a security service. Again, I am
> not even an educated amateur regarding these things; I just saw that the
> apparent problem was at the gateway; read that DMZplus lets in the most
> information; enabled it and it worked. Of course, this puts more
> reliance on my software firewall; but that’s hopefully not an issue.

I think it would be a good test to check whether you still have the
problem after setting your router back to the way it had been. If so,
then clearly your changes were effective—but then I think some further
investigation would be in order as to why.


J.
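
The point made in the reply above (a traceroute timeout does not show that TCP is blocked, and the client only makes an outbound connection to port 5050) can be checked directly. This is an added example, not part of the original thread: it attempts the TCP connection itself and classifies the result. The host name `vassal-server.example` is a placeholder assumption; only port 5050 comes from the thread.

```python
import socket


def check_tcp(host, port, timeout=5.0):
    """Try an outbound TCP connection and classify the outcome.

    "open"        - handshake completed; nothing on the path blocks this port
    "refused"     - host reached, but it (or a firewall) actively rejected
    "timeout"     - no answer at all; packets are being dropped silently
    "unreachable" - local or routed network error (e.g. no route to host)
    "dns-failure" - the name did not resolve, so no connection was attempted
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"

    outcome = "unreachable"
    # A name can resolve to several addresses (IPv4 and IPv6); try each one.
    for family, socktype, proto, _canon, addr in infos:
        with socket.socket(family, socktype, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(addr)
                return "open"
            except socket.timeout:
                outcome = "timeout"
            except ConnectionRefusedError:
                outcome = "refused"
            except OSError:
                outcome = "unreachable"
    return outcome


if __name__ == "__main__":
    HOST = "vassal-server.example"  # placeholder, replace with the real server name
    PORT = 5050                     # game server port given in the thread
    print(f"{HOST}:{PORT} -> {check_tcp(HOST, PORT)}")
```

Run it once with the router in its original configuration and once with DMZplus enabled; the same result in both cases means the router setting was not the deciding factor.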

Spurious; yes, that might be correct. I was just going with the first thought that came to mind. My knowledge for this is quite limited and I am just doing the simian at the keyboard bit right now…

Ran it set up with the DMZplus protocol set last night; it wasn’t ideal as one of the participants was traveling and using a ‘hotel wi-fi’ that we have no data on. Logging on to the module for me was possible, but took approx. 5 min to ‘get the map’ displayed on my computer. Play was ok, but then ‘lag’ started to enter the equation about 1/2 way thru a 3 hour session; several people, myself on ATT and 2-3 others were experiencing it; mine seemed the worst though… at one point was getting no information.

Now, comes the odd thing; we were all in voice communication thru Skype, then apparently the connection crashed and the conversation ended. IMMEDIATELY upon this I got a Noah’s Ark-like flood of information on the map screen…felt like the end of ‘Wargames’ as text and units sped across the mapscreen.

So, would it be potentially possible that this might also be the culprit lurking in the weeds? It’s interesting that the ‘lag’ seems to build up for some (for me to the point of ‘freezing’ on my screen), yet I can still move things and they are seen by others, but I don’t see their inputs.

Finally, regarding router setup; as a default, these two options are enabled in my 2wire router (pg 31 of the manual that I linked to in the above message):

> Enabling Advanced Security
>
> The 2Wire gateway firewall already provides a high level of security. You can configure the firewall to provide advanced security features, including stealth mode, strict UDP, or block pings.
>
> • Stealth Mode. When in stealth mode, the 2Wire gateway firewall does not return information in response to network queries; that is, it will appear to hackers who are trying to access your network that your network does not exist. This discourages hackers from further attempts at accessing your network, because to them it will appear as though there is no active network to access.
>
> • Block Ping. Ping is a basic Internet program that, when used without malicious intent, allows a user to verify that a particular IP address exists and can accept requests. Hackers can use ping to launch an attack against your network, because ping can determine the number form of the network’s IP address (for example, 105.246.172.72) from the domain name (for example, mynetwork.com). If you enable Block Ping, your network will block all ping requests.

This is a bit of a Gordian Knot to unravel…it sure seems to be connected to # of participants in module (we had 5); same 5 were in a Skype voice conversation on the side. I know that I had nothing else running concurrently; but can’t say for the others.
My internet test this afternoon shows:
• Download Speed 7.7 Mbps (962 KB/sec transfer rate)
• Upload Speed 1.53 Mbps (191.8 KB/sec transfer rate)
• Latency 24 ms
• Jitter 0 ms
which would appear to be sufficient to do these two tasks to my layman’s eye. In the past we have run a module with 4-5 participants and a Skype on the side with no apparent problems last fall of '14. At this time, we’re probably just going with ‘when we get slow, turn off the Skype and turn it back on’ as a workaround. Though, if you see something in the above that seems a good candidate to modify, I am open to trying it.

RD