RESOLVED: Roblox and URLs Ports open
-
Hello fellow Netgate community,
I have added all the requested URLs and port requirements within access control lists to my working Xbox profile, and I have also added them to do-not-cache and to Snort as a do-not-block alias.
Ref:
https://en.help.roblox.com/hc/en-us/articles/115005744663
All URLs and ports are added. The Xbox works normally for Hulu, Amazon and Disney Plus, and it is seen running on the proxy.
Image: UDP ports open for XBOX ACLS with Static assigned addresses for XBOX with Mac addresses
Image: Do not cache was tested on full URL list provided and with primary domains seen here
Image: Do not block alias that is used with Snort
To get this to work I had to add the Xbox primary home IP address to bypass the Squid proxy. It works for everything else, just not Roblox.
Image: Testing shows solid connections in the proxy, however I keep getting error 17, cannot connect to server.
Keep in mind the goal here is to filter the URLs that the Xbox browser can access when my child is using it; this does not see anything but HTTP GET requests. It is set to block specific websites and it works perfectly for that, as well as for timed access. Roblox is causing some confusion for me.
-
@jonathanlee After it had been connected for some time I removed the bypass, and it seems to stay working; I can see the filter running again for now. If anyone else notices issues please give me a heads up.
-
The Roblox website's support page for educational networks provides the following information, seen here.
Required URLs (HTTP and HTTPS use):
www.roblox.com
api.roblox.com
clientsettings.api.roblox.com
versioncompatibility.api.roblox.com
chat.roblox.com
chatsite.roblox.com
assetgame.roblox.com
setup.roblox.com
setup.rbxcdn.com
cdn.arkoselabs.com
roblox-api.arkoselabs.com
js.rbxcdn.com
static.rbxcdn.com
captcha.roblox.com
My additions to the do-not-cache-locally list:
UPDATE: THIS WAS REMOVED; THESE NOW CACHE FOR ACCELERATION USE.
|rbxcdn.com|
|roblox.com|
Required UDP ports that need to be open for the Xbox systems:
UDP ports: 49152 - 65535
-
@jonathanlee
Create an alias for your do-not-block list for Snort:
(IMAGE: FirewallAliasesIP)
Create an alias for the ports required for Xbox:
(IMAGE: Ports Aliases)
(IMAGE: Add your Access Control List with XBOX made group and your ports)
(IMAGE: You can add the alias of your do-not-block list to Snort IPS/IDS so it will bypass the intrusion detection for these known, approved URLs if you want)
(IMAGE: In SquidGuard make sure you make a specific group ACL with the IP addresses and approved URLs for the Xbox if you would like them to bypass the proxy)
(IMAGE: Inside your IDS/IPS add your alias; notice "do not block", this will stop Snort from auto-blocking Roblox)
After all of this, it's working.
(IMAGE: Live approved usage of Roblox seen inside the proxy)
I hope that helps.
-
I created a separate alias and named it Roblox.
I have included the list that works for me here. Snort will try to block these hosts without an alias set up as a pass list; that was my issue. Enjoy. Every item on their website is included, as well as additional items I found that were required for use.
www.roblox.com
api.roblox.com
clientsettings.api.roblox.com
versioncompatibility.api.roblox.com
chat.roblox.com
chatsite.roblox.com
assetgame.roblox.com
setup.roblox.com
setup.rbxcdn.com
cdn.arkoselabs.com
roblox-api.arkoselabs.com
js.rbxcdn.com
static.rbxcdn.com
captcha.roblox.com
presence.roblox.com
friends.roblox.com
ecsv2.roblox.com
clientsettingscdn.roblox.com
c7.rbxcdn.com
c6.rbxcdn.com
c5.rbxcdn.com
c4.rbxcdn.com
c3.rbxcdn.com
c2.rbxcdn.com
ephemeralcounters.api.roblox.com
c0.rbxcdn.com
assetdelivery.roblox.com
t2.rbxcdn.com
t3.rbxcdn.com
t4.rbxcdn.com
t5.rbxcdn.com
t6.rbxcdn.com
t7.rbxcdn.com
t1.rbxcdn.com
c1.rbxcdn.com
client-telemetry.roblox.com
economy.roblox.com
thumbnails.roblox.com
tr.rbxcdn.com
games.roblox.com
t0.rbxcdn.com
clientsettingscdn.roblox.com
ADDED Aug 12, 2020: this is a must-have, or Snort will block during UDP scans; once this occurs it will boot you unless this host is in the alias.
-
@jonathanlee If you have UDP scans disabled in Snort, remember to also add the CIDR block for Roblox, because once the tunnel starts it scans the UDP ports for a good connection.
If you do not use Snort's port scan auto-block, you do not need to do this.
If you also need more security, do not add the CIDR block 128.116.0.0/17 to the pass list; instead add it to the preprocessor as a CIDR block to ignore for scanning and leave the other Snort detection rules in place. See the next reply.
-
@jonathanlee If this is too many hosts to allow as pass items for Snort, you can just add the CIDR block to the ignore-scan setting inside the Snort preprocessors. That is safer, because if someone clones an IP it will still be detected by the rest of the Snort security and not auto-approved as it would be if listed in the pass list. For this, delete the CIDR block as a pass item and add it to the preprocessor area as "ignore if it is a port scan".
(IMAGE: SNORT PREPROCESSORS LOCATION)
(IMAGE: Preprocessor approved CIDR block)
This will still allow Snort to use its IPS/IDS system on the full CIDR block, however it ignores the UDP scans used for Roblox during the game start-up.
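To make the difference between the two approaches concrete, here is an added example (not code from the thread or from Snort) that runs both policies over a few constructed Snort fast-format alert lines: a pass list drops every alert from the 128.116.0.0/17 block, while the preprocessor ignore drops only the sfPortscan alerts (GID 122) from that block and keeps the rest of the detection in force. The alert lines, source addresses and rule SIDs are constructed sample data.

```python
import ipaddress
import re

# Constructed sample alerts in Snort "fast" format; not taken from the thread.
SAMPLE_ALERTS = """\
08/12-10:15:01.123456  [**] [122:3:1] (portscan) UDP Portsweep [**] [Priority: 3] {PROTO:255} 128.116.12.5 -> 192.168.1.50
08/12-10:15:02.223456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Priority: 1] {TCP} 128.116.12.5:443 -> 192.168.1.50:51234
08/12-10:15:03.323456  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.9 -> 192.168.1.50
08/12-10:15:04.423456  [**] [1:2019401:3] ET POLICY Suspicious inbound [**] [Priority: 2] {TCP} 203.0.113.9:8080 -> 192.168.1.50:51235
"""

# Pulls generator id, signature id, message, protocol and source/destination out of a fast-format line.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{(?P<proto>[^}]+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)"
)
PORTSCAN_GID = 122  # sfPortscan preprocessor alerts are emitted under GID 122

ROBLOX_NET = ipaddress.ip_network("128.116.0.0/17")  # CIDR block named in the thread


def parse_alerts(text):
    """Return one dict per parseable alert line."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append({"gid": int(m["gid"]), "sid": int(m["sid"]),
                           "msg": m["msg"], "src": ipaddress.ip_address(m["src"])})
    return alerts


def alerts_kept_with_pass_list(alerts, net=ROBLOX_NET):
    """Pass-list policy: every alert whose source is inside net is suppressed, whatever the rule."""
    return [a for a in alerts if a["src"] not in net]


def alerts_kept_with_scan_ignore(alerts, net=ROBLOX_NET):
    """Preprocessor-ignore policy: only port scan alerts (GID 122) from net are suppressed."""
    return [a for a in alerts if not (a["gid"] == PORTSCAN_GID and a["src"] in net)]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for name, kept in (("pass list", alerts_kept_with_pass_list(parsed)),
                       ("scan ignore", alerts_kept_with_scan_ignore(parsed))):
        print(f"{name}: {len(kept)} of {len(parsed)} alerts still actionable")
        for a in kept:
            print(f"  [{a['gid']}:{a['sid']}] {a['msg']} from {a['src']}")
```

With the pass list, the rule-based alert from 128.116.12.5 is silently lost along with the scan; with the preprocessor ignore, only the scan alert from that block is dropped and the rule-based alert is still raised.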
-
@jonathanlee ("add the CIDR block to the ignore-scan setting inside of the Snort preprocessors and add it to the preprocessor area as ignore if it is a port scan")
Hi jonathanlee,
How would I accomplish the above with Suricata?
-
@yorke I would have to research this more. Thanks for the reply.