How does a hotel blocks outgoing connection to public CPE IP addresses?
-
@Gerard64
Possibly they just allow standard ports for web and mail like 80, 443, 465, 587, and maybe only TCP.
To circumvent such network restrictions in hotels, I have my OpenVPN server running on TCP 587, aside from the default UDP 1194.
-
@Gerard64 said in How does a hotel blocks outgoing connection to public CPE IP addresses?:
I understand why hotels do this ...
Please tell me, why should they be doing this?
I'll say upfront: I run a hotel, in France, I have a captive portal I use for my hotel clients (they love it), and I have used pfSense since it first existed.
I never felt the need to block any kind of port or IP or protocol for my portal users (hotel clients).
It's actually the other way around: I'll advise my hotel clients to use a VPN. This way they don't have to 'trust' me - and they can't do things with 'my' ISP WAN IP.
Ok, true, I use these :
(the first two are inbound matchers so I can limit the access my OpenVPN server a little bit )
where I block the most obvious BS IPs and hostnames "for their own good".
Tell your friend: instead of using the default 1194 OpenVPN UDP port, let him try port 443, TCP, the ordinary https port. No one can block that port, as it would disable all classic internet browsing.
Ok, the hotel can still block by 'country IP' and if that's the case, there is little you can do.
Before he leaves, let him check that his ISP doesn't block 'incoming' port 443 TCP traffic.
A warning: I don't know the laws in Turkey. Maybe a 'hotel' is responsible for their connection; such a concept exists here in France (Europe) also. The difference is probably: here, you'll get a warning.
Over there: you'll probably be taken out of the circuit for a while. Don't take anything for 'granted'. -
@Gertjan
You are absolutely right.
I understand why they do it. That does not mean I would do it or even need it.
My question is mainly HOW you can do such a thing?
Not that I am going to use it; I am just curious about the how, not the why. -
My friend and I both have self-hosted services at home with standard ports like 80 and 443 open, for instance for our httpd. He cannot connect to them.
It is not just this one hotel; every hotel he was in over the years has this setup.
I am just curious how they pick out dynamic public addresses to block them. -
I have used pfSense, and m0n0wall before that, for many years, and can get around pfSense pretty well too.
If they used a country block then you couldn't reach any services in that country either, but he can connect to Dutch servers with static IP addresses without any problem, just not services that run on a dynamic IP.
That is what I am curious about: how they separate dynamic vs static.
Probably there exists a blocklist that collects dynamic IP address ranges, but I cannot find one.
It puzzles me how they do that.
-
@Gerard64 said in How does a hotel blocks outgoing connection to public CPE IP addresses?:
.... just not services that run on a dynamic ip.
You mean: entire sets of IPs are allocated to known ISPs. All these networks are known, and listed as such. You, and I, and also hotels, can use these lists.
Most ISPs randomize their network pool amongst their subscribers. See it as a huge DHCP pool that they own (== bought).
All these routable IPs, entire networks actually like /24 or bigger (/16 or lower), are of course 'static'. They are just assigned to the ISP clients in a random fashion. That's why you say "dynamic", but these are very normal IPs.
Me, in France, I always get the same IP from my ISP (Orange). That has its advantages, and disadvantages.
And while I think about it: if I was a Dutch ISP, would I block connections going to my subscribers coming from .... "suspected" countries? ("just to protect you").
Something I discovered last year: I use Orange as my ISP, so I have some mail with them.
I took my phone to Tenerife (small island in front of Africa, using IPs listed to ... Africa even if Tenerife is Europe ...).
I synced my phone mail app ..... and that went wrong: they (Orange) blocked my email account. And I had to unlock it using a French IP, connect to their orange.fr portal, etc - so yes, I admit: it can be useful to have a VPN account ready and available 'when needed'.
I tried again with a Turkish IP using my VPN connected to a VPN POP in Ankara and ..... bingo, same situation: the access to mail (Orange) was blocked again. This was my ISP helping me to protect my mail account. So, ok, I get it, if I want to access my mail when I'm out of Europe, use a VPN ..... or just don't look at your mail (now that's something of a real holiday!)
Btw: using "port 80 TCP" is suspect these days. No one wants to use 'clear' traffic these days.
@Gerard64 said in How does a hotel blocks outgoing connection to public CPE IP addresses?:
but he can connect to Dutch servers
Then that is a possible solution :
Get a small VPS, install OpenVPN server and a OpenVPN client.
You connect to the OpenVPN server from Turkey.
The VPS OpenVPN client connects to your home OpenVPN pfSense.
It's a whole route to set up and maintain, but it will do the trick.
@Gerard64 said in How does a hotel blocks outgoing connection to public CPE IP addresses?:
It is not just this one hotel; every hotel he was in over the years has this setup.
It's probably possible to 'detect' that traffic coming from port x going to port y as actual 'OpenVPN' traffic.
What about Tailscale? IPsec?
Or onion-like-network your connection: make a VPN to, I dunno, a VPN POP in Amsterdam.
Then open a VPN over the VPN to your home. You've now created a tunnel into a tunnel.
I know, when visiting crazy countries you need to do crazy things ^^.
If Turkey doesn't like VPN traffic because [whatever their reason is] then maybe some hotels should tell their clients this, if this is the case: like 'no, you can't call home from here', and maybe they tell you also why.
They wouldn't block classic TLS (https) type traffic, as that would make the Internet non-usable for 99 %.
If you have some extra space left while traveling: bring along a Starlink dish?
-
Yeah, we shouldn't be doing this while on vacation haha, but he and I are always talking about computer networking related stuff; he even sends me pictures of wifi access points.
It's just funny while he lies beside a swimming pool in Turkey.
We know we could set up a VPN server on a VPS to solve this, but we don't really have anything to solve; we just want to know.
If there is a list of all the dynamic IP ranges in the world, I just want to have that list, not for any particular reason; it is just curiosity whether this list exists.
I know how DHCP works and that ISPs have huge IP ranges for their customers.
The thing I am curious about is how they filter dynamic IPs.
I know people all over the world, from Taiwan to South and North America, who can all connect to our self-hosted services without a problem, just not from Turkish hotels. Maybe a residential internet connection in Turkey would work, I don't know. We just noticed this when he is on holiday in Turkey and tries to connect to our self-hosted services running on standard TCP ports.
We don't want to solve a problem, because then we would know how to do it, like you said, through a VPS from a hosting provider, and then the problem would be solved.
His connection attempts aren't seen in my pfSense logs. It's not ports they block; they block dynamic IP ranges. I would like to know how they do that. If there is a list of all dynamic IPs then I would like to see this list.
Every year we ask ourselves: how do they do it?
-
I read that sometimes SMTP servers block dynamic IPs also.
I never noticed my self-hosted mail server was ever blocked btw, but I read about it that SMTP servers block dynamic IPs. But I never experienced it myself.
If they do, then how? How do they do it?
How can you distinguish between dynamic and static IP addresses? -
@Gerard64 said in How does a hotel blocks outgoing connection to public CPE IP addresses?:
How can you distinguish between dynamic and static IP addresses?
Most of us use an ISP to get Internet access.
When connecting, you get a WAN IP that is (hope for you) not an "RFC1918" one. You get an IP that is routable over the Internet. RFC1918 (and some others) are not.
What you call "dynamic IP addresses" is just your ISP giving you an IP to use for xx time. Most often these days: a classic DHCP lease with a lease duration of a couple of days, a week.
Then the DHCP client renews that lease.
Your ISP can say: ok, you are allowed to use the same IP one week more. And so on.
You would say: ok, I have a "static" (WAN) IP.
Your ISP can also say: "Hey, time's up for the IP you were using this last week. Here you have a new one - take it or leave it". You are calling this a "dynamic IP".
But the notion 'dynamic' or 'static' doesn't really exist.
My ISP gives me the option to get an IP 'that always changes' (your dynamic), or to get an IP that is always the same:
I still need to use the DHCP client of my ISP box to get an IP from my ISP, a DHCP lease actually, as a DHCP lease contains an IP, a DNS or two (who uses them these days?), and the very, extremely important ISP 'gateway'.
You can also choose between a 'dynamic' (changes all the time) or 'static' (never changes) WAN IP.
Call your ISP ^^
Or visit their extranet (like ziggo.nl) and select the option. And probably you have to pay for it.
And yes, a 'static' IP means that you do not have to use a DynDNS service anymore.
-
The link below answers my question:
https://serverfault.com/questions/919829/how-does-ms-know-which-public-ip-addresses-are-dynamically-assigned
This is interesting too:
https://en.wikipedia.org/wiki/Dynamic/Dialup_Users_List -
You can add the ASN 'dictionary' to the list: the list with ASN 'network' numbers that are owned by companies. Each ASN contains one or more networks, like /8 or /16 or even /8, or combinations of these.
Find who owns your IP: https://whatismyipaddress.com
I found for my IP :
Orange, a big ISP in Europe and outside of Europe, owns a lot of these ASNs. Each has many networks, like 82.127.0.0 to 82.127.255.255, which is a /16 or 65535 IPv4.
There is nothing dynamic to these IPs, they are like phone numbers.
One of them can get assigned to Jack's place today, and I can have Jack's IP tomorrow, and he got mine. And so on. -
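As an added example (not code from this thread, from pfSense, or from any real blocklist), the two mechanisms the thread points at, a DUL-style DNSBL lookup as in the Dynamic/Dialup Users List link above and a per-ASN prefix list as in the post just above, written in Python. The zone name, the ASN labels, the CIDR ranges and the simulated DNS answers are constructed sample data.

```python
"""Two ways a gateway or mail server can decide that an IP belongs to a
'dynamic' consumer-ISP pool. Everything below is constructed sample data."""
import ipaddress

# Constructed DNSBL zone. A real DUL is queried for an A record under the
# reversed IP; an answer inside 127.0.0.0/8 means 'listed'.
DUL_ZONE = "dul.example.invalid"
FAKE_DNS = {
    "7.113.0.203." + DUL_ZONE: "127.0.0.3",   # 203.0.113.7 is listed
}

def dul_query_name(ip: str, zone: str = DUL_ZONE) -> str:
    """Reverse the octets and append the zone: 203.0.113.7 -> 7.113.0.203.<zone>."""
    addr = ipaddress.IPv4Address(ip)          # raises on invalid input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"

def is_listed_in_dul(ip: str, resolver=FAKE_DNS.get) -> bool:
    """True when the (simulated) resolver answers with a 127.0.0.0/8 code."""
    answer = resolver(dul_query_name(ip))
    if answer is None:                        # NXDOMAIN: not listed
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")

# Constructed per-ASN prefix list, the shape of what an ASN 'dictionary'
# gives you: one label per ASN, many CIDR blocks per label.
ISP_PREFIXES = {
    "AS64500 (sample residential ISP)": ["203.0.113.0/24", "198.51.100.0/25"],
    "AS64501 (sample cable ISP)": ["100.64.0.0/10"],
}

def match_prefix(ip: str, prefixes=ISP_PREFIXES):
    """Return (asn_label, network) for the longest matching prefix, else None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for label, nets in prefixes.items():
        for cidr in nets:
            net = ipaddress.ip_network(cidr)
            # version mismatch (v6 address vs v4 net) simply fails the test
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (label, net)
    return best

def classify(ip: str) -> str:
    """Combine both checks the way a blocking policy would."""
    if is_listed_in_dul(ip):
        return "dul-listed"
    hit = match_prefix(ip)
    return f"isp-prefix:{hit[0]}" if hit else "unlisted"
```

Note that a prefix list only says which ASN owns the block; it is the list maintainer, not the data, that labels it "dynamic", which is why such lists also catch perfectly static customer IPs.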
This post is deleted! -
@Gerard64 Did you test whether he can connect to anything using the raw public WAN IP address of your home firewall (not using a DNS name)?
Could be they are just doing DNS filtering that only allows the top 1 mio or top 10 mio most used sites…
-
@keyser
That might be a good idea to test next time my friend is abroad.
Thank you for this tip!