[SOLVED]Getting kicked out from playing Overwatch



  • @Bob-Dig said in Getting kicked out from playing Overwatch:

    Damn I can't post here, getting these messages about spam.... 🙁

    Post content was flagged as spam by Akismet.com

    I bet everything is going out your NordVPN connection.

    Does this print out your WAN IP address or a NordVPN address ?

    https://www.whatsmyip.org/



  • @NogBadTheBad No, had it only enabled in Firefox, but after disabling it I still get these messages here. It is my regular ISP IP-address. I also use that for gaming, no VPN there.

    I am not a total noob, just not a network professional. ☺



  • @Bob-Dig said in Getting kicked out from playing Overwatch:

    Also why all the pfBlocker Geo blocks on the WAN interface traffic is denied by default?

    It is the default behavior and works fine I think.

    No it's not, you've enabled them here and there is no need to unless you're blocking a country in the region. Are you telling me you have blocked something in Antarctica?

    Screenshot 2019-10-03 at 15.34.32.png

    I only use it to block China, etc ... from hitting my sftp server.

    Screenshot 2019-10-03 at 15.30.22.png

    Screenshot 2019-10-03 at 15.31.23.png



  • @Bob-Dig said in Getting kicked out from playing Overwatch:

    @NogBadTheBad No, had it only enabled in Firefox, but after disabling it I still get these messages here. It is my regular ISP IP-address. I also use that for gaming, no VPN there.

    I am not a total noob, just not a network professional. ☺

    BTW you've not removed your IP from the bottom of the screenshot.



  • I almost block everything because it is for incoming connections only I thought, it is for my server.



  • BTW you've not removed your IP from the bottom of the screenshot.

    You're right, will change it later anyways.

    And default deny rule is probably not related to pfblocker anyway, right?



  • @Bob-Dig said in Getting kicked out from playing Overwatch:

    I almost block everything because it is for incoming connections only I thought, it is for my server.

    Everything would be blocked by default on the WAN interface, you've just changed the default deny rule into one huge set of firewall rules using pfBlocker.



  • @Bob-Dig said in Getting kicked out from playing Overwatch:

    BTW you've not removed your IP from the bottom of the screenshot.

    You're right, will change it later anyways.

    And default deny rule is probably not related to pfblocker anyway, right?

    Nope nothing to do with pfblocker.



  • @NogBadTheBad For incoming connections to my server it is what I want. I mean everything works but kicked out of the game randomly.



  • Nope nothing to do with pfblocker.
    That is the point! Sorry I have to change my postings to not get marked as spam... I can't quote it seems....



  • @Bob-Dig said in Getting kicked out from playing Overwatch:

    For incoming connec

    Post the full WAN rules page.



  • @NogBadTheBad There is nothing of interest, some open ports (NAT) and the country blocks which again is intended.



  • Umm just noticed in the first screenshot it says default deny rule.

    I don't think this is a pfBlocker issue.

    Asymmetric routing perhaps.

    I want to come back to that asymmetric routing.
    My ISP is doing something, so that my router can't see its internet IP-address, but a different address. Maybe that is the problem for the firewall?

    Capturex.JPG



  • @Bob-Dig

    So what are you using the pfBlocker GeoIP rules for on the WAN interface?

    To Block all countries bar one for your inbound rules ?



  • @NogBadTheBad please see my posting above
    And it is default on the wan interface and I am blocking almost everyone but some countries for incoming connections to my server, but is this really related to my Overwatch problem?



  • @Bob-Dig said in Getting kicked out from playing Overwatch:

    @NogBadTheBad please see my posting above
    And it is default on the wan interface and I am blocking almost everyone but some countries for incoming connections to my server, but is this really related to my Overwatch problem?

    You're using pfBlocker wrong then.

    You need to create an alias in pfBlocker and use it in a firewall rule to pass, doing it the way you are every packet will be evaluated top to bottom till there is a match.

    Screenshot 2019-10-03 at 15.58.37.png

    Screenshot 2019-10-03 at 16.01.36.png
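
Added example (not part of the original thread, and not pfSense or pfBlockerNG code): a small first-match simulation of the two WAN layouts discussed above, per-country block rules in front of a port forward versus a single pass rule whose source is a permit alias. The country codes, networks, and forwarded port are constructed placeholders.

```python
import ipaddress

# Constructed data: documentation ranges stand in for GeoIP country lists.
GEO = {"AA": ["198.51.100.0/24"], "BB": ["203.0.113.0/24"], "CC": ["192.0.2.0/24"]}
SERVER_PORT = 22  # hypothetical forwarded port


def nets(codes):
    """Flatten the networks of the given country codes into one list (an 'alias')."""
    return [ipaddress.ip_network(n) for c in codes for n in GEO[c]]


def evaluate(rules, src, dport):
    """First-match evaluation of inbound WAN rules.

    Each rule is (action, source_networks_or_None, port_or_None).
    Returns (action, number_of_rules_checked); no match falls to default deny.
    """
    addr = ipaddress.ip_address(src)
    for checked, (action, sources, port) in enumerate(rules, 1):
        src_ok = sources is None or any(addr in n for n in sources)
        if src_ok and port in (None, dport):
            return action, checked
    return "block", len(rules) + 1


# Layout A: one block rule per country list, then a pass from any for the forward.
BLOCK_PER_COUNTRY = [("block", nets([c]), None) for c in ("AA", "BB")]
BLOCK_PER_COUNTRY.append(("pass", None, SERVER_PORT))

# Layout B: a single pass rule whose source is the alias of permitted countries.
PERMIT_ALIAS = [("pass", nets(["CC"]), SERVER_PORT)]

if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.5", "8.8.8.8"):
        print(src, evaluate(BLOCK_PER_COUNTRY, src, 22), evaluate(PERMIT_ALIAS, src, 22))
```

An address that is on no list passes layout A but is denied by layout B, which is the practical difference between blocking listed countries and permitting only listed ones.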



  • I think you need to talk with your ISP.



  • @NogBadTheBad One country or one list only would be easy because I could just Invert Source and everything would be fine. Your screen looks much more complicated to me.
    So what I will do now is disable all geoblocking and all of pfblocker and will look if the problem still occurs.
    Thank you for now!



  • I think you need to talk with your ISP.

    It is a big one, Germany's second or third biggest cable-provider, so no chance, they do what they do. ☺



  • @Bob-Dig said in Getting kicked out from playing Overwatch:

    I could just Invert Source and everything would b

    Is it Telecolumbus ?

    Whoever it is they are doing something funky as your router has a different IP address to what's reported by whatsmyip.



  • @NogBadTheBad Yes. But this IP is "made" for this and I can open ports etc. There is nothing I can do about it and maybe it is a pfSense-only or Fancy-Firewall-only problem.



  • @NogBadTheBad So after disabling pfBlocker I had no problem playing Overwatch, although it might be too early to say that definitely.

    Anyway, maybe all this geoblocking was too much and had unintended consequences?

    So I am looking at this alias permit thingy and I don't understand it at all.
    When I permit something, where is it blocked in the first place to make any sense?
    I made one up but couldn't see it under rules, where is it?
    Maybe you have a link which fully explains it?



  • After watching it more closely I think I get it, how it works. Or at least, I am getting there. 😉
    Interesting... 😳
    But it doesn't work with NAT or does it? 😖
    It does, was on the wrong tab. 😌

    Now I have to see if it is any good:
    Capture.JPG



  • You're on carrier grade NAT.



  • @Bob-Dig

    You just need to follow the screenshots that I posted to create an alias with all the countries you want to allow through then use it in your allow alias.

    The less rules / matches the firewall needs to process the better.



  • @chpalmer

    Are those carrier grade NAT IP addresses, never come across CGN before?

    https://chrisgrundemann.com/index.php/2012/100640010/

    Also doesn't CGN break customers doing port forwards?



  • You just need to follow the screenshots that I posted to create an alias with all the countries you want to allow through then use it in your allow alias.

    The less rules / matches the firewall needs to process the better.

    That's what I did on my last screenshot. It is a little more complicated to set up or maybe there are more easy options I don't know. Also I hope this will help with Overwatch, I still don't know for sure, because I like this game but only in small doses.

    Are those carrier grade NAT IP addresses, never come across CGN before?

    Also doesn't CGN break customers doing port forwards?

    Whatever they do, I can open ports, so would be interested to know the right term for that.

    PS: Still getting marked as spammer here, even without VPN, I have to remove the beginning of each quote.

    @NogBadTheBad I also made some port aliases so my rules on WAN now look more clean (less rules). Again, thank you!

    Capture.JPG



  • @NogBadTheBad said in Getting kicked out from playing Overwatch:

    Also doesn't CGN break customers doing port forwards?

    Yep. Many people will be behind the public IP address he is behind. No way to port forward and that address is not routable from the outside. Any kind of port forward would have to be set up by the ISP to your NATt'd address.

    Technically you are double NATt'd.

    I'd be interested to see your firewall logs..

    pfblocker would be pretty useless on the WAN.



  • pfblocker would be pretty useless on the WAN.

    Don't ask me how it works but I can instantly do port forwards by my own.



  • So you have open ports from the outside?

    If for some reason your ISP was NATting every address in their system I suppose they might put you in a DMZ of sorts.. Can you do a test at GRC.com and show the results here?

    https://www.grc.com/x/ne.dll?bh0bkyd2

    I've already tried a port scan and came up with nothing. You might have the US blocked so I'd understand but..

    Just because you can build a port forward doesn't mean anyone is getting to you. Maybe other customers behind your CGNAT..



  • @chpalmer Like I said before, yes I can. You can believe me or not...

    And I had no more problems with overwatch after changing the geoblocking to what @NogBadTheBad has suggested.



  • @Bob-Dig said in Getting kicked out from playing Overwatch:

    @chpalmer Like I said before, yes I can. You can believe me or not...

    Didn't say I don't believe you.. I am saying that based on your input here.. Your WAN address is 100.65.134.66 and your public IP address shows up as 82.119.9.xxx (you still have it visible in a post above). That means you are behind some kind of NAT. Normally when you are behind CGNAT in such a way there is no way to get to you by accessing the public address you are behind. Usually the carrier has many customers showing up behind the same address. If they have somehow "port forwarded" to you we cannot possibly know that without someone coming along and telling us otherwise.

    (Unless you are double NAT'd behind your own modem and failed to mention that or I missed that above.. The address your WAN shows up is pretty specific and I'd not guess that you chose that.)

    Since you are obviously behind CGNAT then you have to take that into account in trying to diagnose your connection problems here.

    Many times a carrier will use CGNAT as a side benefit to them to keep residential service customers from hosting servers.
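
Added example (not part of the original thread): the comparison made in the post above, the address on the router's WAN interface versus the address an outside service reports, written as a small classifier. The WAN address is the one quoted in the thread; the public address is a constructed placeholder because the thread elides the real one, and the category labels are this example's own.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGN_SHARED = ipaddress.ip_network("100.64.0.0/10")


def classify_wan(wan_ip, observed_public_ip):
    """Compare the router's WAN address with the externally observed address.

    Returns one of:
      "direct"               - WAN address is the public address, no upstream NAT
      "cgnat"                - WAN address is in 100.64.0.0/10, carrier NAT upstream
      "private-upstream-nat" - WAN address is private (e.g. behind a modem/router)
      "translated-other"     - addresses differ for another reason (proxy, VPN, ...)
    """
    wan = ipaddress.ip_address(wan_ip)
    seen = ipaddress.ip_address(observed_public_ip)
    if wan.version != seen.version:
        raise ValueError("compare addresses of the same IP version")
    if wan == seen:
        return "direct"
    if wan in CGN_SHARED:
        return "cgnat"
    if wan.is_private:
        return "private-upstream-nat"
    return "translated-other"


if __name__ == "__main__":
    # 100.65.134.66 is the WAN address from the thread; 203.0.113.7 is a placeholder.
    print(classify_wan("100.65.134.66", "203.0.113.7"))
```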



  • @chpalmer I even have a rule just for GRC, which doesn't work anymore, because now the geoblocking is in the portforwards. 😉

    Capture.JPG

    And no double-NAT on my side.



  • @chpalmer but for your curiosity, here is a portscan from another site. And I already changed my WAN-IP-address.
    Capture.JPG


  • LAYER 8 Moderator

    @Bob-Dig gave you a couple of 👍 so you shouldn't be hit as hard by spam detection anymore.

    Still don't really get your NAT forwards or rules you made with pfBlockerNG but we could more easily discuss that in German in the other section. But a 100.x address is most probably a CGN address. And if you have that on the WAN and can port forward ports yourself, the assumption that double NAT from the carrier itself is in play is a big possibility. As there are quite a few special nets included in the various pfBNG lists, it may very well be an update of one of the lists that locked you out of play (as some of them get updated hourly). Perhaps a false positive or sth.



  • @NogBadTheBad and now you've preserved it for posterity in your own post despite the fact that they've removed it 🤣



  • @JeGr Hey JeGr, thanks for upvoting. What is not to get on my NAT-Forwards? I now do geo-blocking or to be more precise -permitting within these rules.
    And again, I don't know what my ISP is doing... I only say I can open ports, lucky me. ☺

    And before that I geoblocked almost every country on the WAN-Interface, which worked quite nice I thought, because it affected only unsolicited incoming connections. Worked good to geoblock on my port-forwards. I also could go everywhere on the web so I am pretty sure with the "unsolicited" incoming connections. And that should never be making a problem to the Overwatch game in the first place. Overwatch doesn't open any ports, no UPnP.
    So I think it was just the overwhelming geoblocking that was somewhat responsible for dropping the connection.. But that is just a guess. There are some more variables on my side. But it works now, so probably solved.



  • @Doktor-Jones

    @NogBadTheBad and now you've preserved it for posterity in your own post despite the fact that they've removed it 🤣

    ☺ I removed it yesterday, don't think it is needed but I am no expert.
    PS: Still getting flagged as spam when doing full-quotes.


  • LAYER 8 Moderator

    @Bob-Dig said in [SOLVED]Getting kicked out from playing Overwatch:

    And that should never be making a problem to the Overwatch game in the first place. Overwatch doesn't open any ports, no UPnP.

    Yeah but Blizzard is using CDNs and other stuff. Even when just allowing German/EU servers your pfBNG rules may very well have been hit by IPs listed to other areas/countries etc. because of CDN and Co. And as the lists are updated hourly that could enter an IP you were using to one of the blocklists.

    What is not to get on my NAT-Forwards?

    I'm not discussing your forwards, just saying, that with your blurs I can't say anything about them being effective/useful or not. And as your screenshot on your LAN shows pfBNG rules as well (Pri1!) it's entirely possible, that one of the necessary IPs for Overwatch was listed on one of the PRI1 lists temporarily (false positives happen) and you were kicked out by the rule taking effect hourly. Also you didn't mention running IDS in addition, which could also have triggered that. But as you say it's working now, pretty sure it was a pfBNG list.



  • @JeGr I watched the IDS every time, there was nothing.

    And the pfBNG on LAN would have potentially harmed every pfSense user with this pfBNG-rule who was playing Overwatch (in Europe), wouldn't the outcry be immense around here? 😉

    Here is a non-blurred version of my newly created port-forwards thanks to NogBadTheBad. I hope you like it, I do.
    There is not much happening and it is more a fun-project, hosting these servers, again, I am no professional but kinda like this stuff on an amateur-basis. And pfSense is a new challenge and I like it too. Also I didn't get any more firmware upgrades for my beloved merlin-router. 😋

    Capture.JPG

