FAH blocked by my router filter list

Posted: Mon Jan 30, 2023 11:09 am
by Weissrolf
Hello. My router is using the following list to filter traffic. FAH seems to need one of these URLs to connect to its servers, though. Which one could it be?

Code:

ff.kis.v2.scr.kaspersky-labs.com
adservice.google.com
doubleclick.net
googleadservices.com
googlesyndication.com
telemetry.dropbox.com
telemetry.v.dropbox.com
geo.settings-win.data.microsoft.com.akadns.net
db5-eap.settings-win.data.microsoft.com.akadns.net
settings-win.data.microsoft.com
db5.settings-win.data.microsoft.com.akadns.net
asimov-win.settings.data.microsoft.com.akadns.net
db5.vortex.data.microsoft.com.akadns.net
v10-win.vortex.data.microsoft.com.akadns.net
geo.vortex.data.microsoft.com.akadns.net
v10.vortex-win.data.microsoft.com
v10.events.data.microsoft.com
v20.events.data.microsoft.com
us.vortex-win.data.microsoft.com
eu.vortex-win.data.microsoft.com
vortex-win-sandbox.data.microsoft.com
alpha.telemetry.microsoft.com
oca.telemetry.microsoft.com
ceuswatcab01.blob.core.windows.net
ceuswatcab02.blob.core.windows.net
eaus2watcab01.blob.core.windows.net
eaus2watcab02.blob.core.windows.net
weus2watcab01.blob.core.windows.net
weus2watcab02.blob.core.windows.net

Re: FAH blocked by my router filter list

Posted: Mon Jan 30, 2023 2:39 pm
by Joe_H
As best as I can tell F@h needs none of those to connect. F@h connects to the servers using HTTP over ports 80 and 8080. The default action of some firewalls and anti-malware is to block data transfer over those ports if the software using them is not a "known" browser such as Chrome, Edge, Safari, Firefox, and the like. An exception would need to be added to allow the FAHClient app to transfer over those ports. That is for version 7 of F@h; the name of the client app that does data transfer is fah-client in version 8.

In your case the IP you posted from is in Europe. From there we get the periodic reports of this problem from users of Fritz!box routers. It also is done by other routers that do deep packet inspection or stateful packet filtering.

Re: FAH blocked by my router filter list

Posted: Mon Jan 30, 2023 3:09 pm
by Weissrolf
As soon as I clear my filter list from the Fritzbox F@h can connect. And I posted the complete list here. If none of these URLs are known then I have to go through the list one by one.

Re: FAH blocked by my router filter list

Posted: Mon Jan 30, 2023 3:24 pm
by Weissrolf
I went through the list in bigger steps and it seems that the list has to stay empty for the Fritzbox to allow F@h traffic. If anything is in there then F@h gets blocked. Nothing else in our household full of computers and smart-devices runs into this issue, though.

Re: FAH blocked by my router filter list

Posted: Mon Jan 30, 2023 8:50 pm
by toTOW
Fritzbox ... you said everything, this router is known to cause issues with FAH.

You have to find the feature that looks like DPI (deep packet inspection) in the Fritzbox configuration and disable it (I don't remember what it is called exactly). It messes with FAH transfers to the work servers.

Re: FAH blocked by my router filter list

Posted: Tue Jan 31, 2023 8:18 am
by Weissrolf
The only firewall options available are: stealth mode (don't react to ICMP), e-mail filter (port 25), Netbios filter, Teredo filter and WPAD filter. I will disable all for testing, but as I wrote F@h *does* work when I remove *all* URL filters from the black-list.

Re: FAH blocked by my router filter list

Posted: Tue Jan 31, 2023 2:40 pm
by Joe_H
There are other posts on Fritz!box problems, here is one detailing what they went through determining what was blocking connections to the F@h servers - viewtopic.php?p=342228#p342228. It may take a bit of digging to get the correct settings.

There is also mention in another post of the Fritz!box they were using blocking connections to raw IP addresses, that person found that connecting by the server domain name first would get the box to allow connections by the IP numerical address. They created a script that periodically pinged the servers by name instead of IP number to work around this.

Re: FAH blocked by my router filter list

Posted: Tue Jan 31, 2023 4:05 pm
by Weissrolf
Thanks, but the link you posted lists exactly the same problem and solution: empty the URL filter blacklist.

Does F@h try to connect via direct IP to any server?

Re: FAH blocked by my router filter list

Posted: Tue Jan 31, 2023 4:24 pm
by Joe_H
Yes, at least that was the design for clients using the v7 and earlier software code. The decision then was made on the difficulty of spoofing a numerical IP address.

Here is an example from one of my systems running v7.6.21:

Code:

06:50:18:WU00:FS00:Connecting to assign1.foldingathome.org:80
06:50:19:WU00:FS00:Assigned to work server 129.32.209.202
06:50:19:WU00:FS00:Requesting new work unit for slot 00: cpu:2 from 129.32.209.202
06:50:19:WU00:FS00:Connecting to 129.32.209.202:8080
06:50:20:WU00:FS00:Downloading 835.00KiB
06:50:20:WU00:FS00:Download complete

The client connected to an Assignment Server by name - assign1.foldingathome.org. The AS directs the client to get a WU from a Work Server - 129.32.209.202 - and downloads a WU. The connections are HTTP over ports 80 and 8080.

The v8 client currently in beta test uses names only, so a DNS lookup is needed for every connection that is to an address that is not already cached locally. Another of my systems is running that version, here is an example download:

Code:

00:34:47:I1::WU350:Requesting WU assignment
00:34:47:I1:OUT5:> POST https://assign1.foldingathome.org/api/assign HTTP/1.1
00:34:47:I3:Connecting to assign1.foldingathome.org:443
00:34:47:I1:OUT5:< assign1.foldingathome.org:443 HTTP/1.1 200 HTTP_OK
00:34:47:I1::WU350:Received WU assignment <removed assignment key>
00:34:47:I1::WU350:Downloading WU
00:34:47:I1:OUT6:> POST https://vav19.fah.temple.edu/api/assign HTTP/1.1
00:34:47:I3:Connecting to vav19.fah.temple.edu:443
00:34:48:I1:OUT6:< vav19.fah.temple.edu:443 HTTP/1.1 200 HTTP_OK
00:34:48:I1::WU350:Received WU

Differences include no use of raw IP address, and connections are HTTPS over port 443. Download size is also not listed by default in the log. v8 has other differences, and currently does not support all features of the v7 client.

Re: FAH blocked by my router filter list

Posted: Tue Jan 31, 2023 8:07 pm
by Weissrolf
This explains the issues with Fritzbox routers then. When you set up a URL blacklist on these routers then they automatically disable direct IP connections, unless they are specifically put on a white list. Once the blacklist is empty it allows direct IP again.
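
Added example, not part of the original thread and not F@h project code: a small Python check that reads client log text and flags connections made to a raw IP address, the kind the posts above say the Fritzbox stops allowing once a URL blacklist is set. The sample lines are taken from the two log excerpts quoted earlier in the thread; the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: "Connecting to" lines and neighbours copied from the
# v7 and v8 log excerpts quoted in the thread.
SAMPLE_LOG = """\
06:50:18:WU00:FS00:Connecting to assign1.foldingathome.org:80
06:50:19:WU00:FS00:Assigned to work server 129.32.209.202
06:50:19:WU00:FS00:Connecting to 129.32.209.202:8080
06:50:20:WU00:FS00:Downloading 835.00KiB
00:34:47:I3:Connecting to assign1.foldingathome.org:443
00:34:47:I3:Connecting to vav19.fah.temple.edu:443
"""

# Both log formats end the line with "Connecting to <host>:<port>".
CONNECT_RE = re.compile(r"Connecting to (?P<host>[^\s:]+):(?P<port>\d+)\s*$")


def is_ip_literal(host):
    """True when the target is a numeric address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_connections(log_text):
    """Return (host, port, kind) per connection; kind is 'raw-ip' or 'hostname'."""
    results = []
    for line in log_text.splitlines():
        match = CONNECT_RE.search(line)
        if match is None:
            continue  # not a connection line (assignment, download, ...)
        host = match.group("host")
        kind = "raw-ip" if is_ip_literal(host) else "hostname"
        results.append((host, int(match.group("port")), kind))
    return results


def raw_ip_targets(log_text):
    """Sorted unique ip:port endpoints a 'no direct IP' filter would drop."""
    return sorted({f"{host}:{port}"
                   for host, port, kind in classify_connections(log_text)
                   if kind == "raw-ip"})


if __name__ == "__main__":
    for host, port, kind in classify_connections(SAMPLE_LOG):
        print(f"{kind:8}  {host}:{port}")
```

An empty result from `raw_ip_targets` on a client's log means every connection went out by name, as in the v8 excerpt; any entry it returns is an endpoint that would need a whitelist entry on a router behaving as described above.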