FAH blocked by my router filter list

Moderators: Site Moderators, FAHC Science Team

Post Reply
Weissrolf
Posts: 13
Joined: Mon Jan 30, 2023 11:01 am

FAH blocked by my router filter list

Post by Weissrolf »

Hello. My router is using the following list to filter traffic. FOH seems to need one of these URL to connect to its servers, though. Which one could it be?

Code: Select all

ff.kis.v2.scr.kaspersky-labs.com
adservice.google.com
doubleclick.net
googleadservices.com
googlesyndication.com
telemetry.dropbox.com
telemetry.v.dropbox.com
geo.settings-win.data.microsoft.com.akadns.net
db5-eap.settings-win.data.microsoft.com.akadns.net
settings-win.data.microsoft.com
db5.settings-win.data.microsoft.com.akadns.net
asimov-win.settings.data.microsoft.com.akadns.net
db5.vortex.data.microsoft.com.akadns.net
v10-win.vortex.data.microsoft.com.akadns.net
geo.vortex.data.microsoft.com.akadns.net
v10.vortex-win.data.microsoft.com
v10.events.data.microsoft.com
v20.events.data.microsoft.com
us.vortex-win.data.microsoft.com
eu.vortex-win.data.microsoft.com
vortex-win-sandbox.data.microsoft.com
alpha.telemetry.microsoft.com
oca.telemetry.microsoft.com
ceuswatcab01.blob.core.windows.net
ceuswatcab02.blob.core.windows.net
eaus2watcab01.blob.core.windows.net
eaus2watcab02.blob.core.windows.net
weus2watcab01.blob.core.windows.net
weus2watcab02.blob.core.windows.net
Joe_H
Site Admin
Posts: 7951
Joined: Tue Apr 21, 2009 4:41 pm
Hardware configuration: Mac Pro 2.8 quad 12 GB smp4
MacBook Pro 2.9 i7 8 GB smp2
Location: W. MA

Re: FOH blocked by my router filter list

Post by Joe_H »

As best as I can tell F@h needs none of those to connect. F@h connects to the servers using HTTP over ports 80 and 8080. The default action of some firewalls and anti-malware is to block data transfer over those ports if the software using them is not a "known" browser such as Chrome, Edge, Safari, Firefox, and the like. An exception would need to be added to allow the FAHClient app to transfer over those ports. That is for version 7 of F@h, the name of the client app that does data transfer is far-client in version 8.

In your case the IP you posted from is in Europe. From there we get the periodic reports of this problem from users of Fritz!box routers. It also is down by other routers that do deep packet inspection or stateful packet filtering.
Image

iMac 2.8 i7 12 GB smp8, Mac Pro 2.8 quad 12 GB smp6
MacBook Pro 2.9 i7 8 GB smp3
Weissrolf
Posts: 13
Joined: Mon Jan 30, 2023 11:01 am

Re: FOH blocked by my router filter list

Post by Weissrolf »

As soon as I clear my filter list from the Fritzbox F@h can connect. And I posted the complete list here. If none of these URLs are known then I have to go through the list one by one.
Weissrolf
Posts: 13
Joined: Mon Jan 30, 2023 11:01 am

Re: FOH blocked by my router filter list

Post by Weissrolf »

I went through the list in bigger steps and it seems that the list has to stay empty for the Fritzbox to allow F@h traffic. If anything is in there then F@h gets blocked. Nothing else in our household full of computers and smart-devices runs into this issue, though.
toTOW
Site Moderator
Posts: 6373
Joined: Sun Dec 02, 2007 10:38 am
Location: Bordeaux, France
Contact:

Re: FAH blocked by my router filter list

Post by toTOW »

Fritzbox ... you said everything, this router is known to cause issues with FAH.

You have to find the feature that looks like DPI (deep packet inspection) in the Fritzbox configuration and to disable it (I don't remember how it is called exactly). It messes with FAH transfers to the work servers.
Image

Folding@Home beta tester since 2002. Folding Forum moderator since July 2008.
Weissrolf
Posts: 13
Joined: Mon Jan 30, 2023 11:01 am

Re: FAH blocked by my router filter list

Post by Weissrolf »

The only firewall options available are: stealth mode (don't react ICMP), e-mail filter (port 25), Netbios filter, Teredo filter and WPAD filter. I will disable all for testing, but as I wrote F@h *does* work when I remove *all* URL filters from the black-list.
Joe_H
Site Admin
Posts: 7951
Joined: Tue Apr 21, 2009 4:41 pm
Hardware configuration: Mac Pro 2.8 quad 12 GB smp4
MacBook Pro 2.9 i7 8 GB smp2
Location: W. MA

Re: FAH blocked by my router filter list

Post by Joe_H »

There are other posts on Fritz!box problems, here is one detailing what they went through determining what was blocking connections to the F@h servers - viewtopic.php?p=342228#p342228. It may take a bit of digging to get the correct settings.

There is also mention in another post of the Fritz!box they were using blocking connections to raw IP addresses, that person found that connecting by the server domain name first would get the box to allow connections by the IP numerical address. They created a script that periodically pinged the servers by name instead of IP number to work around this.
Image

iMac 2.8 i7 12 GB smp8, Mac Pro 2.8 quad 12 GB smp6
MacBook Pro 2.9 i7 8 GB smp3
Weissrolf
Posts: 13
Joined: Mon Jan 30, 2023 11:01 am

Re: FAH blocked by my router filter list

Post by Weissrolf »

Thanks, but the link you posted lists exactly the same problem and solution: empty the URL filter blacklist.

Does F@h try to connect via direct IP to any server?
Joe_H
Site Admin
Posts: 7951
Joined: Tue Apr 21, 2009 4:41 pm
Hardware configuration: Mac Pro 2.8 quad 12 GB smp4
MacBook Pro 2.9 i7 8 GB smp2
Location: W. MA

Re: FAH blocked by my router filter list

Post by Joe_H »

Yes, at least that was the design for clients using the v7 and earlier software code. The decision then was made on the difficulty of spoofing a numerical IP address.

Here is an example from one of my systems running v7.6.21:

Code: Select all

06:50:18:WU00:FS00:Connecting to assign1.foldingathome.org:80
06:50:19:WU00:FS00:Assigned to work server 129.32.209.202
06:50:19:WU00:FS00:Requesting new work unit for slot 00: cpu:2 from 129.32.209.202
06:50:19:WU00:FS00:Connecting to 129.32.209.202:8080
06:50:20:WU00:FS00:Downloading 835.00KiB
06:50:20:WU00:FS00:Download complete
The client connected to an Assignment Server by name - assign1.foldingathome.org. The AS directs the client to get a WU from a Work Server - 129.32.209.202 - and downloads a WU. The connections are HTTP over ports 80 and 8080.

The v8 client currently in beta test uses names only, so a DNS lookup is needed for every connection that is to an address that is not already cached locally. Another of my systems is running that version, here is an example download:

Code: Select all

 \00:34:47:I1::WU350:Requesting WU assignment
00:34:47:I1:OUT5:> POST https://assign1.foldingathome.org/api/assign HTTP/1.1
00:34:47:I3:Connecting to assign1.foldingathome.org:443
00:34:47:I1:OUT5:< assign1.foldingathome.org:443 HTTP/1.1 200 HTTP_OK
00:34:47:I1::WU350:Received WU assignment <removed assignment key>
00:34:47:I1::WU350:Downloading WU
00:34:47:I1:OUT6:> POST https://vav19.fah.temple.edu/api/assign HTTP/1.1
00:34:47:I3:Connecting to vav19.fah.temple.edu:443
00:34:48:I1:OUT6:< vav19.fah.temple.edu:443 HTTP/1.1 200 HTTP_OK
00:34:48:I1::WU350:Received WU
Differences include no use of raw IP address, and connections are HTTPS over port 443. Download size is also not listed by default in the log. v8 has other differences, and currently does not support all features of the v7 client.
Image

iMac 2.8 i7 12 GB smp8, Mac Pro 2.8 quad 12 GB smp6
MacBook Pro 2.9 i7 8 GB smp3
Weissrolf
Posts: 13
Joined: Mon Jan 30, 2023 11:01 am

Re: FAH blocked by my router filter list

Post by Weissrolf »

This explains the issues with Fritzbox routers then. When you set up an URL blacklist on these routers then they automatically disable direct IP connections, unless they are specifically put on a white list. Once the blacklist ist empty it allows direct IP again.
Post Reply