Gargoyle Forum

Hello hello, thanks for such a great firmware, it's been very useful for us.
We have very expensive Iridium internet on board the ship and therefor we want that all devices that connect to the internet can ONLY do a few certain things;
We have pop3 email, some http and https sites and we want whatsapp messenger to work solely.

Solved it so far by making two groups via DHCP assignments based on their MAC address put in a range that the rules and quota's apply so they don't gobble up our 1 GB/month data. The PC's work well (windows 10) Daily 5 mb/ device reset every day, perfect! emails via pop3 are a few kb's and the weatherforecast is 100 kb per download.

I have an issue with iOS devices that go straight through all the rules that I make for them.

Setup that makes the most sense for me so far:

1st group (IP range) for PC that can access pop3 email (on port allowed) 993 and sending 568, plus a few http (80) and https (443) sites, that works well, the websites are allowed and the pop3 email connects easily.

2nd group (IP Range) are the mobile devices, that should only access whatsapp, now android behaves well, although I suspect it still tries and successful connects though the rules, but iOS just goes straight though the rules . If you leave it connected to the wifi, after about 3 minutes the 5mb is gone, and the phone hasn't done anything besided connecting to a lot of stuff that it shouldn't do based on the rules., and the the quota successfully disconnect the device (thank god!)

I tried this:
domain filter, gets fully ignored by iOS and gargoyle happily routes it. Safari does not work, so web domain works, but a lot more stuff eats data!

Port based on 5222, 5223 (default whatsapp ports) + and and without domain filters and combinations of that, also I see a lot of TCP connections on port 443 on domains I have to whitelisted.

I'm running the latest gargoyle on a TP-link wr1043 v1

Am I doing something wrong? Or can someone point where I could configure that the mobile devices can connect only to whatsapp dot net on port 5222 and 5223

A quick google found a few more whatsapp ports
TCP: 4244,5222,5223,5228,5242
TCP/UDP: 59234, 50318
UDP: 3478,45395

Here's a pretty comprehensive list of what needs blocking too:
https://github.com/ukanth/afwall/wiki/H ... g-WhatsApp

It's not practical to block all of that and even then it wouldn't be guaranteed to work.

One thing to remember as well is that the iOS app is probably not connecting to the URL. It probably does a DNS lookup to find an IP address, and then directly connects to that.

Hi Lantis!
Yeah I've been down that road trying to add the whatsapp IP address range, but the thing is, no matter what I block or whitelitst, iOS does a different way of dns resoving I guess, and gargoyle lets it though..

Right, but Gargoyle doesn't offer you the option to block DNS resolution of that address. It only blocks web requests to it. There's a difference between those two. So if it still got through, there's an IP not blocked that it is still using.

You could use dnsmasq custom config, or the adblock plugin to poison the DNS records for whatsapp, but it doesn't offer you the ability to do that for specific times, specific devices or anything else. It's very much a sledge hammer approach.

If you block every single IP address in that range, and it still gets through, use the connection tracking page to find out what IPs/ports it is still using and block those too.

Hi Lantis,
Thanks for replying!
I think I need to rethink my options.
My next would be to run everything though a squid proxy and whitelist the websites and make whatsapp als work through it as well, but does that work with gargoyle?
I'm sure that with the sledgehammer technique it's not very userfriendly, which gargoyle IS, and non tech people have to work with it!

A squid proxy is probably the ultimate solution here.
I don't have any experience in setting one up.

It should work with Gargoyle, but will be command line configuration only.

The squid proxy has already been discussed here: viewtopic.php?p=55647#p55647

Thanks guys!
I'm going down the squid track now.. thanks so much for your input!