
How Iran is filtering the v2ray traffic.

Open cyberxf opened this issue 2 years ago • 22 comments

As a network administrator, I can explain that all of this filtering is being done by aggregator routers and end firewalls located in the TIC corporation, so if you are connected to a v2ray server, probably using ssh tunnels or vmess protocols, no matter even if it was tunneled through other servers, it is being monitored by the corp and alerted, so the ip address range + the protocol name which was under monitoring is now detected and filtered using an ACL which makes your traffic a black hole one (leads to nowhere).

cyberxf avatar Jan 02 '23 19:01 cyberxf

I have used vless+xtls and have been selling to many of my customers. I have used x-ui for managing customers, and it uses a different port for each account, which is not ideal. Since about a week ago my servers have been blocked, so I started to use fallback and added nginx on ports 80 and 443; it delayed the blocking for some of my servers, but some still got blocked after 24h. The speed has dropped on my servers (from hetzner) to about 1Mbps, but from other cloud providers I could get like 20Mbps on irancell. It seems that some vps service providers' ip addresses are being blocked or limited (e.g. hetzner) in Iran.

Now I have started using other transports such as vless+tls+ws+nginx to have the minimum risk of blocking (as far as I know with v2ray/xray).

sambali9 avatar Jan 02 '23 21:01 sambali9

@cyberxf please say more about how you know the information in your post. By itself, the information you have posted is not very useful. Filtering is done by routers and firewalls—no surprise there. The firewalls are located in TCI TIC—that is potentially interesting, but without more context it is a claim without evidence. Is that true of all ISPs, that they route traffic to firewalls in TIC? Are the firewalls located on TIC premises, or are they installed at ISPs and only operated by TIC? What network tests could help reveal the routing topology?

How do you reconcile your claim that all filtering is done uniformly at aggregator routers with the reports of users who say that filtering is different in different networks (especially mobile networks)? If the traffic were already aggregated, it would be more work to separate out the different sources and apply different filtering rules to them.

Other threads (e.g. #171) have reported throttling of V2Ray, not IP blackholing, which contradicts your post. Is there an explanation for that?

And the big question is: how are V2Ray, SSH, or VMess connections distinguished from other traffic, so they can be filtered? We know how that kind of thing happens in general, but how exactly is it being done in this case, according to your knowledge? Without that information, the post essentially says "Iran blocks V2Ray by detecting it and filtering it," which is not informative.

Please provide additional context to justify your claims and help others estimate their accuracy.

wkrp avatar Jan 02 '23 21:01 wkrp

Ok, let me make it a bit more clear, it's all done by the TIC itself, not any ISPs, as I was talking to one of the TIC experts the other day, the fact is, if you are connected more than 24 hours to a server using ssh tunnels or any other protocols and the traffic reaches up to ..(didn't tell me how much), the TIC would write an ACL and put that range into int null 0 in networking. So, how is it that we can connect to a server with one isp, but not with the other one? well the answer is clear, let me explain it in this way. imagine you've bought a subscription from Shatel (ISP) corp, they will give your home router a public ip (which is used only when nat is there), for instance, 1.1.1.1/32, and you also have bought another subscription from Respina (ISP) corp, and they will give you the 2.2.2.2/32 ip, you are connected to the Respina and using v2ray vpn, so you are connected to your home's router using a private ip, will be natted by the router into a public ip, then you are into the ISP itself, (Respina), your traffic will flow into their network and has a BGP route to the TIC to reach outside of the country, so TIC would monitor this traffic for 2.2.2.0/32, would filter it as soon as possible, so the Respina route to your vps server is banned, but the Shatel is not cause it is using a different ip range and subnet.

cyberxf avatar Jan 03 '23 05:01 cyberxf

@wkrp, I think the OP is referring to TIC (Telecommunication Infrastructure Company) which is a fully government-owned company responsible for providing international network bandwidth and ports. This is a sensitive and security oriented organization which is also the primary enforcer of censorship in Iran. Essentially it controls the gates (and how open or closed they are).

TCI (Telecommunications Company of Iran), on the other hand, is an altogether different corporation, partly government-owned and responsible for the majority of traditional telephone landlines in Iran, and is also the majority stakeholder in MCI (Mobile Telecommunication Company of Iran, aka همراه اول), which is one of the two big mobile/cell comm operators in Iran (the other being Irancell).

OnceUponATimeInAmerica avatar Jan 03 '23 07:01 OnceUponATimeInAmerica

Yeah, exactly, these 2 corporations are just different.

cyberxf avatar Jan 03 '23 08:01 cyberxf

Ok, let me make it a bit more clear, it's all done by the TIC itself, not any ISPs, as I was talking to one of the TIC experts the other day, the fact is, if you are connected more than 24 hours to a server using ssh tunnels or any other protocols and the traffic reaches up to ..(didn't tell me how much), the TIC would write an ACL and put that range into int null 0 in networking. So, how is it that we can connect to a server with one isp, but not with the other one? well the answer is clear, let me explain it in this way. imagine you've bought a subscription from Shatel (ISP) corp, they will give your home router a public ip (which is used only when nat is there), for instance, 1.1.1.1/32, and you also have bought another subscription from Respina (ISP) corp, and they will give you the 2.2.2.2/32 ip, you are connected to the Respina and using v2ray vpn, so you are connected to your home's router using a private ip, will be natted by the router into a public ip, then you are into the ISP itself, (Respina), your traffic will flow into their network and has a BGP route to the TIC to reach outside of the country, so TIC would monitor this traffic for 2.2.2.0/32, would filter it as soon as possible, so the Respina route to your vps server is banned, but the Shatel is not cause it is using a different ip range and subnet.

So you mean that the blocking is mutually based on the Source IP and Destination IP? In other words, they are not going to block the IP of your VPN server globally for every ISP inside the country? And, if in total, 2 users used the server more than 24h, what would happen? Determination of the approximate exchange volume range should be simple. After starting to download some GBs of information, it must happen then, right?

free-the-internet avatar Jan 03 '23 08:01 free-the-internet

It is based on the protocol, source and destination ip. If you use the server more than 24 hours + a specific amount of bandwidth that is being used, yes, it is very likely that it will be filtered. (They didn't mention the amount of bandwidth).

cyberxf avatar Jan 03 '23 09:01 cyberxf
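The two cyberxf comments above describe the claimed rule as an ACL keyed on (source ip range, destination ip, protocol) that is written once a flow has lasted more than 24 hours and moved some unstated volume, after which the range is sent to `int null 0`. The following is an added toy model of that rule, not code from the thread or from any TIC/ISP equipment; it exists to make the claim testable as stated and to show what it predicts for the questions asked in the thread (same VPS reachable from Shatel but not Respina; ssh to the same VPS unaffected because the protocol is part of the key; two users behind the same ISP prefix sharing one counter). The 1.1.1.x/2.2.2.x prefixes are the thread's placeholders, the VPS address is constructed from TEST-NET-3, the byte threshold is an assumption (the thread never gives it), and keying the counter on the ISP prefix rather than on the individual host is an assumption drawn from the word "range".

```python
"""Toy model of the (source prefix, destination, protocol) blackholing rule
claimed in the thread. Constructed example with assumed thresholds."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Set, Tuple

HOURS_BEFORE_BLOCK = 24.0        # duration stated in the thread
BYTES_BEFORE_BLOCK = 5 * 10**9   # ASSUMPTION: the thread does not give the volume

# Constructed: the public prefix each ISP announces (thread's placeholder ranges).
ISP_PREFIXES = {
    "Shatel": ip_network("1.1.1.0/24"),
    "Respina": ip_network("2.2.2.0/24"),
}

AclKey = Tuple[IPv4Network, str, str]   # (source prefix, destination ip, protocol)


@dataclass
class Flow:
    src: str
    dst: str
    proto: str        # "ssh", "vmess", ...
    t_hours: float    # observation time, hours since the gateway started counting
    nbytes: int


@dataclass
class Counter:
    first_seen: float
    last_seen: float
    total_bytes: int = 0


@dataclass
class Gateway:
    """Models the aggregation point: per-key counters plus an ACL of blackholed keys."""
    counters: Dict[AclKey, Counter] = field(default_factory=dict)
    acl: Set[AclKey] = field(default_factory=set)

    @staticmethod
    def source_prefix(src: str) -> IPv4Network:
        addr = ip_address(src)
        for net in ISP_PREFIXES.values():
            if addr in net:
                return net
        raise ValueError(f"unknown source {src}")

    def observe(self, f: Flow) -> str:
        key = (self.source_prefix(f.src), f.dst, f.proto)
        if key in self.acl:
            return "blackholed"            # ACL already written: traffic goes to null 0
        c = self.counters.get(key)
        if c is None:
            c = self.counters[key] = Counter(f.t_hours, f.t_hours)
        c.last_seen = max(c.last_seen, f.t_hours)
        c.total_bytes += f.nbytes
        # Both conditions from the thread must hold: > 24h of use AND enough volume.
        if (c.last_seen - c.first_seen >= HOURS_BEFORE_BLOCK
                and c.total_bytes >= BYTES_BEFORE_BLOCK):
            self.acl.add(key)
            return "blackholed"
        return "forwarded"


def simulate() -> Dict[str, str]:
    """Constructed scenario: one Respina host uses vmess to a VPS for 30 hours."""
    gw = Gateway()
    vps = "203.0.113.10"                   # constructed VPS address (TEST-NET-3)
    out: Dict[str, str] = {}
    verdict = "forwarded"
    for h in range(31):                    # 31 hourly samples of 200 MB each
        verdict = gw.observe(Flow("2.2.2.2", vps, "vmess", float(h), 200_000_000))
    out["respina_vmess_after_30h"] = verdict
    # A second Respina customer shares the prefix, so it inherits the ACL entry.
    out["respina_other_host_vmess"] = gw.observe(Flow("2.2.2.7", vps, "vmess", 31.0, 1_000))
    # Different protocol to the same VPS: separate key, still forwarded.
    out["respina_ssh_same_vps"] = gw.observe(Flow("2.2.2.2", vps, "ssh", 31.0, 1_000))
    # Same VPS from the other ISP's prefix: separate key, still forwarded.
    out["shatel_vmess_same_vps"] = gw.observe(Flow("1.1.1.1", vps, "vmess", 31.0, 1_000))
    out["acl_entries"] = str(len(gw.acl))
    return out


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

Under these assumptions the Respina key is blackholed at the 24-hour mark (25 samples, 5 GB), so the last six samples and the second Respina host are dropped, while ssh to the same VPS and vmess from the Shatel prefix are still forwarded; if both connections were used, both keys would eventually be written, which is the uniform-censorship outcome wkrp asks about further down the thread. The model is only as good as the claim it encodes; the point of writing it down is that each assumption (prefix-keyed, protocol-keyed, volume threshold) is now a single line that a measurement could confirm or refute.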

@manwithoutpant can you connect to these servers via ssh with iran ip?

MH140000 avatar Jan 03 '23 12:01 MH140000

@manwithoutpant That's the case for me as well. I'd appreciate it if you let me know if you find a way.

MH140000 avatar Jan 03 '23 13:01 MH140000

@manwithoutpant can you connect to these servers via ssh with iran ip?

Yes, it is still possible but not always; the ssh traffic is limited nowadays.

cyberxf avatar Jan 03 '23 15:01 cyberxf

@manwithoutpant How awful! The place I bought my VPS from charges $3 to change the IP. So is there no way other than changing the IP? If we keep changing IPs and they keep getting banned, that's no good!

MH140000 avatar Jan 03 '23 17:01 MH140000

@manwithoutpant So far I have made 2 Cloudflare accounts, but unfortunately after setting the DNS on the domain, the domain no longer pings, whether the proxy is on or off. What do you mean by a "clean Cloudflare IP"?

MH140000 avatar Jan 03 '23 18:01 MH140000

One of the easiest ways for analytic teams is to read the situation and mitigations all gathered in one bbs issue, read the sentiment on their work on censoring and try to break the solutions again, what a smart move.

alirezaac avatar Jan 04 '23 11:01 alirezaac

One of the easiest ways for analytic teams is to read the situation and mitigations all gathered in one bbs issue, read the sentiment on their work on censoring and try to break the solutions again, what a smart move.

These public discussions are helping the developers of censorship circumvention tools to implement a solution which can help people on a mass scale.

Developing private tools for bypassing censorship may work for a limited number of people but developing for public use requires the most "bullet proof" solution such that even knowing how one tool can bypass the censorship it is very hard to block that tool.

Besides, creating firewall rules to block a specific tool is also very expensive and time consuming, which gives us time to develop even more tools to bypass the censorship.

sambali9 avatar Jan 04 '23 15:01 sambali9

Agreed with @sambali9. This is an endless cat and mouse game. The current situation in Iran is so tough in the history of the Internet that it makes every developer re-think the current solutions, to change them (or invent new ones) to be more robust against censorship. In other words, we must keep this discussion public. Because everyone should have access to the uncensored and free (Libre) Internet, and not just the people who knew how to bypass the new restriction. As long as the discussion is done here, it is public and everyone can benefit (and it's the goodness of a community). Private forums have no meaning, as the censor can also join, as you can NOT verify identity. @lostact @alirezaac Keep in mind that we are not the only people who have an active censor. These forums and public tools helped the Chinese; they even started to build public solutions for everybody. Today we all use their publicly available products. No commercial product is working! You see that always FREE SOFTWARE is the solution for restrictions.

Anyway, this is off topic. Let's keep the thread clean. To keep net4people clean, we can always move the problems and requests for help to another GitHub repo like https://github.com/iranxray/hope/issues

free-the-internet avatar Jan 04 '23 16:01 free-the-internet

I suggest making a private group in telegram (or something else), because even if we find a solution for the filtering, the censors can just watch this thread and block it. Discussing matters like this in public is just pointless.

lostact avatar Jan 04 '23 21:01 lostact

@manwithoutpant You have to keep changing settings until you get results. First of all, blocking everything at the root isn't feasible; if it were, then how are all these people connected?

mehdifirefox avatar Jan 05 '23 13:01 mehdifirefox

imagine you've bought a subscription from Shatel (ISP) corp, they will give your home router a public ip (which is used only when nat is there), for instance, 1.1.1.1/32, and you also have bought another subscription from Respina (ISP) corp, and they will give you the 2.2.2.2/32 ip, you are connected to the Respina and using v2ray vpn, so you are connected to your home's router using a private ip, will be natted by the router into a public ip, then you are into the ISP itself, (Respina), your traffic will flow into their network and has a BGP route to the TIC to reach outside of the country, so TIC would monitor this traffic for 2.2.2.0/32, would filter it as soon as possible, so the Respina route to your vps server is banned, but the Shatel is not cause it is using a different ip range and subnet.

Thank you for the clarification. I am still not following this logic completely. I understand that if you have two Internet connections and only use V2Ray on one of them (Respina), then the other connection (Shatel) will not be affected. But if you used V2Ray on both connections, then they would both be blocked, correct? Both connections being blocked is what I would expect, if both ISPs route through uniform censorship boxes at TIC: equal censorship in all ISPs. But some users report that censorship is not equal in all ISPs. Maybe censorship is equal with respect to V2Ray detection, but unequal in other respects?

wkrp avatar Jan 05 '23 18:01 wkrp

@wkrp feel free to mention me if there's any need for farsi -> english translations. These machine translations are almost completely unreadable.

markpash avatar Jan 05 '23 22:01 markpash

If they block servers by traffic usage, how much traffic can I use per day? Or what is the limit?

farzin881 avatar Mar 09 '23 12:03 farzin881

If they block servers by traffic usage, how much traffic can I use per day? Or what is the limit?

Answering this question, even if the premises are true, would require doing a controlled experiment, which I don't think anyone has done yet.

wkrp avatar Mar 09 '23 15:03 wkrp

I have a filtering-bypass solution that is one of the newest protocols. If you want a definite and reliable solution, message me on Telegram; here is my ID: [@wkrp: redacted Telegram account name]

reza-hozhabri avatar Apr 28 '24 07:04 reza-hozhabri