Reddit reviews Cisco ASA5505-BUN-K9 ASA 5505

We found 7 Reddit comments about Cisco ASA5505-BUN-K9 ASA 5505. Here are the top ones, ranked by their Reddit score.

Cisco ASA5505-BUN-K9 ASA 5505
SSL and IPsec VPN Services
8 port 10/100 switch with 2 Power over Ethernet (PoE) ports
Memory: 512 MB; Maximum Firewall throughput (Mbps): 150 Mbps
Packets Per Second (64 byte): 85,000
Maximum 3DES/AES VPN Throughput: 100 Mbps
SSL VPN User Sessions: 2 Bundled/25 Max
Content Security (Anti-virus, Anti-Spyware, File Blocking): Not available

7 Reddit comments about Cisco ASA5505-BUN-K9 ASA 5505:

u/bmhatfield · 6 points · r/sysadmin

I loved my Cisco ASA. You'll probably have to do a little research into the licensing terms (I think the base-level license only includes 10 network clients, but you can get an unlimited license for like $50 or something).

http://www.amazon.com/Asa-5505-Security-Appliance-10/dp/tags-on-product/B000O0Z8GC

u/ryankearney · 2 points · r/networking

Have you considered a firewall to do this?

You could, say, get a 5505 for ~$300 on Amazon.

The license it comes with only allows for 2 VPN tunnels at once (although you could have a theoretical unlimited number of clients going over the 1 tunnel).

You could then set everything's gateway to the ASA, and configure the ASA to forward the things you want over the tunnel and everything else out the other gateway.

Sorry if this is a dumb suggestion, I've only been in the networking field for 6 months and that's just how I would do it. I'm sure there's other ways too.

u/[deleted] · 2 points · r/security

It sounds like you need a VPN solution, but I don't think you will be able to accomplish what you seek with software. A Cisco ASA 5505 would be able to provide remote access (up to 10 users I think) and you can apply access control lists to only allow certain ports (the ones needed for the game).

You can also disable the ability to connect to other VPN clients, so that they can only talk to whatever IP address and port combo you allow them to.

That being said, if you don't trust the computers explicitly then you should never ever ever let them connect to you using any app, protocol, port or orifice. Games are notorious for buffer overflows and all sorts of other tomfoolery that would allow them to own your box.

So, tl;dr yes it can be done but you need a $300 appliance and if you do then get ready for network buttrape.

 

ASA 5505 on Amazon

http://www.amazon.com/Cisco-ASA5505-BUN-K9-ASA-5505/dp/B000O0Z8GC

How to set up remote access VPNs on Cisco ASA

http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/vpnrmote.html


hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.4.200 255.255.0.0
hostname(config-if)# nameif outside
hostname(config-if)# no shutdown
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
hostname(config)# username testuser password 12345678
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx
hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside
hostname(config)# write memory

Here is a doc on how to set up a filter for remote access VPNs

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

Permit remote access hosts to HTTP browse to the 192.168.1.0 network (inside)

hostname(config)# access-list vpnfilt-ra permit tcp 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80
hostname(config)# group-policy DfltGrpPolicy attributes
hostname(config-group-policy)# vpn-filter value vpnfilt-ra

That's it
cheers
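As an added example (not part of the comment above or of Cisco's documentation), the Python below audits a pasted ASA transcript for the IKE and IPsec parameters that configuration sets. The rule set (DES/3DES, MD5, and Diffie-Hellman groups 1, 2 and 5 counted as weak) and the names `audit`, `WEAK_IKE` and `WEAK_ESP` are assumptions of this example.

```python
import re

# Strips an ASA CLI prompt such as "hostname(config-if)# " from a pasted line.
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")

# Assumption of this example: which values count as weak. DES/3DES, MD5 and
# Diffie-Hellman groups below 2048 bits (1, 2, 5) are reported as findings.
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

IKE_LINE = re.compile(r"^(?:crypto )?isakmp policy (\d+) (encryption|hash|group) (\S+)$")
TS_LINE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")

def audit(config_text):
    """Return (line_number, message) findings for weak IKE/IPsec parameters."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = PROMPT.sub("", raw.strip())
        ike = IKE_LINE.match(line)
        if ike:
            policy, field, value = ike.groups()
            if value in WEAK_IKE[field]:
                findings.append((lineno, f"isakmp policy {policy}: weak {field} '{value}'"))
            continue
        ts = TS_LINE.match(line)
        if ts:
            name, tokens = ts.groups()
            for token in tokens.split():
                if token in WEAK_ESP:
                    findings.append((lineno, f"transform-set {name}: weak transform '{token}'"))
    return findings

# Constructed input: the crypto-related lines as they appear in the comment above.
SAMPLE = """\
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
"""

if __name__ == "__main__":
    for lineno, message in audit(SAMPLE):
        print(f"line {lineno}: {message}")
```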

u/BIacked0ut · 1 point · r/redditblack

I know you can't prevent a DDoS but you can mitigate its effect. It's a single person (most of the time, unless they are using a paid service) sending you a UDP flood limited by their router and bandwidth as well. All I need to do is mitigate it long enough so I do not lose connection to the Xbox Live service.

I also have a real hardware firewall, I use a Cisco ASA5505 as my home border but I don't know how to specifically set up rate limits for UDP 3074 traffic (has to be a class map I can create), I'm looking into it. I watch the logs on the firewall and see the DDoS as it's happening, I just can't figure out the settings to mitigate it. There is no built-in configurable DDoS protection on this level of hardware firewall; however, it does have better CPU/RAM resources than the out-of-the-box router that your ISP provides, so if I can write something to identify and flag the IP I should be able to shun it and have my ASA use its resources to mitigate. I'm trying to fix an issue and the only responses I get are "Nope won't work, don't bother"; that's bullshit, there are ways to stop this.


edit: K I found it, it's threat detection in the ASA, which is what I was looking for.

For the total nerds/engineers, it's the burst settings I am going to mess with. I'll let ya know if this pans out.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html

Basically when you boot someone you have to be doing it from a separate public IP than your Xbox or you will kick yourself offline. This is easily done because most ISPs provide you with 1 DMZ IP address when you sign up for service. The DDoS'er will use a separate IP address to send the spam and the firewall can detect this traffic and auto-shun it. Auto shun blocks the IP address for a period of time, the CPU/RAM cycles should have no issue.

Once I get this set up I'll let ya know if I can block some of the tools used.

Just for more info this is the firewall I have

http://www.amazon.com/Cisco-ASA5505-BUN-K9-5505-Security-Appliance/dp/B000O0Z8GC/ref=sr_1_1?ie=UTF8&qid=1375800539&sr=8-1&keywords=cisco+asa5505

Supports 85,000 packets a second; mine is the 1 GB RAM version.

u/joey52685 · 1 point · r/exchangeserver

There are free versions of Linux that will do more than your current router. You can get an entry level Cisco firewall for < $300. Upgrading to something appropriate for your environment would probably be more cost effective in the long run since you won't be wasting your time trying to find workarounds like this.

http://www.amazon.com/Cisco-ASA5505-BUN-K9-ASA-5505/dp/B000O0Z8GC