A Windows XP help forum. PCbanter

How do you block an IP address on Windows?



 
 
  #1  
Old August 21st 17, 06:30 AM posted to alt.comp.os.windows-10
Bram van den Heuvel
external usenet poster
 
Posts: 28
Default How do you block an IP address on Windows?

I'm just learning Wireshark where all I'm doing at the moment is going line
by line to see what IP addresses are accessed by my computer when I am
doing nothing and the computer is just on.

In Wireshark I see connections to IP addresses which I look up and find out
who they are but I have no idea why my computer is connecting to them.

I tried putting them in the HOSTS file but HOSTS doesn't work this way.
# 127.0.0.1 104.28.17.56 # Wireshark - Cloudflare
# 127.0.0.1 172.217.5.206 # Wireshark - Google Search Engine Spider
# 127.0.0.1 152.195.54.20 # Wireshark - ANS Communication Verizon Busines
# 127.0.0.1 224.0.0.252 # Wireshark - MCAST-NET IANA Special Use (probably ok)

Since I have no idea why my computer is connecting to these IP addresses,
I'll just block them, but how?
  #2  
Old August 21st 17, 06:36 AM posted to alt.comp.os.windows-10
GlowingBlueMist[_6_]
external usenet poster
 
Posts: 378
Default How do you block an IP address on Windows?

On 8/21/2017 12:30 AM, Bram van den Heuvel wrote:
> I'm just learning Wireshark where all I'm doing at the moment is going line
> by line to see what IP addresses are accessed by my computer when I am
> doing nothing and the computer is just on.
>
> In Wireshark I see connections to IP addresses which I look up and find out
> who they are but I have no idea why my computer is connecting to them.
>
> I tried putting them in the HOSTS file but HOSTS doesn't work this way.
> # 127.0.0.1 104.28.17.56 # Wireshark - Cloudflare
> # 127.0.0.1 172.217.5.206 # Wireshark - Google Search Engine Spider
> # 127.0.0.1 152.195.54.20 # Wireshark - ANS Communication Verizon Busines
> # 127.0.0.1 224.0.0.252 # Wireshark - MCAST-NET IANA Special Use (probably ok)
>
> Since I have no idea why my computer is connecting to these IP addresses,
> I'll just block them, but how?

I may be wrong but I think you have the IP pairings reversed.
Try something more like;
104.28.17.56 127.0.0.1 # to send the first IP into the black hole that
the 127 address uses.


  #3  
Old August 21st 17, 07:10 AM posted to alt.comp.os.windows-10
Bram van den Heuvel
external usenet poster
 
Posts: 28
Default How do you block an IP address on Windows?

Given news wrote:

> I may be wrong but I think you have the IP pairings reversed.
> Try something more like;
> 104.28.17.56 127.0.0.1 # to send the first IP into the black hole that
> the 127 address uses.


I looked up if the HOSTS file can handle IP addresses but it can't.
It only blocks domain names using the syntax
127.0.0.1 www.google.com

So what you saw in my original post is just the comments in my HOSTS.

I just rebooted and watched Wireshark capture the following IP addresses.
# 23.215.102.64 # Wireshark - Akamai Technologies
# 64.4.54.50 # Wireshark - Microsoft Corporation
# 65.55.252.202 # Wireshark - Microsoft Corporation
# 72.21.91.29 # Wireshark - EDGECAST-NETBLK-01 Verizon
# 104.16.91.188 # Wireshark - Cloudflare, Inc.
# 104.17.104.175 # Wireshark - Cloudflare, Inc.
# 104.28.17.56 # Wireshark - Cloudflare
# 152.195.54.20 # Wireshark - ANS Communication Verizon Business
# 172.217.5.206 # Wireshark - Google Search Engine Spider
# 204.79.197.200 # Wireshark - Microsoft Corporation (MSFT)
# 216.239.39.21 # Wireshark - Google
# 224.0.0.252 # Wireshark - MCAST-NET IANA Special Use

I didn't touch anything and these are being accessed so I just want to
block them.

What's the method Windows 10 blocks specific IP addresses?
  #4  
Old August 21st 17, 07:53 AM posted to alt.comp.os.windows-10
Ralph Fox
external usenet poster
 
Posts: 474
Default How do you block an IP address on Windows?

On Mon, 21 Aug 2017 06:10:01 +0000 (UTC), Bram van den Heuvel wrote:

> What's the method Windows 10 blocks specific IP addresses?



That is the job of your firewall, whichever it is.


--
Kind regards
Ralph
🦊
  #5  
Old August 21st 17, 08:29 AM posted to alt.comp.os.windows-10
mike[_10_]
external usenet poster
 
Posts: 1,073
Default How do you block an IP address on Windows?

On 8/20/2017 11:53 PM, Ralph Fox wrote:
> On Mon, 21 Aug 2017 06:10:01 +0000 (UTC), Bram van den Heuvel wrote:
>
>> What's the method Windows 10 blocks specific IP addresses?
>
> That is the job of your firewall, whichever it is.


Comodo firewall will let you do that easily.
Beware that there may be unintended consequences.
For example, a typical webpage loads other pages
that load other pages that....
The content you want to see may be at the end of that
cascade. Block part of it also blocks the content you wish to view.
Anything hosted by MS has the technical ability to cause
you enough discomfort that you won't do it. I expect the same
goes for google.
  #6  
Old August 21st 17, 10:28 AM posted to alt.comp.os.windows-10
Char Jackson
external usenet poster
 
Posts: 10,449
Default How do you block an IP address on Windows?

On Mon, 21 Aug 2017 06:10:01 +0000 (UTC), Bram van den Heuvel
wrote:

> Given news wrote:
>
>> I may be wrong but I think you have the IP pairings reversed.
>> Try something more like;
>> 104.28.17.56 127.0.0.1 # to send the first IP into the black hole that
>> the 127 address uses.
>
> I looked up if the HOSTS file can handle IP addresses but it can't.

Correct. The hosts file is accessed when the system needs to perform a
DNS query. If the system tries to access a specific IP address directly,
there's no DNS query and hence no need to check the hosts file.

> It only blocks domain names using the syntax
> 127.0.0.1 www.google.com
>
> So what you saw in my original post is just the comments in my HOSTS.
>
> I just rebooted and watched Wireshark capture the following IP addresses.
> # 23.215.102.64 # Wireshark - Akamai Technologies
> # 64.4.54.50 # Wireshark - Microsoft Corporation
> # 65.55.252.202 # Wireshark - Microsoft Corporation
> # 72.21.91.29 # Wireshark - EDGECAST-NETBLK-01 Verizon
> # 104.16.91.188 # Wireshark - Cloudflare, Inc.
> # 104.17.104.175 # Wireshark - Cloudflare, Inc.
> # 104.28.17.56 # Wireshark - Cloudflare
> # 152.195.54.20 # Wireshark - ANS Communication Verizon Business
> # 172.217.5.206 # Wireshark - Google Search Engine Spider
> # 204.79.197.200 # Wireshark - Microsoft Corporation (MSFT)
> # 216.239.39.21 # Wireshark - Google
> # 224.0.0.252 # Wireshark - MCAST-NET IANA Special Use
>
> I didn't touch anything and these are being accessed so I just want to
> block them.
>
> What's the method Windows 10 blocks specific IP addresses?


A proper firewall allows you to 'drop' traffic destined for a particular
host. Even the Windows firewall appears to offer that capability,
although I haven't used it there. Inbound blocks appear to be more
common, but they mention that outbound blocks are also possible.
https://answers.microsoft.com/en-us/windows/forum/windows_7-security/how-do-i-block-outbound-and-inbound-specific-ip/d42c58d0-2693-4a10-a4e4-331b7d041036?auth=1

Your router might also have such a feature built in. My TP-Link Archer
C9 does, for example, under the Advanced settings, called Access
Control.

Those two methods would affect every PC on the LAN. Here's a method that
only affects a single PC, regardless of the Windows version. Create a
persistent "host route" that essentially blackholes the traffic that you
don't like. In a Command Prompt, type "route /?" to see the basic help
for adding a route. You'd want it to be persistent so it survives across
reboots, (or use a script that recreates all of your routes each time
you boot), and you'd want the gateway IP to be an address on your LAN
that doesn't exist; i.e., a black hole.

For example, to block outgoing traffic (from this PC only) to 8.8.8.8
route -p add 8.8.8.8 255.255.255.255 192.168.1.254

where the following:
route: the actual command
-p: make it persistent
add: we're going to add a new route to the routing table
8.8.8.8: the IP you want to block
255.255.255.255: block the single IP, not a range or subnet
192.168.1.254: non-existent IP on the LAN

As traffic for 8.8.8.8 travels up the network stack prior to leaving the
PC, the routing table is consulted. Lo and behold, there's a route there
that provides special instructions for only this traffic. Everything
else is unaffected. For this traffic, instead of sending it to the
default gateway, let's send it to a non-existent IP address within the
LAN. It'll time out and die, never leaving the LAN.

  #7  
Old August 21st 17, 02:14 PM posted to alt.comp.os.windows-10
Mayayana
external usenet poster
 
Posts: 6,438
Default How do you block an IP address on Windows?

"Bram van den Heuvel" wrote

| I looked up if the HOSTS file can handle IP addresses but it can't.
| It only blocks domain names using the syntax
| 127.0.0.1 www.google.com
|

Yes. It's basically a phone book. If your browser or
other software already know the IP then there's
no need for a HOSTS check. If the IP is cached there's
also no HOSTS check.

But there are also other complications. For
example:

* Microsoft or others might hard-code IPs for calling
home.

* Domains like Akamai and Cloudflare may not be
getting called directly. They provide a large
amount of Internet content, as subcontractors.
A company like MS might contract with Akamai to
use their servers when they get heavy loads. The
problem there is that Akamai is not in any way
linked through the webpage you visit. It's a back-end
setup. Akamai is also selling your personal info.**
But it's hard to do anything about it. First, if you
block them you might lose a lot of pages. Second,
even if you didn't mind that, your browser doesn't
look it up so you can't stop it in HOSTS. It seems
to somehow go through the target site, acting like
a back-end server at the site you're visiting. Wireshark
shows that you're connected to Akamai, but there
are no Akamai links in the webpage. You're being
forwarded server-side. That's a whole new(ish)
category of online tracking.

Things were originally designed to prevent privacy
intrusion online. For example, sites are not allowed
to access cookies except from their own domain.
But numerous tricks have been developed to
circumvent that, such as 3rd-party cookies or web
bugs that allow you to be tracked across domains,
and heavy use of script to monitor your actions on
a page, such as mouse movement, hover, or clicking.
Content delivery services, which serve a legitimate
purpose, have nevertheless become an additional
privacy problem. That kind of server-side redirect
opens up lots of possibilities.

As others have said, most newer routers will allow you
to completely block specific IP addresses. While that
might help with Win10 spyware, it may not be feasible
to block all Akamai or Cloudflare IPs, and you probably
wouldn't want to.

------------------------------------
** The Akamai story:

https://blogs.wsj.com/digits/2010/11...ee-technology/

That link is currently just a teaser to sign up with WSJ.
Originally the whole article was available. The gist of it
is that Akamai is estimated to provide 15-30% of Web
traffic, allowing them to monitor your activity closely
despite you never actually visiting their site. (The rest
of the article is mostly damage control, with Akamai
spokespeople claiming that advertising (read "spying")
is "not their main business".)



  #8  
Old August 21st 17, 05:09 PM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default How do you block an IP address on Windows?

Bram van den Heuvel wrote:
> I'm just learning Wireshark where all I'm doing at the moment is going line
> by line to see what IP addresses are accessed by my computer when I am
> doing nothing and the computer is just on.
>
> In Wireshark I see connections to IP addresses which I look up and find out
> who they are but I have no idea why my computer is connecting to them.
>
> I tried putting them in the HOSTS file but HOSTS doesn't work this way.
> # 127.0.0.1 104.28.17.56 # Wireshark - Cloudflare
> # 127.0.0.1 172.217.5.206 # Wireshark - Google Search Engine Spider
> # 127.0.0.1 152.195.54.20 # Wireshark - ANS Communication Verizon Busines
> # 127.0.0.1 224.0.0.252 # Wireshark - MCAST-NET IANA Special Use (probably ok)
>
> Since I have no idea why my computer is connecting to these IP addresses,
> I'll just block them, but how?


The fact you can see 1e100.net (172.217.5.206) addresses,
means this is *incoming* traffic. That's the reports I've
received in the past, of someone getting hammered by 1e100.net (Google).
The only way there'd be *outgoing* packets, is if the web server
you're running on your PC, answered the Google probe on port 80
and was sending HTML pages back to Google.

If you have a router box in the network diagram (connect
to broadband with a modem/router box), the diagram can look
like this. With this setup, incoming 1e100.net probes
fall on the floor, at the router box. This is why practically
nobody in this group has seen a 1e100.net packet in Wireshark.
They may have seen it with IPV6 addresses, but the above
172.217.5.206 is an IPV4 address, and could be stopped by
some flavor of NAT in the router. If you Port Forward the
Port 80 on the outside, to PC#4, then you could see and
receive 1E100.net IPV4 packets. If you're using a VPN, I
presume it is *downstream* of where Wireshark is looking,
and you cannot see the traffic there. With TCPView, you're
looking at established connections, not just random incoming
packets. I'm normally only looking for established connections,
any time I've tried to use TCPView.

RJ11 --- ADSL --- ADSL box --------- How to monitor traffic here???
Modem router ----- |
(NAT or ----- v
Firewall) ----- PC#4 --- (VPN???) --- firewall --- applications
^
ie100.net --+ |
| Wireshark
v looks here?

If you connect directly to the Internet with an ADSL modem
or a "bridged" modem/router, then it looks like this. My problem
with these diagrams, is you cannot always see the incoming
packets. Wireshark is only supposed to be using the
promiscuous interface on the actual Ethernet (PCAP) or
Wifi (AirCap???).
OS Terminates PPPOE protocol.
Username/password dialog etc.
|
v

RJ11 --- ADSL --- PC#4 --- (PPPOE) --- (VPN???) --- firewall --- applications
Modem ^ ^ tap/tun?
| |
Wireshark See 1e100.net here ? How ?
looks here?

Sees PPPOE encapsulation...
Might need PPPOE dissector
for visibility.

It's outside my pay level to fix this. You can have one
or two firewalls in the picture. You can replace the
Windows firewall with a third party firewall if you want.
The firewalls could use IPTables, and have rules for
ingress and egress. AFAIK, the Windows firewall also
has ingress and egress rules.

I generally *do not recommend* the second hardware configuration.
If you know what you're doing, and are the Wizard of Networking,
then fine, go right ahead... The second configuration is
not forgiving of mistakes.

The top configuration, a hacker can pwn your modem/router
box, using a known exploit. In the second configuration,
you're relying on "bulletproof Windows" for your protection.
SMB1, anybody ? Here comes your copy of Wannacrypt.

If you don't own a router box, and want to buy one this morning,
make sure it's well documented and has facilities to actually
do stuff with the Firewall. My first router, which cost $300,
only had room for around 10 rules in the interface, and the
hardware happened to be extremely limited. That's no longer
the case today, when there is a Linux kernel running inside
the router box, and the router box can have something better
than a 500MHz MIPS processor to run the whole show.

While it's fun to be listing these IP addresses above, the
fact you can see them, has implications about your config...

Google has a zillion spiders, so blocking 172.217.5.206 won't
stop the other zillion minus one. A person would be delusional
to even try that. Maybe blocking 1e100.net domain would help ?

See, it's outside my pay scale... Whatever you're doing.

Paul
  #9  
Old August 21st 17, 05:10 PM posted to alt.comp.os.windows-10
Andy Burns[_6_]
external usenet poster
 
Posts: 1,318
Default How do you block an IP address on Windows?

Bram van den Heuvel wrote:

> # 127.0.0.1 104.28.17.56 # Wireshark - Cloudflare

cloudflare is used as an anti-DDOS frontend to web servers vulnerable to
being attacked (e.g. high profile ones)

> # 127.0.0.1 172.217.5.206 # Wireshark - Google Search Engine Spider

if you use any of google's services (search, youtube, gmail etc) then
blocking any part of 1e100.net is unwise

> # 127.0.0.1 224.0.0.252 # Wireshark - MCAST-NET IANA Special Use (probably ok)

that's a multicast address, so unlikely to leave your own network, used
for multicast name resolution, it might be related to the Link Local
Discover Mapper/Responder protocols if you have them bound to your NIC.

> Since I have no idea why my computer is connecting to these IP addresses,
> I'll just block them, but how?

Blocking stuff just because you don't know what it is is one way to deal
with it, but just beware if stuff starts getting slow, or not
working, you might need to re-enable whatever you've blocked to see if
it's related.

  #10  
Old August 21st 17, 05:18 PM posted to alt.comp.os.windows-10
Bram van den Heuvel
external usenet poster
 
Posts: 28
Default How do you block an IP address on Windows?

Given news
> Comodo firewall will let you do that easily.
> Beware that there may be unintended consequences.

Story of my life.

> For example, a typical webpage loads other pages
> that load other pages that....

I know. But we can't always be running scared to lock our doors.

> The content you want to see may be at the end of that
> cascade. Block part of it also blocks the content you wish to view.
> Anything hosted by MS has the technical ability to cause
> you enough discomfort that you won't do it. I expect the same
> goes for google.

I already have a huge hosts file so it wouldn't be the first time.
  #11  
Old August 21st 17, 05:18 PM posted to alt.comp.os.windows-10
Bram van den Heuvel
external usenet poster
 
Posts: 28
Default How do you block an IP address on Windows?

Given news wrote:

> That is the job of your firewall, whichever it is.

The only firewall I have is Glasswire which I forget why I installed it
long ago.

Opening up Glasswire it has a "click to block" selection for items it
sees, but that's not the same thing because I'd have to find these IP
addresses where Glasswire seems to use domain names.
  #12  
Old August 21st 17, 05:45 PM posted to alt.comp.os.windows-10
Bram van den Heuvel
external usenet poster
 
Posts: 28
Default How do you block an IP address on Windows?

Given , Char Jackson
wrote:

>> I looked up if the HOSTS file can handle IP addresses but it can't.
>
> Correct. The hosts file is accessed when the system needs to perform a
> DNS query. If the system tries to access a specific IP address directly,
> there's no DNS query and hence no need to check the hosts file.

Thanks for making it make sense as I wasn't sure why the HOSTS file didn't
work.

> A proper firewall allows you to 'drop' traffic destined for a particular
> host. Even the Windows firewall appears to offer that capability,
> although I haven't used it there. Inbound blocks appear to be more
> common, but they mention that outbound blocks are also possible.
> https://answers.microsoft.com/en-us/windows/forum/windows_7-security/how-do-i-block-outbound-and-inbound-specific-ip/d42c58d0-2693-4a10-a4e4-331b7d041036?auth=1

It seems by all accounts that a software firewall on Windows 10 is the
answer.

Since I'm not a firewall knowledgeable person, and since I'm using Glasswire
(I forget why), I'm willing to change the software firewall.

What is the recommended firewall for Windows 10 for this blocking purpose?

> Your router might also have such a feature built in. My TP-Link Archer
> C9 does, for example, under the Advanced settings, called Access
> Control.

The router has the advantage of working on all the devices, but it also has
the disadvantage of being a bit harder to test out for unintended
consequences since I don't know what other people in the house are doing at
any one time.

So I'll try first the machine.

> Those two methods would affect every PC on the LAN. Here's a method that
> only affects a single PC, regardless of the Windows version. Create a
> persistent "host route" that essentially blackholes the traffic that you
> don't like.

Interesting concept!

> In a Command Prompt, type "route /?" to see the basic help
> for adding a route. You'd want it to be persistent so it survives across
> reboots, (or use a script that recreates all of your routes each time
> you boot), and you'd want the gateway IP to be an address on your LAN
> that doesn't exist; i.e., a black hole.
>
> For example, to block outgoing traffic (from this PC only) to 8.8.8.8
> route -p add 8.8.8.8 255.255.255.255 192.168.1.254
>
> where the following:
> route: the actual command
> -p: make it persistent
> add: we're going to add a new route to the routing table
> 8.8.8.8: the IP you want to block
> 255.255.255.255: block the single IP, not a range or subnet
> 192.168.1.254: non-existent IP on the LAN

This is neat if it works!
I get "route: bad argument 192.168.1.254"

> As traffic for 8.8.8.8 travels up the network stack prior to leaving the
> PC, the routing table is consulted. Lo and behold, there's a route there
> that provides special instructions for only this traffic. Everything
> else is unaffected. For this traffic, instead of sending it to the
> default gateway, let's send it to a non-existent IP address within the
> LAN. It'll time out and die, never leaving the LAN.


route -p add 23.215.102.64 255.255.255.255 192.168.1.254 # Wireshark - Akamai Technologies
route -p add 64.4.54.50 255.255.255.255 192.168.1.254 # Wireshark - Microsoft Corporation
route -p add 65.55.252.202 255.255.255.255 192.168.1.254 # Wireshark - Microsoft Corporation
route -p add 72.21.91.29 255.255.255.255 192.168.1.254 # Wireshark - EDGECAST-NETBLK-01 Verizon
route -p add 104.16.91.188 255.255.255.255 192.168.1.254 # Wireshark - Cloudflare, Inc.
route -p add 104.17.104.175 255.255.255.255 192.168.1.254 # Wireshark - Cloudflare, Inc.
route -p add 104.28.17.56 255.255.255.255 192.168.1.254 # Wireshark - Cloudflare
route -p add 152.195.54.20 255.255.255.255 192.168.1.254 # Wireshark - ANS Communication Verizon Business
route -p add 172.217.5.206 255.255.255.255 192.168.1.254 # Wireshark - Google Search Engine Spider
route -p add 204.79.197.200 255.255.255.255 192.168.1.254 # Wireshark - Microsoft Corporation (MSFT)
route -p add 216.239.39.21 255.255.255.255 192.168.1.254 # Wireshark - Google
route -p add 224.0.0.252 255.255.255.255 192.168.1.254 # Wireshark - MCAST-NET IANA Special Use

Am I supposed to get "bad argument" as a result?
  #13  
Old August 21st 17, 05:53 PM posted to alt.comp.os.windows-10
Bram van den Heuvel
external usenet poster
 
Posts: 28
Default How do you block an IP address on Windows?

Given , KenW
wrote:

> The # is to enter comments.

The pound sign is just because I started using the HOSTS file and when it
didn't work, I commented them out.

Ignore the pound sign for our purposes.
It was just a cut and paste of the IP addresses which were being sought by
my computer when I wasn't doing anything.

> Haven't used Wireshark, just found way to use it with WiFi, for years.
> What you see is everything your connection goes through.


The output from Wireshark is voluminous but I'm only showing you the IP
addresses that showed up after a reboot and after I manually started
Wireshark and I watched it for about 10 or 20 minutes.

There were hundreds of lines but all of the others didn't go outside the
network (for example, there is something that HP does that asks for every
single IP address on my local network!).

There were broadcasts and other calls to local networks - so these are the
IP addresses that went OUT of my network.

The question is really a general question which is how best to block any
specific IP address (where I know that there can be repercussions but
that's not the question).

The question is how best to block any given IP address, where the HOSTS
file isn't the answer I found out (thanks for everyone who explained why).

Either a software or hardware firewall is the answer or the route command
is the answer. I'm trying to get the route to work but I must have done
something wrong.

route -p add 23.215.102.64 255.255.255.255 192.168.1.254
"route: bad argument 192.168.1.254"

My network is "normal" as far as I know, with the router at 192.168.1.1 and
the rest is a normal setup (afaik).
  #14  
Old August 21st 17, 05:58 PM posted to alt.comp.os.windows-10
Mayayana
external usenet poster
 
Posts: 6,438
Default How do you block an IP address on Windows?

"Andy Burns" wrote

| if you use any of google's services (search, youtube, gmail etc) then
| blocking any part of 1e100.net is unwise
|
I've blocked that for years. I have all of the following
Google domains in my Acrylic HOSTS file, which
allows wildcards. I occasionally use Google search
(when DuckDuckGo doesn't seem up to the task) and
sometimes Youtube. No problems. But I don't use
gmail. I suppose if you're going to use gmail there's
not much point trying to protect privacy from Google.

127.0.0.1 *.googlesyndication.com
127.0.0.1 *.googleadservices.com
127.0.0.1 *.googlecommerce.com
127.0.0.1 *.1e100.com
127.0.0.1 *.1e100.net
127.0.0.1 *.doubleclick.net
127.0.0.1 *.doubleclick.com
127.0.0.1 *.googletagservices.com
127.0.0.1 *.googletagmanager.com
127.0.0.1 *.google-analytics.com
127.0.0.1 google-analytics.com
127.0.0.1 fonts.googleapis.com
127.0.0.1 googleadapis.l.google.com
127.0.0.1 ssl.gstatic.com
127.0.0.1 plusone.google.com
127.0.0.1 cse.google.com
127.0.0.1 www.google.com/cse


  #15  
Old August 21st 17, 07:02 PM posted to alt.comp.os.windows-10
Char Jackson
external usenet poster
 
Posts: 10,449
Default How do you block an IP address on Windows?

On Mon, 21 Aug 2017 16:45:58 +0000 (UTC), Bram van den Heuvel
wrote:

> Given , Char Jackson
> wrote:
>
>>> I looked up if the HOSTS file can handle IP addresses but it can't.
>>
>> Correct. The hosts file is accessed when the system needs to perform a
>> DNS query. If the system tries to access a specific IP address directly,
>> there's no DNS query and hence no need to check the hosts file.
>
> Thanks for making it make sense as I wasn't sure why the HOSTS file didn't
> work.
>
>> A proper firewall allows you to 'drop' traffic destined for a particular
>> host. Even the Windows firewall appears to offer that capability,
>> although I haven't used it there. Inbound blocks appear to be more
>> common, but they mention that outbound blocks are also possible.
>> https://answers.microsoft.com/en-us/windows/forum/windows_7-security/how-do-i-block-outbound-and-inbound-specific-ip/d42c58d0-2693-4a10-a4e4-331b7d041036?auth=1
>
> It seems by all accounts that a software firewall on Windows 10 is the
> answer.
>
> Since I'm not a firewall knowledgeable person, and since I'm using Glasswire
> (I forget why), I'm willing to change the software firewall.
>
> What is the recommended firewall for Windows 10 for this blocking purpose?
>
>> Your router might also have such a feature built in. My TP-Link Archer
>> C9 does, for example, under the Advanced settings, called Access
>> Control.
>
> The router has the advantage of working on all the devices, but it also has
> the disadvantage of being a bit harder to test out for unintended
> consequences since I don't know what other people in the house are doing at
> any one time.
>
> So I'll try first the machine.
>
>> Those two methods would affect every PC on the LAN. Here's a method that
>> only affects a single PC, regardless of the Windows version. Create a
>> persistent "host route" that essentially blackholes the traffic that you
>> don't like.
>
> Interesting concept!
>
>> In a Command Prompt, type "route /?" to see the basic help
>> for adding a route. You'd want it to be persistent so it survives across
>> reboots, (or use a script that recreates all of your routes each time
>> you boot), and you'd want the gateway IP to be an address on your LAN
>> that doesn't exist; i.e., a black hole.
>>
>> For example, to block outgoing traffic (from this PC only) to 8.8.8.8
>> route -p add 8.8.8.8 255.255.255.255 192.168.1.254
>>
>> where the following:
>> route: the actual command
>> -p: make it persistent
>> add: we're going to add a new route to the routing table
>> 8.8.8.8: the IP you want to block
>> 255.255.255.255: block the single IP, not a range or subnet
>> 192.168.1.254: non-existent IP on the LAN
>
> This is neat if it works!
> I get "route: bad argument 192.168.1.254"

Well, it would work if I had provided a proper example. Unfortunately, I
omitted the MASK keyword. Try this:

route -p add 8.8.8.8 mask 255.255.255.255 192.168.1.254

>> As traffic for 8.8.8.8 travels up the network stack prior to leaving the
>> PC, the routing table is consulted. Lo and behold, there's a route there
>> that provides special instructions for only this traffic. Everything
>> else is unaffected. For this traffic, instead of sending it to the
>> default gateway, let's send it to a non-existent IP address within the
>> LAN. It'll time out and die, never leaving the LAN.
>
> route -p add 23.215.102.64 255.255.255.255 192.168.1.254 # Wireshark - Akamai Technologies
> route -p add 64.4.54.50 255.255.255.255 192.168.1.254 # Wireshark - Microsoft Corporation
> route -p add 65.55.252.202 255.255.255.255 192.168.1.254 # Wireshark - Microsoft Corporation
> route -p add 72.21.91.29 255.255.255.255 192.168.1.254 # Wireshark - EDGECAST-NETBLK-01 Verizon
> route -p add 104.16.91.188 255.255.255.255 192.168.1.254 # Wireshark - Cloudflare, Inc.
> route -p add 104.17.104.175 255.255.255.255 192.168.1.254 # Wireshark - Cloudflare, Inc.
> route -p add 104.28.17.56 255.255.255.255 192.168.1.254 # Wireshark - Cloudflare
> route -p add 152.195.54.20 255.255.255.255 192.168.1.254 # Wireshark - ANS Communication Verizon Business
> route -p add 172.217.5.206 255.255.255.255 192.168.1.254 # Wireshark - Google Search Engine Spider
> route -p add 204.79.197.200 255.255.255.255 192.168.1.254 # Wireshark - Microsoft Corporation (MSFT)
> route -p add 216.239.39.21 255.255.255.255 192.168.1.254 # Wireshark - Google
> route -p add 224.0.0.252 255.255.255.255 192.168.1.254 # Wireshark - MCAST-NET IANA Special Use
>
> Am I supposed to get "bad argument" as a result?


No, if you do a "route print" and check the section of the output that
shows the persistent routes, you'll see that you haven't added any new
routes yet. In addition to adding the "mask" keyword, you can't add
comments, so be sure to remove all of that.

After you add routes, do a "route print" to see what the routing table
looks like, especially the section for persistent routes:

C:\Windows\System32>route print
===========================================================================
Interface List
snip
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
snip
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
    23.215.102.64  255.255.255.255    192.168.1.254       1
          8.8.8.9  255.255.255.255    192.168.1.254       1
===========================================================================
snip
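
As an added example (not code from any poster in this thread), the Python script below takes a pasted list in the style used above and produces the corrected `route -p add ... mask ...` lines plus equivalent Windows Firewall `netsh` outbound block rules, while setting aside name-based HOSTS entries, multicast addresses and private addresses. The LAN `192.168.1.0/24`, the unused gateway `192.168.1.254`, the function names and the sample input are assumptions or constructed values based on what the thread states.

```python
import ipaddress

# Constructed sample in the style of the lists pasted in the thread: a
# commented-out HOSTS-style line, a genuine HOSTS mapping, bare IPs with
# trailing "#" notes, plus two constructed edge cases.
SAMPLE = """\
# 127.0.0.1 104.28.17.56 # Wireshark - Cloudflare
127.0.0.1 www.example.com
23.215.102.64 # Wireshark - Akamai Technologies
224.0.0.252 # Wireshark - MCAST-NET IANA Special Use
192.168.1.77 # constructed: host on the local LAN
not-an-ip # constructed: junk line
"""


def _as_ip(token):
    """Return an IPv4Address for token, or None if it is not an IPv4 literal."""
    try:
        return ipaddress.IPv4Address(token)
    except ValueError:
        return None


def parse_list(text):
    """Split pasted lines into IP targets, real HOSTS names, and rejects."""
    targets, names, rejects = [], [], []
    for raw in text.splitlines():
        # Drop a leading "#" (commented-out line) and any trailing "# note".
        body = raw.strip().lstrip("#").split("#", 1)[0].split()
        if not body:
            continue
        ips = [_as_ip(tok) for tok in body]
        if len(body) == 2 and ips[0] is not None and ips[1] is not None:
            # "127.0.0.1 <ip>": HOSTS maps names to addresses, so an IP in
            # the name field is never looked up. Treat it as a block target.
            targets.append(ips[1])
        elif len(body) == 2 and ips[0] is not None:
            names.append(body[1])  # valid name-based HOSTS entry
        elif len(body) == 1 and ips[0] is not None:
            targets.append(ips[0])
        else:
            rejects.append((" ".join(body), "not an IPv4 address"))
    return targets, names, rejects


def build_plan(text, lan="192.168.1.0/24", dead_gw="192.168.1.254"):
    """Return route/netsh command lines plus the entries that were skipped.

    lan and dead_gw are assumptions taken from the thread (router at
    192.168.1.1, unused address 192.168.1.254); confirm both on your own LAN.
    """
    net = ipaddress.IPv4Network(lan)
    gw = ipaddress.IPv4Address(dead_gw)
    # A next hop outside the LAN is not directly reachable, so it cannot
    # serve as the dead gateway for a host route.
    if gw not in net or gw in (net.network_address, net.broadcast_address):
        raise ValueError(f"{gw} is not a usable host address in {net}")

    targets, names, skipped = parse_list(text)
    route_cmds, fw_cmds, seen = [], [], set()
    for ip in targets:
        if ip in seen:
            continue
        seen.add(ip)
        if ip.is_multicast:
            skipped.append((str(ip), "multicast address, not a single remote host"))
        elif ip.is_private:
            skipped.append((str(ip), "private/local address, review by hand"))
        else:
            # The MASK keyword is required; trailing comments are not accepted.
            route_cmds.append(f"route -p add {ip} mask 255.255.255.255 {gw}")
            fw_cmds.append(
                f'netsh advfirewall firewall add rule name="Block out {ip}" '
                f"dir=out action=block remoteip={ip}")
    return {"route": route_cmds, "firewall": fw_cmds,
            "hosts_names": names, "skipped": skipped}


if __name__ == "__main__":
    plan = build_plan(SAMPLE)
    for section in ("route", "firewall"):
        print("\n".join(plan[section]))
    for item, why in plan["skipped"]:
        print(f"skipped {item}: {why}")
```

The generated lines are meant to be pasted into an elevated Command Prompt; `route print` then shows the result under Persistent Routes, as in the output above.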

 




All times are GMT +1.