OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: NW4FUN on December 07, 2022, 04:12:30 PM

Title: Block ALL does NOT block iMessage and FaceTime
Post by: NW4FUN on December 07, 2022, 04:12:30 PM
Hello,

I've implemented a timed scheduled BLOCK ALL policy running on my kids' VLAN from 10pm to 6am every day. Needless to say, it is so straightforward that it was working as expected until I realised my daughter was able to send/receive iMessages on her iPhone, at which point I tried to give her a FaceTime call and to my surprise this was going through with no problems at all!!

I'm puzzled about what/why this is happening, as to my understanding the BLOCK ALL TRAFFIC policy should do what it says on the tin, period.

What am I missing??

Cheers,

NW4FUN
Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: cookiemonster on December 07, 2022, 04:22:33 PM
Could the phone be off the LAN/VLAN and using mobile network?
Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: NW4FUN on December 07, 2022, 04:24:34 PM
That's not the case, as testing was done while on Wi-Fi... however, even when off WLAN, it automatically initiates a VPN tunnel into the FW, routing all traffic through it.
Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: athurdent on December 07, 2022, 04:25:32 PM
Quote from: cookiemonster on December 07, 2022, 04:22:33 PM
Could the phone be off the LAN/VLAN and using mobile network?
I had instances where WiFi Assist on the iPad thought that Zenarmor's adblocker was actually a network problem and started to load ads via mobile, so this could well be a cause.
Also iCloud relay should be kept off.
Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: NW4FUN on December 07, 2022, 04:35:54 PM
That's not the case, as testing was done while on Wi-Fi... however, even when off WLAN, it automatically initiates a VPN tunnel into the FW, routing all traffic through it.

All traffic is being backhauled through the FW regardless of the link utilized at the time (5G, home Wi-Fi, 3rd party Wi-Fi, hotspot, etc.).

Also, all other traffic is being blocked as expected; it is just iCloud services going through.
Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: sy on December 07, 2022, 11:30:16 PM
Hi,

Do you see this non-blocked traffic in the live session explorer?
Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: NW4FUN on December 08, 2022, 10:36:16 PM
Yes, I do.
Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: sy on December 09, 2022, 01:56:31 PM
Hi,

Please share a bug report from the upper right corner of Zenarmor GUI.
Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: NW4FUN on December 09, 2022, 02:08:37 PM
Done.
Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: Demusman on December 09, 2022, 04:06:02 PM
Turn off the mobile data on the phone just to be sure.
Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: NW4FUN on December 09, 2022, 04:59:52 PM
Quote from: Demusman on December 09, 2022, 04:06:02 PM
Turn off the mobile data on the phone just to be sure.

Again, traffic is routed through the firewall, then out to the internet. As a matter of fact, everything else is blocked but iCloud services.
Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: Demusman on December 09, 2022, 09:06:22 PM
Quote from: NW4FUN on December 09, 2022, 04:59:52 PM
Quote from: Demusman on December 09, 2022, 04:06:02 PM
Turn off the mobile data on the phone just to be sure.

Again, traffic is routed through the firewall, then out to the internet. As a matter of fact, everything else is blocked but iCloud services.

Right, but if it's blocked by the firewall and cell data is on it will use cell data.
Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: NW4FUN on December 09, 2022, 09:15:02 PM
Quote from: Demusman on December 09, 2022, 09:06:22 PM
Quote from: NW4FUN on December 09, 2022, 04:59:52 PM
Quote from: Demusman on December 09, 2022, 04:06:02 PM
Turn off the mobile data on the phone just to be sure.

Again, traffic is routed through the firewall, then out to the internet. As a matter of fact, everything else is blocked but iCloud services.

Right, but if it's blocked by the firewall and cell data is on it will use cell data.

In what network design scenario would that be true??
ALL traffic is routed through the FW then out into the wild.

Cell data is just a link (which goes into the FW then out to the wild)

Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: cookiemonster on December 09, 2022, 09:32:44 PM
I, for one, am wondering what you mean when you say that when the mobiles are connected to the cell network, traffic goes through your firewall.
Unless the mobiles have a permanent VPN to OPN that stays on when in the house, in range of your wifi, and then out of the building, or even if the user switches off wifi, the normal behaviour is to only use the cellular network, bypassing your FW.
If you have something like that or something else that ensures the mobile phone data is always going via OPN even when the wifi is switched off, then you're good.
You haven't stated this, so it's fair IMO to wonder about it.
So for the purpose of the question, is the mobile phone still going through OPN when the wifi is off, and if yes, would you care to say how?
Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: Demusman on December 09, 2022, 10:49:13 PM
Quote from: NW4FUN on December 09, 2022, 09:15:02 PM
Quote from: Demusman on December 09, 2022, 09:06:22 PM
Quote from: NW4FUN on December 09, 2022, 04:59:52 PM
Quote from: Demusman on December 09, 2022, 04:06:02 PM
Turn off the mobile data on the phone just to be sure.

Again, traffic is routed through the firewall, then out to the internet. As a matter of fact, everything else is blocked but iCloud services.

Right, but if it's blocked by the firewall and cell data is on it will use cell data.

In what network design scenario would that be true??
ALL traffic is routed through the FW then out into the wild.

Cell data is just a link (which goes into the FW then out to the wild)

In every scenario.
Cell data goes to the towers outside, not your firewall.
Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: Demusman on December 13, 2022, 12:16:17 AM
No more replies??
Guess someone figured out he doesn't know as much as he thought.
Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: athurdent on December 13, 2022, 05:28:23 AM
Quote from: Demusman on December 13, 2022, 12:16:17 AM
No more replies??
Guess someone figured out he doesn't know as much as he thought.
I, too, found it a bit strange that turning off mobile data as a test has been dismissed by the OP as "not the reason".

Apple devices try very hard to give their users the best internet experience and could well route via mobile in the background at some point; Wi-Fi Assist should be turned off, as I described earlier.
They may also not cut certain existing mobile connections when transitioning to VPN, and keep routing those outside the VPN tunnel. That behaviour has been criticised in the past.
Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: cookiemonster on December 13, 2022, 11:01:39 AM
Indeed, we have asked to verify that the data is definitively going through the firewall, and the responses were:

"All traffic is being backhauled through the FW regardless of the link utilized at the time (5G, home Wi-Fi, 3rd party Wi-Fi, hotspot, etc.)."

"In what network design scenario would that be true??
ALL traffic is routed through the FW then out into the wild."

"Cell data is just a link (which goes into the FW then out to the wild)"

I suggest that there is a chance there is a misunderstanding to clear first. The onus is on the OP to explain how the traffic actually goes through the firewall rather than expecting it to.
Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: rgradert on December 13, 2022, 07:04:05 PM
Quote from: NW4FUN on December 07, 2022, 04:24:34 PM
That's not the case, as testing was done while on Wi-Fi... however, even when off WLAN, it automatically initiates a VPN tunnel into the FW, routing all traffic through it.

I clearly understand that a VPN is utilized to keep all traffic routed through the firewall regardless of connection.

What's the confusion?
Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: Patrick M. Hausen on December 13, 2022, 07:52:46 PM
Do you use the block rules on the VPN interface as well as the LAN? Are you sure the VPN establishes a default route through the firewall and not split-tunnel? How exactly is that VPN set up?

You are complaining something is not working as intended. To help we need the entire network topology, all IP addresses, all rules involved - how else should anyone spot what is wrong? Nobody's got a crystal ball.
Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: NW4FUN on December 19, 2022, 01:48:02 PM
Quote from: Demusman on December 13, 2022, 12:16:17 AM
No more replies??
Guess someone figured out he doesn't know as much as he thought.

Unlike some of you, I have a life apparently...

That said, if you guys had taken the time to READ this thread from the top, you'd have realised the answer to your question was already in there, so please go back and read if you're interested in knowing how this is working.

FYI - this bug has been filed with Sunnyvale and is currently being worked on.

Thanks to those trying to be helpful.
Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: LOTRouter on December 21, 2022, 07:52:24 PM
Seems fairly obvious this won't work as you have it set up. You said you have blocked the kids' VLAN, which is fine when they are connected using Wi-Fi. However, when connected through the carrier/VPN, that connection does NOT come in through the kids' VLAN but instead comes in on a separate VPN interface on the OPNsense router that would need to be included in your scheduled block rule.
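The point LOTRouter raises here, and that Patrick M. Hausen asked about earlier (whether the block rules are bound to the VPN interface as well as the LAN), can be shown with a small Python model of interface-scoped, scheduled rules. This is an added illustration written for this thread, not OPNsense, pf or Zenarmor code, and everything in it is assumed: the interface names vlan_kids and ovpn_kids, the addresses and the flows are constructed samples. It also handles the edge case the opening post's 10pm-to-6am schedule has, a time window that wraps midnight.

```python
"""Model of per-interface block rules with a schedule window (hypothetical,
not OPNsense/pf or Zenarmor logic). Interface names, addresses and flows
below are constructed samples."""
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Flow:
    src: str          # device address (constructed)
    service: str      # what the flow is for, for readability only
    ingress_if: str   # interface the packet entered the firewall on
    at: time          # wall-clock time the packet was seen


@dataclass(frozen=True)
class BlockRule:
    interfaces: frozenset  # interfaces this rule is bound to
    start: time            # schedule window start
    end: time              # schedule window end (exclusive)

    def active_at(self, t: time) -> bool:
        # A window such as 22:00-06:00 wraps midnight, so the comparison
        # cannot simply be start <= t < end.
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end

    def matches(self, flow: Flow) -> bool:
        # A rule bound to one interface never sees packets entering on another.
        return flow.ingress_if in self.interfaces and self.active_at(flow.at)


def evaluate(flow: Flow, rules) -> str:
    """'block' if any rule bound to the flow's ingress interface is active at
    that time; otherwise 'pass' (default-allow, as the VLAN was before the
    scheduled policy was added)."""
    return "block" if any(r.matches(flow) for r in rules) else "pass"


def window_is_active(rule: BlockRule, hour: int, minute: int) -> bool:
    """Convenience wrapper for checking the schedule window at a given time."""
    return rule.active_at(time(hour, minute))


# Constructed sample flows: the same phone, once on Wi-Fi (kids' VLAN) and
# once arriving over the VPN interface, plus one flow outside the window.
SAMPLE_FLOWS = [
    Flow("10.20.0.15", "web", "vlan_kids", time(23, 15)),
    Flow("10.20.0.15", "imessage", "vlan_kids", time(23, 15)),
    Flow("10.99.0.15", "imessage", "ovpn_kids", time(23, 15)),  # entered via VPN
    Flow("10.20.0.15", "web", "vlan_kids", time(7, 0)),          # outside 22:00-06:00
]

# Policy as described in the opening post: bound to the kids' VLAN only.
VLAN_ONLY = [BlockRule(frozenset({"vlan_kids"}), time(22, 0), time(6, 0))]
# Policy bound to both the VLAN and the VPN interface.
BOTH_IFS = [BlockRule(frozenset({"vlan_kids", "ovpn_kids"}), time(22, 0), time(6, 0))]


def verdicts(rules, flows=SAMPLE_FLOWS):
    """Return (ingress interface, service, verdict) for each sample flow."""
    return [(f.ingress_if, f.service, evaluate(f, rules)) for f in flows]


if __name__ == "__main__":
    for label, rules in (("VLAN only", VLAN_ONLY), ("VLAN + VPN", BOTH_IFS)):
        print(label)
        for ingress_if, service, verdict in verdicts(rules):
            print(f"  {ingress_if:10s} {service:9s} {verdict}")
```

The third flow is the one to look at: it is the same device, but its verdict depends only on the interface the packet entered on, so a policy meant to cover the phone at all times has to be bound to the VPN interface too. The corresponding check on a real firewall is confirming which interface the unblocked iCloud sessions are arriving on, and whether the scheduled rule is attached to that interface.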
Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: NW4FUN on December 21, 2022, 08:15:41 PM
Quote from: LOTRouter on December 21, 2022, 07:52:24 PM
Seems fairly obvious this won't work as you have it set up. You said you have blocked the kids' VLAN, which is fine when they are connected using Wi-Fi. However, when connected through the carrier/VPN, that connection does NOT come in through the kids' VLAN but instead comes in on a separate VPN interface on the OPNsense router that would need to be included in your scheduled block rule.

OK, now I'm 100% sure you cannot read. I'll try to make it simpler just for you:

1) traffic is correctly routed onto the relevant VLAN
2) traffic is being completely BLOCKED as expected according to policy EXCEPT to/from iCloud.com
3) Sunny Valley is looking into this as this is unexpected behavior

So, if you have something meaningful to add, please do so, as the community as such would benefit from it. However, if you don't know what you're talking about, refrain from misleading readers and wait for me to post the solution from Sunny Valley once they've found it.

Title: Re: Block ALL does NOT block iMessage and FaceTime
Post by: Taunt9930 on December 21, 2022, 08:23:15 PM
Quote from: NW4FUN on December 21, 2022, 08:15:41 PM
Quote from: LOTRouter on December 21, 2022, 07:52:24 PM
Seems fairly obvious this won't work as you have it set up. You said you have blocked the kids' VLAN, which is fine when they are connected using Wi-Fi. However, when connected through the carrier/VPN, that connection does NOT come in through the kids' VLAN but instead comes in on a separate VPN interface on the OPNsense router that would need to be included in your scheduled block rule.

OK, now I'm 100% sure you cannot read. I'll try to make it simpler just for you:

1) traffic is correctly routed onto the relevant VLAN
2) traffic is being completely BLOCKED as expected according to policy EXCEPT to/from iCloud.com
3) Sunny Valley is looking into this as this is unexpected behavior

So, if you have something meaningful to add, please do so, as the community as such would benefit from it. However, if you don't know what you're talking about, refrain from misleading readers and wait for me to post the solution from Sunny Valley once they've found it.

You may not see it as helpful, but you could be a bit more polite. Your posts have hardly been clear (it would appear as a result of being overly defensive), and at no point before have you actually clarified that your VPN from the outside world is routed somehow onto your internal kids' VLAN, or that the policy is also applied to your VPN interface as well as the kids' VLAN interface. These are all reasonable questions for someone who has come to seek help, as no one can see into your network or know what your level of ability is; all people can work with is what you post. PMHausen has asked for the details above, but you have ignored them, so you can't be surprised that people are trying to guess based on the most likely issue.

They are also reasonable points/questions that might help others who have similar problems on the face of it but have missed these points, even if they haven't helped you...