Block ALL does NOT block iMessage and FaceTime

Started by NW4FUN, December 07, 2022, 04:12:30 PM

No more replies??
Guess someone figured out he doesn't know as much as he thought.

Quote from: Demusman on December 13, 2022, 12:16:17 AM
No more replies??
Guess someone figured out he doesn't know as much as he thought.
I, too, found it a bit strange that turning off mobile data as a test has been dismissed by the OP as "not the reason".

Apple devices try very hard to give their users the best internet experience and could well route via mobile in the background at some point, Wi-Fi Assist should be turned off as I described earlier.
They may also not cut certain existing mobile connections when transitioning to VPN, and keep routing those outside the VPN tunnel. That behaviour has been criticised in the past.

Indeed we have asked to verify the data is definitively going through the firewall and the responses being:

"All traffic is being backhauled through the FW regardless the utilized link available at the time (5G, home Wi-Fi, 3rd party Wi-Fi, HotSpot, etc..)"

"In what Network design scenario that would be true??
ALL traffic is routed through the FW then out into the wild."

"Cell data is just a link (which goes into the FW then out to the wild)"

I suggest that there is a chance there is a misunderstanding to clear up first. The onus is on the OP to explain how the traffic actually goes through the firewall rather than expecting it to.

Quote from: NW4FUN on December 07, 2022, 04:24:34 PM
That's not the case as testing was made while on Wi-Fi...however, even when off WLAN, it automatically initiates a VPN tunnel into the FW routing all traffic through it.

I clearly understand that a VPN is utilized to keep all traffic routed through the firewall regardless of connection.

What's the confusion?

Do you use the block rules on the VPN interface as well as the LAN? Are you sure the VPN establishes a default route through the firewall and not split-tunnel? How exactly is that VPN set up?

You are complaining something is not working as intended. To help we need the entire network topology, all IP addresses, all rules involved - how else should anyone spot what is wrong? Nobody's got a crystal ball.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Demusman on December 13, 2022, 12:16:17 AM
No more replies??
Guess someone figured out he doesn't know as much as he thought.

Unlike some of you, I have a life apparently...

That said, if you guys had taken the time to READ this thread from the top, you'd have realised the answer to your question was already in there, so please go back and read if you're interested in knowing how this is working.

FYI - this bug has been filed with Sunnyvale and currently being worked on.

Thanks to those trying to be helpful.

Seems fairly obvious this won't work as you have it set up. You said you have blocked the kids VLAN, which is fine when they are connected using Wi-Fi. However, when connected through the Carrier/VPN, that connection does NOT come in through the kids VLAN but instead comes in on a separate VPN interface on the OPNsense router that would need to be included in your scheduled block rule.
Topton 4 x i225-v (Core i5-1135G7 * 32GB * 512SSD)
Xfinity Gigabit (1.2G Down * 200M Up)
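LOTRouter's point, as a constructed pf illustration that is not from this thread and not OPNsense's own generated ruleset: the same kids-device alias has to be blocked on the VPN interface as well as on the kids VLAN, otherwise traffic arriving over the tunnel never meets the VLAN rule. The interface names (vlan_kids, wg0), the alias members and all addresses are assumptions; the time-of-day schedule, which OPNsense applies from its GUI, is not expressed in plain pf.

```pf
# Constructed example. Interface names, table members and addresses are
# assumptions chosen for illustration only.

# Kids' devices by the address they get on the home VLAN and by the
# address they get when they dial in over the VPN from mobile data.
table <kids_devices> { 192.168.50.10, 192.168.50.11, 10.8.0.10, 10.8.0.11 }

# --- As described in the thread: only the kids VLAN is covered ---
# Works while the phones are on home Wi-Fi, because their traffic enters
# the firewall on vlan_kids.
block in quick on vlan_kids from <kids_devices> to any

# --- Corrected: the VPN path is covered too ---
# When a phone is on carrier data it comes in on the VPN interface, so the
# rule above is never evaluated for that traffic. A matching rule on the
# VPN interface closes the gap. "log" sends the block to pflog so you can
# see which path the traffic arrived on when checking the policy.
block in log quick on wg0 from <kids_devices> to any
```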

Quote from: LOTRouter on December 21, 2022, 07:52:24 PM
Seems fairly obvious this won't work as you have it set up. You said you have blocked the kids VLAN, which is fine when they are connected using Wi-Fi. However, when connected through the Carrier/VPN, that connection does NOT come in through the kids VLAN but instead comes in on a separate VPN interface on the OPNsense router that would need to be included in your scheduled block rule.

OK, now I'm 100% sure you cannot read. I'll try to make it simpler just for you:

1) traffic is correctly routed onto the relevant VLAN
2) traffic is being completely BLOCKED as expected according to policy EXCEPT to/from iCloud.com
3) Sunnyvalley is looking into this as this is unexpected behavior

So, if you have something meaningful to add, please do so, as the community as such would benefit from it. However, if you don't know what you're talking about, refrain from misleading readers and wait for me to post the solution from Sunnyvalley once they've found it.


December 21, 2022, 08:23:15 PM #23 Last Edit: December 21, 2022, 08:34:04 PM by Taunt9930
Quote from: NW4FUN on December 21, 2022, 08:15:41 PM
Quote from: LOTRouter on December 21, 2022, 07:52:24 PM
Seems fairly obvious this won't work as you have it set up. You said you have blocked the kids VLAN, which is fine when they are connected using Wi-Fi. However, when connected through the Carrier/VPN, that connection does NOT come in through the kids VLAN but instead comes in on a separate VPN interface on the OPNsense router that would need to be included in your scheduled block rule.

OK, now I'm 100% sure you cannot read. I'll try to make it simpler just for you:

1) traffic is correctly routed onto the relevant VLAN
2) traffic is being completely BLOCKED as expected according to policy EXCEPT to/from iCloud.com
3) Sunnyvalley is looking into this as this is unexpected behavior

So, if you have something meaningful to add, please do so, as the community as such would benefit from it. However, if you don't know what you're talking about, refrain from misleading readers and wait for me to post the solution from Sunnyvalley once they've found it.

You may not see it as helpful, but you could be a bit more polite. Your posts have hardly been clear (it would appear as a result of being overly defensive), and at no point before have you actually clarified that your VPN from the outside world is routed somehow onto your internal kids VLAN, or that the policy is also applied to your VPN interface as well as the Kids VLAN interface. Those are all reasonable questions for someone who has come to seek help, as no one can see into your network or know what your level of ability is; all people can work with is what you post. PMHausen has asked for the details above, but you have ignored it, so you can't be surprised that people are trying to guess based on the most likely issue.

They are also reasonable points/questions that might help others with similar problems on the face of it, but have missed these points, even if they haven't helped you...