But you are also aware that the phone will switch to the cellular network as soon as it knows the WiFi is not connected?
Put it in flight mode and switch only Wifi on...
If WiFi Assist is off and the iPhone doesn't detect internet, it won't switch automatically; instead it asks with a popup if I want to stay or switch to mobile data "as it appears you're disconnected from the internet". I have WiFi Assist off, and if I was on mobile data everything else I tested would work.
These are my firewall rules: (MAC address modified)
1 ;;; TEST
chain=forward action=reject reject-with=icmp-network-unreachable src-mac-address=iPhone's MAC addr. log=no log-prefix=""
2 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
3 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
4 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
5 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
6 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
7 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
8 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
9 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
10 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
11 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
12 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
For some reason Spotify now doesn't have a connection... But iMessage still does, and while testing again without a connection I received a YouTube upload notification, but YouTube itself didn't load when opened. Very strange. (I've disabled mobile data even though I know that on WiFi the mobile data connection isn't active.)
Maybe in the previous test I had a connection for Spotify already established; I don't really know why it now shows no connection...
I've also seen that Kid Control creates two rules when blocking, one with the device's IP in "Source Address" and the other with the IP in "Destination Address". Isn't a rule with the source IP enough, as a connection to the Internet is always started from the device itself? (Provided that there's no UPnP or port forwarding.)
My kids are too old to be blocked using Kid Control so I never dived into it, so again, I'd have to see the /ip firewall filter print to answer. Maybe someone else has already analysed the behaviour and has a ready answer.
Kid Control creates these two rules for every device:
2 D ;;; Apple TV, kid-control
chain=forward action=reject dst-address=192.168.1.52
3 D ;;; Apple TV, kid-control
chain=forward action=reject src-address=192.168.1.52
I don't get the need for a rule with dst-address, since no connection will be started from WAN to LAN without dst-nat...
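
Added example, not part of the thread and not MikroTik code: a simplified first-match model of the forward chain, comparing a source-only block (like the src-mac-address TEST rule or the src-address Kid Control rule) with the src + dst pair. It assumes the connection already existed when the block was applied, models only src, dst and connection-state matching, and uses a constructed server address.

```python
# Simplified first-match model of a RouterOS forward chain (added example).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    state: str  # connection-tracking state: "new" or "established"

DEVICE = "192.168.1.52"  # Apple TV address from the Kid Control rules above
SERVER = "203.0.113.10"  # constructed Internet host (documentation range)

# A rule is (action, matchers); a packet takes the first rule it fully matches.
KID_DST = ("reject", {"dst": DEVICE})
KID_SRC = ("reject", {"src": DEVICE})
ACCEPT_ESTABLISHED = ("accept", {"state": "established"})

SRC_ONLY = [KID_SRC, ACCEPT_ESTABLISHED]
SRC_AND_DST = [KID_DST, KID_SRC, ACCEPT_ESTABLISHED]

def evaluate(rules, pkt):
    """Return the action of the first matching rule."""
    for action, match in rules:
        if all(getattr(pkt, field) == value for field, value in match.items()):
            return action
    return "accept"  # a packet that reaches the end of the chain is accepted

def verdicts(rules):
    """Verdict for each direction of a flow between DEVICE and SERVER."""
    flows = {
        "device->server new": Packet(DEVICE, SERVER, "new"),
        "device->server established": Packet(DEVICE, SERVER, "established"),
        "server->device established": Packet(SERVER, DEVICE, "established"),
    }
    return {name: evaluate(rules, pkt) for name, pkt in flows.items()}

if __name__ == "__main__":
    for label, rules in (("src only", SRC_ONLY), ("src + dst", SRC_AND_DST)):
        print(label)
        for name, verdict in verdicts(rules).items():
            print(f"  {name}: {verdict}")
```

In this model the source-only rule set still forwards server-to-device packets on an existing connection, while the pair rejects both directions.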