 
migi28
just joined
Topic Author
Posts: 7
Joined: Sun Apr 12, 2020 8:16 pm

Apps having internet connection with reject and drop firewall rule

Thu Apr 30, 2020 6:45 pm

I was testing with the firewall in RouterOS and tried to block my iPhone's internet connection. I got that working with a "forward" firewall rule and both "reject" and "drop" actions, but I noticed that Spotify still could search and play any song/playlist/album that wasn't downloaded to my iPhone. iMessage worked too, even with people outside the network. Is there a reason why they still have an internet connection?

Also, what's preferable to use, reject or drop, if I want to someday block a local device from accessing Internet?

I've also seen that Kid Control creates two rules when blocking, one with the device's IP in "Source Address" and the other with the IP in "Destination Address". Isn't a rule with the source IP enough, as the connection to the Internet is always started from the device itself? (provided that there's no UPnP or port forwarding)
 
WeWiNet
Long time Member
Posts: 592
Joined: Thu Sep 27, 2018 4:11 pm

Re: Apps having internet connection with reject and drop firewall rule

Thu Apr 30, 2020 7:11 pm

Without you posting your firewall config there is no way to know what is going wrong...
But are you also aware that the phone will switch to the cellular network as soon as it knows the Wifi is not connected?
Put it in flight mode and switch only Wifi on...

You want two rules, as you want to control what goes from LAN to WAN (uplink), such as NEW, ESTABLISHED, RELATED connections.
This corresponds to your phone creating connections to Spotify, HTTP web pages etc.
But you normally do not want to allow anybody outside to create a NEW connection into your LAN. That is why you have another rule
for WAN to LAN traffic, where you only allow ESTABLISHED, RELATED (which is basically the "answer/reply" from the servers and services
you asked for (Spotify, web server)).
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Apps having internet connection with reject and drop firewall rule

Thu Apr 30, 2020 7:19 pm

I got that working with a "forward" firewall rule and both "reject" and "drop" actions, but I noticed that Spotify still could search and play any song/playlist/album that wasn't downloaded to my iPhone. iMessage worked too, even with people outside the network. Is there a reason why they still have an internet connection?
You'd have to show the particular setup of your firewall. There are several important points:
  • the default firewall rules use the concept of a stateful firewall, where you permit or deny only the initial packet of each connection, and if you permit the first one, the rest is allowed thanks to the first rule in each of the two chains input and forward, saying action=accept connection-state=established,related. The connections have some lifetime, so to test that your added drop or reject rules work, you have to test with newly established connections. So the best way is to disable wifi on the phone and re-enable it after a while (unless iOS maintains connections even if you do that)
  • the order of rules matters, so your drop or reject rule must be moved to a proper place so that some other one doesn't shadow it, i.e. doesn't accept packets matching your rule's criteria before they can reach your rule.
  • depending on what exactly you've blocked, the iPhone may have opened an IPsec connection to reach these "essential" services, or it may have used the mobile connection for them as it has failed to reach them via wifi.

Also, what's preferable to use, reject or drop, if I want to someday block a local device from accessing Internet?
Using reject makes sense for requests coming from LAN, as decent applications render to the user the information that the connection was prohibited administratively (and the failure is reported immediately rather than after all the retransmission timeouts expire); for requests coming from WAN, use drop except specific cases, because malware ignores rejects and will keep hammering anyway. If you run a web server accessible via WAN, it may make sense to send rejects in some cases.

I've also seen that Kid Control creates two rules when blocking, one with the device's ip in "Source Address" and the other with the ip in "Destination Address". Isn't a rule with Source IP enough as connection to Internet is always started from the device itself? (provided that there's no uPnP or port forwarding)
My kids are too old to be blocked using Kid Control so I never dived into it, so again, I'd have to see the /ip firewall filter print to answer. Maybe someone else has already analysed the behaviour and has a ready answer.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Apps having internet connection with reject and drop firewall rule

Thu Apr 30, 2020 7:40 pm

Without you posting your firewall config there is no way to know what is going wrong...
But are you also aware that the phone will switch to the cellular network as soon as it knows the Wifi is not connected?
Put it in flight mode and switch only Wifi on...

You want two rules, as you want to control what goes from LAN to WAN (uplink), such as NEW, ESTABLISHED, RELATED connections.
This corresponds to your phone creating connections to Spotify, HTTP web pages etc.
But you normally do not want to allow anybody outside to create a NEW connection into your LAN. That is why you have another rule
for WAN to LAN traffic, where you only allow ESTABLISHED, RELATED (which is basically the "answer/reply" from the servers and services
you asked for (Spotify, web server)).
This .......... logically speaking!!
 
migi28
just joined
Topic Author
Posts: 7
Joined: Sun Apr 12, 2020 8:16 pm

Re: Apps having internet connection with reject and drop firewall rule

Thu Apr 30, 2020 9:02 pm

But are you also aware that the phone will switch to the cellular network as soon as it knows the Wifi is not connected?
Put it in flight mode and switch only Wifi on...
If WiFi Assist is off and the iPhone doesn't detect internet, it won't switch automatically; instead it asks with a popup whether I want to stay or switch to mobile data "as it appears you're disconnected from the internet". I have WiFi Assist off, and if I was on mobile data everything else I tested would work.

These are my firewall rules: (MAC address modified)
 1    ;;; TEST
      chain=forward action=reject reject-with=icmp-network-unreachable src-mac-address=iPhone's MAC addr. log=no log-prefix="" 

 2 X  ;;; place hotspot rules here
      chain=unused-hs-chain action=passthrough 

 3    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 4    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 5    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 6    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

 7    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 8    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 9    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

10    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

11    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN 

12    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

For some reason Spotify now doesn't have a connection... But iMessage still does, and while testing again without a connection I received a YouTube upload notification, but YouTube itself didn't load when opened. Very strange. (I've disabled mobile data even though I know that on WiFi the mobile data connection isn't active)

Maybe in the previous test I had a connection for Spotify already established; I don't really know why it shows no connection now...

I've also seen that Kid Control creates two rules when blocking, one with the device's IP in "Source Address" and the other with the IP in "Destination Address". Isn't a rule with the source IP enough, as the connection to the Internet is always started from the device itself? (provided that there's no UPnP or port forwarding)
My kids are too old to be blocked using Kid Control so I never dived into it, so again, I'd have to see the /ip firewall filter print to answer. Maybe someone else has already analysed the behaviour and has a ready answer.
Kid Control creates these two rules for every device:
 2  D ;;; Apple TV, kid-control
      chain=forward action=reject dst-address=192.168.1.52 

 3  D ;;; Apple TV, kid-control
      chain=forward action=reject src-address=192.168.1.52 
I don't get why there is a need for a rule with dst-address, since no connection will be started from WAN to LAN without dst-nat...
 
migi28
just joined
Topic Author
Posts: 7
Joined: Sun Apr 12, 2020 8:16 pm

Re: Apps having internet connection with reject and drop firewall rule

Thu Apr 30, 2020 9:16 pm

while testing again without a connection I received a YouTube upload notification, but YouTube itself didn't load when opened. Very strange. (I've disabled mobile data even though I know that on WiFi the mobile data connection isn't active)
Actually, I keep receiving notifications from various apps but can't access them. That is very weird.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Apps having internet connection with reject and drop firewall rule

Thu Apr 30, 2020 9:40 pm

Actually, I keep receiving notifications from various apps but can't access them. That is very weird.
Maybe Apple does it differently, but in Android, text notifications use a dedicated notification channel of the mobile network which is different from the "mobile data". The motivation is that wifi or mobile data consume power, so keeping the regular internet connection active just to receive the notifications would reduce the time between charges. Hence the application's servers get a hook on Google's (and likely also Apple's) servers which they use to deliver notifications to the phone. So incoming calls on Viber, Whatsapp etc. work in such a way that the arrival of an accordingly formatted notification wakes up the application, which then activates the internet connection and connects to the application's own servers to actually serve the call.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Apps having internet connection with reject and drop firewall rule  [SOLVED]

Thu Apr 30, 2020 9:47 pm

Kid Control creates these two rules for every device:
 2  D ;;; Apple TV, kid-control
      chain=forward action=reject dst-address=192.168.1.52 

 3  D ;;; Apple TV, kid-control
      chain=forward action=reject src-address=192.168.1.52 
I don't get why there is a need for a rule with dst-address, since no connection will be started from WAN to LAN without dst-nat...
I could imagine those two rules themselves from your description. The reason I wanted the print of the complete firewall is that, as I've already written, the order of firewall rules matters, so I wanted to see their position in the chain.

To reject packets towards the LAN IP makes perfect sense if the purpose is to prevent already established connections from continuing. So if these rules are placed before (above) the "accept established, related" one, they act before that one, so they break even established connections. And it is not rare that a connection uses UDP (so no confirmations) for a long period of time (e.g. watching video or listening to audio only needs the download direction once you request the video/song), so dropping only upload packets would not prevent the incoming stream from flowing.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Apps having internet connection with reject and drop firewall rule

Thu Apr 30, 2020 10:59 pm

Concur sindy.

As to the OP's issue. Here is the answer, you only....................... and there it is.

Have a good day.....
Oh you want the whole answer....................... well give snippets receive snippets. ;-P
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Apps having internet connection with reject and drop firewall rule

Thu Apr 30, 2020 11:31 pm

Perhaps an explanation of why some services continued to work after you added the block rule:
 1    ;;; TEST
      chain=forward action=reject reject-with=icmp-network-unreachable src-mac-address=iPhone's MAC addr. log=no log-prefix="" 

 9    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 
When a connection gets fast-tracked, packets belonging to it generally won't be filtered through firewall filter rules again. So the connections already established at the moment you added rule #1 continued to work (more or less), while new ones are blocked by the first rule.
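A toy model of the forward-chain behaviour explained in sindy's and mkx's replies: rule order and shadowing, why Kid Control's dst-address rule placed above "accept established" breaks an already running download stream, and why a connection that was fasttracked before rule #1 was added keeps working. This is an added example, not code from the thread or from RouterOS; the addresses and the two sets standing in for connection tracking are constructed assumptions.

```python
from dataclasses import dataclass
IPHONE = "192.168.1.52"    # constructed LAN address (matches the Kid Control print)
SERVER = "203.0.113.10"    # constructed streaming-server address (TEST-NET-3)
@dataclass
class Rule:
    action: str              # "accept", "reject" or "fasttrack-connection"
    src: str = ""            # src-address matcher ("" = any)
    dst: str = ""            # dst-address matcher ("" = any)
    states: tuple = ()       # connection-state matcher (empty = any)
    def matches(self, pkt, state):
        return ((not self.src or self.src == pkt[0]) and (not self.dst or self.dst == pkt[1])
                and (not self.states or state in self.states))

def forward(pkt, rules, est, ft):
    """Verdict for one (src, dst) packet; est/ft = sets of established/fasttracked flows."""
    flow = frozenset(pkt)
    if flow in ft:
        return "fasttrack-bypass"          # filter rules are not consulted at all
    state = "established" if flow in est else "new"
    for r in rules:                        # rule order: first terminal match wins
        if not r.matches(pkt, state):
            continue
        if r.action == "fasttrack-connection":
            ft.add(flow)                   # mark the flow; this packet continues down the chain
            continue
        if r.action == "accept":
            est.add(flow)
        return r.action
    est.add(flow)                          # no rule matched: chain default accept (modelled)
    return "accept"

FASTTRACK = Rule("fasttrack-connection", states=("established", "related"))
ACCEPT_EST = Rule("accept", states=("established", "related"))
REJECT_SRC = Rule("reject", src=IPHONE)   # the OP's rule #1 / Kid Control's src rule
REJECT_DST = Rule("reject", dst=IPHONE)   # Kid Control's dst rule

def run_scenarios():
    out, est, ft = {}, set(), set()
    # 1. Stream started before the block rule existed; then rule #1 added on top.
    forward((IPHONE, SERVER), [FASTTRACK, ACCEPT_EST], est, ft)   # new -> accepted
    forward((SERVER, IPHONE), [FASTTRACK, ACCEPT_EST], est, ft)   # reply gets fasttracked
    blocked = [REJECT_SRC, FASTTRACK, ACCEPT_EST]
    out["old_stream_after_block"] = forward((SERVER, IPHONE), blocked, est, ft)
    out["new_conn_after_block"] = forward((IPHONE, "198.51.100.7"), blocked, est, ft)
    # 2. Shadowing: the same reject rule placed below "accept established".
    out["shadowed"] = forward((IPHONE, SERVER), [ACCEPT_EST, REJECT_SRC], {frozenset((IPHONE, SERVER))}, set())
    stream = {frozenset((IPHONE, SERVER))}  # 3. Kid Control: established UDP download, rules above accept
    out["download_src_rule_only"] = forward((SERVER, IPHONE), [REJECT_SRC, ACCEPT_EST], set(stream), set())
    out["download_with_dst_rule"] = forward((SERVER, IPHONE), [REJECT_DST, REJECT_SRC, ACCEPT_EST], set(stream), set())
    return out
```

Run `run_scenarios()` to see the old fasttracked stream survive the block while a new connection is rejected, and the download-direction packet pass unless the dst-address rule is present.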
 
migi28
just joined
Topic Author
Posts: 7
Joined: Sun Apr 12, 2020 8:16 pm

Re: Apps having internet connection with reject and drop firewall rule

Fri May 01, 2020 2:59 am

@mkx Ok that makes sense.

Thank you to both of you! @sindy @mkx
