juliobm: some videos, some notes, some scripts, learning

PfSense firewall fighting against Xiaomi

I have a Qotom mini-PC at home and installed pfSense 2.3 on it. It was fun to install Squid Proxy Server, DHCP Server, pfBlockerNG, OpenVPN and more.

In my home there are many devices that need internet. I count more than 20, including Kindles, an iPad, an iPhone, Android smartphones, laptops, webcams, tablets and game consoles.

I like to review all my internet traffic and see where those devices connect to, so I get all that information from Squid Proxy Reports.

I saw that a Xiaomi Redmi Note 3 smartphone makes a lot of connections to the following IPs:

[screenshot: stats]

Trying to block Xiaomi

I can't stand this:

first round

I created an alias that collects all those IPs. I checked that the Xiaomi DNS names resolve to Amazon Web Services addresses, so the IPs vary.

[screenshot: alias]

First I created a firewall rule on LAN that blocks that alias. I saw it didn't work, so I put it in Floating Rules.

[screenshot: rule1]
[screenshot: rule2]

I checked that if I try to browse to any of those IPs I get a message informing me that the site is blocked, so I thought pfSense was working as desired.

[screenshot: blocked]

But I was wrong. Here you can see more connections.

[screenshot: try1]

second round

I needed help, so I wrote a post on Reddit and another one on the pfSense forum. Only on Reddit did I get some answers, so I made some changes suggested by helpful people.

I checked the “Quick” option in the rule, so if any packet matches this one, pfSense stops evaluating any further rules.

[screenshot: try1]

Fail or success? Failed.

[screenshot: try1]

Connections at 05h or 06h while we are all sleeping? Damn!

Checking the Xiaomi smartphone

While I was doing all these tasks in pfSense I also changed some privacy settings on the Xiaomi Redmi Note 3. Here is the current state:

[screenshots: xiaomi1]

Solution

Perhaps Squid Proxy Reports logs the connection requests even though they are blocked by the pfSense rules. Would that explain the roughly 4Kb in every connection to the Xiaomi servers?
I don't know.

But finally I got the solution from the pfSense forum, great comments.

Do not use rules for blocking sites. Use DNS Overrides.

I added this to my DNS Resolver service:

[screenshot: solution]
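As an added example (not the author's configuration, and not what the screenshot above shows): the Unbound text you can paste into the DNS Resolver "Custom options" box to sinkhole whole zones instead of single IPs, plus a check over Squid access.log lines that tells you which hosts still fall under those zones after the override. The zone names, the sink address and the log lines are assumptions I constructed, not values from the post.

```python
# Added example, not from the original post: Unbound config that sinkholes
# whole DNS zones, and a check of Squid access.log lines for requests that
# still reach hosts under those zones. Zone names and log lines are constructed.
from urllib.parse import urlsplit

SINKHOLE_ZONES = ["xiaomi.com", "miui.com"]   # assumed; use your report's domains

def unbound_custom_options(zones, sink_ip="0.0.0.0"):
    """Text for Services > DNS Resolver > Custom options. A 'redirect' zone
    answers the zone and every name below it with the local-data, so new
    subdomains are covered without listing each one (sink_ip is assumed)."""
    lines = ["server:"]
    for zone in zones:
        lines.append(f'local-zone: "{zone}" redirect')
        lines.append(f'local-data: "{zone} A {sink_ip}"')
    return "\n".join(lines)

def is_sinkholed(name, zones=SINKHOLE_ZONES):
    """Mirror Unbound zone matching: the zone itself or any name below it."""
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in zones)

def squid_host(line):
    """Destination host of a Squid native-format access.log line, or None."""
    fields = line.split()
    if len(fields) < 7:
        return None
    method, url = fields[5], fields[6]
    if method == "CONNECT":          # CONNECT logs host:port without a scheme
        return url.rsplit(":", 1)[0].lower()
    return urlsplit(url).hostname

def summarize(log_lines, zones=SINKHOLE_ZONES):
    """Requests and bytes per host, flagging hosts under a sinkholed zone."""
    stats = {}
    for line in log_lines:
        host = squid_host(line)
        if not host:
            continue
        entry = stats.setdefault(
            host, {"requests": 0, "bytes": 0, "sinkholed": is_sinkholed(host, zones)})
        entry["requests"] += 1
        entry["bytes"] += int(line.split()[4])   # field 5 is the reply size
    return stats

# Constructed sample lines (Squid native format: time elapsed client code/status size method URL ...)
SAMPLE_LOG = [
    "1463212345.123 120 192.168.1.50 TCP_MISS/200 4120 GET http://api.xiaomi.com/v1/stats - HIER_DIRECT/52.28.10.5 application/json",
    "1463212346.456 95 192.168.1.50 TCP_TUNNEL/200 4096 CONNECT sdk.miui.com:443 - HIER_DIRECT/54.93.2.7 -",
    "1463212347.789 40 192.168.1.51 TCP_HIT/200 15320 GET http://example.org/index.html - HIER_NONE/- text/html",
]
```

Hosts flagged `sinkholed` that still show up with real bytes after the override means the device resolved the name elsewhere (hard-coded DNS or a cached answer), which is what the Squid report makes visible.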