Why don't firewall rules apply to traffic coming from Android devices?
-
Hello --
I have been banging my head against the wall all weekend trying to figure out why my firewall rules are being completely ignored by my Android devices. My goal is to set up a partial network VPN with a kill switch.
Initially, I went with the configuration outlined here. Everything worked perfectly for my non-Android devices. But when I tested on my Android devices, they were still getting the public WAN IP instead of the VPN IP. I double checked that I had disabled the random MAC addressing and private DNS features on the Android devices. Additionally, I had static DHCP mappings which I added to the firewall alias, as the post I linked to recommended (this works great for all non-Android devices). Nada.
Given that this didn't work, I thought maybe something buggy was going on with the static DHCP IPs and the firewall alias. So, I flipped the entire configuration of the network so all traffic would go out through the VPN regardless of where it came from. After doing this, the Android devices were still getting the public WAN IP!!! I tried multiple different methods for implementing the "whole home network VPN," including ones that have worked in the past with my Android devices, but nothing is working. I also set up individual firewall rules for each specific Android device IP, no dice.
Even weirder, regardless of my approach, I didn't see any traffic coming from the Android device IPs at all when I logged packets. It is as if pfSense doesn't even know these devices exist. I don't know if a recent Android update screwed things up or what.
Wondering if anyone has an idea how to fix this. It is incredibly frustrating and I am at a loss on where to go from here.
-
You would see traffic from your device if it is on your network. Period. There is no way to hide traffic; even if it was using some VPN, you would see that traffic, to and from the VPN IP from the device's IP.
If you're not seeing any traffic from it, then it's not on your network. Or you're sniffing the wrong interface, or for the wrong IP, port, etc.
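The check described in the reply above (are the packets really arriving on the interface you are watching?) can be run over an export of the pfSense firewall log instead of eyeballing it. The script below is an added example, not code from the thread or from pfSense: it tallies, per source address, which real interface each inbound packet hit, so a host you expect on LAN but which is actually entering via OPT2 stands out. The column positions are assumed from the pfSense filterlog CSV layout (confirm them against a line from your own log), and the interface names em1/em3, the hosts and the log lines are constructed sample data.

```python
"""
Which firewall interface does each host's traffic really arrive on?

Feeds pfSense filterlog lines (exported from Status > System Logs >
Firewall, or read from /var/log/filter.log) into a per-host,
per-interface tally.  A host that never shows up on the interface your
policy-routing rules live on is the one whose rules are "being ignored".
"""
from __future__ import annotations

import csv
from collections import defaultdict
from typing import Iterable

# Column positions in the IP-version-independent part of a filterlog entry.
# ASSUMPTION: taken from the documented pfSense filterlog CSV layout;
# verify against a real line from your own log before relying on it.
IFACE_COL = 4        # real device name, e.g. em1 (not the "LAN"/"OPT2" label)
DIR_COL = 7          # "in" or "out", relative to the firewall
IPVER_COL = 8        # "4" or "6"; the fields that follow differ per version
SRC_OFFSET = {"4": 10, "6": 7}   # distance from IPVER_COL to the source address

# Constructed sample log: em1 stands in for LAN, em3 for OPT2.
SAMPLE_LOG = [
    "5,,,1000000103,em1,match,pass,in,4,0x0,,64,12345,0,DF,6,tcp,60,192.168.1.20,93.184.216.34,51234,443,0,S,1,,65535,,mss",
    "Jan 12 10:00:01 pfSense filterlog[6201]: 5,,,1000000103,em1,match,pass,in,4,0x0,,64,12346,0,DF,6,tcp,60,192.168.1.20,93.184.216.34,51235,443,0,S,2,,65535,,mss",
    "9,,,1000000110,em3,match,pass,in,4,0x0,,64,777,0,DF,17,udp,76,192.168.1.50,1.1.1.1,50000,53,56",
    "9,,,1000000110,em3,match,pass,in,6,0x00,0x00000,64,tcp,6,40,2001:db8:1::50,2606:4700::1111,41234,443,0,S,3,,65535,,mss",
    "2,,,1000000001,em0,match,pass,out,4,0x0,,63,778,0,DF,17,udp,76,192.168.1.50,1.1.1.1,50000,53,56",
    "not a filterlog line at all",
]


def strip_syslog_prefix(line: str) -> str:
    """Drop the 'Mon DD hh:mm:ss host filterlog[pid]: ' prefix if present."""
    if "filterlog" in line:
        _, _, rest = line.partition("]: ")
        if rest:
            return rest
    return line


def parse_entry(line: str) -> tuple[str, str, str, str] | None:
    """Return (interface, direction, ip_version, source) or None if unparsable."""
    rows = list(csv.reader([line.strip()]))
    if not rows:
        return None
    fields = rows[0]
    if len(fields) <= IPVER_COL or fields[IPVER_COL] not in SRC_OFFSET:
        return None
    src_idx = IPVER_COL + SRC_OFFSET[fields[IPVER_COL]]
    if len(fields) <= src_idx:
        return None
    return fields[IFACE_COL], fields[DIR_COL], fields[IPVER_COL], fields[src_idx]


def interfaces_by_host(lines: Iterable[str]) -> dict[str, dict[str, int]]:
    """Count inbound packets per (source address, real interface)."""
    seen: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for raw in lines:
        parsed = parse_entry(strip_syslog_prefix(raw))
        if parsed is None:
            continue
        iface, direction, _ipver, src = parsed
        if direction != "in":          # only where traffic ENTERS the firewall
            continue
        seen[src][iface] += 1
    return {host: dict(counts) for host, counts in seen.items()}


def hosts_not_on(expected_iface: str, counts: dict[str, dict[str, int]]) -> dict[str, list[str]]:
    """Hosts whose inbound packets never arrived on the interface your rules are on."""
    return {host: sorted(c) for host, c in counts.items() if expected_iface not in c}


if __name__ == "__main__":
    tally = interfaces_by_host(SAMPLE_LOG)
    for host, per_iface in sorted(tally.items()):
        print(f"{host:20} {per_iface}")
    print("not seen on em1 (LAN):", hosts_not_on("em1", tally))
```

The log records the real device name (em1, igb0, vtnet2 and so on), so map it back to LAN/OPT2 via Interfaces > Assignments. The same answer, live rather than from the log, comes from running `tcpdump -ni <device> host <ip>` on each candidate interface from the pfSense shell and seeing which one actually shows packets.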
-
@johnpoz yes, about 5 minutes after I posted this, and 48 hours after losing my mind, I discovered that Android device packets are somehow coming from OPT2. I don't understand why or how this is happening though. All other wifi device packets are coming from the LAN. I think it has something to do with Android and IPv6.
I can set the VPN rules on all interfaces and that "fixes" it, even if I still don't understand why it is happening to begin with. You can delete this post if it is clogging things up.
-
Any chance your WiFi is on OPT2? There is absolutely nothing with Android or IPv6 that would cause the packets to come in through a different interface.
-
@JKnott my wifi AP is connected on OPT2, yes, but why are only Android packets going through OPT2 and not any packets from any of the other devices connected to the wifi?
-
Do you have different SSIDs & VLANs for some things?