Netgate Discussion Forum

    Can not block connections to Xiaomi.com from mobile phone [SOLVED]

    • jlt

      Hello
      I don't get success trying this.
      It's from my kid's mobile phone.
      I saw a lot of connections with Squid Proxy Reports to "…xiaomi.com"

      It's supposed the connections are made only with wifi? I hope so. I created the alias "xiaomi_recopila" trying to board all the IPs.
      First I put it in the LAN interface, in the first line order, and now in Floating Rules.

      It doesn't work. I always see a lot of connections not blocked.
      You can see not only "....xiaomi.com" but also "..miui.com", which I will try to block once I get the others blocked.

      In this link you can see:

      • the rule applied
      • the rule and the ips
      • the reports from Squid

      http://imgur.com/a/bHN1I

      what am I doing wrong?

      thanks

      PS:

      • I hate businesses collecting data without asking or notifying me.
      • My kid can use the mobile phone for the purpose he wants.
      • I know that the mobile phone could transmit data again to Xiaomi when it gets connected to another wifi.
      • I know too that I can't know which communications occur while the mobile is on 3G or 4G.
      • I know that perhaps these transmissions are for asking if it needs any updates. In this case, I don't think it is the right way of doing it.

      At my home there are more mobiles, and only Xiaomi makes such a collection of tries to ping its servers. Even the iPhone doesn't do this.

      -- Squid Proxy Reports --

      I tried making pings and they get blocked, so I think perhaps pfSense is working right.
      Perhaps Squid Reports show me these tries but they have data ??
      Were they successfully to Xiaomi servers or not?

      This is my real question here.

      EDIT2:

      http://imgur.com/a/E4UNJ

      Privacy options on Xiaomi note 3. Although all are deactivated, the mobile phone continues sending data to Xiaomi servers.

      Something is not working properly in firewall pfSense 2.3.2-RELEASE-p1 (amd64)

      • jlt

        I wrote a post for updates on this problem.

        At this moment pfSense can't block Xiaomi. Xiaomi is the winner.

        http://juliobm.github.io/2017/01/05/PfSense-firewall-fighting-against-Xiaomi.html

        Now I have disabled the blocking rule only to see the new reports. I think they will be the same  ???

        • doktornotor Banned

          You are doing it wrong. Use DNS overrides to point it to localhost or use the pfBNG DNSBL thing that will do the same plus will log the requests nicely.

          • jlt

            @doktornotor:

            You are doing it wrong. Use DNS overrides to point it to localhost or use the pfBNG DNSBL thing that will do the same plus will log the requests nicely.

            Sorry, but I don't understand.
            Why do I have to override DNS? Why do I have to use third-party software like pfBNG?
            Is pfSense not enough to block sites?

            • jahonix

              @jlt:

              At this moment pfSense can't block Xiaomi. Xiaomi is the winner.

              Nope. You cannot block Xiaomi.

              @jlt:

              Why have I to override DNS? … pfSense is not enough to block sites?

              To block DNS resolution you have to redirect it somewhere. This is done in pfSense.

              You could use something like DNSBL as well, which offers this and more.

              • jlt

                Nope. You cannot block Xiaomi.

                Well, I do block something to Xiaomi. I checked in any device of my network.

                The problem is I don't know which packets get out of the firewall blocking rule and why.

                Override DNS. For that try I would not need pfSense.

                If I don't get any explanation about why rules don't work, I'll do override DNS.

                I would like to understand first why creating rules to completely block a site is not the way.

                Anyway thanks for your suggestions

                • johnpoz LAYER 8 Global Moderator

                  So let me get this right.. So you have a Xiaomi phone, I show them as the 3rd largest smartphone maker on the planet.  So you bought their phone and now you want to stop it from phoning home?  While you could stop it on network.  What keeps it from using just the cell data connection?

                  I don't see the point to this to be honest - if you don't like that it phones home, then you shouldn't have bought it in the first place ;)

                  Proxy would not be the proper way to block such talking.. If you don't want it to phone home over your network - easy way is to just stop it from resolving where it wants to go.  If using IP then block those netblocks, etc.

                  Proxy is great for stopping your kid from surfing porn sites.. Not so much for stopping an IoT device from phoning home ;)

                  Sure you could just put in overrides, you could use a package like pfblocker to handle the setup of unbound to block for you, you could do it direct in unbound or you could run say pi-hole on your network.. There are plenty of ways to prevent lookup of a domain and/or subs of that domain, etc.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  • jlt

                    Thank you very much.

                    I already exposed my motives for blocking these "calls to home". It's only that I can't stand them.
                    Your explanations of why not to use proxy rules to avoid that have finally gotten me to give up.

                    So, DNS Override or do not look at Squid Proxy Reports if I don't want to suffer.  :'(

                    thanks to all people who tried to help me

                    • johnpoz LAYER 8 Global Moderator

                      You know it's a simple entry in unbound to stop wildcard.xiaomi.com from resolving..

                      server:
                      local-zone: "xiaomi.com" redirect
                      local-data: "xiaomi.com A 0.0.0.0"

                      That in your custom box of unbound stops any sort of anything.xiaomi.com from resolving..

                      Not possible to phone home to something.xiaomi.com if can not resolve it ;)

                      dig @192.168.9.253 www.xiaomi.com +short
                      0.0.0.0

                      dig @192.168.9.253 data.mistat.xiaomi.com +short
                      0.0.0.0


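A coverage check for the unbound entry in the post above, as an added example that is not part of johnpoz's post: it applies the `local-zone ... redirect` matching rule (the zone name and everything below it, on whole labels) to hostnames pulled from Squid access.log lines and lists the ones that would still resolve. The log lines are constructed; only `www.xiaomi.com` and `data.mistat.xiaomi.com` come from the thread, while `sub.miui.com`, `notxiaomi.com`, the client address and the upstream IPs are made up.

```python
import re
from urllib.parse import urlsplit

# Custom-options entry copied from the post above.
UNBOUND_CONF = '''\
server:
local-zone: "xiaomi.com" redirect
local-data: "xiaomi.com A 0.0.0.0"
'''

# Constructed Squid access.log lines (native format), for illustration only.
SQUID_LOG = '''\
1483600001.101    210 192.168.9.50 TCP_TUNNEL/200 3120 CONNECT data.mistat.xiaomi.com:443 - HIER_DIRECT/203.0.113.10 -
1483600002.202     95 192.168.9.50 TCP_MISS/200 812 GET http://www.xiaomi.com/ - HIER_DIRECT/203.0.113.11 text/html
1483600003.303    180 192.168.9.50 TCP_TUNNEL/200 2044 CONNECT sub.miui.com:443 - HIER_DIRECT/203.0.113.12 -
1483600004.404     60 192.168.9.50 TCP_MISS/200 512 GET http://notxiaomi.com/x - HIER_DIRECT/203.0.113.13 text/html
'''

def redirect_zones(conf):
    """Return the zone names declared as `local-zone: "<name>" redirect`."""
    pat = re.compile(r'^\s*local-zone:\s*"?([^"\s]+)"?\s+redirect\s*$', re.M)
    return {m.group(1).rstrip(".").lower() for m in pat.finditer(conf)}

def covered(host, zones):
    """True if host is a redirect zone or sits below one. Matching is on
    whole DNS labels, so notxiaomi.com is not under xiaomi.com."""
    labels = host.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))

def hosts_in_log(log):
    """Extract the destination hostname from each access.log line."""
    hosts = []
    for line in log.splitlines():
        f = line.split()
        if len(f) < 7:
            continue  # not a complete native-format record
        url = f[6]
        # CONNECT logs "host:port"; other methods log a full URL.
        host = url.rsplit(":", 1)[0] if f[5] == "CONNECT" else urlsplit(url).hostname
        if host:
            hosts.append(host)
    return hosts

def uncovered(log, conf):
    """Hostnames seen by the proxy that no redirect zone answers for."""
    zones = redirect_zones(conf)
    return sorted({h for h in hosts_in_log(log) if not covered(h, zones)})

if __name__ == "__main__":
    print(uncovered(SQUID_LOG, UNBOUND_CONF))
```

Anything the function returns still resolves normally and needs its own `local-zone` entry, which is the situation jlt describes for the miui.com names.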
                      • jahonix

                        @jlt:

                        Well, I do block something to Xiaomi. I checked in any device of my network.
                        …
                        The problem is I don't know which packets get out of the firewall blocking rule and why.

                        Might be that your smartphone uses its own GSM/EDGE/UMTS/LTE network to reach Xiaomi.com when not available via Wifi. Then you cannot block it with pfSense anyway.
