Netgate Discussion Forum

Can not block connections to Xiaomi.com from mobile phone [SOLVED]

  • J
    jlt
    last edited by Jan 8, 2017, 12:30 PM Jan 1, 2017, 2:28 PM

    Hello
    I don't get success trying this.
    It's from my kid's mobile phone.
    I saw a lot of connections with Squid Proxy Reports to "…xiaomi.com"

    It's supposed the connections are made only with wifi? I hope so. I created the alias "xiaomi_recopila" trying to board all the IPs.
    First I put it in LAN interface, in the first line order, and now in Floating Rules.

    It doesn't work. Always I see a lot of connections not blocked.
    You can see that not only "....xiaomi.com" also "..miui.com" that I will try to block once I get the others blocked.

    In this link you can see:

    • the rule applied
    • the rule and the ips
    • the reports from Squid

    http://imgur.com/a/bHN1I

    what am I doing wrong?

    thanks

    PS:

    • I hate businesses collecting data without asking or notifying me.
    • My kid can use the mobile phone for the purpose he wants.
    • I know that the mobile phone could transmit data again to Xiaomi when it gets connected to another wifi.
    • I know too that I can't know which communications occur while the mobile is on 3G or 4G.
    • I know that perhaps these transmissions are for asking if it needs any updates. In this case, I don't think it is the right way of doing it.

    At my home there are more mobiles, and only Xiaomi makes such a collection of tries to ping its servers. Even iPhone doesn't do this.

    -- Squid Proxy Reports --

    I tried making pings and they get blocked, so I think perhaps pfSense is working right.
    Perhaps Squid Reports show me these tries but they have data??
    Were they successfully to Xiaomi servers or not?

    This is my real question here.

    EDIT2:

    http://imgur.com/a/E4UNJ

    Privacy options on Xiaomi note 3. Although they are all deactivated, the mobile phone continues sending data to Xiaomi servers.

    Something is not working properly in firewall pfSense 2.3.2-RELEASE-p1 (amd64)

    • J
      jlt
      last edited by Jan 7, 2017, 10:25 AM

      I wrote a post for updates in this problem.

      At this moment pfSense can't block Xiaomi. Xiaomi is the winner.

      http://juliobm.github.io/2017/01/05/PfSense-firewall-fighting-against-Xiaomi.html

      Now I have disabled the blocking rule only to see the new reports. I think they will be the same???

      • D
        doktornotor Banned
        last edited by Jan 7, 2017, 11:24 AM

        You are doing it wrong. Use DNS overrides to point it to localhost or use the pfBNG DNSBL thing that will do the same plus will log the requests nicely.

        • J
          jlt
          last edited by Jan 7, 2017, 8:26 PM

          @doktornotor:

          You are doing it wrong. Use DNS overrides to point it to localhost or use the pfBNG DNSBL thing that will do the same plus will log the requests nicely.

          Sorry, but I don't understand.
          Why have I to override DNS? Why have I to use third-party software like pfBNG?
          pfSense is not enough to block sites?

          • J
            jahonix
            last edited by Jan 7, 2017, 8:44 PM

            @jlt:

            At this moment pfSense can't block Xiaomi. Xiaomi is the winner.

            Nope. You cannot block Xiaomi.

            @jlt:

            Why have I to override DNS? … pfSense is not enough to block sites?

            To block DNS resolution you have to redirect it somewhere. This is done in pfSense.

            You could use something like DNSBL as well, which offers this and more.

            • J
              jlt
              last edited by Jan 8, 2017, 10:32 AM

              Nope. You cannot block Xiaomi.

              Well, I do block something to Xiaomi. I checked in any device of my network.

              The problem is I don't know which packets get out of the firewall blocking rule and why.

              Override DNS. For that try I would not need pfSense.

              If I don't get any explanation about why rules don't work, I'll do override DNS.

              I would like to understand before why creating rules to completely block a site is not the way.

              Anyway thanks for your suggestions

              • J
                johnpoz LAYER 8 Global Moderator
                last edited by Jan 8, 2017, 12:10 PM

                So let me get this right.. So you have a Xiaomi phone, I show them as the 3rd largest smartphone maker on the planet. So you bought their phone and now you want to stop it from phoning home? While you could stop it on network, what keeps it from using just the cell data connection?

                I don't see the point to this to be honest - if you don't like that it phones home, then you shouldn't have bought it in the first place ;)

                Proxy would not be the proper way to block such talking.. If you don't want it to phone home over your network - easy way is to just stop it from resolving where it wants to go. If using IP then block those netblocks, etc.

                Proxy is great for stopping your kid from surfing porn sites.. Not so much for stopping an IoT device from phoning home ;)

                Sure you could just put in overrides, you could use a package like pfblocker to handle the setup of unbound to block for you, you could do it direct in unbound or you could run say pi-hole on your network.. There are plenty of ways to prevent lookup of a domain and/or subs of that domain, etc.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                • J
                  jlt
                  last edited by Jan 8, 2017, 12:30 PM

                  Thank you very much.

                  I exposed yet my motives to block these "calls to home". It's only I can't stand.
                  Your explanations of why not to use proxy rules to avoid that have finally got me to give up.

                  So, DNS Override or do not look at Squid Proxy Reports if I don't want to suffer.  :'(

                  thanks to all people who tried to help me

                  • J
                    johnpoz LAYER 8 Global Moderator
                    last edited by Jan 8, 2017, 1:01 PM

                    You know it's a simple entry in unbound to stop wildcard.xiaomi.com from resolving..

                    server:
                    local-zone: "xiaomi.com" redirect
                    local-data: "xiaomi.com A 0.0.0.0"

                    That in your custom box of unbound stops any sort of anything.xiaomi.com from resolving..

                    Not possible to phone home to something.xiaomi.com if can not resolve it ;)

                    dig @192.168.9.253 www.xiaomi.com +short
                    0.0.0.0

                    dig @192.168.9.253 data.mistat.xiaomi.com +short
                    0.0.0.0

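As an added example (not part of johnpoz's post and not pfSense or unbound project code), the script below generates the same unbound entries for several domains, here the two named in the thread, and checks which hostnames those redirect zones cover. The function names `gen_block_zones`, `is_covered` and `verify_blocked` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): build unbound "custom options" that
# sinkhole whole domains, and check which hostnames those zones cover.

# Print a server: clause with one redirect zone per valid domain argument.
gen_block_zones() {
    printf 'server:\n'
    for d in "$@"; do
        d=$(printf '%s' "$d" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
        d=${d%.}                                  # drop a trailing root dot
        case "$d" in
            ''|.*|-*|*..*|*[!a-z0-9.-]*)
                echo "skipping invalid domain: $d" >&2
                continue ;;
        esac
        printf 'local-zone: "%s" redirect\n' "$d"
        printf 'local-data: "%s A 0.0.0.0"\n' "$d"
    done
}

# Succeed if hostname $1 is the apex or a subdomain of any zone given after it.
# Matching is on label boundaries, so notxiaomi.com is NOT under xiaomi.com.
is_covered() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=${name%.}
    shift
    for z in "$@"; do
        case "$name" in
            "$z"|*."$z") return 0 ;;
        esac
    done
    return 1
}

# Query a resolver with dig and list names that do not answer 0.0.0.0.
# Needs network access to the resolver, so it is not called here.
verify_blocked() {
    resolver=$1; shift
    for n in "$@"; do
        ans=$(dig @"$resolver" "$n" +short)
        [ "$ans" = "0.0.0.0" ] || echo "NOT BLOCKED: $n -> ${ans:-no answer}"
    done
}

# Domains named in the thread; paste the output into unbound's custom options.
gen_block_zones xiaomi.com miui.com
```

After reloading unbound, `verify_blocked 192.168.9.253 www.xiaomi.com data.mistat.xiaomi.com` repeats the dig checks from the post against that resolver. The entries only affect clients that actually send their DNS queries to this resolver.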
                    • J
                      jahonix
                      last edited by Jan 8, 2017, 5:57 PM

                      @jlt:

                      Well, I do block something to Xiaomi. I checked in any device of my network.
                      …
                      The problem is I don't know which packets get out of the firewall blocking rule and why.

                      Might be that your smartphone uses its own GSM/EDGE/UMTS/LTE network to reach Xiaomi.com when not available via Wifi. Then you cannot block it with pfSense anyway.
