Blocking internet to a specific LAN IP with exceptions

Sometimes using an IP address in the source network fails without errors. What I suggest is you create clientless user for that ip, add that to the fire wall rule in the allowed user field and put the network in the source network field. The destination looks partially correct and will allow some of google stuff through while you debug.

ian

fixed auto spellchecker error.

I honestly can't believe it, but this seems to have worked. The first time I tried it, it didn't seem to, but after tinkering a bit more it started working (at least for Google, I still need to play with Zoom more). How bizarre.

Is this a bug (exceptions not working properly when the device is in the Source Networks and Devices field, but it does work when the device is configured as a clientless user and populated under Match Known Users)?

Just for clarity, here's how I have the rule set up. The Zoom group under exclusions/destination networks includes *.zoom.us and *.cloudfront.net per Zoom's documentation, but their website still only half works on the ipad. 

Nevermind, this still doesn't work reliably. I tried adding some other sites (e.g., Netflix) to the exclusions and it didn't work. What am I doing wrong??

Hi Nicholas,

netflix does its own thing and exclusions do not work. My TV works with netflix using allow all (web proxy) and https without scanning.

Do you have do not scan audio and video unticked in WEB general?

Ian

There is a FQDN group defined in the XG for netflix.

Hi Nicholas Bethard,

You need to create a firewall rule on top of the Reject rule to allow DNS traffic.

After that, you can just add an exclusion in the Reject rule for required URLs and services(HTTP and HTTPS for web traffic).

This makes total sense! But I still can't get it to work. It seems that things start acting odd as soon as I enable the DNS rule. I created two rules similar to what you suggested. "iPad" is the IP address assigned to the iPad being used to test this.

If I disable both rules, browsing on the iPad works properly. If I enable only the DNS rule, browsing mostly doesn't work (Google still works for some reason, but as soon as I try to click on a link from a search, it doesn't work).

The DNS rule I created is very simple, see below. Why is explicitly accepting DNS breaking browsing?

I think I figured out the answer using Yash's post as a clue. Instead of a separate rule like Yash suggested, I added the DNS servers I use (1.1.1.1 and 8.8.8.8) as well as the DNS service to the reject rule's exclusions (as well as ICMP for testing). Now it works. Hooray.

I suspect part of the issue is the XG is not part of your DNS chain. You should be pointing the device DNS at the XG DNS and then point the XG DNS at your choice of DNS providers.

Ian

Probably right, I'll have to tinker with that later. Thanks!