I am trying to troubleshoot why a school iPad (I believe it requires all traffic to go through securely) cannot get out to the Internet. My personal iPads can get out just fine and I believe this was working at some point (prior to FreeBSD 14, but also perhaps before I switched to dnsmasq or some other internal change).
I have dnsmasq running on my network locally and all internal devices should be able to access it via TCP or UDP port 53. Running a packet capture, I can see the school iPad is sending DNS traffic that way:
I see the DNS traffic, but what looks odd to me is I see a few bad udp cksum for NXDomain useast-www.securely.com.
My firewall rules for these devices is to allow DNS to dnsmasq internally and HTTP and HTTPS traffic anywhere. I believe this was working at some point and all that was needed because I thought these iPads did DNS over HTTPs and never used my DNS server.
Therefore, I'm a bit stuck, at the end of my pf ruleset, I log and block traffic to pflog1 for internal traffic and pflog2 for external traffic. The only traffic I see from this device destined for pflog1 is port 5353 and ICMP to Apple's CIDR block (after it appears that the iPad cannot get to the Internet). I don't believe those are required to get out, at least my personal iPad gets out just fine without those specific rules.
Lastly, to remove DNS from the equation, I merely tried plugging in the public IP address for google.com and the iPad still complained about not being connected to the Internet. So, after all of that, I don't believe it is just a DNS issue.
Any ideas?
I have dnsmasq running on my network locally and all internal devices should be able to access it via TCP or UDP port 53. Running a packet capture, I can see the school iPad is sending DNS traffic that way:
Code:
tcpdump -i wired -n host xxx.xxx.xxx.xxx and port 53 -vvvI see the DNS traffic, but what looks odd to me is I see a few bad udp cksum for NXDomain useast-www.securely.com.
My firewall rules for these devices is to allow DNS to dnsmasq internally and HTTP and HTTPS traffic anywhere. I believe this was working at some point and all that was needed because I thought these iPads did DNS over HTTPs and never used my DNS server.
Therefore, I'm a bit stuck, at the end of my pf ruleset, I log and block traffic to pflog1 for internal traffic and pflog2 for external traffic. The only traffic I see from this device destined for pflog1 is port 5353 and ICMP to Apple's CIDR block (after it appears that the iPad cannot get to the Internet). I don't believe those are required to get out, at least my personal iPad gets out just fine without those specific rules.
Lastly, to remove DNS from the equation, I merely tried plugging in the public IP address for google.com and the iPad still complained about not being connected to the Internet. So, after all of that, I don't believe it is just a DNS issue.
Any ideas?