How are sites blocked on public WiFi?

3

I have a MacBook Pro High Sierra v10.13.6

At a coffee shop, I was trying to Google an answer to a question, but it seemed like most sites, including StackExchange, were blocked or "inaccessible". Browsers usually say "Server cannot be found". I presume this means that the IP is specifically blocked. At first I thought they were blocking HTTPS, but Google is HTTPS so it's not that simple.

I realized I had seen this before. The shop's WiFi setup blocked VPN and L2TP as a work around. I can only write this because I turned off WiFi on my iPhone and am using it as a hotspot.

How do coffee shop ISPs do that?

Is there a workaround besides using up my cell service bandwidth? Can I solve the problem by forcing a different DNS? How can I get VPN?

Terry McDanel

Posted 2018-07-17T18:11:59.480

Reputation: 31

Answers

2

Technically, this isn't an Apple question per se, but the question (IMO) is a good one because it "seems" like an Apple issue and (some of) the technology involved is actually included with macOS - pf firewall.

Network owners can "shape" traffic on their network. This can be:

  • specifying QoS for different traffic types (i.e. priority for web browsing and slowing down email delivery)
  • blocking traffic based on source, destination, or even application
  • blocking or dropping traffic based on protocol
  • specifying custom DNS servers

Why they do this

In short, economic reasons. Bandwidth costs money and they want to ensure there's enough to serve the needs of all their customers.

VPN traffic (L2TP, IKEv2, PPTP, etc.) is a bandwidth hog. Its very design keeps a tunnel state active to the endpoint you're connecting to, meaning it's allocating bandwidth even if you're not using it. That's bandwidth that could have gone to another customer.

File transfers (like software updates, App store purchases, etc. and even streaming services) are notoriously bandwidth hungry. Could you imagine the network saturation with some folks watching Netflix and others downloading macOS Mojave beta?

How they do this

Basic firewalls have the ability to block/drop traffic based on protocol, source and destination. For example, they can choose to block all traffic to port 22 (ssh). They can also block websites, set their own DNS server (if they want to prevent access to adult sites for example) and even drop DNS requests (port 53) to everything outside their network to prevent circumventing their services.

More advanced firewalls can filter/prioritize/redirect/drop/block traffic based on application (i.e. Skype or Torrent). They can further shape the traffic by putting a higher priority on web browsing (port 80) and slowing down or even blocking SMTP/POP (port 25/110; not used as much anymore).

Is there a workaround besides using up my cell service bandwidth? Can I solve the problem by forcing a different DNS? How can i get VPN?

You can attempt all of these things. You can try to get a VPN Service (Tunnel Bear, NordVPN, etc), you can try manually setting your own DNS servers. However in the end, you are limited by one fact:

Their Network = Their Rules

The only sure way around this limitation is to use your own access point to the Internet like your iPhone (smartphone/tablet/hotspot).

Allan

Posted 2018-07-17T18:11:59.480

Reputation: 264
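Added example (not from the question, the answer or the comments above): a pf.conf fragment of the kind a network operator could load on a gateway running pf (macOS ships pf, as the answer notes) to implement the controls the answer describes: every DNS query from the guest LAN is rewritten to the operator's own resolver, DNS to anything else is dropped, ssh and the common VPN protocols are blocked, and only the web ports are allowed out. The interface name, addresses and the exact port list are assumed values chosen for the illustration.

```pf
# Macros: interface, guest LAN and gateway resolver are assumed values
lan_if  = "en1"
lan_net = "192.168.20.0/24"
shop_dns = "192.168.20.1"

# Normalise fragments before any rule sees them
scrub in all

# Translation rules come first in pf: rewrite every outbound DNS query
# (TCP and UDP port 53) from the guest LAN to the gateway's own resolver,
# so "forcing a different DNS" on the client still ends up here.
rdr on $lan_if proto { tcp udp } from $lan_net to any port 53 -> $shop_dns port 53

# Default deny, logged so the operator can see what is being dropped
block log all

# Allow the guest LAN to reach the gateway resolver and plain web ports only
pass in quick on $lan_if proto { tcp udp } from $lan_net to $shop_dns port 53
pass in quick on $lan_if proto tcp from $lan_net to any port { 80 443 }

# Explicit drops for ssh and the VPN protocols named in the answer:
# PPTP (tcp/1723 plus GRE), L2TP (udp/1701), IKE and NAT-T (udp/500, udp/4500)
block in quick on $lan_if proto tcp from $lan_net to any port { 22 1723 }
block in quick on $lan_if proto udp from $lan_net to any port { 500 1701 4500 }
block in quick on $lan_if proto gre from $lan_net to any
```

An operator loads a rule set like this with `sudo pfctl -f /etc/pf.conf`. A client behind such a gateway shows the symptoms the question describes: any name the gateway resolver refuses to answer surfaces in the browser as "server cannot be found", while a VPN or ssh attempt simply times out, and because port 53 is redirected rather than dropped, pointing the client at a different DNS server changes nothing.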

This is very simplified. – JBis – 2018-07-17T18:28:25.507

@JBis - how so? Please clarify – Allan – 2018-07-17T18:39:58.370

@JBis - You're apparently not familiar with Deep Packet Inspection that can identify application by packet header and even heuristic signature. – Allan – 2018-07-17T18:48:31.003

Yes. But "Basic Firewalls" rarely contain this feature. And most coffee shops aren't spending time or money to set it up (or have the knowledge). – JBis – 2018-07-17T18:50:09.483

@JBis - please take time to read the answer. I never said basic firewalls do that. – Allan – 2018-07-17T18:53:06.177

Darn. It was moved before I could edit. – JBis – 2018-07-17T19:00:37.600

Your edits are better. I would just add "It is almost always possible to bypass these restrictions but it depends how these restrictions are implemented. We are unable to determine what restrictions exist and how they are implemented without testing." For example if they block based on port (my school does this) then just switch ssh to a different non-blocked port (even 80 (http) or 443 (https)) and create an SSH tunnel with SOCKS5 Proxy. Here's an upvote :) – JBis – 2018-07-17T19:11:51.917

Suggestions from JBis are pretty much over my head. Though I have a vague familiarity with all of the terms, the process & tools would be beyond me. I strongly suspect we are not talking about ports. Some websites are accessible, some are not, but it is very confounding to me to understand which & why. For example, why could I not access StackExchange.com? It is not a bandwidth issue, like VPN. StackExchange is a broad & useful information resource. I should have tried forcing a different DNS, but I don't want to patronize that coffee shop now. – Terry McDanel – 2018-07-18T20:07:04.463

To be more specific, I was googling "how to make a key for an old mortise lock". Not exactly a Dark Web question. I was surprised at how many sites were blocked: This Old House, Pinterest, www.houseofantiquehardware.com, ehow... I can always tell the sites are working with "down for just me?" websites. "Bandwidth" does not explain the ISP's agenda. PIA does offer SOCKS5 as I remember, though I have no experience with it & I may try it the next time. Great discussion in any case. Thanks. – Terry McDanel – 2018-07-18T20:13:24.227