How are sites blocked on public WiFi?

by Terry McDanel   Last Updated July 17, 2018 19:01 PM

I have a MacBook Pro High Sierra v10.13.6

At a coffee shop, I was trying to Google an answer to a question, but it seemed like most sites were blocked, including StackExchange. Browsers usually say "Server cannot be found". I presume this means that the IP is specifically blocked. At first I thought they were blocking HTTPS, but Google is HTTPS so it's not that simple.

I realized I had seen this before. The shop's WiFi setup blocked VPN and L2TP as a workaround. I can only write this because I turned off WiFi on my iPhone and am using it as a hotspot.

How do coffee shop ISPs do that?

Is there a workaround besides using up my cell service bandwidth? Can I solve the problem by forcing a different DNS? How can I get VPN?

Answers 1

Technically, this isn't an Apple question per se, but the question (IMO) is a good one because it "seems" like an Apple issue and (some of) the technology involved is actually included with macOS - pf firewall.

Network owners can "shape" traffic on their network. This can be:

  • specifying QoS for different traffic types (i.e. priority for web browsing and slowing down email delivery)
  • blocking traffic based on source, destination, or even application
  • blocking or dropping traffic based on protocol
  • specifying custom DNS servers

Why they do this

In short, economic reasons. Bandwidth costs money and they want to ensure there's enough to serve the needs of all their customers.

VPN traffic (L2TP, IKEv2, PPTP, etc.) is a bandwidth hog. Its very design keeps a tunnel state active to the endpoint you're connecting to, meaning it's allocating bandwidth even if you're not using it. That's bandwidth that could have gone to another customer.

File transfers (like software updates, App store purchases, etc. and even streaming services) are notoriously bandwidth hungry. Could you imagine the network saturation with some folks watching Netflix and others downloading macOS Mojave beta?

How they do this

Basic firewalls have the ability to block/drop traffic based on protocol, source and destination. For example, they can choose to block all traffic to port 22 (ssh). They can also block websites, set their own DNS server (if they want to prevent access to adult sites for example) and even drop DNS requests (port 53) to everything outside their network to prevent circumventing their services.

More advanced firewalls can filter/prioritize/redirect/drop/block traffic based on application (i.e. Skype or Torrent). They can further shape the traffic by putting a higher priority on web browsing (port 80) and slowing down or even blocking SMTP/POP (port 25/110; not used as much anymore).

Is there a workaround besides using up my cell service bandwidth? Can I solve the problem by forcing a different DNS? How can I get VPN?

You can attempt all of these things. You can try to get a VPN service (Tunnel Bear, NordVPN, etc.), or you can try manually setting your own DNS servers. However, in the end, you are limited by one fact:

                         Their Network = Their Rules

The only sure way around this limitation is to use your own access point to the Internet like your iPhone (smartphone/tablet/hotspot).

July 17, 2018 18:15 PM
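As an added illustration (not part of the answer above), here is what the policies the answer describes look like when written as rules for pf, the packet filter that ships with macOS and many routers. The interface name, guest subnet and resolver address are assumptions; the ports are the standard ones for the protocols the answer names (L2TP, IKEv2, PPTP, SSH, DNS, HTTP/HTTPS).

```conf
# Added example: a gateway pf.conf implementing the shop-style policy described
# in the answer. Interface, subnet and resolver address are assumed values.
lan_if    = "en1"              # interface facing the guest WiFi (assumption)
guest_net = "192.168.10.0/24"  # guest subnet (assumption)
our_dns   = "192.168.10.1"     # the shop's own resolver (assumption)

set skip on lo0

# Default: let guest traffic through; specific rules below carve out what is
# blocked. "quick" makes a rule final on first match, "log" feeds pflog for review.
pass in on $lan_if from $guest_net to any keep state

# DNS: allow only the shop's resolver, drop port 53 to every other server
# (this is what defeats "just set a different DNS server" on the client).
pass  in quick on $lan_if proto { tcp, udp } from $guest_net to $our_dns port 53 keep state
block in log quick on $lan_if proto { tcp, udp } from $guest_net to any port 53

# VPN protocols: IKEv2/IPsec (500, 4500 + ESP), L2TP (1701), PPTP (1723 + GRE)
block in log quick on $lan_if proto udp from $guest_net to any port { 500, 1701, 4500 }
block in log quick on $lan_if proto tcp from $guest_net to any port 1723
block in log quick on $lan_if proto { esp, gre } from $guest_net to any

# The answer's SSH example: block outbound port 22
block in log quick on $lan_if proto tcp from $guest_net to any port 22

# Legacy mail protocols the answer mentions (SMTP/POP3)
block in log quick on $lan_if proto tcp from $guest_net to any port { 25, 110 }

# Ordinary web browsing stays allowed (matched by the default pass above);
# listed explicitly so the intent is visible when reading `pfctl -sr`.
pass in quick on $lan_if proto tcp from $guest_net to any port { 80, 443 } keep state
```

`pfctl -nf /path/to/pf.conf` parses the file without loading it, which is the way to check the syntax before `pfctl -f` puts it into effect; the `log` keyword means every blocked attempt shows up on the pflog interface, which is how an operator sees which policies are actually being hit.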
