Routing using Source IP and destination hostname
-
I use pfSense to do my DNS resolution.
I also have the following rule setup which routes LAN traffic from certain source IPs over an ExpressRoute VPN connection:
Is it possible to exclude certain traffic destination hostname traffic from this rule, for example anything going to *.pbskids.org? I have been thinking that I may be able to use tagging somehow to do this since pfSense also does DNS resolution, but I am not quite sure how to go about doing this.
-
@codechurn said in Routing using Source IP and destination hostname:
Is it possible to exclude certain traffic destination hostname traffic from this rule, for example anything going to *.pbskids.org?
Not this way, with a wildcard domain.
You can use host names in filter rules though, but pfSense has to be able to resolve it and set the proper rule with its IP address. Wildcards cannot be resolved like that.
-
@codechurn said in Routing using Source IP and destination hostname:
I use pfSense to do my DNS resolution.
I also have the following rule setup which routes LAN traffic from certain source IPs over an ExpressRoute VPN connection:
Is it possible to exclude certain traffic destination hostname traffic from this rule, for example anything going to *.pbskids.org? I have been thinking that I may be able to use tagging somehow to do this since pfSense also does DNS resolution, but I am not quite sure how to go about doing this.
To exclude traffic destined for specific hostnames (like *.pbskids.org) from your pfSense rule that routes LAN traffic over an ExpressRoute VPN, you can indeed use firewall rules and DNS-based filtering.
1. Create Alias for Destination Hosts:
Go to Firewall > Aliases and create a new alias containing the hostnames you want to exclude. For example, create an alias named Exclude_PBSKids and add *.pbskids.org to it.
2. Create a Firewall Rule:
Navigate to Firewall > Rules, and under your LAN interface rules, find the rule that directs traffic over the ExpressRoute VPN.
Edit the rule and scroll down to the Advanced Options.
In the Advanced Options, you can use the Match tab to set the conditions. Here you can specify that the rule should only apply if the destination does not match a specific alias.
Select Single Host or Alias in the Destination field and select the Exclude_PBSKids alias you created earlier. Ensure the Invert match option is enabled to exclude traffic to *.pbskids.org.
3. DNS Resolver Settings:
If pfSense is resolving DNS queries locally, configure it to forward DNS queries to a DNS server that can resolve *.pbskids.org addresses correctly. This ensures that traffic to these destinations bypasses the VPN rule based on DNS resolution.
4. Testing and Verification:
Apply the changes and test by accessing websites under *.pbskids.org domains from your LAN. Verify that traffic to these destinations is not routed over the ExpressRoute VPN connection but rather through the regular internet connection.
-
@boulesmoonraker
Thanks guys. I was able to get this to work with your advice, but unfortunately wildcards are not supported in the IP Alias list as @viragomann pointed out. It would be a cool feature if pfSense did support wildcards for hostnames. With some packet captures I was able to determine the handful of hosts I needed to add to the list and it worked like a champ.
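To make the thread's outcome concrete, here is an added Python model (not code from any poster or from pfSense itself) of how a hostname alias is expanded to addresses before a source-IP rule with an inverted destination match can exclude anything, and why a wildcard entry excludes nothing. The DNS answers, LAN subnet and flows are constructed for the demo, using documentation address ranges.

```python
import ipaddress

# Constructed DNS answers for an offline demo (hypothetical addresses from the
# 203.0.113.0/24 documentation range); pfSense's filterdns would fill a
# hostname alias from real lookups instead.
FAKE_DNS = {
    "www.pbskids.org": ["203.0.113.10"],
    "cdn.pbskids.org": ["203.0.113.20", "203.0.113.21"],
}

def expand_alias(entries, dns=FAKE_DNS):
    """Expand hostname alias entries into IP addresses. A wildcard like
    '*.pbskids.org' is not a resolvable name, so it adds nothing and is
    reported as unresolved: the exclusion silently covers no traffic."""
    ips, unresolved = set(), []
    for name in entries:
        if name.startswith("*.") or name not in dns:
            unresolved.append(name)
            continue
        ips.update(ipaddress.ip_address(a) for a in dns[name])
    return ips, unresolved

def choose_gateway(src, dst, vpn_sources, exclude_ips):
    """Model a LAN policy-routing rule: 'pass from <vpn_sources> to
    !<exclude alias> gateway VPN_GW'. Unmatched packets use the default."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_match = any(src in ipaddress.ip_network(n) for n in vpn_sources)
    dst_match = dst not in exclude_ips  # the 'Invert match' on destination
    return "VPN_GW" if src_match and dst_match else "DEFAULT_GW"

def demo(alias_entries):
    """Route constructed flows under the alias; return gateway per flow and
    the alias entries that never resolved."""
    vpn_sources = ["192.168.1.0/24"]          # hypothetical LAN subnet
    exclude_ips, unresolved = expand_alias(alias_entries)
    flows = [
        ("192.168.1.50", "203.0.113.10"),     # LAN host -> www.pbskids.org
        ("192.168.1.50", "198.51.100.7"),     # LAN host -> unrelated site
        ("192.168.2.9", "203.0.113.10"),      # host not covered by the rule
    ]
    routes = {f: choose_gateway(*f, vpn_sources, exclude_ips) for f in flows}
    return routes, unresolved

if __name__ == "__main__":
    for entries in (["*.pbskids.org"], ["www.pbskids.org", "cdn.pbskids.org"]):
        routes, unresolved = demo(entries)
        print(entries, "unresolved:", unresolved)
        for flow, gw in routes.items():
            print("  ", flow, "->", gw)
```

Running it shows the wildcard alias leaving pbskids traffic on the VPN, while the explicit hostnames (the handful found via packet capture in the thread) send it out the default gateway.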