Multi-WAN, route by destination hostname not IP
-
Hi,
I have done some searching on the forum and in the pfSense interface but haven't seen a solution to my problem so far.
I have 2 WAN connections, one static and one dynamic, and would like to route all traffic via the dynamic connection by default. Certain traffic (mostly queries to online informational databases; the local network is a library providing public access) needs to be routed via the static connection based on destination, because the paid databases authenticate access by source IP address.
Most of the destinations can be routed statically by destination IP; however, one of the database providers uses Amazon Cloud services and as such the destination IP address changes frequently and drastically. As such we are looking for a way to configure static routes via destination hostname rather than IP.
We would normally accomplish this via Policy-Based Routing and IP SLA, but their Cisco router is older and does not have adequate DRAM to run the version of IOS required for this functionality.
Is there any way to configure static routes in pfSense based on destination hostname/DNS as opposed to IP? Or maybe a more elegant solution?
Many thanks,
-abd
-
Create a rule for these destinations (in most cases on LAN) and apply a gateway to it.
-
Thanks very much for the reply.
When configuring a new rule on the LAN using a hostname (e.g., www.google.com) as the destination and selecting a gateway for routing, I receive the following error:
The following input errors were detected:
www.google.com is not a valid destination IP address or alias.
I am able to create an alias for www.google.com (even though the alias editor states that "Hosts must be specified by their IP address") and use that alias to create a firewall Block rule. However, the rule doesn't seem to have any effect; all traffic is allowed to www.google.com and no log entry is created (I enabled logging on the rule).
I'm probably just missing something obvious; any additional input would be greatly appreciated.
-
Create rules based on IP, not hostnames.
nslookup www.google.com, find its IPs and add them to your alias.
-
Sorry, I should have stressed more the reason why I need to route by hostname and not IP.
As I mentioned, one of the database providers uses Amazon Cloud services, and as such the destination hostname's IP address changes frequently (often 4-5 times a week) and drastically (such that specifying a route based on destination range or network will also not work).
Resolving the IP of my destination hostname isn't the problem; it's that I would have to constantly update the route every time the IP changes. The more I look at and test the issue with pfSense, the more I suspect that routing by hostname isn't supported, but maybe I'm missing something.
-
You can use hostnames in aliases, just not directly in firewall rules.
That said, it doesn't really work well for things like google that return a random set of IPs from a large pool.
The hostname is resolved (and re-resolved periodically) by the firewall and the alias updated as needed; however, the client also resolves the hostname, and if there is a difference between the set of IPs obtained by the firewall and those obtained by the client, the rule is ineffective.
-
We would normally accomplish this via Policy-Based Routing and IP SLA
How exactly would you do this?
Sorry, I should have stressed more the reason why I need to route by hostname and not IP. As I mentioned, one of the database providers uses Amazon Cloud services, and as such the destination hostname's IP address changes frequently (often 4-5 times a week) and drastically (such that specifying a route based on destination range or network will also not work).
It can be done with pfSense as jimp explained. Since the hostname you need to resolve changes IPs relatively infrequently ("4-5 times a week"), you can simply use an alias, as previously suggested. pfSense includes a daemon that periodically resolves any FQDN in aliases into IP(s).
But it wouldn't work if the FQDN resolved to a different IP every time you did a DNS query (e.g. www.facebook.com). For those cases I've considered doing policy routing for the entire IP range and suggested a related feature to the devs here.
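To make the failure mode jimp describes concrete (and the point in the last reply that a name whose answer changes a few times a week works with an alias while a www.facebook.com-style round-robin name does not), here is a small simulation. It is an added example written for this page, not pfSense code and not from anyone in the thread. It assumes a firewall-side alias table that is re-resolved on a fixed interval (the interval values are assumptions), constructed DNS answers drawn from documentation address ranges, and a client that connects to the first address its own resolver returns; the third scenario assumes the usual mitigation of having LAN clients use the firewall's own DNS resolver so both sides share one cached answer.

```python
import random

WEEK = 7 * 24 * 3600

# Constructed sample DNS answers (documentation ranges, not real records).
# STABLE models the Amazon-hosted database in the thread: the address changes
# a few times a week, but every query between changes returns the same answer.
STABLE_SCHEDULE = [   # (seconds since start, address returned from then on)
    (0,      "198.51.100.10"),
    (174000, "198.51.100.57"),   # changes 20 minutes after the 2-day mark
    (346800, "203.0.113.8"),     # changes 20 minutes after the 4-day mark
]
# ROTATING models www.google.com: a large pool, a random subset per query.
ROTATING_POOL = [f"192.0.2.{i}" for i in range(1, 33)]


def resolve_stable(now):
    """Resolver for the stable name: the most recent scheduled address."""
    addr = STABLE_SCHEDULE[0][1]
    for start, a in STABLE_SCHEDULE:
        if now >= start:
            addr = a
    return [addr]


def make_rotating(seed):
    """Resolver for the rotating name: 4 addresses drawn from the pool per query."""
    rng = random.Random(seed)
    return lambda now: rng.sample(ROTATING_POOL, 4)


class CachingResolver:
    """A shared DNS cache, e.g. the firewall's own resolver used by both the
    firewall and LAN clients: the upstream answer is reused until its TTL expires."""
    def __init__(self, upstream, ttl):
        self.upstream, self.ttl = upstream, ttl
        self.answer, self.expires = None, -1

    def __call__(self, now):
        if now >= self.expires:
            self.answer = self.upstream(now)
            self.expires = now + self.ttl
        return self.answer


class FqdnAlias:
    """Firewall-side alias table, re-resolved every `interval` seconds.
    This models the periodic alias resolver mentioned in the thread; the real
    daemon and its default interval are assumptions, not reproduced here."""
    def __init__(self, resolver, interval):
        self.resolver, self.interval = resolver, interval
        self.table, self.last_refresh = set(), None

    def tick(self, now):
        if self.last_refresh is None or now - self.last_refresh >= self.interval:
            self.table = set(self.resolver(now))
            self.last_refresh = now

    def matches(self, ip):
        return ip in self.table


def choose_gateway(alias, dst_ip):
    """The LAN rule: destination in the alias -> static WAN, else the default."""
    return "WAN_STATIC" if alias.matches(dst_ip) else "WAN_DYNAMIC"


def simulate(fw_resolver, client_resolver, interval, duration=WEEK, step=600):
    """Every `step` seconds a client resolves the name and connects to the first
    address it got. Returns (connections routed via the static WAN, total)."""
    alias = FqdnAlias(fw_resolver, interval)
    routed = total = 0
    for now in range(0, duration, step):
        alias.tick(now)                  # firewall refreshes the alias if due
        dst = client_resolver(now)[0]    # client resolves on its own
        total += 1
        if choose_gateway(alias, dst) == "WAN_STATIC":
            routed += 1
    return routed, total


def scenario_stable():
    """Amazon-style name, firewall and client resolve independently: only the
    few connections between an address change and the next alias refresh miss."""
    return simulate(resolve_stable, resolve_stable, interval=3600)


def scenario_rotating_separate():
    """Google-style name, client uses a different resolver than the firewall:
    the rule matches only when the client happens to get an address the
    firewall's last refresh also got (about 4 in 32 here)."""
    return simulate(make_rotating(1), make_rotating(2), interval=300)


def scenario_rotating_shared():
    """Google-style name, but clients use the firewall's resolver: both sides see
    the same cached answer, and the alias refreshes before the cache expires."""
    shared = CachingResolver(make_rotating(3), ttl=3600)
    return simulate(shared, shared, interval=600)


if __name__ == "__main__":
    for name, fn in [("stable name, separate resolvers", scenario_stable),
                     ("rotating name, separate resolvers", scenario_rotating_separate),
                     ("rotating name, shared resolver", scenario_rotating_shared)]:
        routed, total = fn()
        print(f"{name}: {routed}/{total} connections left via the static WAN")
```

The stable name misses only during the window between an upstream change and the next alias refresh, which is why the firewall's refresh interval should be short relative to how often the provider moves; the rotating name with independent resolvers matches only by chance. The shared-resolver case still depends on the alias being refreshed at least as often as the shared cache expires, which the interval and TTL chosen above guarantee; if the cache rolled over between two alias refreshes, those connections would leave via the dynamic WAN and fail the provider's source-IP check.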