Netgate Discussion Forum

    Firewall rule to route a website

    General pfSense Questions
    8 Posts 5 Posters 1.9k Views
    • Guest

      So I have load balancing, but I want YouTube to only go through one modem.
      YouTube…
      lol, I have 50 firewall LAN rules with so many YouTube IP addresses.

      How can I just add a host?
      Because it still gets through even with 50 IP addresses, since YouTube has so many.

      • Metu69salemi

        IP or network alias ;)

        • stephenw10 (Netgate Administrator)

          YouTube is difficult to work with since it has so many points of presence, as you have found.
          To tidy up your rules you can add a YouTube alias and use that in a single rule. That won't help traffic getting past though.
          I don't know of any way to do this easily. You could do it using Squid.
          Just wondering if you could do it with a DNS override, hmmm.

          Steve

          You could try using dig to see what your dns cache has for youtube, assuming you have dns forwarding enabled.

          [2.0.1-RELEASE][root@pfsense.fire.box]/root(6): dig youtube.com
          
          ; <<>> DiG 9.6.2-P2 <<>> youtube.com
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7473
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0
          
          ;; QUESTION SECTION:
          ;youtube.com.                   IN      A
          
          ;; ANSWER SECTION:
          youtube.com.            178     IN      A       173.194.41.136
          youtube.com.            178     IN      A       173.194.41.132
          youtube.com.            178     IN      A       173.194.41.135
          youtube.com.            178     IN      A       173.194.41.130
          youtube.com.            178     IN      A       173.194.41.128
          youtube.com.            178     IN      A       173.194.41.137
          youtube.com.            178     IN      A       173.194.41.134
          youtube.com.            178     IN      A       173.194.41.131
          youtube.com.            178     IN      A       173.194.41.133
          youtube.com.            178     IN      A       173.194.41.129
          youtube.com.            178     IN      A       173.194.41.142
          
          ;; Query time: 1 msec
          ;; SERVER: 127.0.0.1#53(127.0.0.1)
          ;; WHEN: Sun Jun 10 22:03:30 2012
          ;; MSG SIZE  rcvd: 205
          
          
          • mostlyharmless

            I don't know if this idea would be remotely useful, but maybe make an alias for a network mask. You might get a few false positives going over, but you will certainly hit on YouTube. For example, if YouTube lives on 172.16. and it appears to be a /16 network, you could set an alias for 172.16..
            This would ensure that YouTube gets schlepped over, at the minor cost of some other innocent IPs in the 172.16/16 block.
            It certainly would make for quicker times in the firewall table.

            brainbubble fixed

            • stephenw10 (Netgate Administrator)

              Yes, that's a good point.
              In this case some false positives on the policy routing rule will probably not be a problem, unlike if you were trying to block YouTube altogether.

              Steve

              • wallabybob

                @mostlyharmless:

                if youtube lives on 178.1. and it appears to be a /16 network, you could set an alias for 172.1..

                So nobody takes the previously quoted set of IP addresses as definitive, I'll point out that in my part of the world (Australia) youtube seems to live on a different range of IP addresses:

                [2.0.1-RELEASE][admin@pfsense.example.org]/root(7): dig youtube.com

                ; <<>> DiG 9.6.2-P2 <<>> youtube.com
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25338
                ;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0

                ;; QUESTION SECTION:
                ;youtube.com. IN A

                ;; ANSWER SECTION:
                youtube.com. 248 IN A 74.125.237.104
                youtube.com. 248 IN A 74.125.237.96
                youtube.com. 248 IN A 74.125.237.102
                youtube.com. 248 IN A 74.125.237.97
                youtube.com. 248 IN A 74.125.237.103
                youtube.com. 248 IN A 74.125.237.98
                youtube.com. 248 IN A 74.125.237.101
                youtube.com. 248 IN A 74.125.237.110
                youtube.com. 248 IN A 74.125.237.99
                youtube.com. 248 IN A 74.125.237.105
                youtube.com. 248 IN A 74.125.237.100

                ;; Query time: 4 msec
                ;; SERVER: 127.0.0.1#53(127.0.0.1)
                ;; WHEN: Mon Jun 11 13:33:37 2012
                ;; MSG SIZE  rcvd: 205

                [2.0.1-RELEASE][admin@pfsense.example.org]/root(8):

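As an added example (not code from any poster in this thread), the script below turns dig ANSWER SECTION lines like the two sets quoted above into pfSense network-alias entries at a chosen prefix length, and reports how many never-observed addresses each summary would also match, which is the false-positive cost of the network-mask idea discussed earlier in the thread. The embedded sample lines are constructed from the addresses quoted in this thread; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: a few ANSWER SECTION lines in the two layouts seen in
# this thread (column-aligned and single-spaced), plus a header line that
# the parser must ignore.
DIG_ANSWERS = """\
;; ANSWER SECTION:
youtube.com.            178     IN      A       173.194.41.136
youtube.com.            178     IN      A       173.194.41.132
youtube.com.            178     IN      A       173.194.41.142
youtube.com. 248 IN A 74.125.237.104
youtube.com. 248 IN A 74.125.237.96
youtube.com. 248 IN A 74.125.237.110
"""

A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$")


def parse_a_records(text):
    """Return the IPv4 addresses from dig ANSWER SECTION lines."""
    addrs = []
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            addrs.append(ipaddress.ip_address(m.group(3)))
    return addrs


def summarize(addrs, prefixlen):
    """Collapse the observed addresses into /prefixlen networks.

    Returns (networks, overshoot): the alias entries, and the number of
    addresses the alias matches that were never seen in DNS answers.
    """
    nets = {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addrs}
    nets = sorted(ipaddress.collapse_addresses(nets))
    covered = sum(n.num_addresses for n in nets)
    return nets, covered - len(set(addrs))


def alias_entries(addrs, prefixlen):
    """Strings ready to paste into a pfSense Network-type alias."""
    nets, _ = summarize(addrs, prefixlen)
    return [str(n) for n in nets]


if __name__ == "__main__":
    observed = parse_a_records(DIG_ANSWERS)
    for plen in (32, 24, 16):
        nets, miss = summarize(observed, plen)
        print(f"/{plen}: {len(nets)} alias entries, {miss} unobserved addresses matched")
```

Feed it the output of a dig run on your own pfSense box rather than the sample, since, as the thread notes, the answers differ by region.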
                • mostlyharmless

                  Whoops, I typo'd my example, I'll fix it. 172.16.x.x is a class B under RFC 1918, that's what I meant to put, not 178.1. Those won't be real YouTube IPs unless you are doing it very, very wrong.  ;)

                  • stephenw10 (Netgate Administrator)

                    @wallabybob:

                    So nobody takes the previously quoted set of IP addresses as definitive

                    Yes, re-reading my previous post I failed to make it clear that anyone doing this must do it themselves locally in order to get a useful set of IPs. The IPs used by Youtube (or any large distribution network) will vary geographically. Wallabybob and I are about as geographically separated as possible but you get the idea.  ;)

                    Steve

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.