Netgate Discussion Forum
    How To Direct Traffic For Specific Website(s) Out Specific Gateway?

    Category: Routing and Multi WAN
    • KOM @alteredstate

      @alteredstate pfSense can filter based on IP address, port or protocol and that's about it. It has no concept of URLs. To do what you describe, you would need to provide a complete list of IP addresses used by that particular website. Then you could direct traffic out a specified gateway based on destination IP address.

      • akuma1x @KOM

        @kom said in How To Direct Traffic For Specific Website(s) Out Specific Gateway?:

        It has no concept of URLs. To do what you describe, you would need to provide a complete list of IP addresses used by that particular website.

        Um, yes it does, kind of... It works with FQDNs and for most users, that would work just fine. I know a URL is more than just an FQDN, so that's why I say "it kind of works". Lots of people don't even know the difference between the two.

        If the user can simplify, like I believe he/she has done, it should work. It is most likely that Disney+ uses tons of domains and/or a CDN network with many hundreds of IP addresses to deliver its content; if so, all bets are off on getting this to work successfully.

        So, OP, you could try this - in your alias for Disney+ (I would suggest to make just one for all of this stuff), add all of these domains:

        https://support.opendns.com/hc/en-us/articles/360037591112-Domains-to-Allow-for-Disney-Plus

        Hope that helps.

        • johnpoz (LAYER 8 Global Moderator) @akuma1x

          An easier solution for the streaming channel stuff is to just policy route out your WAN via the source IP.. Just set up your policy route to send traffic from whatever you're playing your channel on out your WAN.

          Be that a roku/fire stick, apple TV, shieldTV, PS/Xbox, your TV.. etc..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

          • akuma1x @johnpoz

            @johnpoz I agree, that's how I do it with a couple of streaming things.

            • KOM @akuma1x

              @akuma1x The problem with that approach is that the domain in question often has many IP addresses associated with it, and they can reference external addresses owned by CDNs that can change on the fly. It's not as simple as just creating a rule that says if DestAddr=www.disney.com then gateway2...

              • akuma1x @KOM

                @kom According to the HOSTS area in the Alias tab, IP addresses of FQDNs are resolved on some kind of periodic basis.

                "Enter as many hosts as desired. Hosts must be specified by their IP address or fully qualified domain name (FQDN). FQDN hostnames are periodically re-resolved and updated. If multiple IPs are returned by a DNS query, all are used"

                I don't know how many levels of resolving happens, however, like you're saying in your post.

                • johnpoz (LAYER 8 Global Moderator) @akuma1x

                  @akuma1x the default time is 5 minutes. While some TTLs on CDNs can be as low as 60 seconds.. They can and do change quite often.

                  But that is prob the least of the issues to be honest. It's more the vast amount of domains and FQDNs that could be used by a service such as Netflix or Disney, Amazon, etc. Which can also change..

                  I only block ad related domains, and don't route any traffic out a VPN.. And I ran into an issue where some streaming app wasn't working... Took me a few minutes to figure out which freaking domain it was asking for that was killing the app from fully loading..

                  So you're attempting to policy route based on something that is resolved and can change on a dime, while you only resolve it every 5 minutes. And quite often it's possible said device is hard coding DNS and using different DNS than pfSense - this can also lead to differences in what is allowed or routed out WAN, and what is being attempted to go to..

                  Seems like a lot of effort.. It would be easier to just let the stick do what it wants out your WAN.. Do you care if your ISP knows you watch a movie off Netflix? ;)

                  To me it would be much simpler to just route the devices you want to route out the VPN, vs routing everything out it and making exceptions to that rule for only specific domains. Say you're running some p2p box on your network... Run it through the VPN.. Let everything else go out your WAN..

                  If you're running your DNS through the VPN, or using the VPN DNS - that can cause some issues as well.. Since they might resolve wrong IPs for your actual connection, or not resolve at all..

                  While what is being asked can be done sure - it's just that it can very quickly become a bit more complex than put this domain in an alias and Bob's your uncle ;)

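The post above makes two separate points: the alias is only re-resolved every 5 minutes while CDN TTLs can be 60 seconds, and the device may use a resolver other than pfSense. The following is an added example (not code from the forum thread or from pfSense) that models both failure modes so you can see how many connections slip past an FQDN-alias policy route. Every hostname, address, TTL and timestamp in it is constructed sample data; `cdn.example.net` and `www.example.com` stand in for a streaming service's hostnames, and the 300 s refresh interval is pfSense's default.

```python
"""Model of why policy routing on a pfSense FQDN alias misses part of a
CDN-backed service (added example, not from the thread or from pfSense).

pfSense re-resolves alias hostnames on a fixed interval (default 300 s) and
loads the result into a pf table; a rule using the alias matches only the
addresses that were in the table when the connection was opened. The client
resolves the same name itself, often with a 60 s TTL and sometimes through
its own resolver (DoH), so the address it connects to need not be in the
table. All DNS answers, names and times below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable

REFRESH_INTERVAL = 300  # pfSense default "Aliases Hostnames Resolve Interval", seconds


@dataclass(frozen=True)
class Answer:
    """From time t onward, `name` resolved to `addrs` as one resolver saw it."""
    t: int
    name: str
    addrs: frozenset


def answer_at(view: Iterable[Answer], name: str, t: int) -> frozenset:
    """The answer for `name` that was current at time t in this resolver's view."""
    current = [a for a in view if a.name == name and a.t <= t]
    return max(current, key=lambda a: a.t).addrs if current else frozenset()


def alias_table_at(pfsense_view: Iterable[Answer], names: Iterable[str], t: int) -> frozenset:
    """Contents of the pf table behind an FQDN alias at time t: the union of
    what each name resolved to at the most recent refresh, not at t itself."""
    last_refresh = (t // REFRESH_INTERVAL) * REFRESH_INTERVAL
    table = set()
    for name in names:
        table |= answer_at(pfsense_view, name, last_refresh)
    return frozenset(table)


def client_flows(client_view: Iterable[Answer], name: str, times: Iterable[int]):
    """Connections the client opens: at each time it uses its own resolver's
    current answer and (deterministically) picks the lowest address."""
    return [(t, name, sorted(answer_at(client_view, name, t))[0]) for t in times]


def missed_flows(flows, pfsense_view: Iterable[Answer], names: Iterable[str]):
    """Flows whose destination was not in the alias table when opened. These
    never match the alias rule and take whatever route the rules below it
    (or the system routing table) give them."""
    return [(t, name, dst) for t, name, dst in flows
            if dst not in alias_table_at(pfsense_view, names, t)]


def rotating_pool(name: str, ttl: int, periods: int, prefix: str):
    """Constructed CDN behaviour: a fresh pair of addresses every ttl seconds."""
    return [Answer(i * ttl, name, frozenset({f"{prefix}.{2 * i + 10}", f"{prefix}.{2 * i + 11}"}))
            for i in range(periods)]


NAMES = ["cdn.example.net", "www.example.com"]  # stand-ins for the service's hostnames (assumed)
STABLE = [Answer(0, "www.example.com", frozenset({"192.0.2.7"}))]  # long-TTL name, never changes
PFSENSE_VIEW = rotating_pool("cdn.example.net", 60, 6, "198.51.100") + STABLE   # what pfSense's resolver sees
CLIENT_DOH_VIEW = rotating_pool("cdn.example.net", 60, 6, "203.0.113") + STABLE  # a DoH resolver's different pool
TIMES = [30, 90, 150, 210, 270, 330]  # the client reconnects to the CDN name every 60 s


def report(client_view: Iterable[Answer]):
    """(total, missed) for a client that keeps reconnecting to the CDN name."""
    flows = client_flows(client_view, "cdn.example.net", TIMES)
    return len(flows), len(missed_flows(flows, PFSENSE_VIEW, NAMES))


if __name__ == "__main__":
    # Same resolver as pfSense: only the flows right after a refresh hit the table.
    print("client uses pfSense DNS: total/missed =", report(PFSENSE_VIEW))
    # Own DoH resolver with a different address pool: nothing ever hits the table.
    print("client uses its own DoH: total/missed =", report(CLIENT_DOH_VIEW))
```

With the same resolver as pfSense, 4 of the 6 connections open during the part of the 5 minute window when the CDN has already rotated its pool; with a separate DoH resolver returning a different pool, all 6 miss. On a running pfSense box the equivalent check is `pfctl -t <aliasname> -T show` for the table as pf currently holds it, compared against what the client's resolver returns for the name at that moment. The interval is adjustable under System > Advanced > Firewall & NAT ("Aliases Hostnames Resolve Interval"); shortening it narrows the first window but does nothing for the second, which is why the thread keeps coming back to forcing the device to use pfSense for DNS.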
                  • alteredstate @johnpoz

                    @johnpoz

                    Thanks for the suggestion but the problem with this is let's say I want my laptop to always use the VPN gateway but now I want to watch something on Disney+ from my laptop. I would be forced to continually disable and enable the VPN firewall destination rule each time I use Disney+.

                    • couteauabeurre

                      PFBlockerNG with IPv4 Source Definitions & FW rule with specific GTW

                      PFBlockerNG:

                      Create an "alias native" IPv4 in PFBlockerNG:
                      [screenshot: 3- 2021-08-28 115520.jpg]

                      Populate this new alias with whois source definitions:
                      [screenshot: 1- 2021-08-28 115520.jpg]

                      Force an update of PFBlockerNG, then create your FW rule with a specific existing gateway:
                      [screenshot: 2- 2021-08-28 115520.jpg]

                      • johnpoz (LAYER 8 Global Moderator) @alteredstate

                        @alteredstate said in How To Direct Traffic For Specific Website(s) Out Specific Gateway?:

                        I would be forced to continually disable and enable the VPN firewall destination rule each time I use Disney+.

                        Just create another wifi network then, when you want to watch Disney, connect to your non vpn wifi. When you want to do whatever else, just switch to your vpn wifi..

                        I would just watch on my TV to be honest.. Why would anyone watch on little screen when there is a big screen available?

                        But if you're going to be using a device where you want to split traffic VPN and non-VPN - then yeah, policy routing is really the only way to do that. It can be problematic - especially if the laptop is not using pfSense for DNS, say DoH..

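The two approaches discussed in this thread, johnpoz's source-IP policy route and the destination-alias exception that alteredstate's laptop case needs, expressed as the pf rules pfSense generates from Firewall > Rules > LAN. This is an added illustration, not the forum's or pfSense's own ruleset; interface names, gateway addresses, the laptop's address and the table contents are assumptions. The point it shows is ordering: pfSense evaluates LAN rules top to bottom with first match, so a rule for the alias placed above the laptop's VPN rule sends the streaming traffic out the WAN while everything else from the laptop still goes out the VPN, with no rule toggling.

```pf
# Interfaces and gateways are assumptions for illustration only.
wan_if  = "igb0"
wan_gw  = "203.0.113.1"
vpn_if  = "ovpnc1"
vpn_gw  = "10.8.0.1"
lan_if  = "igb1"
lan_net = "192.168.1.0/24"
laptop  = "192.168.1.50"

# What an FQDN alias becomes in pf: a table that pfSense fills with the
# resolved addresses and rewrites on the alias refresh interval. The entries
# here are placeholders; on a live box inspect it with
#   pfctl -t disneyplus -T show
table <disneyplus> persist { 198.51.100.0/24, 192.0.2.7 }

# 1. The exception comes first. pfSense rules are first-match ("quick"), so
#    this must sit above the laptop's VPN rule in the GUI. LAN traffic to the
#    service is policy routed out the WAN.
pass in quick on $lan_if route-to ($wan_if $wan_gw) inet from $lan_net to <disneyplus> keep state

# 2. johnpoz's source-based policy route: the laptop, and nothing else on the
#    LAN, goes out the VPN by default.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet from $laptop to any keep state

# 3. Everything else follows the system routing table (no route-to), so a
#    streaming stick that should stay on the WAN needs no rule of its own.
pass in quick on $lan_if inet from $lan_net to any keep state
```

Rule 1 only matches addresses that are in the table when the connection is opened. If the laptop resolves the service through its own DoH resolver and gets an address pfSense never saw, that connection falls through to rule 2 and goes out the VPN anyway, which is exactly the failure the thread warns about; forcing the laptop to use pfSense for DNS (and checking the table with `pfctl -t disneyplus -T show` while the app is loading) is the practical check.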
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.