Wildcards in aliases? pushing traffic via VPN or nonencrypted route

  • I'm posting this in multiwan since it's closes to what I'm doing, I think.

    I have an SG-2440 which is connected to my ISP, and am running an openVPN client to connect to my VPN provider.

    Traffic uses the openVPN connection by default.  I have a few static routes that use the ISP directly for ipsec to the office, and for those websites which don't like my VPN provider.

    I primarily use aliases for those sites, so that www.foo.com is included within an alias that has a firewall rule explicitly permitting the alias to use the ISP gateway rather than the openVPN gateway.  By default, packets from the lan to the ISP gateway are rejected.

    The issue is that for some sites, many hosts seem to be required in the alias to get the traffic to pass.

    There doesn't seem to be a way to include
    *.foo.com in an alias so that the alias will pick up traffic to
    foo.foo.com and
    bar.foo.com all the time.  (For some domains, using just foo.com will pick up all variants, but for some domains, each host needs the entire hostname in the alias.)

    Is there a way to include wildcards in an alias that I don't know about?

    Should I be looking at setting up Squid or similar and using Squid to make these decisions rather than hoping for firewall permissions and aliases to get it to work?

    Thanks in advance!

  • Rebel Alliance Developer Netgate

    There is no way to use wildcards in aliases, and using hostnames like that often does not work how you expect.

    It can work for some simple sites where the site resolves to one IP address or a static set of addresses, but using a hostname in an alias in that way does not work for large sites that employ rotating sets of addresses or CDNs that change constantly.

    When you enter a hostname into an alias it is resolved right then, and periodically after (once every 5 minutes by default). It can't resolve "*.foo.com" to an IP address, so there is no way to check that. It does not check the hostname on each attempted access, as the firewall does not ever see the hostname requested by the client.

  • Thanks, Jimp

    I did figure out that wildcards don't work, at least in the web gui.  Many times hostnames will work for this but not always as you point out.

    So, is this a task that Squid is the right tool for?

  • Rebel Alliance Developer Netgate

    For dealing with hostnames you would need to use squid or perhaps DNSBL from pfBlockerNG may have some features you'd be interested in.

  • Is squid able to address both http and https these days?  It's been a long time since I've poked around the open source proxy universe.  At the office we use honking commercial products that can proxy everything transparently.  Which, ideally, I'd like to do in this case as well - I'm not interested in the content or setting up PAC files, just in getting target.com's weekly ad to display for She Who Must Be Obeyed.

    the other option might be to sign up with a VPN provider with fewer sketchy clients, of course.  PIA's great and all, but their network is abused so much that lots of web properties don't like talking to them.

  • Rebel Alliance Developer Netgate

    Squid can only grab HTTP transparently unless you jump through a bunch of hoops and install a custom CA on all clients to break SSL and intercept HTTPS (it's a bad idea – don't do it)

    If the user puts their proxy settings in the browser it can do both easily.

    Choosing to allow some clients to bypass or use a different VPN based on their source is easy, just policy route with a rule matching their source IP address and direct them to whatever gateway you want.

Log in to reply