Netgate Discussion Forum

Specific OS traffic routing

Routing and Multi WAN
10 Posts 3 Posters 1.3k Views
tarbugre

Hi,

I remember seeing somewhere that this was possible on pfSense, can anyone help me do it?
I need to route specific OSes through a specific WAN.

ex:

android devices -> wan1
windows devices -> wan2
linux devices -> wan3

Thanks
johnpoz LAYER 8 Global Moderator

Yeah this is just policy based routing.. Create a firewall rule that pushes the traffic you want either based upon source IP, dest IP or dest port out your specific gateway.

But pfs is not going to be able to detect that device is a linux based device send it out gateway 1, oh that is a windows based OS send it out gateway 2.. You're going to have to be able to filter on stuff you can filter on..

I use a vpn connection as a 2nd gateway if you want an example of how the firewall rules would look.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
tarbugre

Ok, I know how to do that.
So then my doubt becomes another, how can I have the DHCP server group together IPs by their OS?

EX:

android devices: 192.168.0.10-192.168.0.90
windows devices: 192.168.0.91-192.168.0.150
linux devices: 192.168.0.151-192.168.0.200

Or maybe have a wild card to create an alias?

Android devices: fqn: android-*
windows devices: fqn: computer-*
apple devices: Iphone-*
johnpoz LAYER 8 Global Moderator

You could use a class to assign different pools to devices that start with a specific MAC address.. So that might allow you to identify say the maker of a device. You could use something vendor specific maybe, like how you can tell it's an IP phone..

Off the top.. Not sure how you would do that - seems like a pretty odd ball sort of thing.. Never heard of anyone wanting to do such a thing, and really don't see a point to doing it to be honest.. Clearly there are reasons why you might want to know it's an IP Phone vs say a Computer sort of device.. But not sure why anyone would want to give windows devices an IP address in 1 pool, and linux devices in another pool?? But I can look around..

Do you mind me asking - WHY??? I just can not see a reason to send windows out gateway A, and linux out gateway B… ??

But pretty sure the OS would be sending out some form of vendor info, so you could base your pool on that.. Let me sniff on what is sent from a windows and what is sent from a linux client..

Yeah so windows seems to send this as vendor, so you could use that for your pool.

Edit.. Just looked at a linux discover packet, ubuntu 14.04 and I don't see it sending any sort of vendor info.. Guess you could look to see if android sends it out, if so you could assume stuff that does not send vendor is linux ;)

(attached screenshot: vendor.png)
tarbugre

I don't mind at all, just for answering so quickly to my problems, I already admire you. Thank you so much.

The actual problem here is routing smartphones through wan1 and computers through wan2.

Smartphones are taking up all the bandwidth from my company and we can't get work done.
We do have 2 WANs so I thought I'd route the laptops through one wan, and the smartphones through the other wan.
Thus, having a manual true load balance here.

I saw that android phones have hostnames starting with "android-" and same goes for iphones.

I can't set a fixed ip on the laptops since they often leave the company and connect to other places.
I guess I could specify a lease to both nics (wired and wireless) for all 50 laptops, but that would suck.

Any ideas to help my case?
johnpoz LAYER 8 Global Moderator

How I would do it is just use a different wifi network.. To be honest smart phones normally shouldn't be on a network that has access to your normal network.. Are these WORK smartphones or personal phones of the employees?

So Work devices would connect to say SSID Work, lots of ways to control access to your wifi so only work devices can connect to it. Then you could let your smartphone users use your SSID Guest, that just lets anyone on that knows the password but can not access work stuff, etc.

Would have to know more about the hardware and setup, what you have to work with, for the best solution.. But creating reservations for all your work laptops should really be easy. Why would it have to be wired and wifi? You're saying your wifi and wired is all just on the same network segment? I would change that.. Then you could say all wifi just goes out gateway X to start with ;)
tarbugre

We are talking about a real estate company, and we ended up using whatsapp to communicate, so all smartphones are used for work.
The laptops often access the file server through wireless, because we have 3 conference rooms.

I have 2 wans -> pfsense and several access points. All on the same network to ensure access to the file server.
johnpoz LAYER 8 Global Moderator

Hmmm.. Well that is a very limited sort of setup.

I don't have an android device handy to figure out if it sends vendor specific info.. But you can sniff on your pfsense lan, limit it to say port 67 so you only catch dhcp traffic. Then have one of your linux devices, and your android devices get an IP.. Look to see if it sends a vendor specific ID.. If so then sure you can filter your dhcp on that so it uses a specific pool for IPs.

Might be easier to just create reservations for your laptops so they are always in a specific pool, then any other IPs go out your 2nd internet connection via policy routing.
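The DHCP-side classification johnpoz describes in his two posts above (a class keyed on the vendor class identifier, the hostname prefix, or the MAC vendor prefix), as an added example that is not from the thread and not pfSense's own code. pfSense configures its DHCP server's class matching in the GUI; this script only shows what a client puts on the wire in a DISCOVER and how a pool decision falls out of it. All packets, MAC addresses, hostnames and pool names are constructed for illustration, the OUI 00:11:22 is a placeholder rather than a real vendor, and the "MSFT 5.0" and "android-dhcp-<version>" vendor class values are what Windows and recent Android clients are known to send (the thread only verified the Windows one).

```python
# Added example for the DHCP classification discussed above; not code from
# the thread or from pfSense. Packets, MACs, hostnames and pool names below
# are constructed for illustration.
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_VENDOR_CLASS = 12, 53, 60


def build_discover(mac: bytes, options) -> bytes:
    """Build a minimal DHCPDISCOVER (RFC 2131 layout) for the sample corpus."""
    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0, xid, secs, flags(broadcast),
    # ciaddr, yiaddr, siaddr, giaddr  -> 28 bytes
    header = struct.pack("!BBBBIHHIIII", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         0, 0, 0, 0)
    chaddr = mac.ljust(16, b"\x00")          # 16-byte client hardware address field
    sname, file = bytes(64), bytes(128)      # unused legacy BOOTP fields
    body = header + chaddr + sname + file + MAGIC_COOKIE   # 240 bytes total
    opts = bytes([OPT_MSG_TYPE, 1, 1])       # option 53, message type 1 = DISCOVER
    for code, value in options:
        opts += bytes([code, len(value)]) + value
    return body + opts + b"\xff"             # 255 = end of options


def parse_dhcp(packet: bytes) -> dict:
    """Return the client MAC and a {option_code: bytes} map; reject malformed input."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = packet[2]
    if hlen > 16:
        raise ValueError("bad hlen")
    mac = packet[28:28 + hlen].hex(":")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                        # pad octet, no length byte
            i += 1
            continue
        if code == 255:                      # end option
            break
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return {"mac": mac, "options": options}


def classify(info: dict, oui_pools: dict) -> str:
    """Pick a pool the way a DHCP class rule would: vendor class first,
    then hostname prefix, then MAC OUI (vendor prefix), else the default pool."""
    opts = info["options"]
    vendor = opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace")
    host = opts.get(OPT_HOSTNAME, b"").decode("ascii", "replace").lower()
    if vendor.startswith("MSFT"):            # Windows clients send e.g. "MSFT 5.0"
        return "pool-windows"
    if vendor.startswith("android-dhcp") or host.startswith("android-"):
        return "pool-android"
    if host.startswith("iphone"):
        return "pool-apple"
    return oui_pools.get(info["mac"][:8], "pool-default")


# Constructed lab data. The OUI 00:11:22 is a placeholder, not a real vendor.
OUI_POOLS = {"00:11:22": "pool-laptops"}
SAMPLES = {
    "windows": build_discover(bytes.fromhex("001122aabbcc"),
                              [(OPT_HOSTNAME, b"DESKTOP-7Q2"), (OPT_VENDOR_CLASS, b"MSFT 5.0")]),
    "android": build_discover(bytes.fromhex("a1b2c3d4e5f6"),
                              [(OPT_HOSTNAME, b"android-4f3a9c"), (OPT_VENDOR_CLASS, b"android-dhcp-9")]),
    # No option 60 at all, matching what johnpoz saw from the Ubuntu client.
    "ubuntu": build_discover(bytes.fromhex("deadbeef0001"),
                             [(OPT_HOSTNAME, b"ubuntu-box")]),
    "laptop": build_discover(bytes.fromhex("0011223344ff"),
                             [(OPT_HOSTNAME, b"laptop-12")]),
    # Same Ubuntu MAC, but the client chose to send a Windows vendor class.
    "spoofed": build_discover(bytes.fromhex("deadbeef0001"),
                              [(OPT_HOSTNAME, b"ubuntu-box"), (OPT_VENDOR_CLASS, b"MSFT 5.0")]),
}


def classify_all(samples=SAMPLES) -> dict:
    """Run every sample DISCOVER through the classifier; returns {name: pool}."""
    return {name: classify(parse_dhcp(pkt), OUI_POOLS) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, pool in classify_all().items():
        print(f"{name:8} -> {pool}")
```

The "spoofed" sample is the point to take away: every field a DHCP class can match on (hostname, vendor class, even the MAC) is supplied by the client, so a pool derived this way is fine for the bandwidth split tarbugre wants but is not a security boundary. Reservations for the known laptops, or the separate wifi segment johnpoz suggests, are the dependable ways to decide which gateway a device gets.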
KOM

pfSense firewall rules have very limited OS fingerprinting that seems to have stopped around the Windows XP era. I'm with John though. Segment them some other way than OS.
tarbugre

All right! Thanks guys.
I guess I have some work to do.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.