Specific OS traffic routing

  • Hi,

    I remember seeing somewhere that this was possible on pfsense, can anyone help me do it?
    I need to route specific OS through a specific wan.


    android devices -> wan1
    windows devices -> wan2
    linux devices -> wan3


  • LAYER 8 Global Moderator

    Yeah this is just policy based routing.. Create a firewall rule that pushes the traffic you want either based upon source IP, dest IP or dest port out your specific gateway.

    But pfs is not going to be able to detect that device is a linux based device send it out gateway 1, oh that is a windows based OS send it out gateway 2.. You're going to have to be able to filter on stuff you can filter on..

    I use a vpn connection as a 2nd gateway if you want an example of how the firewall rules would look.

  • Ok, I know how to do that.
    So then my doubt becomes another, how can I have DHCP server group together IPs by their OS?


    android devices
    windows devices
    linux devices

    Or maybe have a wild card to create an alias?
    Android devices
    fqn: android-*
    windows devices
    fqn: computer-*
    apple devices

  • LAYER 8 Global Moderator

    You could use a class to assign different pools to devices that start with a specific MAC address..  So that might allow you to identify say maker of a device.  You could use something vendor specific maybe, like how you can tell it's an IP phone..

    Off the top.. Not sure how you would do that - seems like a pretty oddball sort of thing.. Never heard of anyone wanting to do such a thing, and really don't see a point to doing it to be honest.. Clearly there are reasons why you might want to know it's an IP Phone vs say a Computer sort of device..  But not sure why anyone would want to give windows devices IP addresses in 1 pool, and linux devices in another pool??  But I can look around..

    Do you mind me asking - WHY???  I just can not see a reason to send windows out gateway A, and linux out gateway B… ??

    But pretty sure the OS would be sending out some form of vendor info, so you could base your pool on..  Let me sniff on what is sent from a windows and what is sent from a linux client..

    Yeah so windows seems to send this as vendor, so you could use that for your pool.

    Edit.. Just looked at a linux discover packet, ubuntu 14.04 and I don't see it sending any sort of vendor info.. Guess you could look to see if android sends it out, if so you could assume stuff that does not send vendor is linux ;)

    I don't mind at all, just for answering so quickly to my problems, I already admire you. Thank you so much.

    The actual problem here is routing smartphones through wan1 and computers through wan2.

    Smartphones are taking up all the bandwidth from my company and we can't get work done.
    We do have 2 WANs so I thought I'd route the laptops through one wan, and the smartphones through the other wan.
    Thus, having a manual true load balance here.

    I saw that android phones have hostnames starting with "android-" and the same goes for iPhones.

    I can't set a fixed IP on the laptops since they often leave the company and connect to other places.
    I guess I could specify a lease to both NICs (wired and wireless) for all 50 laptops, but that would suck.

    Any ideas to help my case?

  • LAYER 8 Global Moderator

    How I would do it is just use a different wifi network.. To be honest smart phones normally shouldn't be on a network that has access to your normal network..  Are these WORK smartphones or personal phones of the employees?

    So Work devices would connect to say SSID Work, lots of ways to control access to your wifi so only work devices can connect to it.  Then you could let your smartphone users use your SSID Guest, that just lets anyone on that knows password but can not access work stuff, etc.

    Would have to know more about the hardware and setup to what you have to work with for the best solution.. But creating reservations for all your work laptops should really be easy.  Why would it have to be wired and wifi?  You're saying your wifi and wired is all just on the same network segment?  I would change that.. Then you could say all wifi just goes out gateway X to start with ;)

    We are talking about a real estate company, and we ended up using whatsapp to communicate, so all smartphones are used for work.
    The laptops often access the file server through wireless, because we have 3 conference rooms.

    I have 2 wans -> pfsense and several access points. All on the same network to ensure access to the file server.

  • LAYER 8 Global Moderator

    Hmmm.. Well that is very limited sort of setup.

    I don't have an android device handy to figure out if it sends vendor specific info.. But you can sniff on your pfsense lan, limit it to say port 67 so you only catch dhcp traffic.  Then have one of your linux devices, and your android devices get an IP.. Look to see if it sends vendor specific ID..  If so then sure you can filter your dhcp on that so it uses a specific pool for IPs.

    Might be easier to just create reservations for your laptops so they are always in a specific pool, then any other IPs go out your 2nd internet connection via policy routing.
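    The two posts above (the moderator's sniffing of a Windows vs. Linux discover packet, and the suggestion to capture port 67 on the LAN and look for a vendor-specific ID) describe a check that can be done offline on the captured UDP payloads. The following is an added example, not code from the thread or from pfSense: a small stdlib-only parser for the DHCP options section that extracts option 12 (hostname) and option 60 (vendor class identifier) and maps a client to a pool name. The pool names, the "android-" hostname prefix (from the thread) and the "MSFT" vendor prefix (the value Windows clients send) are the only classification rules; everything else falls into a default pool, which matches the moderator's "no vendor info means assume Linux" heuristic. The `build_discover` helper only constructs test packets so the example runs without a capture.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 cookie at payload offset 236
OPT_HOSTNAME = 12
OPT_MSG_TYPE = 53
OPT_VENDOR_CLASS = 60
OPT_PAD, OPT_END = 0, 255

# Illustrative pool names (assumption: you would map these onto whatever
# DHCP pools / firewall aliases you policy-route out each WAN).
POOL_WINDOWS, POOL_PHONES, POOL_OTHER = "pool-windows", "pool-phones", "pool-other"


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the options section of a DHCP message (the UDP payload seen on port 67).

    Returns {option_code: raw_bytes}. Pads are skipped, END stops parsing, and a
    truncated option raises rather than silently yielding a partial value.
    """
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    opts = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def classify_client(opts: dict) -> str:
    """Pick a pool from the hostname / vendor class a client announced.

    Both fields are client-supplied and unauthenticated, so this is only a
    convenience grouping, not an access-control decision.
    """
    vendor = opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace")
    hostname = opts.get(OPT_HOSTNAME, b"").decode("ascii", "replace").lower()
    if vendor.startswith("MSFT"):          # Windows DHCP client vendor class
        return POOL_WINDOWS
    if hostname.startswith("android-"):    # hostname pattern noted in the thread
        return POOL_PHONES
    return POOL_OTHER                      # no vendor info: the "assume Linux" bucket


def build_discover(mac: bytes, hostname: str = None, vendor_class: str = None) -> bytes:
    """Construct a minimal DHCPDISCOVER payload (constructed test data, not a capture)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,            # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        0x12345678, 0, 0x8000,  # xid, secs, flags (broadcast)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    options = bytes([OPT_MSG_TYPE, 1, 1])  # DHCPDISCOVER
    if hostname:
        options += bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode()
    if vendor_class:
        options += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class.encode()
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


if __name__ == "__main__":
    samples = {
        "windows laptop": build_discover(b"\x00\x11\x22\x33\x44\x55", "DESKTOP-1A2B", "MSFT 5.0"),
        "android phone":  build_discover(b"\x66\x77\x88\x99\xaa\xbb", "android-3f2a1b"),
        "linux box":      build_discover(b"\xcc\xdd\xee\xff\x00\x11", "ubuntu"),
    }
    for label, pkt in samples.items():
        print(f"{label:14s} -> {classify_client(parse_dhcp_options(pkt))}")
```

To run it against real traffic, capture on the LAN with the port 67 filter the moderator mentions, strip the Ethernet/IP/UDP headers, and hand each UDP payload to `parse_dhcp_options`; the raw option 60 value is what you would then use when defining a DHCP class for a pool.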

  • pfSense firewall rules have very limited OS fingerprinting that seems to have stopped around Windows XP era.  I'm with John though.  Segment them some other way than OS.

  • All right! Thanks guys.
    I guess I have some work to do.
