Domain/hostname based routing?



  • I have been researching how to route specific traffic differently, e.g. route traffic to certain sites through a VPN. The obvious solution was that you set up an FQDN alias and do PBR for that alias. That's not real domain/hostname-based routing and relies on the IP being the same between the alias update and a client actually requesting the site. It might work well for smaller sites but not for larger sites with large pools of IPs.

    Since domain/hostname is at L7, I think we need some proxy involved. Here is what I have in mind:

    A WAN and a VPN interface, a LAN1 and a LAN2 interface. Proxy1 listens on LAN1 and Proxy2 listens on LAN2, both as transparent proxies. All client computers connect on LAN1.

    Proxy1 filters specific traffic containing the domain/hostname in question and forwards it to Proxy2, and processes the rest of the traffic itself. Proxy2 just works like a normal proxy.

    Have PBR set up to guide traffic from LAN1 to WAN and LAN2 to VPN. Done.

    I believe at least Squid can be set up like this: https://www.rootusers.com/configure-squid-proxy-to-forward-to-a-parent-proxy/. Perhaps it's something beyond the scope of the WebGUI but still feasible.

    The biggest problem I see here is that pfSense can only apply firewall rules (thus PBR) on inbound traffic, so once it gets to the proxy it cannot be redirected. However, I read that floating rules can work around this restriction. If not, I think one can always move Proxy2 to a dedicated server connected to LAN2 and be done with it.

    Last but not least, this would only work with HTTP, so it only solves part of the problem. Not sure if Squid or other proxies can work with HTTPS and/or other protocols, but HTTP is what we see most anyway. Nowadays more and more traffic is HTTPS just for the sake of it, so this might be a problem. If the proxy can still see the URLs itself (it should, or how could it be routed normally?) then this should still work. Nevertheless, one can at least deploy the proxies as a man-in-the-middle for HTTPS, which shouldn't be a big problem as long as you own both the client and the proxy.

    So, what are your thoughts on this? Do you think I am on the right track?
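
    As an added example (not code from the original post, from pfSense or from Squid): the hostname-based decision Proxy1 has to make, written out in self-contained Python. It recovers the destination hostname from the first bytes a client sends, either the HTTP Host header for plaintext requests or the TLS SNI extension for HTTPS (SNI is sent in the clear in the ClientHello, so no decryption is needed for the routing decision), then matches it against a Squid-style dstdomain list where a leading dot matches the domain and all its subdomains. The domain list, the upstream names `proxy2-vpn` and `direct-wan`, and the ClientHello builder used to create test input are all assumptions for the example. In Squid itself the same decision is expressed with `acl ... dstdomain`, `cache_peer`, `cache_peer_access` and `never_direct`.

```python
"""
Hostname-based upstream selection for a transparent proxy (constructed example).

Given the first bytes a client sends on a connection, recover the destination
hostname without decrypting anything (HTTP Host header, or TLS SNI), then pick
an upstream the way a Squid dstdomain ACL would.
"""
import struct

# Hypothetical routing table: dstdomain-style patterns that should leave via
# the VPN-side parent proxy. ".example.com" matches example.com and subdomains.
VPN_DOMAINS = {".example.com", "video.example.net"}
ROUTE_VPN = "proxy2-vpn"        # parent proxy on LAN2, egresses through the VPN
ROUTE_DIRECT = "direct-wan"     # handled by Proxy1 itself, egresses via WAN
ROUTE_UNKNOWN = "unclassified"  # hostname could not be recovered


def dstdomain_match(host, pattern):
    """Squid dstdomain semantics: leading dot = domain plus all subdomains."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def strip_port(hostport):
    """Drop a :port suffix, handling bracketed IPv6 literals."""
    if hostport.startswith("["):
        return hostport[1:hostport.find("]")]
    return hostport.split(":", 1)[0]


def host_from_http(data):
    """Return the Host header of a plaintext HTTP/1.x request, or None."""
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        return None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return strip_port(value.strip().decode("ascii", "replace"))
    return None


def sni_from_client_hello(data):
    """Return the SNI host_name from a TLS ClientHello record, or None.

    Walks the record and handshake headers, skips session id, cipher suites
    and compression methods, then scans the extension list for type 0 (SNI).
    Any truncation or malformed length raises and is reported as None.
    """
    try:
        if data[0] != 0x16:                      # TLS record type: handshake
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                        # handshake type: ClientHello
            return None
        pos = 4 + 2 + 32                         # hs header, client_version, random
        pos += 1 + hs[pos]                       # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                       # compression_methods
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            body = hs[pos:pos + elen]
            pos += elen
            if etype == 0:                       # server_name extension
                list_len = struct.unpack("!H", body[:2])[0]
                p = 2
                while p + 3 <= 2 + list_len:
                    ntype = body[p]
                    nlen = struct.unpack("!H", body[p + 1:p + 3])[0]
                    p += 3
                    if ntype == 0:               # name_type host_name
                        return body[p:p + nlen].decode("ascii")
                    p += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello carrying SNI (test input only)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x11" * 32               # client_version, random
            + b"\x00"                                # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # one compression method
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def choose_route(data):
    """Return (upstream, hostname) for the first bytes of a client connection."""
    host = sni_from_client_hello(data) if data[:1] == b"\x16" else host_from_http(data)
    if host is None:
        # Fail-open to WAN would leak traffic meant for the VPN; report it
        # separately so the caller can decide to block instead.
        return ROUTE_UNKNOWN, None
    if any(dstdomain_match(host, p) for p in VPN_DOMAINS):
        return ROUTE_VPN, host
    return ROUTE_DIRECT, host


if __name__ == "__main__":
    print(choose_route(build_client_hello("www.example.com")))
    print(choose_route(b"GET / HTTP/1.1\r\nHost: notexample.com:8080\r\n\r\n"))
```

    The `unclassified` result is the part worth thinking about in a VPN-steering setup: a connection whose hostname cannot be read (non-HTTP protocol, TLS without SNI, encrypted ClientHello) cannot be matched by name at all, so the only choices are a default path or a block, and which one is right depends on whether the goal is convenience or not leaking those sites onto the WAN.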



  • @ender117 said in Domain/hostname based routing?:

    The biggest problem I see here is that pfSense can only apply firewall rules (thus PBR) on inbound traffic, so once it gets to the proxy it cannot be redirected. However, I read that floating rules can work around this restriction. If not, I think one can always move Proxy2 to a dedicated server connected to LAN2 and be done with it.

    Floating rules can't solve this problem; they are equally unable to redirect traffic that has already entered the system. The limitation is in FreeBSD's own implementation of the PF packet filter, and it prevents policy-based routing on traffic that is going out on an interface.



  • @kpa said in Domain/hostname based routing?:

    @ender117 said in Domain/hostname based routing?:

    The biggest problem I see here is that pfSense can only apply firewall rules (thus PBR) on inbound traffic, so once it gets to the proxy it cannot be redirected. However, I read that floating rules can work around this restriction. If not, I think one can always move Proxy2 to a dedicated server connected to LAN2 and be done with it.

    Floating rules can't solve this problem; they are equally unable to redirect traffic that has already entered the system. The limitation is in FreeBSD's own implementation of the PF packet filter, and it prevents policy-based routing on traffic that is going out on an interface.

    That's what I heard as well. But according to the pfSense documentation:

    Floating Rules can:

    Filter traffic from the firewall itself
    Filter traffic in the outbound direction (all other tabs are Inbound processing only)
    Apply rules to multiple interfaces
    Apply filtering in a “last match wins” way rather than “first match wins” (quick)
    Apply traffic shaping to match traffic but not affect its pass/block action
    Much more.

    https://www.netgate.com/docs/pfsense/firewall/floating-rules.html

    I cannot see any other way to understand the first 2 points.



  • All correct, but the document makes no mention of policy-based routing in the outgoing direction, which is not possible in pfSense with either normal rules or floating rules. PBR in the inbound direction works just fine with floating rules, just like it does with normal rules.



  • @kpa said in Domain/hostname based routing?:

    All correct, but the document makes no mention of policy-based routing in the outgoing direction, which is not possible in pfSense with either normal rules or floating rules. PBR in the inbound direction works just fine with floating rules, just like it does with normal rules.

    Oh, I just assumed that PBR is just a firewall action like pass/drop, so if you can apply a firewall rule you can PBR. Looks like things are a bit more complex.

    Anyway, if Proxy2 is set up on a dedicated VM instead of pfSense, then it should work? It might be a bit too complicated though.

