Netgate Discussion Forum
    Split Tunnel with traffic selection

    Routing and Multi WAN
    meaglerick

      Hi,

      I hope this question is on topic in the Routing section, and not too redundant (I have looked for a solution in the forums but haven't found an answer). I have set up a split tunnel that uses two pfSense boxes in a point-to-point configuration. One is at the house, the other is a remote instance, to which I want to route the majority of my traffic. However, I want anything related to streaming services (Netflix, Amazon, Hulu) to go out my ISP gateway and not over the point-to-point VPN, to keep my internet costs down.

      However, when I have a Windows 10 client device at home resolve netflix.com, and then 10 seconds later my pfSense FW does a DNS query for netflix.com, ~20% of the results are different; I am using the same DNS server (Pi-hole), just not using the pfSense box as the DNS server. How do I keep this issue from breaking my tunnel? My pfSense box will route based off domain aliases in the interface rules section, so if it resolves a different IP than my client, the rule won't apply and my streaming traffic will go over the VPN tunnel.

      Thanks for any help you can provide.

      Konstanti @meaglerick

        @meaglerick
        Hey
        It's not easy to separate the traffic of streaming services from all other traffic.
        For example, the TTL (time to live) value for storing data in the DNS server cache about Netflix servers is about 1 min.
        Therefore, the responses from the DNS server may differ from what was received earlier.
        On this forum there have already been similar threads; you need to search for them.
        I solved this problem by creating my own module for PF that intercepts all responses from the DNS server and puts them in a PF table on which I can split traffic.

        For example,

        Oct 09 13:23:00 Get DNS response for server: android.prod.cloud.netflix.com
          Alias name(CNAME):  prod.cloud.geo.netflix.com
          Alias name(CNAME):  prod.cloud.eu-west-1.prodaa.netflix.com
          Domain name(ANAME):  prod.cloud.eu-west-1.prodaa.netflix.com
           IP address 18.202.190.126 will be added to table
          Domain name(ANAME):  prod.cloud.eu-west-1.prodaa.netflix.com
           IP address 18.203.1.253 will be added to table
          Domain name(ANAME):  prod.cloud.eu-west-1.prodaa.netflix.com
           IP address 34.247.78.137 will be added to table
          Total ip addresses to add 3, Succefully added 3 ip addresses  to table netflix_ip

        As you can see, I've found 268 Netflix hosts so far, and the list is constantly growing.

        Some are entered in such tables as entire subnets that belong to Netflix. But for this purpose it is necessary to analyze DNS traffic.

          meaglerick
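The approach Konstanti describes (intercept DNS responses, follow the CNAME chain to the A records, load those addresses into a pf table) as an added example in Python; this is not the dns_parser daemon's code. WATCHED_SUFFIXES is an assumed configuration and SAMPLE is a constructed response, not a capture. It also returns each address's TTL, because with Netflix answers cached for about a minute an entry should be dropped from the table once its TTL has expired.

```python
import struct
# Assumed configuration: query names under these suffixes feed the pf table "netflix_ip".
WATCHED_SUFFIXES = ("netflix.com.",)
def _read_name(msg, off):
    """Decode the DNS name at msg[off], following compression pointers (RFC 1035 4.1.4)."""
    labels, end, jumped = [], None, False
    for _ in range(128):                          # guard against pointer loops
        length = msg[off]
        if (length & 0xC0) == 0xC0:               # 2-byte compression pointer
            end = end if jumped else off + 2      # caller resumes after the first pointer
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels) + ".", (end if jumped else off)

def ips_for_table(msg):
    """Return {ip: ttl} for A records reached from a watched query name via its CNAME chain."""
    flags, qd, an = struct.unpack("!HHH", msg[2:8])
    if not flags & 0x8000 or flags & 0x000F:      # not a response, or RCODE != NOERROR
        return {}
    off, chain, result = 12, set(), {}
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        off += 4                                  # skip QTYPE + QCLASS
        if qname.endswith(WATCHED_SUFFIXES):
            chain.add(qname)
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if owner in chain and rtype == 5:         # CNAME: follow it, as the daemon log shows
            chain.add(_read_name(msg, off)[0])
        elif owner in chain and rtype == 1 and rdlen == 4:
            result[".".join(map(str, msg[off:off + 4]))] = ttl  # keep TTL to expire the entry
        off += rdlen
    return result
def _enc(name):                                   # wire-encode a name without compression
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
TARGET = "prod.cloud.eu-west-1.prodaa.netflix.com"
# Constructed sample (not a capture): CNAME -> TARGET, then two A records; the CNAME owner is a pointer (0xC00C) to the question name at offset 12.
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)
          + _enc("android.prod.cloud.netflix.com") + struct.pack("!HH", 1, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 60, len(_enc(TARGET))) + _enc(TARGET)
          + _enc(TARGET) + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([18, 202, 190, 126])
          + _enc(TARGET) + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([18, 203, 1, 253]))
```

The returned addresses are what a daemon would hand to `pfctl -t netflix_ip -T add <ip>`; a rule that passes traffic to the table via the ISP gateway then keeps streaming off the tunnel even when the client and the firewall receive different answers.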

          @Konstanti Thanks for the reply. I did look in the forums but wasn't sure how to do such a search, so I did not find anything on this problem specifically, though I do find a lot on split tunneling. I do appreciate you not just saying "do a search first."

          Is this module something you can share, or posted on the pfSense packages? I would love to use it as I think this solves the problem very well.

          Thank you.

            Konstanti @meaglerick

            @meaglerick said in Split Tunnel with traffic selection:

            It is a daemon (dns_parser) written in C that uses the Netgraph kernel system to filter traffic. And I wrote a small utility that saves and restores the contents of the tables in the database when you reload the rules.


            I need to think about how to explain to you how to set it up and run it.
            Send me your email in a private message.
