Split Tunnel with traffic selection
-
Hi,
I hope this question is on topic in the Routing section, and not too redundant (I have looked for a solution in the forums but haven't found an answer). I have set up a split tunnel that uses two pfSense boxes in a point-to-point configuration. One is at the house, the other is a remote instance, where I want to route the majority of my traffic to. However, I want anything related to streaming services (Netflix, Amazon, Hulu) to go out my ISP gateway and not over the point-to-point VPN, to keep my internet costs down.
However, when I have a Windows 10 client device at home resolve netflix.com, and then 10 seconds later my pfSense FW does a DNS query for netflix.com, ~20% of the results are different; I am using the same DNS server (Pi-hole), just not using the pfSense box as the DNS server. How do I keep this issue from breaking my tunnel? My pfSense box will route based off domain aliases in the interface rules section, so if it resolves a different IP than my client, the rule won't apply and my streaming traffic will go over the VPN tunnel.
Thanks for any help you can provide.
-
@meaglerick
Hey
It's not easy to separate the traffic of streaming services from all other traffic.
For example, the TTL (Time to live) value for storing data in the DNS server cache about Netflix servers is about 1 min.
Therefore, the responses from the DNS server may differ from what was received earlier.
On this forum there have already been similar threads, it is necessary to look.
I solved this problem by creating my own module for PF that intercepts all responses from the DNS server and puts them in a PF table on which I can split traffic. For example,
Oct 09 13:23:00 Get DNS response for server: android.prod.cloud.netflix.com
Alias name(CNAME): prod.cloud.geo.netflix.com
Alias name(CNAME): prod.cloud.eu-west-1.prodaa.netflix.com
Domain name(ANAME): prod.cloud.eu-west-1.prodaa.netflix.com IP address 18.202.190.126 will be added to table
Domain name(ANAME): prod.cloud.eu-west-1.prodaa.netflix.com IP address 18.203.1.253 will be added to table
Domain name(ANAME): prod.cloud.eu-west-1.prodaa.netflix.com IP address 34.247.78.137 will be added to table
Total ip addresses to add 3, Succefully added 3 ip addresses to table netflix_ip
As you can see, I've found 268 Netflix hosts so far, and the list is constantly growing
Some are entered in such tables from the entire subnet, which belongs to Netflix. But for this purpose it is necessary to analyze DNS traffic.
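The approach described in this reply (look at the DNS answers the clients actually receive, follow the CNAME chain, and load the resulting addresses into a PF table that a policy-routing rule can match) as an added Python example. This is not Konstanti's dns_parser daemon or anything shipped with pfSense; it only shows the parsing and table-building logic in user space. The DNS response bytes are constructed here from the log excerpt above (same names, same three addresses, a 60 s TTL as the post describes), the suffix list and the www.example.com response are constructed test data, and the table name netflix_ip is taken from the log. The pfctl command is built as a string and not executed.

```python
import ipaddress
import struct

# Domains whose resolved addresses should bypass the VPN (assumed list).
STREAMING_SUFFIXES = ("netflix.com", "hulu.com")
TYPE_A, TYPE_CNAME = 1, 5


def encode_name(name):
    """Encode a dotted name in DNS label format (used only to build the samples)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(msg, offset):
    """Decode a name, following RFC 1035 compression pointers; returns (name, end of field)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # two-byte pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2             # the field at the call site ends after the pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), (end if end is not None else offset)


def parse_answers(msg):
    """Return (owner, type, ttl, rdata) for every record in the answer section."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                 # skip the question section
        _, off = read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_CNAME:
            rdata, _ = read_name(msg, off)
        elif rtype == TYPE_A and rdlen == 4:
            rdata = str(ipaddress.IPv4Address(msg[off:off + 4]))
        else:
            rdata = msg[off:off + rdlen]
        off += rdlen
        records.append((owner, rtype, ttl, rdata))
    return records


def matches(name, suffixes):
    return any(name == s or name.endswith("." + s) for s in suffixes)


def streaming_ips(msg, suffixes=STREAMING_SUFFIXES):
    """Collect A records reachable from a streaming name via its CNAME chain.
    Returns (sorted IPs, smallest TTL among them) so the caller knows when to refresh."""
    records = parse_answers(msg)
    tracked = {owner for owner, _, _, _ in records if matches(owner, suffixes)}
    grew = True
    while grew:                              # follow CNAMEs, even into CDN names outside the list
        grew = False
        for owner, rtype, _, target in records:
            if rtype == TYPE_CNAME and owner in tracked and target not in tracked:
                tracked.add(target)
                grew = True
    hits = [(ttl, ip) for owner, rtype, ttl, ip in records if rtype == TYPE_A and owner in tracked]
    ips = sorted({ip for _, ip in hits}, key=ipaddress.IPv4Address)
    return ips, (min(ttl for ttl, _ in hits) if hits else None)


def pfctl_add_command(table, ips):
    """Build (but do not run) the pfctl invocation that loads addresses into a table."""
    return "pfctl -t %s -T add %s" % (table, " ".join(ips))


def _build_response(qname, answers):
    """Constructed DNS response: one question, answers as (owner, type, ttl, rdata bytes)."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for owner, rtype, ttl, rdata in answers:
        owner_bytes = b"\xc0\x0c" if owner == qname else encode_name(owner)  # pointer to offset 12
        msg += owner_bytes + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


# Sample 1: the chain from the log excerpt in the post (constructed bytes, 60 s TTL).
_Q, _C1 = "android.prod.cloud.netflix.com", "prod.cloud.geo.netflix.com"
_C2 = "prod.cloud.eu-west-1.prodaa.netflix.com"
SAMPLE_NETFLIX_RESPONSE = _build_response(_Q, [
    (_Q, TYPE_CNAME, 60, encode_name(_C1)),
    (_C1, TYPE_CNAME, 60, encode_name(_C2)),
] + [(_C2, TYPE_A, 60, ipaddress.IPv4Address(ip).packed)
     for ip in ("18.202.190.126", "18.203.1.253", "34.247.78.137")])

# Sample 2: an unrelated name with a TEST-NET address; nothing should be added.
SAMPLE_OTHER_RESPONSE = _build_response("www.example.com", [
    ("www.example.com", TYPE_A, 300, ipaddress.IPv4Address("192.0.2.10").packed),
])

if __name__ == "__main__":
    ips, ttl = streaming_ips(SAMPLE_NETFLIX_RESPONSE)
    print(pfctl_add_command("netflix_ip", ips), "# refresh within %s s" % ttl)
    print(streaming_ips(SAMPLE_OTHER_RESPONSE))
```

The point of following the CNAME chain from the queried name rather than matching only the owner of each A record is that a streaming host frequently ends in a CDN name that is not on any suffix list; the chain is what ties that address back to the service. The returned minimum TTL is the window in which the table entry is trustworthy, which is also why a static alias resolved by the firewall on its own schedule drifts away from what the client was told.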
-
@Konstanti Thanks for the reply. I did look in the forums but wasn't sure how to do such a search, so I did not find anything on this problem specifically, though I do find a lot on split tunneling. I do appreciate not just saying "do a search first."
Is this module something you can share, or posted on the pfSense packages? I would love to use it as I think this solves the problem very well.
Thank you.
-
@meaglerick said in Split Tunnel with traffic selection:
It is a daemon (dns_parser) written in C that uses the Netgraph kernel system to filter traffic. And I wrote a small utility that saves and restores the contents of the tables in the database when you reload the rules.
I need to think about how to explain to you how to set it up and run it.
Write me in private messages your email