How to consistently bypass vpn gateway for macys.com



  • Hey there,
I have a problem with accessing macys.com from an interface that routes all traffic through VPN, so I decided to create an alias for websites that don't work through VPN and redirect them through WAN.
    For that I created an Alias:
    [attached screenshot: Screen Shot 2019-10-20 at 12.02.14 AM.png]
    and added a new firewall rule to route through the WAN gateway
    [attached screenshot: Screen Shot 2019-10-19 at 11.56.14 PM.png]
    The problem is that most of the time the website macys.com returns: Access Denied
    You don't have permission to access the requested URL on this server.

And only sometimes could I reach the macys.com website.

Also I have tried to add the IP addresses that DNS Lookup returns for macys.com, but there are so many that after ~15 I stopped.

Maybe somebody has solved such an issue successfully or has more experience and could help?



  • Make sure that on your VPN Client Set-Up page you have not ticked the "Pull Routes" option. If ticked, that will cause all of your traffic to use the gateway IP provided by the VPN provider for the "default gateway". Almost 100% of the VPN provider setup instructions tell you to check that box because they want all of your traffic to hit their gateway.

    You need to uncheck that box and then use policy routing on pfSense along with your alias.

Another problem you can run into with some sites is that they may be behind a CDN and thus have dozens of IP addresses. So it can happen in that situation that when your LAN client asks for a macys.com IP address, it gets a newer, different one than the filterdns client on the firewall received earlier and used to update the FQDN alias. Or stated simply, when your client and the firewall ask for the IP of a CDN host, each can potentially receive a different IP depending on how the CDN does round-robin and how long the TTL is for the domain A record.



  • @bmeeks
    Thanks for looking,
Are you talking about this option in VPN/OpenVpn/Clients:
    [attached screenshot: Screen Shot 2019-10-20 at 7.57.00 PM.png]
    Also I have the following lines added in the Advanced Configuration/Custom options:
    [attached screenshot: Screen Shot 2019-10-20 at 7.59.40 PM.png]
    I have directly set the WAN gateway in the Advanced options of the firewall rule for the sites_must_use_WAN alias.

    I suspect that macys.com has multiple IP addresses but don't know if there is any reliable solution to dynamically find them and update the IP pool each time they change.



  • @ady2 said in How to consistently bypass vpn gateway for macys.com:

    @bmeeks
    Thanks for looking,
Are you talking about this option in VPN/OpenVpn/Clients:
    [attached screenshot: Screen Shot 2019-10-20 at 7.57.00 PM.png]
    Also I have the following lines added in the Advanced Configuration/Custom options:
    [attached screenshot: Screen Shot 2019-10-20 at 7.59.40 PM.png]
    I have directly set the WAN gateway in the Advanced options of the firewall rule for the sites_must_use_WAN alias.

    I suspect that macys.com has multiple IP addresses but don't know if there is any reliable solution to dynamically find them and update the IP pool each time they change.

    Yes, that's it. I'm sorry, but I had the logic backwards. You need to "check" that box. I don't use a VPN service.

    Yes, macys.com might have multiple IP addresses, but I am getting only a single one returned for the moment. It is possible that single one might change, though. It's one of the hassles involved with using a VPN service. I am not a fan and neither are several other pfSense users. We spend a lot of time on the board walking folks through blocked sites and other connection difficulties caused by using a VPN service. They really offer no value-add in my opinion, and especially so considering the connectivity grief they can cause.



  • @bmeeks
macys.com has a lot of IP addresses, as if you check each time you will see they are different (maybe not each time, but every other time). And the DNS lookup is returning only one IP address for macys.com each time.

    Regarding VPN service usage, probably you are right, there is more marketing. The real benefits in real life are not so great, or even nonexistent, as they could sell our data the same as our internet providers.

    I was hoping that there would be a way to make an alias for a website and block or allow or redirect it how you like (for example, I found that there are some aliases for Amazon and Netflix in pfBlockerNG), but I was not able to find by googling how to identify all the IP addresses for a website, as they could change and you actually will need to update that pool.

    Thanks @bmeeks, appreciated.



  • @ady2 said in How to consistently bypass vpn gateway for macys.com:

    @bmeeks
macys.com has a lot of IP addresses, as if you check each time you will see they are different (maybe not each time, but every other time). And the DNS lookup is returning only one IP address for macys.com each time.

    Regarding VPN service usage, probably you are right, there is more marketing. The real benefits in real life are not so great, or even nonexistent, as they could sell our data the same as our internet providers.

    I was hoping that there would be a way to make an alias for a website and block or allow or redirect it how you like (for example, I found that there are some aliases for Amazon and Netflix in pfBlockerNG), but I was not able to find by googling how to identify all the IP addresses for a website, as they could change and you actually will need to update that pool.

    Thanks @bmeeks, appreciated.

    Some domains are popular enough to warrant folks maintaining all or most of their IP space in lists that pfBlocker can download. Think Google, Amazon, YouTube, Facebook, etc. However, many other retail sites are not so lucky.

As I mentioned earlier, because of all the difficulties with streaming services and such, I just am not a VPN fan. I use a VPN only for a secure connection back into my LAN from the Internet. So I run the OpenVPN server on my firewall and have a client on my mobile devices. Remote access and extending a LAN to remote office locations (point-to-point VPN) are the only two reasons I consider good reasons to use a VPN. The privacy thing does not get me excited.
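To make the race bmeeks describes concrete (the CDN hands out one address per query from a rotating pool, filterdns refreshes the alias table on its own schedule, and the LAN client caches its own answer), here is a small simulation. It is an added example, not code from this thread or from pfSense: the address pool uses RFC 5737 documentation addresses, the round-robin resolver, `FqdnAlias`, `LanClient`, `simulate` and `observed_pool` are all constructed for illustration, and the 300-second refresh is pfSense's default alias resolve interval. The `known_pool` case stands in for the pfBlockerNG-style maintained list of a site's whole address space mentioned in the last reply.

```python
"""Model of the DNS race behind a missed FQDN-alias match (constructed example).

Assumptions, none taken from the thread: the CDN's authoritative DNS returns
one address per query, cycling through a small pool, with a 60 s TTL;
pfSense's filterdns re-resolves the alias every 300 s and keeps only what it
just received; the LAN client resolves the same name on its own and caches
the answer for the TTL.
"""
import itertools
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# RFC 5737 documentation addresses standing in for a CDN pool (constructed).
CDN_POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]
TTL = 60              # seconds a resolver may cache one answer
ALIAS_REFRESH = 300   # seconds between filterdns re-resolutions (pfSense default)


class RoundRobinDns:
    """Hands out one address per query, cycling through the pool (constructed)."""

    def __init__(self, pool):
        self._cycle = itertools.cycle(pool)

    def resolve(self) -> str:
        return next(self._cycle)


@dataclass
class FqdnAlias:
    """The firewall's view: the address table filterdns fills for the alias."""
    dns: RoundRobinDns
    refresh: int
    addrs: Set[str] = field(default_factory=set)
    next_refresh: int = 0

    def tick(self, now: int) -> None:
        if now >= self.next_refresh:
            self.addrs = {self.dns.resolve()}   # table is replaced, not merged
            self.next_refresh = now + self.refresh


@dataclass
class LanClient:
    """The client's view: its own cached answer for the same name."""
    dns: RoundRobinDns
    ttl: int
    cached: Optional[str] = None
    expires: int = -1

    def lookup(self, now: int) -> str:
        if self.cached is None or now >= self.expires:
            self.cached = self.dns.resolve()
            self.expires = now + self.ttl
        return self.cached


def simulate(duration: int = 3600, step: int = 30, pool=CDN_POOL, ttl: int = TTL,
             refresh: int = ALIAS_REFRESH,
             known_pool: Optional[Set[str]] = None) -> Dict[str, int]:
    """Count client connections whose destination is / is not in the alias table.

    A miss means the policy-routing rule does not fire and the packet falls
    through to the VPN default gateway. With known_pool (a maintained list of
    the site's whole address space) the alias is static and never refreshed.
    """
    dns = RoundRobinDns(pool)          # one resolver shared by both parties
    alias = FqdnAlias(dns, refresh, addrs=set(known_pool) if known_pool else set())
    client = LanClient(dns, ttl)
    matched = missed = 0
    for now in range(0, duration, step):
        if known_pool is None:
            alias.tick(now)
        if client.lookup(now) in alias.addrs:
            matched += 1
        else:
            missed += 1
    return {"matched": matched, "missed": missed}


def observed_pool(resolve: Callable[[], str], queries: int) -> Set[str]:
    """Collect the distinct answers seen over repeated queries.

    Against a live resolver you would pass e.g.
    lambda: socket.gethostbyname("example.com"); here the constructed
    RoundRobinDns is used so the example runs offline.
    """
    return {resolve() for _ in range(queries)}


if __name__ == "__main__":
    print("fqdn alias only:", simulate())
    print("full pool known:", simulate(known_pool=set(CDN_POOL)))
    seen = observed_pool(RoundRobinDns(CDN_POOL).resolve, 8)
    print("addresses seen in 8 queries:", sorted(seen))
```

With one address in the alias table at a time and four in rotation, the rule matches only a fraction of the client's connections (24 of 120 in this run), which is the intermittent "Access Denied" the thread describes; with the whole pool in the table it matches every time. Repeated `observed_pool` sampling against a live resolver is how one gathers such a list by hand, but it can only show which addresses were seen, never that the list is complete, which is why a maintained feed is the more reliable source.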

