Router 1 (College Campus) : 10.1.0.1/16
Router 2 (ISP Router) : 10.1.0.4/16
Both Routers connected to each other. Hence R1, R2, pfSense WAN on same layer 2 network.

pfSense :
WAN 1 : 10.1.0.2/30 Gateway : 10.1.0.1 (Default Route)
WAN 2 : 10.1.0.5/30 Gateway : 10.1.0.4
LAN 1 : 192.168.1.1/24

Firewall Rules for LAN :
Alias containing FQDN of all websites :

LAN Firewall Rules :

Traceroute Diagnostics :

Results :

Test (if BlockedWebsites firewall rule is disabled)

So yes, I believe that Sophos ( the firewall which my campus uses) blocks access to the TLD name, hence blocking any chance of redirect. So I guess I was partly right in saying that Sophos can't really block CDNs since many websites originate from the very same CDN.

Also, I still can't understand properly what causes so much trouble if both the gateways are on the same subnet.

Why did you start another thread?

Because I though topics are different, the other thread is just asking for URL based routing (not necessarily about gateways on same subnet).

@johnpoz said in Possible to select gateway based on URL ?:

Where client only uses 1 gateway..
There is a VM hooked behind pfSense, through which I am doing all the tests. Hence all traffic is infact flowing through pfSense (the only gateway on the VM).

I guess the whole issue is because both my gateways are on the same subnet. I'll try moving them to separate subnets, see if things work.

And your whole setup is BORKED, from reading that other thread.. If you want to policy route than you need to have both wan connections routed through pfsense.. Where client only uses 1 gateway..

again.. msn.com doesn't do anything but redirect you to a different IP.. So that is not going to work..

I believe that my campus internet is blocking access to msn.com also, since I can successfully ping www.msn.com but not msn.com. Also, since a lot of content is hosted through (microsoft) CDN (bing works), I believe that the block is at the first level only, preventing msn.com from loading up, hence no redirects, and the page fails to loads up.

@johnpoz said in Possible to select gateway based on URL ?:

because your policy route is for tcp only.

Tried with all protocols, still no success.

@johnpoz said in Possible to select gateway based on URL ?:

Did you validate your table shows the IPs?

I'll post updates once I'm back home.

@johnpoz said in Possible to select gateway based on URL ?:

Have you validated your gateway even works - route all your traffic through it

Yes. My secondary gateway works (no blocks) if I set it up as the sole gateway on pfSense.

However, if I setup my secondary gateway by going under System > Routing, and then create a firewall rule for this second gateway, even then this rule doesn't apply and all my traffic gets routed through the first gateway regardless of any firewall rules.

@dr_tech said in Possible to select gateway based on URL ?:

Gateways :

I tried pinging msn.com

again.. msn.com doesn't do anything but redirect you to a different IP.. So that is not going to work..

curl msn.com
<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="http://www.msn.com/">here</a></body>

Which is a different IP.

$ dig msn.com +short
13.82.28.61

$ dig www.msn.com +short
www-msn-com.a-0003.a-msedge.net.
a-0003.a-msedge.net.
204.79.197.203

And your ping wouldn't ever go through that policy route, because your policy route is for tcp only.

Did you validate your table shows the IPs?

example

Have you validated your gateway even works - route all your traffic through it.. Do a traceroute showing your path that will be taken.. Via the IP your trying to hit, etc.

IPv6

No, I don't have IPv6 on any of my gateways.

Also, as far as DOH is concerned, I tried pinging msn.com, x1337x.ws, and other similar blocked sites directly through Windows Ping utility, and the resolved IP is the same as what pfSense DNS lookup shows.

(hoping that the resolved DNS IP gets refreshed once every while)

They do, by default every 5 minutes.

I would suggest you actually validate the table you created contains the IPs you expect to be using, and what your client is using to get there.

Also with browsers using their own dns via doh, you can run into a whole different problem were they resolve something different than pfsense did.

For such aliases to work for firewall rules, you need to make sure your client is actually resolving via pfsense, so you more likely to have the client trying to go to the IP that pfsense has for the www.domain.tld it resolved, etc.

Another issue - are you even using IPv4 to get there, many sites these days have IPv6, your x1337x.ws example

104.31.68.27	A
172.67.218.132	A
104.31.69.27	A
2606:4700:3034::681f:441b	AAAA
2606:4700:3030::ac43:da84	AAAA
2606:4700:3030::681f:451b	AAAA

So did you client try and use IPv6 to get there, if so then it wouldn't be forced out your gateway because its only a IPv4 rule, etc.

Hosted off CDN.. that IPs will change all the time, etc. And the IPs are different..

Yes, that is why I thought of using DNS names instead of explicit IP addresses in the first place (hoping that the resolved DNS IP gets refreshed once every while), providing a better firewall rule than just using a static IP.

@johnpoz said in Possible to select gateway based on URL ?:

For starters which is is x133x or x1337x ??

I'm sorry, it's x1337x.ws. It was a typo that I corrected soon afterwards. Still it doesn't work.

You have alias that is different then what you put in the browser

Do a simple traceroute to show you which path your taking

Your msn is going to be difficult because you put in msn.com but that redirects to www.msn.com

which is a cname anyway.

;; ANSWER SECTION:
www.msn.com.            21591   IN      CNAME   www-msn-com.a-0003.a-msedge.net.
www-msn-com.a-0003.a-msedge.net. 3591 IN CNAME  a-0003.a-msedge.net.
a-0003.a-msedge.net.    3591    IN      A       204.79.197.203

Hosted off CDN.. that IPs will change all the time, etc. And the IPs are different..

Firewall Alias :

Firewall Rule For LAN :

Test Results :

x133x.ws,

Please show the firewall rule and gateway settings

However, there's no change when I try to access the website, even a traceroute shows that the gateway being is used is that of the campus internet connection.

see Policy Based Routing:
https://docs.netgate.com/pfsense/en/latest/book/multiwan/policy-routing-configuration.html