Does pfSense support sub domain policy based routing
-
Hi,
I am new to pfSense; does pfSense support sub domain policy based routing?
Example:
a firewall rule; src - 10.x.x.x, dest - nflxvideo.net routed to WAN2
will cover and route traffic to wan 2 for; src - 10.x.x.x, dest - ica.ny-32xx.oca.nflxvideo.net ?
Thank you
-
@network-stack-445
No, not out of the box. pfSense filters on L3. The hostname is placed in the host header, which is only available on L7. You can install the HAproxy package and configure it properly to do this: https://docs.netgate.com/pfsense/en/latest/packages/haproxy.html
-
@network-stack-445 What you could do is to gather all the IP addresses associated with those domains, put each domain's IPs in an alias and then create two rules that route accordingly based on the aliases as the destination.
-
Thank you very much guys; appreciate your replies.
Please guide me to the best method to bypass Netflix traffic (which includes AWS too; that's ok to bypass too). Though not source based, only destination based.
Requirement: is for entire LAN to bypass VPN only for Netflix domains/IPs.
I looked at https://ipinfo.io/AS40027 to get the IP addresses and put a rule for it,
but that will get out of hand should NFLX change IPs.
(I can write some python and make an Extended Dynamic List as well, trying not to..) So I am looking for a dynamic solution.
With HAProxy, are we saying it should be used as a transparent proxy;
firewall to say src - proxy, route to WAN2 (non VPN)?
Thank you
-
I looked at the https://ipinfo.io/AS40027 to get the IP Addresses and put a rule for it
But that will get out of hand should NFLX change IPs
(I can write some python and make an Extended Dynamic List as well, trying not to..)
Use pfBlocker to create an alias based on ASN numbers, no need for any Python scripts.
Then create a rule to point the traffic out the non VPN gateway.
-
Thank you, so pfBlocker actually downloads the ASN info hourly from the said authority/website, that's pretty cool.
Side question; pfSense software upgrades are always included once the firewall is purchased?
-
@network-stack-445 said in Does pfSense support sub domain policy based routing:
Side question; pfSense software upgrades are always included once the firewall is purchased?
I've always got software upgrades FOC.
-
@network-stack-445 said in Does pfSense support sub domain policy based routing:
Side question; pfSense software upgrades are always included once the firewall is purchased?
I have been using Netgate appliances for many years.. Oldest device we have is a 2440.. Purchased sometime before 2017 when it went EOS.
It's currently not on latest and greatest - because it's in a remote location and due to covid nobody is on site in case something goes belly up on the upgrade.. Hopefully soon that will not be the case.
But updates have always been free. And I have been using pfSense since really it came out, on my own hardware and virtual.. Been here on the forums since 2007.. I have never seen or even heard any rumors of any sort of cost in getting updates. If you need a new appliance - then yeah there would be cost with that. And it's possible that an OLD appliance may not support whatever is the current version at some point, etc. Down the line, you can not expect old hardware to work forever, etc. Our 2440 will most likely be replaced with a 3100 vs upgrading it..
-
@johnpoz
Thank you all, really appreciate all the replies and input.
Yes agree, the hardware cannot support a new OS forever; just looking to see that feature enablement, IPS signature updates or regular patch updates (unless a major OS upgrade happens) is not priced.
-
@network-stack-445 said in Does pfSense support sub domain policy based routing:
IPS signature updates
That is something that is outside pfSense/Netgate - depending on what signatures you're using, there well could be a cost associated with those..