Netgate Discussion Forum

Does pfSense support sub domain policy based routing

Routing and Multi WAN
    network-stack-445
    last edited by May 18, 2021, 2:58 PM

    Hi,

    I am new to pfSense; does pfSense support sub-domain policy-based routing?

    Example:
    a firewall rule: src - 10.x.x.x, dest - nflxvideo.net, routed to WAN2.
    Will that cover and route traffic to WAN2 for src - 10.x.x.x, dest - ica.ny-32xx.oca.nflxvideo.net?

    Thank you

      viragomann @network-stack-445
      last edited by May 18, 2021, 3:14 PM

      @network-stack-445
      No, not out of the box. pfSense filters on L3. The hostname is placed in the host header, which is only available on L7.

      You can install the HAproxy package and configure it properly to do this: https://docs.netgate.com/pfsense/en/latest/packages/haproxy.html

        KOM @network-stack-445
        last edited by May 18, 2021, 3:38 PM

        @network-stack-445 What you could do is to gather all the IP addresses associated with those domains, put each domain's IPs in an alias and then create two rules that route accordingly based on the aliases as the destination.

          network-stack-445
          last edited by May 18, 2021, 3:50 PM

          Thank you very much, guys; I appreciate your replies.
          Please guide me to the best method to bypass Netflix traffic (which includes AWS too; that's OK to bypass as well).

          Though not source-based, only destination-based.

          Requirement: the entire LAN should bypass the VPN only for Netflix domains/IPs.

          I looked at https://ipinfo.io/AS40027 to get the IP addresses and put a rule in for them,
          but that will get out of hand should NFLX change IPs.
          (I can write some Python and make an extended dynamic list as well; trying not to.)

          So I am looking for a dynamic solution

          With HAProxy, are we saying it should be used as a transparent proxy,
          with a firewall rule saying src - proxy, route to WAN2 (non-VPN)?

          Thank you

            NogBadTheBad @network-stack-445
            last edited by NogBadTheBad May 18, 2021, 3:56 PM May 18, 2021, 3:54 PM

            @network-stack-445

            I looked at https://ipinfo.io/AS40027 to get the IP addresses and put a rule in for them,
            but that will get out of hand should NFLX change IPs.
            (I can write some Python and make an extended dynamic list as well; trying not to.)

            Use pfBlocker to create an alias based on ASN numbers, no need for any Python scripts.

            Screenshot 2021-05-18 at 16.52.44.png

            Then create a rule to point the traffic out the non VPN gateway.

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

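The two replies above describe the same thing from different angles: pf only ever sees the Layer 3 destination address, so "route *.nflxvideo.net out WAN2" has to become "route this alias of addresses or prefixes out WAN2", and the only question is how the alias gets filled (resolved addresses per KOM, ASN prefixes per NogBadTheBad, which pfBlockerNG fetches on a schedule). The script below is an added example, not code from the thread, from pfSense or from pfBlockerNG; it builds both kinds of alias from constructed sample data (the prefixes, DNS answers and gateway names are documentation values, not real Netflix or AS40027 data), evaluates the destination-only rule against them, and renders the alias in the one-CIDR-per-line form a URL Table alias or pfBlockerNG custom list loads.

```python
"""Destination-based policy routing on Layer 3, worked on sample data.

Added example, not from the thread or from pfSense/pfBlockerNG. All
prefixes and addresses are constructed RFC 5737 / RFC 3849 documentation
values, NOT real Netflix or AS40027 data; the gateway names are assumed.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed stand-in for the prefix list pfBlockerNG would pull for an ASN.
ASN_PREFIXES = ["198.51.100.0/24", "203.0.113.0/25", "2001:db8:40::/48"]

# Constructed stand-in for DNS answers (what `drill`/`host` would return).
RESOLVED = {
    "nflxvideo.net": ["198.51.100.10"],
    "ica.ny-32xx.oca.nflxvideo.net": ["203.0.113.7", "2001:db8:40::1"],
    "example.com": ["192.0.2.55"],  # unrelated name, must stay on the VPN
}


def to_networks(entries: Iterable[str]) -> list:
    """Normalise alias entries: bare hosts become /32 or /128 networks."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def domain_alias(resolved: Dict[str, List[str]], domain: str) -> List[str]:
    """KOM's approach: every address of `domain` and of any name under it.

    Sub-domain matching happens here, on the name, because pf itself will
    only ever see the addresses. The suffix test is anchored on a dot so
    that a name like 'notnflxvideo.net' is not swept into the alias.
    """
    addrs = set()
    for name, answers in resolved.items():
        if name == domain or name.endswith("." + domain):
            addrs.update(answers)
    # IPv4 first, then IPv6, each in numeric order: a stable alias file
    # diffs cleanly when resolver answers change.
    return sorted(addrs, key=lambda a: (ipaddress.ip_address(a).version,
                                        int(ipaddress.ip_address(a))))


def asn_alias(prefixes: Iterable[str]) -> list:
    """NogBadTheBad's approach: the ASN's announced prefixes, collapsed so
    overlapping or adjacent blocks become one entry (smaller pf table)."""
    nets = to_networks(prefixes)
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def gateway_for(dst: str, alias: Iterable, bypass_gw: str = "WAN2_GW",
                default_gw: str = "VPN_GW") -> str:
    """Evaluate the single LAN rule the thread ends up with:
    destination in alias -> policy-route via the non-VPN gateway,
    anything else -> the default (VPN) gateway. The source is deliberately
    not checked, matching the 'destination based only' requirement."""
    ip = ipaddress.ip_address(dst)
    for net in to_networks(str(n) for n in alias):
        if net.version == ip.version and ip in net:
            return bypass_gw
    return default_gw


def render_alias(entries: Iterable) -> str:
    """One CIDR per line, the format a pfSense URL Table alias or a
    pfBlockerNG custom list loads; '#' lines are comments."""
    lines = ["# constructed example alias; regenerate on a schedule"]
    lines += [str(n) for n in to_networks(str(e) for e in entries)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    alias = asn_alias(ASN_PREFIXES)
    print(render_alias(alias))
    for name, answers in RESOLVED.items():
        for a in answers:
            print(f"{name:32} {a:16} -> {gateway_for(a, alias)}")
```

The check worth keeping from this is the last loop: whatever fills the alias, the rule's behaviour is decided purely by whether the destination address falls inside it, which is why the hostname-based rule in the opening post cannot work at Layer 3 and why a stale alias silently sends traffic back through the VPN.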
              network-stack-445 @NogBadTheBad
              last edited by May 18, 2021, 4:18 PM

              @nogbadthebad

              Thank you. So pfBlocker actually downloads the ASN info hourly from the said authority/website; that's pretty cool.

              Side question: are pfSense software upgrades always included once the firewall is purchased?

                NogBadTheBad @network-stack-445
                last edited by May 18, 2021, 4:20 PM

                @network-stack-445 said in Does pfSense support sub domain policy based routing:

                Side question: are pfSense software upgrades always included once the firewall is purchased?

                I've always got software upgrades FOC.

                Andy


                  johnpoz LAYER 8 Global Moderator @network-stack-445
                  last edited by May 18, 2021, 5:02 PM

                  @network-stack-445 said in Does pfSense support sub domain policy based routing:

                  Side question: are pfSense software upgrades always included once the firewall is purchased?

                  I have been using Netgate appliances for many years. The oldest device we have is a 2440, purchased sometime before 2017, when it went EOS.

                  It's currently not on the latest and greatest, because it's in a remote location and, due to COVID, nobody is on site in case something goes belly up on the upgrade. Hopefully soon that will not be the case.

                  But updates have always been free. And I have been using pfSense since really it came out, on my own hardware and virtual. Been here on the forums since 2007. I have never seen or even heard any rumors of any sort of cost in getting updates. If you need a new appliance, then yeah, there would be a cost with that. And it's possible that an OLD appliance may not support whatever the current version is at some point, etc. Down the line, you cannot expect old hardware to work forever, etc. Our 2440 will most likely be replaced with a 3100 vs. upgrading it.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

                    network-stack-445 @johnpoz
                    last edited by May 18, 2021, 5:07 PM

                    @johnpoz
                    Thank you all, I really appreciate all the replies and input.
                    Yes, agreed, the hardware cannot support a new OS forever; I'm just looking to see that feature enablement, IPS signature updates or regular patch updates (unless a major OS upgrade happens) are not priced.

                      johnpoz LAYER 8 Global Moderator @network-stack-445
                      last edited by May 18, 2021, 5:23 PM

                      @network-stack-445 said in Does pfSense support sub domain policy based routing:

                      IPS signature updates

                      That is something outside pfSense/Netgate; depending on what signatures you're using, there could well be a cost associated with those.


                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                        This community forum collects and processes your personal information.