Netgate Discussion Forum

How To Direct Traffic For Specific Website(s) Out Specific Gateway?

Category: Routing and Multi WAN
11 Posts 5 Posters 1.9k Views
alteredstate (Aug 24, 2021, 6:59 PM)

    Hello everyone! Is there a way to direct traffic for specific websites out a specific gateway? I have set firewall rules that direct traffic on certain interfaces out my VPN gateway but streaming websites like Disney+ appear to block VPN traffic (the login page is blank using my VPN). I set a Firewall Alias (Non_VPN_Websites) and added: disneyplus.com to the IP or FQDN section. I then set the Non_VPN_Websites Alias as a firewall destination rule using my default gateway above the VPN gateway rule but it does not appear to work. Is there something else I need to do?

KOM @alteredstate (Aug 24, 2021, 7:42 PM)

      @alteredstate pfSense can filter based on IP address, port or protocol and that's about it. It has no concept of URLs. To do what you describe, you would need to provide a complete list of IP addresses used by that particular website. Then you could direct traffic out a specified gateway based on destination IP address.

akuma1x @KOM (Aug 24, 2021, 8:02 PM; edited 8:10 PM)

        @kom said in How To Direct Traffic For Specific Website(s) Out Specific Gateway?:

        It has no concept of URLs. To do what you describe, you would need to provide a complete list of IP addresses used by that particular website.

Um, yes it does, kind of... It works with FQDNs, and for most users that would work just fine. I know a URL is more than just an FQDN, so that's why I say "it kind of works". Lots of people don't even know the difference between the two.

If the user can simplify, like I believe he/she has done, it should work. But if, as is most likely, Disney+ uses tons of domains and/or a CDN network with many hundreds of IP addresses to deliver their content, then all bets are off on getting this to work successfully.

        So, OP, you could try this - in your alias for Disney+ (I would suggest to make just one for all of this stuff), add all of these domains:

        https://support.opendns.com/hc/en-us/articles/360037591112-Domains-to-Allow-for-Disney-Plus

        Hope that helps.

johnpoz (Global Moderator) @akuma1x (Aug 24, 2021, 8:08 PM)

An easier solution for the streaming channel stuff is to just policy route out your WAN via the source IP. Just set up your policy route to send traffic from whatever you're playing your channel on out your WAN.

          Be that a roku/fire stick, apple TV, shieldTV, PS/Xbox, your TV.. etc..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

akuma1x @johnpoz (Aug 24, 2021, 8:15 PM)

            @johnpoz I agree, that's how I do it with a couple of streaming things.

KOM @akuma1x (Aug 24, 2021, 8:17 PM)

              @akuma1x The problem with that approach is that the domain in question often has many IP addresses associated with it, and they can reference external addresses owned by CDNs that can change on the fly. It's not as simple as just creating a rule that says if DestAddr=www.disney.com then gateway2...

akuma1x @KOM (Aug 24, 2021, 8:49 PM; edited 8:58 PM)

                @kom According to the HOSTS area in the Alias tab, IP addresses of FQDNs are resolved on some kind of periodic basis.

                "Enter as many hosts as desired. Hosts must be specified by their IP address or fully qualified domain name (FQDN). FQDN hostnames are periodically re-resolved and updated. If multiple IPs are returned by a DNS query, all are used"

                I don't know how many levels of resolving happens, however, like you're saying in your post.

johnpoz (Global Moderator) @akuma1x (Aug 24, 2021, 11:35 PM; edited 11:42 PM)

@akuma1x The default time is 5 minutes, while some TTLs on CDNs can be as low as 60 seconds. They can and do change quite often.

But that is probably the least of the issues, to be honest. It's more the vast number of domains and FQDNs that could be used by a service such as Netflix, Disney, Amazon, etc., which can also change.

I only block ad-related domains and don't route any traffic out a VPN, and I ran into an issue where some streaming app wasn't working... Took me a few minutes to figure out which freaking domain it was asking for that was killing the app from fully loading.

So you're attempting to policy route based on something that is resolved and can change on a dime, while you only resolve it every 5 minutes. And quite often it's possible said device is hard-coding DNS and using a different DNS than pfSense. This can also lead to differences between what is allowed or routed out the WAN and what is actually being connected to.

Seems like a lot of effort. It would be easier to just let the stick do what it wants out your WAN. Do you care if your ISP knows you watch a movie off Netflix? ;)

To me it would be much simpler to just route the devices you want to route out the VPN, vs. routing everything out it and making exceptions to that rule for only specific domains. Say you're running some P2P box on your network... Run it through the VPN. Let everything else go out your WAN.

If you're running your DNS through the VPN, or using the VPN's DNS, that can cause some issues as well, since they might resolve the wrong IPs for your actual connection, or not resolve at all.

While what is being asked can be done, sure, it can quickly become a bit more complex than "put this domain in an alias and Bob's your uncle" ;)


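The failure mode johnpoz describes above (and the "periodically re-resolved" behaviour quoted from the alias help text two posts earlier) is easy to see with a small simulation. The following Python script is an added example, not code from this thread or from pfSense: it models a pfSense FQDN alias that is re-resolved on a fixed timer (300 s, the default the post names) against a CDN that rotates its answers every 60 s, then evaluates the OP's rule order (destination-alias rule to WAN above the source rule to VPN) for a laptop that connects every 30 s. The address pools, the laptop address 192.168.1.50 and the rotation pattern are all constructed assumptions; the point is how much of the traffic misses the alias, not the exact numbers.

```python
# Added example: pfSense FQDN alias refresh vs. short CDN TTLs (constructed data).

# Constructed answer pools from RFC 5737 documentation ranges; not real CDN addresses.
CDN_POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13",
            "198.51.100.20", "198.51.100.21", "198.51.100.22", "198.51.100.23"]
# Stand-in for what a VPN provider's resolver might return: the CDN steers the
# VPN exit to a different edge, so none of these overlap CDN_POOL (assumption).
VPN_VIEW_POOL = ["192.0.2.40", "192.0.2.41", "192.0.2.42", "192.0.2.43"]

VPN_CLIENTS = {"192.168.1.50"}   # hypothetical laptop the OP wants on the VPN by default


def cdn_answer(t, ttl=60, pool=CDN_POOL, answers=2):
    """Deterministic stand-in for a CDN authoritative server: every `ttl`
    seconds it hands out the next pair of addresses from the pool."""
    epoch = t // ttl
    start = (epoch * answers) % len(pool)
    return [pool[(start + i) % len(pool)] for i in range(answers)]


class FqdnAlias:
    """Models a pfSense FQDN alias: the resolver timer re-queries every
    `interval` seconds and the pf table holds whatever came back last time."""

    def __init__(self, interval=300, ttl=60):
        self.interval = interval
        self.ttl = ttl
        self.last_refresh = None
        self.addrs = set()

    def tick(self, t):
        if self.last_refresh is None or t - self.last_refresh >= self.interval:
            self.addrs = set(cdn_answer(t, self.ttl))
            self.last_refresh = t

    def __contains__(self, ip):
        return ip in self.addrs


def pick_gateway(src, dst, alias):
    """First-match (quick) evaluation in the order the OP described:
    destination in alias -> WAN, then source in VPN clients -> VPN, else WAN."""
    if dst in alias:
        return "WAN"
    if src in VPN_CLIENTS:
        return "VPN"
    return "WAN"


def simulate(alias_interval=300, ttl=60, client_resolver=None, duration=3600, step=30):
    """Count how many of the laptop's connections over `duration` seconds
    leave via each gateway. `client_resolver(t)` returns the address the
    laptop itself connects to; by default it gets a fresh CDN answer."""
    alias = FqdnAlias(alias_interval, ttl)
    resolve = client_resolver or (lambda t: cdn_answer(t, ttl)[0])
    counts = {"WAN": 0, "VPN": 0}
    for t in range(0, duration, step):
        alias.tick(t)                       # alias refresh timer fires (or not)
        dst = resolve(t)                    # what the laptop actually connects to
        counts[pick_gateway("192.168.1.50", dst, alias)] += 1
    return counts


if __name__ == "__main__":
    print("5-min alias refresh, 60 s CDN TTL:", simulate())
    print("alias refresh equal to the TTL:  ", simulate(alias_interval=60))
    print("laptop resolves via VPN DNS:     ",
          simulate(client_resolver=lambda t: cdn_answer(t, pool=VPN_VIEW_POOL)[0]))
```

With the constructed rotation, the 5-minute refresh catches the CDN's current answer only part of the time, so most of the "exception" traffic still goes out the VPN even though the rule order is right; matching the refresh interval to the TTL fixes this toy case, and a laptop that resolves through the VPN's DNS (or DoH) never hits the alias at all, which is the DNS caveat raised in the post. Real CDNs return far more addresses than this, so the gap is usually worse than the simulation suggests.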
alteredstate @johnpoz (Aug 25, 2021, 3:54 PM)

                    @johnpoz

                    Thanks for the suggestion but the problem with this is let's say I want my laptop to always use the VPN gateway but now I want to watch something on Disney+ from my laptop. I would be forced to continually disable and enable the VPN firewall destination rule each time I use Disney+.

couteauabeurre (Aug 28, 2021, 9:59 AM; edited 10:29 AM)

pfBlockerNG with IPv4 source definitions and a firewall rule with a specific gateway

pfBlockerNG:

Create an "alias native" IPv4 list in pfBlockerNG:

[screenshot: 3- 2021-08-28 115520.jpg]

Populate this new alias with whois source definitions:

[screenshot: 1- 2021-08-28 115520.jpg]

Force an update of pfBlockerNG, then create your firewall rule with a specific existing gateway:

[screenshot: 2- 2021-08-28 115520.jpg]

johnpoz (Global Moderator) @alteredstate (Aug 28, 2021, 10:44 AM)

                        @alteredstate said in How To Direct Traffic For Specific Website(s) Out Specific Gateway?:

                        I would be forced to continually disable and enable the VPN firewall destination rule each time I use Disney+.

                        Just create another wifi network then, when you want to watch Disney, connect to your non vpn wifi. When you want to do whatever else, just switch to your vpn wifi..

                        I would just watch on my TV to be honest.. Why would anyone watch on little screen when there is a big screen available?

But if you're going to be using a device where you want to split traffic between VPN and non-VPN, then yeah, policy routing is really the only way to do that. It can be problematic, especially if the laptop is not using pfSense for DNS, say with DoH.


                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.