Netgate Discussion Forum
How can I route all subdomains of a certain domain through a specific WAN?

  scilek, Jul 5, 2023, 5:56 PM (last edited by scilek Jul 5, 2023, 5:56 PM)

    I have two WANs, WAN_SPECIAL and WAN_EVERYTHING_ELSE, and I am tasked with routing everything that is outbound to special.com (including all the subdomains!) through WAN_SPECIAL and everything else through WAN_EVERYTHING_ELSE.

    Now, I know that is a relatively easy thing to do: put all the domain names in a text file and have the firewall handle the rest.

    My problem is that I don't know all the subdomains, and even if I did, another one might be created later on.

    I have done some research and know that pfBlocker-NG is the way to go. But I wonder if that could be done without using it. It looks so complicated and also I wouldn't know how to route certain outbound traffic through a specific WAN.

    What is the logic behind pfBlocker-NG anyway? How does it incorporate itself into the standard firewall that comes with pfSense?

    What do YOU recommend?

    mcury @scilek, Jul 5, 2023, 6:03 PM (last edited by mcury Jul 5, 2023, 6:06 PM)

      @scilek pfBlockerNG is not hard.
      For that purpose, you won't need all the features.

      Go to: https://bgp.he.net/ or any other site you know to check ASN.

      Install pfBlockerNG, skip wizard.

      Go to Firewall > pfBlockerNG > IP > IPv4
      Click ADD

      Then, include the AS as per below.

      In this example, I'm using the TeamViewer AS:

      [image: 59b7dcd6-96db-4a6d-93d2-b09b443de844-image.png]

      [image: 6a9f1011-f723-41df-a8f8-7628b827efff-image.png]
      In the image above there is a field that is not shown, Update Frequency; make sure you set it to Once a day.

      Click Save IPv4 Settings, then go to the Update tab and click Update (make sure pfBlockerNG is enabled).

      Once the update finishes, you can use that alias as a destination in a firewall rule, and change the gateway in the advanced options of that specific firewall rule.

      dead on arrival, nowhere to be found.

      scilek @mcury, Jul 5, 2023, 6:10 PM

        @mcury Thank you very much. But what is an "ASN"? What if I were trying to do that for googlevideo.com? (FYI, it is the domain from which all YouTube videos are served and has many many subdomains.) Wouldn't it be easier to use RegEx?

        mcury @scilek, Jul 5, 2023, 6:22 PM

          @scilek Autonomous System is a term used in BGP, in which routes are exchanged between neighbors.

          hmm, Googlevideo, let me check..

          Googlevideo.com

          142.251.46.164 > 142.251.46.0/24 > AS15169 > Google LLC
          142.251.46.164 > 142.250.0.0/15 > AS15169 > Google LLC
          2607:f8b0:4005:802::2004 > 2607:f8b0:4005::/48 > AS15169 > Google LLC
          2607:f8b0:4005:802::2004 > 2607:f8b0::/32 > AS15169 > Google LLC
          

          Google.com

          142.250.189.238 > 142.250.189.0/24 > AS15169 > Google LLC
          142.250.189.238 > 142.250.0.0/15 > AS15169 > Google LLC
          2607:f8b0:4005:80e::200e > 2607:f8b0:4005::/48 > AS15169 > Google LLC
          2607:f8b0:4005:80e::200e > 2607:f8b0::/32 > AS15169 > Google LLC
          

          I don't think it is possible to use ASN for this..

          Also, firewall rules with a hostname alias wouldn't work; these servers are always changing IPs.

          As I see it, the only way possible to accomplish this is by using a proxy, such as Squid, but it is not trivial, mostly for advanced users.

          dead on arrival, nowhere to be found.

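Added example (not from the thread): parsing the lookup lines quoted above into the prefix set an ASN-based pfBlockerNG alias would hold, then checking which addresses that alias matches. It is IPv4-only and illustrates the point made above, that an AS15169 alias cannot separate googlevideo.com from google.com because both addresses fall inside 142.250.0.0/15.

```javascript
// The IPv4 lookup lines quoted in the thread (format: ip > prefix > ASN > org).
const LOOKUP_LINES = [
  "142.251.46.164 > 142.251.46.0/24 > AS15169 > Google LLC",   // googlevideo.com
  "142.251.46.164 > 142.250.0.0/15 > AS15169 > Google LLC",
  "142.250.189.238 > 142.250.189.0/24 > AS15169 > Google LLC", // google.com
  "142.250.189.238 > 142.250.0.0/15 > AS15169 > Google LLC",
];

// Dotted-quad IPv4 -> unsigned 32-bit integer.
function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when ip lies inside the CIDR prefix (e.g. "142.250.0.0/15").
function inPrefix(ip, cidr) {
  const [net, lenStr] = cidr.split("/");
  const len = Number(lenStr);
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Collect the distinct IPv4 prefixes the lookup attributes to one ASN: this is
// what an ASN-sourced IPv4 alias in pfBlockerNG ends up containing.
function aliasForAsn(lines, asn) {
  const prefixes = new Set();
  for (const line of lines) {
    const [, prefix, announcingAs] = line.split(" > ").map(s => s.trim());
    if (announcingAs === asn && /^\d+\.\d+\.\d+\.\d+\/\d+$/.test(prefix)) prefixes.add(prefix);
  }
  return [...prefixes];
}

// Would a firewall rule using this alias as destination match the address?
function aliasMatches(alias, ip) {
  return alias.some(prefix => inPrefix(ip, prefix));
}
```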
          scilek @mcury, Jul 5, 2023, 6:29 PM

            @mcury I have used squid to that end before. Unfortunately, it creates more problems than it solves. I knew what an AS is, but this is the first time I have heard of an ASN. But that is not the issue.

            Can I do this using RegEx?

            mcury @scilek, Jul 5, 2023, 6:41 PM (last edited by mcury Jul 5, 2023, 6:49 PM)

              @scilek said in How can I route all subdomains of a certain domain through a specific WAN?:

              Can I do this using RegEx?

              As mentioned, only with squid.

              You can create a .pac file, saying that only that regex will go through the proxy, like this:

              Transparent proxy disabled.

              function FindProxyForURL(url, host) {
                  // Plain (unqualified) intranet names never need the proxy.
                  if (isPlainHostName(host))
                      return "DIRECT";
                  // Send the domain itself and every subdomain through Squid on pfSense.
                  if (shExpMatch(host, "googlevideos.com") ||
                      shExpMatch(host, "*.googlevideos.com"))
                      return "PROXY pfsense.local.lan:3128";
                  // Everything else goes out directly.
                  return "DIRECT";
              }

              But this will only work with computers; if you are trying to force mobile phones to use this .pac file, you will get into problems for sure.

              Like this, the only regex forwarded to the proxy will be .googlevideos.com

              dead on arrival, nowhere to be found.

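Added example, not the PAC file from the post above: a FindProxyForURL that sends the apex domain and every subdomain to the proxy and everything else direct, with minimal stand-ins for the PAC helpers (isPlainHostName, dnsDomainIs, shExpMatch) so it runs under node outside a browser. It assumes the proxy address from the thread (pfsense.local.lan:3128) and uses googlevideo.com, the domain from the question; globStyleMatch shows why a bare "*.domain" glob misses the apex domain.

```javascript
// Stand-ins for the helpers a browser's PAC engine normally provides.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function shExpMatch(str, shexp) {
  const re = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

const PROXY = "PROXY pfsense.local.lan:3128"; // Squid on pfSense, as in the thread
const SPECIAL_DOMAIN = "googlevideo.com";     // domain from the question (assumed)

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isPlainHostName(host)) return "DIRECT";   // unqualified intranet names
  // Apex domain plus every subdomain. The leading dot in the suffix check
  // keeps look-alikes such as notgooglevideo.com out of the proxy path.
  if (host === SPECIAL_DOMAIN || dnsDomainIs(host, "." + SPECIAL_DOMAIN)) return PROXY;
  return "DIRECT";
}

// The glob style used in the post, kept for comparison: "*.domain" matches
// subdomains only, never the apex domain itself.
function globStyleMatch(host) {
  return shExpMatch(host.toLowerCase(), "*." + SPECIAL_DOMAIN);
}
```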
              scilek @mcury, Jul 5, 2023, 6:54 PM

                @mcury I see. Thanks.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.