Layer 2 connection issue with Android to PC app

johnpoz

@sessh said in Layer 2 connection issue with Android to PC app:

Would I even be able to select IP ranges to exclude like what was suggested above via the VPN?

Yes.. what uses or doesn't use the vpn would be simple firewall rules on pfsense.

https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#policy-routing-configuration

Gblenn

@johnpoz said in Layer 2 connection issue with Android to PC app:

@sessh said in Layer 2 connection issue with Android to PC app:

Would I even be able to select IP ranges to exclude like what was suggested above via the VPN?

Yes.. what uses or doesn't use the vpn would be simple firewall rules on pfsense.

https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#policy-routing-configuration

I guess the one thing that will prove more challenging is the tunneling per "app" that NordVPN can do when installed in the phone/PC.

Should be possible using pfblockerng to get the server IP's from ASN's to use in the policies. But it is a bit of work and at least I have found it challenging and a bit of hit and miss. But perhaps if one can flip it around and use only for a few applications to be excluded, it could work.

sessh

Will get TPLink Omada then when I'm ready to do that. Also this PC is still on Win7 (I've had difficulty pulling myself away from it, I love it) and will next be on Linux Mint, so the NordVPN software for WIn7 does not have the route tunneling feature, only app tunneling. Their software for Linux doesn't even have Split Tunneling at all, so I'd have to switch to something like Surfshark maybe. I was seeing people on Win10 posting stuff about how they couldn't figure out how to whitelist with Nord, but maybe that feature was a newer addition to the software. Either way, I see it's now included on Win10 and 11 in the UI.

Wow really? Tunneling per app is actually possible using pfsense? That's interesting. I only have a few things I use the tunneling for though. If that's possible, a killswitch should be workable too.

johnpoz

@sessh said in Layer 2 connection issue with Android to PC app:

Tunneling per app is actually possible using pfsense?

No, not sure where you got that Idea - you can policy route on anything you can get a firewall to trigger on, source IP or port, destination IP or port, protocol tcp/udp etc. Any combination of those.

But you can't say hey if chrome browser traffic route out a tunnel.. You could say anything going to 443 route out the tunnel.. But pfsense can't know if that is a browser creating that traffic, or some other app. etc.

You could say anything going to 443 to this IP or network route out the tunnel, etc. Anything else going to 443 don't route out the tunnel, etc.

If your so concerned about your isp seeing where your going, why not just route all traffic out the vpn?

Gblenn

@johnpoz I guess it was me who "gave sessh that idea".. talking about the use of pfBlocker, ASN and Alias to route based on destination IP.
Say for example you want to route everything except Netflix and YouTube via the VPN. Then you could exclude any traffic going to their servers. But you need help from pfblocker to figure out all the possible IP's, from their respective ASN's...

And in that way you are at least mimicking the ability to "split tunnel" based on application...

johnpoz

@Gblenn true, if you know what networks application X wants to talk to - sure you can policy route based on that.

sessh

Yeah i was referring to the pfBlocker/ASN/Alias thing Gblenn was talking about. My original intention was to do what you guys are suggesting and put the VPN on the Netgate, but I then realized I would lose some of the perks that the desktop/mobile app gave me (Tunneling, Killswitch etc).. but if those are possible to set up using pfBlocker/ASN/Alias, that sounds fun. When/if I decide to go that route, I may tag you in a new thread here and try to get that working.

I would want to exclude some devices from it, but I see that's possible too. I was considering getting SlingTV along with NHL Center Ice and I'd want to have that going through the VPN to get around local blackouts. Knowing all of this is possible was certainly worth it to learn. Really appreciate you guys taking the time to explain things to me.

johnpoz

@sessh you mention killswitch, that is also possible in pfsense, where if the vpn goes down - traffic that is suppose to go out the vpn will just die and not go out your normal internet connection.

Gblenn

@sessh said in Layer 2 connection issue with Android to PC app:

I would want to exclude some devices from it, but I see that's possible too. I was considering getting SlingTV along with NHL Center Ice and I'd want to have that going through the VPN to get around local blackouts.

It's quite simple as long as it has to do with all traffic related to a device (or it's IP rather). Then it doesn't matter if it's a SlingTV, GoogleTV or a PC even. Policy routing based on it's IP can send all traffic via the VPN, or exclude it from the VPN (if default is to use VPN for the entire home network).

And as johnpoz points out, if the tunnel goes down, traffic can be blocked so that it doesn't "leak"...

The difficult part is when you want to take some of the traffic from one IP, like when it's a PC or even a Google TV but only some selected streaming services and not others.
That's where you need to know the servers they connect to instead, and there can be many IP's... And the task to figure those IP's out can be done by pfblockerng, which can provide Aliases listing all IP's related to the ASN's that you need to provide. Again there can be multiple ASN's for some services even...

I have played around a little with this and found it to be quite the challenge, and basically gave up. I wasn't after routing, but rather blocking and there are other simpler tools to use for that... depending on your needs.

sessh

Man that does sound like a pain. It also doesn't sound possible to really do per app tunneling like a dedicated VPN app can do particularly for things like web browsers whereas with something like Sweech that uses a narrow host address range plus a specific port number, it would be a piece of cake. I suppose I'd have to keep the desktop app for the PC, but the phone should be ok with it since it's just one app that needs to be configured.