Assign specific WAN based on L7 rule.



  • WAN = Cable
    Opt1 = DSL

    I want all bittorrent traffic to be placed on the OPT1 connection and never ever access the WAN connection.
    Since bittorrent outgoing connections are pretty much on every port possible, I can't just do redirecting based on ports. So I was thinking to use a mix of traffic shaping and forwarding.

    I created a L7 rule for bittorrent traffic
    Then I created a firewall rule (Odd, action for l7 is to block, but when you create a firewall rule to use the L7 rule, i can't choose block).

    Here's what I did

    Whether I choose WAN or OPT1 as the gateway, it won't do anything. Everything goes to WAN.

    If there is already a thread with the solution, just link me to it.
    If not, I just need the specific setup needed for doing exactly what I want: All bittorrent traffic to OPT1. (Forget about ports plz, it can't work, and I won't make a dedicated machine just for bittorrent just so I can simply NAT the machine's IP to the OPT1)

    Let's see what PFsense can do :P



  • few quick thougts

    1. What version you have
    2. What interface this rule is set to be
    3. Is anything above this rule
    4. Why not create rule to force torrent out secondary gateway than blockin primary gateway



  • @Metu69salemi:

    few quick thougts

    1. What version you have
    2. What interface this rule is set to be
    3. Is anything above this rule
    4. Why not create rule to force torrent out secondary gateway than blockin primary gateway

    1. PFSense 2.0 RC3
    2. Firewall\rules\floating (I tried also firewall\rules\LAN)
    3. Nope (even in firewall\rules\lan)
    4. That's what I want. How do I do that? You can't specify torrent traffic without L7. Port range is too wide (aside for incoming)



  • Assign to lan
    pass tcp/udp from lan subnet to any
    advanced options Gateway optgateway and L7 filter

    make it above anything. reset states and should work



  • @Metu69salemi:

    Assign to lan
    pass tcp/udp from lan subnet to any
    advanced options Gateway optgateway and L7 filter

    make it above anything. reset states and should work

    Ok I'm at work right now, so I can't test it nor verify in the configuration menus if I understand this right but…

    I go in Firewall rules, and select LAN as the incoming interface
    Then I select TCP/UDP and subnet LAN as the source network
    In advanced I select the gateway OPT1 and my L7 filter.

    Ok I'll give it a shot tonight when I'm home.

    Question, if this works, would the L7 filter detect all bittorrent data, as in, the client connecting to trackers and not just the peer connections? (Connecting to trackers means giving out the correct WAN IP)



  • It wont capture encrypted bittorrent traffic and i don't think it will capture trackers that use HTTP. But since your traffic will be using different gateways, it shouldnt be able to track if its using http



  • Ok well I will see the result of that.
    Anyway incoming connections generated by the cable modem's IP being advertised on trackers will be refused as the port won't be forwarded on that side.



  • If you're having only one client or minimum amount of torrent pc's then you can create rule that any trafic what those produce to internet is going to use opt1 gateway

    if you have multiple pc's it's lot easier to use ip alias to determine those, if ip's isn't chancing (dhcp static mappins)



  • @Metu69salemi:

    If you're having only one client or minimum amount of torrent pc's then you can create rule that any trafic what those produce to internet is going to use opt1 gateway

    if you have multiple pc's it's lot easier to use ip alias to determine those, if ip's isn't chancing (dhcp static mappins)

    Ya I can't do that because the very same PC would be used for web browsing and web video streaming (as a client) and those would lag badly if Bittorrent is saturating the OPT1 connection. Unless Netflix and other web video streams are all on standard 443, 80,8080 ports.



  • @Metu69salemi:

    Assign to lan
    pass tcp/udp from lan subnet to any
    advanced options Gateway optgateway and L7 filter

    make it above anything. reset states and should work

    OK I just did that.
    Now all my traffic goes through OPT1, not just bittorrent….



  • What your L7 rule says?



  • My L7 rule

    And my Firewall rule under LAN tab

    When that firewall rule is enabled, suddenly everything on the computer 192.168.0.10 will go through OPT1 (opt1=dsl)



  • Your L7 says action block.

    what did you want? block it or allow it?



  • @Metu69salemi:

    Your L7 says action block.

    what did you want? block it or allow it?

    I want to allow it, but there are no other options other than block.
    And if my option selection was supposed to BLOCK it, well… it doesn't block it because as I said, EVERYTHING (including bittorrent) is being redirected to the DSL connection with the firewall rule.



  • Interesting..

    Maybe someone else may provide some more details/help on this case



  • Emarl would be the guru if its possible. Thinking a code change would be needed to allow a feature like this. Do you have access to all the clients running bit-torrent software? You could set static ports then create an alias to direct all that traffic thru the gw you want. Thats what I did for my network



  • @Cino:

    Emarl would be the guru if its possible. Thinking a code change would be needed to allow a feature like this. Do you have access to all the clients running bit-torrent software? You could set static ports then create an alias to direct all that traffic thru the gw you want. Thats what I did for my network

    Well that's what I'm doing now. I basically put the before-last-rule to be that ALL traffic of the bittorrent machine (192.168.0.10) be NATed to the DSL connection. Above that rule, I put that port 80,80,443 (and a few other ports) from 192.168.0.10 be sent to the cable connection.

    So far it works ok, but the problem is with the trackers running on HTTP will be contacted by my cable connection. So getting incoming connections on my DSL for bittorrent is a bit slow, as the DHT and peer-sharing functions need to kick in for my DSL connection to be known to the other peers.

    but it works none the less and maybe I'll leave it like that since I don't want to take the chance that L7 layer filtering (if I'd get it to work) would fail one day and reship everything to the cable connection, costing me a pretty penny in overages.


Log in to reply