Firewall rule to route a website



  • So I have load balancing, but I want youtube to only go through one modem
    youtube…
    lol I have 50 firewall LAN rules with so many youtube IP addresses.

    How can I just add a host?
    Because it still gets through even with 50 IP addresses, since youtube has so many.



  • ip or network alias  ;)


  • Netgate Administrator

    Youtube is difficult to work with since it has so many points of presence, as you have found.
    To tidy up your rules you can add a youtube alias and use that in a single rule. That won't help traffic getting past though.
    I don't know of any way to do this easily. You could do it using squid.
    Just wondering if you could do it with a DNS override, hmmm.

    Steve

    You could try using dig to see what your dns cache has for youtube, assuming you have dns forwarding enabled.

    [2.0.1-RELEASE][root@pfsense.fire.box]/root(6): dig youtube.com
    
    ; <<>> DiG 9.6.2-P2 <<>> youtube.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7473
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;youtube.com.                   IN      A
    
    ;; ANSWER SECTION:
    youtube.com.            178     IN      A       173.194.41.136
    youtube.com.            178     IN      A       173.194.41.132
    youtube.com.            178     IN      A       173.194.41.135
    youtube.com.            178     IN      A       173.194.41.130
    youtube.com.            178     IN      A       173.194.41.128
    youtube.com.            178     IN      A       173.194.41.137
    youtube.com.            178     IN      A       173.194.41.134
    youtube.com.            178     IN      A       173.194.41.131
    youtube.com.            178     IN      A       173.194.41.133
    youtube.com.            178     IN      A       173.194.41.129
    youtube.com.            178     IN      A       173.194.41.142
    
    ;; Query time: 1 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sun Jun 10 22:03:30 2012
    ;; MSG SIZE  rcvd: 205
    
    


  • I don't know if this idea would be remotely useful, but maybe make an alias for a network mask. You might get a few false positives going over, but you will certainly hit on youtube. For example, if youtube lives on 172.16. and it appears to be a /16 network, you could set an alias for 172.16..
    This would ensure that youtube gets schlepped over, at the minor cost of some other innocent IPs in the 172.16/16 block.
    It certainly would make for quicker times in the firewall table.

    brainbubble fixed


  • Netgate Administrator

    Yes, that's a good point.
    In this case some false positives on the policy routing rule will probably not be a problem, unlike if you were trying to block youtube altogether.

    Steve



  • @mostlyharmless:

    if youtube lives on 178.1. and it appears to be a /16 network, you could set an alias for 172.1..

    So nobody takes the previously quoted set of IP addresses as definitive, I'll point out that in my part of the world (Australia) youtube seems to live on a different range of IP addresses:

    [2.0.1-RELEASE][admin@pfsense.example.org]/root(7): dig youtube.com

    ; <<>> DiG 9.6.2-P2 <<>> youtube.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25338
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;youtube.com. IN A

    ;; ANSWER SECTION:
    youtube.com. 248 IN A 74.125.237.104
    youtube.com. 248 IN A 74.125.237.96
    youtube.com. 248 IN A 74.125.237.102
    youtube.com. 248 IN A 74.125.237.97
    youtube.com. 248 IN A 74.125.237.103
    youtube.com. 248 IN A 74.125.237.98
    youtube.com. 248 IN A 74.125.237.101
    youtube.com. 248 IN A 74.125.237.110
    youtube.com. 248 IN A 74.125.237.99
    youtube.com. 248 IN A 74.125.237.105
    youtube.com. 248 IN A 74.125.237.100

    ;; Query time: 4 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Mon Jun 11 13:33:37 2012
    ;; MSG SIZE  rcvd: 205

    [2.0.1-RELEASE][admin@pfsense.example.org]/root(8):
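    The two dig runs above make the practical point of this thread concrete: the set of answers differs by region, so the alias has to be built from a local lookup, and a single "network mask" alias trades precision for fewer rules. The script below is an added example, not something from the original thread or from pfSense itself. It takes the ANSWER SECTION lines as posted in the two replies (embedded here as sample input; re-run dig locally for real values), extracts the A records, and produces both the exact minimal CIDR list (no false positives) and the single smallest covering block with a count of how many unrelated addresses that block would also policy-route. The function names and the one-CIDR-per-line output format are my own choices; it assumes Python 3.9 or later and only the standard library.

```python
import ipaddress
import re

# Constructed sample input: the ANSWER SECTION lines from the two dig runs
# quoted in this thread (one from the US side, one from Australia).
# Treat them as illustrative only; run dig against your own resolver.
DIG_US = """\
;; ANSWER SECTION:
youtube.com.            178     IN      A       173.194.41.136
youtube.com.            178     IN      A       173.194.41.132
youtube.com.            178     IN      A       173.194.41.135
youtube.com.            178     IN      A       173.194.41.130
youtube.com.            178     IN      A       173.194.41.128
youtube.com.            178     IN      A       173.194.41.137
youtube.com.            178     IN      A       173.194.41.134
youtube.com.            178     IN      A       173.194.41.131
youtube.com.            178     IN      A       173.194.41.133
youtube.com.            178     IN      A       173.194.41.129
youtube.com.            178     IN      A       173.194.41.142
"""

DIG_AU = """\
;; ANSWER SECTION:
youtube.com. 248 IN A 74.125.237.104
youtube.com. 248 IN A 74.125.237.96
youtube.com. 248 IN A 74.125.237.102
youtube.com. 248 IN A 74.125.237.97
youtube.com. 248 IN A 74.125.237.103
youtube.com. 248 IN A 74.125.237.98
youtube.com. 248 IN A 74.125.237.101
youtube.com. 248 IN A 74.125.237.110
youtube.com. 248 IN A 74.125.237.99
youtube.com. 248 IN A 74.125.237.105
youtube.com. 248 IN A 74.125.237.100
"""

# Matches a dig answer line: "<name> <ttl> IN A <ipv4>", tolerant of column spacing.
A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_a_records(dig_output):
    """Return the de-duplicated, sorted IPv4 addresses from dig's A answers."""
    found = set()
    for line in dig_output.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            found.add(ipaddress.IPv4Address(m.group(3)))
    return sorted(found)


def exact_alias(addrs):
    """Fewest CIDR entries that match exactly these hosts and nothing else."""
    hosts = (ipaddress.IPv4Network(f"{a}/32") for a in addrs)
    return list(ipaddress.collapse_addresses(hosts))


def covering_network(addrs):
    """Smallest single CIDR that contains every address (the one-netmask alias idea)."""
    lo, hi = min(addrs), max(addrs)
    for prefix in range(32, -1, -1):          # widen until both ends fall in one block
        net = ipaddress.IPv4Network(f"{lo}/{prefix}", strict=False)
        if hi in net:
            return net
    raise AssertionError("a /0 contains every address")


def false_positives(net, addrs):
    """Addresses in the covering block that were not in the DNS answer."""
    return net.num_addresses - sum(1 for a in addrs if a in net)


def alias_file(addrs_by_site):
    """Merge lookups from several vantage points into one CIDR-per-line alias list."""
    merged = sorted({a for addrs in addrs_by_site.values() for a in addrs})
    return "".join(f"{net}\n" for net in exact_alias(merged))


if __name__ == "__main__":
    sites = {"us": parse_a_records(DIG_US), "au": parse_a_records(DIG_AU)}
    for name, addrs in sites.items():
        block = covering_network(addrs)
        print(f"{name}: {len(addrs)} hosts, exact alias = "
              f"{[str(n) for n in exact_alias(addrs)]}, "
              f"single block = {block} ({false_positives(block, addrs)} extra addresses)")
    print("merged alias list:")
    print(alias_file(sites), end="")
```

    Both outputs are useful to a policy-routing rule: the exact list is what you would paste into a Network(s) alias when you care about not dragging unrelated traffic over the chosen WAN, and the covering block is the quick option when, as Steve says, a few false positives on a routing rule do not matter. Either way the answer set is only as good as the resolver you asked, so regenerate it from your own dig output rather than from the addresses quoted here.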



  • Whoops. Typoed my example, I'll fix it. 172.16.x.x is a class B under RFC1918, that's what I meant to put, not 178.1. Those won't be real youtube IPs unless you are doing it very, very, wrong.  ;)


  • Netgate Administrator

    @wallabybob:

    So nobody takes the previously quoted set of IP addresses as definitive

    Yes, re-reading my previous post I failed to make it clear that anyone doing this must do it themselves locally in order to get a useful set of IPs. The IPs used by Youtube (or any large distribution network) will vary geographically. Wallabybob and I are about as geographically separated as possible but you get the idea.  ;)

    Steve

