Multi-WAN (for Failover) + VPN Routing for US content….
-
I know this topic has probably been beaten to death, but I have a feeling I am missing something stupid and I thought I would ask the pros here for some advice.
First, some background…..
I don't have a ton of experience with BSD, I have mostly used CentOS / Ubuntu based distros in the past. Over the past year, I have been through many of the Linux router based distros. Clarkconnect -> ClearOS -> Centos -> m0n0wall -> Zentyal -> Untangle -> and now pfSense.
My current setup is something like this:
WAN (Cable)
pfSense router - > switch -> Wired connections
WAN (3G failover) -> WNDR3700 (running dd-wrt) (wireless AP)
Throw in a StrongVPN OpenVPN account for good measure.
I switched to pfSense because I wanted my router to do the routing, and not have 2 routers operating, with port forwarding and such enabled to make it all work. And dd-wrt is not as stable as a linux router distro.
I also recently changed cable providers. Hence the reason for the failover. 7 days to switch from one cable operator to another is a little too long for me.
So here is what I have done. I created 2 gateway groups: Netflix (with Canadian ISP backup) and WAN (with failover). The Netflix gateway group has my VPN account as tier 1, and the cable modem interface as tier 2. WAN with failover operates the same way: cable modem as tier 1, 3G wireless as tier 2.
I have been able to get everything working by itself, but now I am struggling to pull it all together. I had to hose all the firewall rules I had before my cable got reconnected, as it was trying to route the traffic across it, since it wasn't registered as "Down".
I use an alias for all my devices that require US content. 10.0.0.70-10.0.0.79. These are the devices that are going to need to go across the VPN.
All other devices should go through the WAN (with failover) gateway.
I am pretty sure it is a problem with either NAT, Firewall rules, or gateway monitoring.
I attached a few pics. I will gather some more info and keep trying, but if anyone has any suggestions of what to try, that would be awesome.
![Screen shot 2013-07-19 at 9.24.15 AM.png](/public/imported_attachments/1/Screen shot 2013-07-19 at 9.24.15 AM.png)
![Screen shot 2013-07-19 at 9.23.33 AM.png](/public/imported_attachments/1/Screen shot 2013-07-19 at 9.23.33 AM.png)
![Screen shot 2013-07-19 at 9.27.47 AM.png](/public/imported_attachments/1/Screen shot 2013-07-19 at 9.27.47 AM.png)
![Screen shot 2013-07-19 at 9.27.52 AM.png](/public/imported_attachments/1/Screen shot 2013-07-19 at 9.27.52 AM.png)
![Screen shot 2013-07-19 at 9.34.14 AM.png](/public/imported_attachments/1/Screen shot 2013-07-19 at 9.34.14 AM.png)
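As an added example (not code from this thread or from pfSense), here is a small Python model of the setup described above: the two gateway groups with their tiers, the 10.0.0.70-10.0.0.79 alias, and first-match LAN rules, used to see where traffic egresses as gateways go down. It assumes pfSense picks the lowest tier with an online gateway, and that a rule whose gateways are all down falls back to the default route unless the "Skip rules when gateway is down" option is set; the gateway names, the VPN_ONLY group and the status dictionaries are constructed for the example.

```python
import ipaddress

# Gateway groups as (tier, gateway) pairs, mirroring the two groups in the post.
NETFLIX = [(1, "STRONGVPN"), (2, "CABLE")]   # VPN first, cable as backup
WAN_FAILOVER = [(1, "CABLE"), (2, "3G")]     # cable first, 3G as backup
VPN_ONLY = [(1, "STRONGVPN")]                # assumed variant: no non-VPN tier

# Aliases as inclusive address ranges; US_CONTENT is the post's 10.0.0.70-79.
US_CONTENT = (ipaddress.ip_address("10.0.0.70"), ipaddress.ip_address("10.0.0.79"))
ANY = (ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("255.255.255.255"))

def in_alias(src, alias):
    lo, hi = alias
    return lo <= ipaddress.ip_address(src) <= hi

def pick_gateway(group, status):
    """Lowest tier with an online gateway wins (load balancing within a tier ignored)."""
    for _tier, gw in sorted(group):
        if status.get(gw) == "up":
            return gw
    return None  # whole group down

def route(src, rules, status, default_gw="CABLE", skip_when_down=False):
    """First matching rule decides. A rule is (alias, group) or (alias, "BLOCK").
    If the matched group is entirely down: with skip_when_down the rule is skipped
    and later rules apply; otherwise the rule stays active without a gateway and
    the packet follows the default route (default_gw)."""
    for alias, group in rules:
        if not in_alias(src, alias):
            continue
        if group == "BLOCK":
            return "BLOCKED"
        gw = pick_gateway(group, status)
        if gw:
            return gw
        if not skip_when_down:
            return default_gw
    return "BLOCKED"  # nothing matched: implicit default deny

# The post's layout, and a stricter one that never lets US-content hosts leave via the ISP.
OP_RULES = [(US_CONTENT, NETFLIX), (ANY, WAN_FAILOVER)]
STRICT_RULES = [(US_CONTENT, VPN_ONLY), (US_CONTENT, "BLOCK"), (ANY, WAN_FAILOVER)]

if __name__ == "__main__":
    all_up = {"STRONGVPN": "up", "CABLE": "up", "3G": "up"}
    vpn_down = {"STRONGVPN": "down", "CABLE": "up", "3G": "up"}
    print(route("10.0.0.72", OP_RULES, all_up))        # STRONGVPN
    print(route("10.0.0.72", OP_RULES, vpn_down))      # CABLE: tier 2 sends it out the ISP
    print(route("10.0.0.72", STRICT_RULES, vpn_down))  # CABLE: default-route fallback still leaks
    print(route("10.0.0.72", STRICT_RULES, vpn_down, skip_when_down=True))  # BLOCKED
    print(route("10.0.0.50", OP_RULES, {"CABLE": "down", "3G": "up"}))      # 3G
```

The third and fourth runs show why a VPN-only group alone is not enough: without the skip option the rule falls back to the default route, so the block rule only takes effect when the option is set.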
-
Did you ever get this working?? I'm looking to do something very similar.
-
@joltman:
Did you ever get this working?? I'm looking to do something very similar.
I did. There were a couple of ways it can be done. I assigned IP addresses to certain devices, aliased those devices, and forced them through the VPN. Crude, but it worked.
Later on, I got them to work by using an alias again, but using a host list file that had many IP addresses in it. It wasn't so easy to find out the IP addresses of Netflix, Amazon EC2, Pandora, etc…. But it does work.
-
Would be great if you could share with us that alias :)
-
Yes. Super please. I could really use that alias.
-
Yes, I tested this and it should work fine and easily without using a proxy. When using this with a proxy, make sure your proxy works and can do balancing.
The alias list is the following sites that require a US IP:
netflix.com
hulu.com
huluplus.com
pandora.com
vudu.com
cbs.com
abc.com
spotify.com
abcfamily.go.com
abcnews.go.com
fox.com
nbc.com
nbcsports.msnbc.com
southparkstudios.com
adultswim.com
tnt.tv
tv.com
thewb.com
mtv.com
tntdrama.com
universalsports.com
rhapsody.com
mog.com
crackle.com
cinemanow.com
blockbuster.com
blockbusternow.com
hgtv.com
foodnetwork.com
usanetwork.com
sho.com
tvland.com
trutv.com
kidlet.tv
fxnetworks.com
gamecenter.nhl.com
mlb.tv
cwtv.com
mylifetime.com
comedycentral.com
amctv.com
bravotv.com
cartoonnetwork.com
video.disney.com
syfy.com
spotify.com
rdio.com
vevo.com
songza.com
slacker.com
iheart.com
Lastly, include ip-secrets.com for checking only.
Add huluim.com and static.huluim.com for Hulu to work; not sure if the latter is needed or can be omitted.
-
I'm more curious how he was able to find all the IP addresses that he needed. A lot of WireShark sniffing?
-
The list above is not perfect. Those are some common sites that we know need a US IP to browse or stream properly; no sniffing needed. Hulu seems to check your IP via huluim (not so sure about this), as some sites appear in the lower right when Firefox tries to open the site.