Redirect one or more URLs to a fixed internet gateway



  • Hi Everybody,

    Now we have 6 internet lines and are running pfSense 2.1.4 (the lines are numbered 1 to 6) and I have a little problem I want to ask you guys about: how to filter one website address (e.g. Google's Gmail service) so that it reaches a fixed internet gateway (we can choose one of the six lines above), while the other traffic runs on the 5 lines left.

    Thanks a lot.


  • Netgate Administrator

    You are presumably running a gateway group to balance the load across the existing 6 connections?

    You just need to put in a new firewall rule on LAN above the rules that currently catches traffic for the load balancing group.
    Just specify the IP(s) of the site you need in the destination and then specify the gateway to use in the advanced options.
    Your problem will be that Gmail uses many IPs, so you'll have to do some research to get a suitable list.

    Steve



  • Hi,

    You are presumably running a gateway group to balance the load across the existing 6 connections?

    Yes

    But in this case I find that Google has so many IPs on the internet; which ones can I add to the destination field for the Gmail service?

    Can you help me with the IP ranges for the Gmail service?

    Thank you!


  • Netgate Administrator

    Exactly, it's a problem.  ;)
    You can find all of Google's current IP blocks:

    steve@steve-Satellite-Pro-A300:~$ nslookup -q=TXT _netblocks.google.com 8.8.8.8
    Server:		8.8.8.8
    Address:	8.8.8.8#53
    
    Non-authoritative answer:
    _netblocks.google.com	text = "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ~all"
    
    

    That might (will) change and also includes all of Google not just gmail. Edit: Not sure now.  :-\

    Are you using https to access gmail? It would be much easier to filter IMAP/pop3 requests.

    http://briansnelson.com/How_to_find_GMAIL_IPs_to_allow_at_Firewall

    Steve



  • http://briansnelson.com/How_to_find_GMAIL_IPs_to_allow_at_Firewall

    The Gmail netblocks in the link above are fine, so do I need to add more netblocks for IPv6?

    My requirement is only that all local users can access the Gmail website; for the rest I care nothing.

    Thank You!


  • Netgate Administrator

    The ipv6 addresses are at _netblocks2.google.com if you need those too.

    Steve



  • Hi,

    This link does not work now (http://briansnelson.com/How_to_find_GMAIL_IPs_to_allow_at_Firewall). Please help me to fix it.

    Now I really need Gmail's netblocks to narrow down the IP ranges.

    Thank You!


  • Netgate Administrator

    Still works fine for me.
    I'm not sure you will ever get a list of Gmail servers. Google likely has all sorts of load balancing technology that means the addresses change very often.

    Steve



  • Google, Smoogle... Nothing like trying to hit a fast moving target.

    Personally I hate Google, I am working on "other" avenues and/or providers for email... preferably ones that don't make a habit of email "fishing".

    I know of at least one that would cost around $50-100 and provide you with pretty much unlimited addresses, is highly encrypted if need be and the "fee" is lifetime, pay it once, use indefinitely.
    There are many that are not that expensive (depending on how many addresses you require) and provide all the basics. Gmail is in my opinion mainly for Google to harvest "advertising and INFORMATION" for their "other" ventures.
    I tried using PGP Desktop for scanning and encryption and it was constantly breaking due to IPs rotating and changing constantly... I gave up, not enough value versus aggravation! ::)

    At the very least you could trim your IP requirements by several dozen IPs  ;D

    Just my ranting opinion and I'm not in your shoes so take it for what it's worth... simplify, simplify... I am a proponent of KISS... (Keep It Simple ...Stuff... :o)

    If I had 2 or 3 dozen email accounts or more to take care of I'd be very tempted (if I had several servers running 24/7 anyway) to set up my own mail server internally, only 1 to 2 IPs to worry about and I'm in control of backups AND the information.

    Anyway hope you get everything up like you want..you have excellent help...stephenw is pretty sharp.


  • Netgate Administrator

    I hear what you're saying about Google. As long as you accept that's what they're doing then what they offer in return seems quite a good deal. It just works better than anything else I've tried. Better than Hotmail anyway, or whatever they've re-branded it as these days!  ::)

    Can you force users to use a limited set of servers by using a DNS override for gmail.com? Does the connection immediately get redirected to countless other servers? That might not matter since you would have caught the traffic in the firewall rule and redirected it through the appropriate gateway by that point anyway.

    What are you hoping to achieve by using a separate connection for gmail? Do you need to match this traffic 100%?

    Steve