Route specific sites over separate WAN interface



  • Hi there,

    my current situation is as follows: We've got a 4 Mbit/s DSL on WAN1 and an LTE router with about 40 Mbit/s on WAN2. What I'd like to accomplish is to route all traffic over LTE, except traffic-heavy sites specified by me (like Youtube or Vimeo, because I've only got about 10GB traffic volume on the LTE).

    I already figured out that this could be done via aliases and corresponding firewall rules ("using gateway: WAN2"), but it's kind of fiddly to get all the IPs for these sites (as Youtube uses dozens or even hundreds of different IPs, while also using subdomains that do not fit into *.youtube.com).

    Ideally, pfSense could detect some sort of flash/HTML5 video traffic and dynamically route it via the DSL link. Or maybe there is another way?

    What would be, in your opinion, the most efficient way of achieving this?  ???

    Thank you in advance for your help, it's really appreciated!  :)



  • I'm currently trying to do the same thing. I have a capped connection that is fast (50 Mbps) but only has 350 GB per month. I keep going over and getting charged more. I also have an unlimited slow DSL connection (8 Mbps) that I'd like to use for sites like YouTube. I was able to obtain all of YouTube's IP addresses, but there are currently 5812 of them. I can set up pfSense to pull a text file of these addresses and create an alias for "Youtube", but I'm worried about the performance of this setup. The aliases page specifically says this: Use only with small sets of IP addresses (less than 3000).

    I've already done this with Facebook as they have < 80 IP addresses.
    Using this command, I have whois return all the available IP addresses for facebook.com:
    whois -h whois.radb.net -- '-i origin AS32934' | awk '/^route:/ {print $2;}' | sort | uniq > facebook.txt
    I tested it by blocking this alias, and it works great. However, YouTube has way more IP addresses than Facebook. When I tried to do this with YouTube, it only imported 2998 IP addresses instead of 5812.

    Anyone got any other options?



  • Hi all,
    With in_finity's command you can also use the pfBlocker module.
    Regards.



  • @wildcard:

    I'm currently trying to do the same thing. I have a capped connection that is fast (50 Mbps) but only has 350 GB per month. I keep going over and getting charged more. I also have an unlimited slow DSL connection (8 Mbps) that I'd like to use for sites like YouTube. I was able to obtain all of YouTube's IP addresses, but there are currently 5812 of them. I can set up pfSense to pull a text file of these addresses and create an alias for "Youtube", but I'm worried about the performance of this setup. The aliases page specifically says this: Use only with small sets of IP addresses (less than 3000).

    I've already done this with Facebook as they have < 80 IP addresses.
    Using this command, I have whois return all the available IP addresses for facebook.com:
    whois -h whois.radb.net -- '-i origin AS32934' | awk '/^route:/ {print $2;}' | sort | uniq > facebook.txt
    I tested it by blocking this alias, and it works great. However, YouTube has way more IP addresses than Facebook. When I tried to do this with YouTube, it only imported 2998 IP addresses instead of 5812.

    Anyone got any other options?

    How do I get the Facebook IPs using this command: whois -h whois.radb.net -- '-i origin AS32934' | awk '/^route:/ {print $2;}' | sort | uniq > facebook.txt ?

    Where do I put that in pfSense? Thanks.



  • My test systems are on pfSense 2.2-BETA now, so I did:

    > pkg install whois
    

    That got me a program called "mwhois" - just like way back here in 2009: https://forum.pfsense.org/index.php?topic=14093.msg74950#msg74950

    Then I can do:

    mwhois -h whois.radb.net -- '-i origin AS32934' | awk '/^route:/ {print $2;}' | sort | uniq > /tmp/facebook.txt
    

    and I get a nice list of IPv4 subnets in the file.

    I guess you can install the pfSense Cron GUI package and use that to add this command as a regular Cron job to keep the list as up-to-date as you wish.

    I don't expect that "mwhois" will cause any nasty side-effects on a pfSense - but of course there is no warranty when you manually install extra FreeBSD packages.
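As an added worked example for this thread (not code from any of the posts, and not pfSense's own code), here is a Python version of the whois/awk pipeline from the earlier posts that also collapses overlapping and adjacent prefixes, which is one way to bring a list like the 5812-entry YouTube one nearer the "less than 3000" alias guidance the second post quotes, and it warns when the result is still over that figure. The whois output embedded below is constructed for the example and uses the documentation ASN AS64500 as a placeholder; running it on pfSense assumes a Python interpreter is available there. In practice you would pipe the output of the mwhois command from the last post into it from the cron job described there and serve the resulting file to an alias.

```python
"""Turn RADB route objects for one origin AS into a pfSense alias list.

Added example for this thread (not code from the posts or from pfSense).
It does in Python what `whois ... | awk '/^route:/ ...' | sort | uniq`
does, and additionally merges overlapping and adjacent prefixes so the
list stays smaller. The whois output below is constructed and uses the
documentation ASN AS64500; substitute the real origin AS and feed in real
whois/mwhois output.
"""
import ipaddress
import re
import sys

# Guidance quoted from the pfSense Aliases page in the thread.
ALIAS_LIMIT = 3000

# Matches the "route:" (IPv4) and "route6:" (IPv6) attributes of RPSL objects.
ROUTE_RE = re.compile(r"^route6?:\s*(\S+)\s*$", re.MULTILINE)

# Constructed sample: a duplicated object, two adjacent /24s that merge into
# one /23, and one IPv6 route.
SAMPLE_WHOIS_OUTPUT = """\
route:          203.0.113.0/24
descr:          Example block A
origin:         AS64500
source:         RADB

route:          203.0.113.0/24
descr:          same object seen again from a mirror
origin:         AS64500
source:         RADB

route:          198.51.100.0/24
origin:         AS64500
source:         RADB

route:          198.51.101.0/24
origin:         AS64500
source:         RADB

route6:         2001:db8::/32
origin:         AS64500
source:         RADB
"""


def parse_routes(whois_text):
    """Return the unique prefixes from route:/route6: lines, in order seen."""
    found = []
    for match in ROUTE_RE.finditer(whois_text):
        try:
            net = ipaddress.ip_network(match.group(1), strict=False)
        except ValueError:
            continue  # skip a malformed object instead of aborting the whole run
        if net not in found:
            found.append(net)
    return found


def collapse(prefixes):
    """Merge overlapping and adjacent prefixes, one IP version at a time."""
    v4 = [p for p in prefixes if p.version == 4]
    v6 = [p for p in prefixes if p.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def build_alias(whois_text, limit=ALIAS_LIMIT):
    """Return (alias_lines, over_limit) for a one-prefix-per-line alias file."""
    nets = collapse(parse_routes(whois_text))
    lines = [str(n) for n in nets]
    return lines, len(lines) > limit


if __name__ == "__main__":
    # Real use: mwhois -h whois.radb.net -- '-i origin AS64500' | python3 radb_alias.py > alias.txt
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WHOIS_OUTPUT
    lines, over = build_alias(text)
    print("\n".join(lines))
    if over:
        sys.stderr.write("warning: %d entries exceeds the %d-entry alias guidance\n"
                         % (len(lines), ALIAS_LIMIT))
```

On the constructed sample the four distinct route objects come out as three alias lines (198.51.100.0/23, 203.0.113.0/24 and 2001:db8::/32). The filename radb_alias.py in the usage comment is a placeholder; the script reads whatever is piped to it and falls back to the embedded sample when run interactively.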