Direct Windows update to a certain wan

rvandam · Sep 1, 2015, 7:36 AM

I want to route all trafic for Windows update to a certain wan. The problem is that Microsoft changes ip address of the update service very often for security reasons. The only way is to make firewall rules on domain name instead of ip address.

Is this possible in Pfsense? I tried but I get errors trying to add a doamin name.

For anybody interested here is the list:

http://windowsupdate.microsoft.com
http://.windowsupdate.microsoft.com
https://.windowsupdate.microsoft.com
http://.update.microsoft.com
https://.update.microsoft.com
http://.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
http://stats.microsoft.com
https://stats.microsoft.com

KOM · Sep 1, 2015, 1:37 PM

This won't work 100%. Companies like MS will use many IPs under one domain for load-balancing reasons. Each resolution request can return a different IP address. The only real way to do it is to get your hands on a complete list of IP addresses used by MS for WU. Or better yet, get a WSUS server, make your rules source-based instead of destination-based and be done with it.

muswellhillbilly · Sep 1, 2015, 1:54 PM

Alternately, create a separate internal NIC on a different VLAN from your clients, route that through to the other external WAN address and make that the default gateway for your servers only.

jimp · Sep 2, 2015, 8:16 PM

1. Use WSUS or whatever its current equivalent is called.
2. Route traffic from that server out the WAN you want.

:-)

rvandam · Sep 26, 2015, 2:15 PM

Sorry for my late reply.

I run a network with all private computers, and running a WSUS server seems to be a bit overkill. I just want to manage the traffic.

I found a list with ip adresses owned by Microsoft. However this list is 464 adresses long. Way too long to insert manually. I wrote a little script to make config.xml rules based on the ip adresses. This resulted in 14384 lines.

This raises a few questions:

Is it ok to add firewall rules manually into config.xml?
will it lead to performance issues, having 464 extra firewall rules?

I have added a file with the rules as attachment.

rules-pfsenseforum.txt

Harvy66 · Sep 26, 2015, 3:40 PM

WSUS servers are meant for private networks. How is that "overkill"? The list of IPs could change at any moment.

jimp · Sep 26, 2015, 4:20 PM

^ What he said.

Also, don't use multiple firewall rules, put all those addresses in an alias if you insist on doing it that way. Don't be surprised when it doesn't work because they use a CDN that isn't in the block.

KOM · Sep 28, 2015, 1:14 PM

If you have enough computers that you need to worry about bandwidth used by WU, then you likely need a WSUS.