Netgate Discussion Forum

Direct Windows update to a certain wan

rvandam, last edited Sep 1, 2015, 7:36 AM

I want to route all traffic for Windows Update to a certain WAN. The problem is that Microsoft changes the IP address of the update service very often for security reasons. The only way is to make firewall rules on the domain name instead of the IP address.

Is this possible in pfSense? I tried but I get errors trying to add a domain name.

    For anybody interested here is the list:

http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
http://stats.microsoft.com
https://stats.microsoft.com

KOM, last edited Sep 1, 2015, 1:37 PM

      This won't work 100%.  Companies like MS will use many IPs under one domain for load-balancing reasons.  Each resolution request can return a different IP address.  The only real way to do it is to get your hands on a complete list of IP addresses used by MS for WU.  Or better yet, get a WSUS server, make your rules source-based instead of destination-based and be done with it.

muswellhillbilly, last edited Sep 1, 2015, 1:54 PM

        Alternately, create a separate internal NIC on a different VLAN from your clients, route that through to the other external WAN address and make that the default gateway for your servers only.

jimp (Rebel Alliance Developer, Netgate), last edited Sep 2, 2015, 8:16 PM

          1. Use WSUS or whatever its current equivalent is called.
          2. Route traffic from that server out the WAN you want.

          :-)

rvandam, last edited Sep 26, 2015, 2:15 PM

            Sorry for my late reply.

I run a network with all private computers, and running a WSUS server seems to be a bit overkill. I just want to manage the traffic.

I found a list with IP addresses owned by Microsoft. However, this list is 464 addresses long. Way too long to insert manually. I wrote a little script to make config.xml rules based on the IP addresses. This resulted in 14384 lines.

This raises a few questions:

• Is it OK to add firewall rules manually into config.xml?
• Will it lead to performance issues, having 464 extra firewall rules?

            I have added a file with the rules as attachment.

            rules-pfsenseforum.txt

Harvy66, last edited Sep 26, 2015, 3:40 PM

              WSUS servers are meant for private networks. How is that "overkill"? The list of IPs could change at any moment.

jimp (Rebel Alliance Developer, Netgate), last edited Sep 26, 2015, 4:20 PM

                ^ What he said.

                Also, don't use multiple firewall rules, put all those addresses in an alias if you insist on doing it that way. Don't be surprised when it doesn't work because they use a CDN that isn't in the block.

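An added example (not rvandam's script and not pfSense's own code) of the approach jimp suggests for the 464-address list from the earlier post: collapse the ranges, emit one alias in the layout pfSense 2.x writes to config.xml, and reference it from a single policy-routing rule instead of generating one rule per address. The alias name WU_Ranges, the gateway name WAN2GW and the sample ranges are assumptions; the ranges are constructed RFC 5737 documentation prefixes, not Microsoft's real list.

```python
import ipaddress
from xml.sax.saxutils import escape

# Constructed sample input standing in for the poster's 464-entry list.
# These are RFC 5737 documentation prefixes, not Microsoft's real ranges.
SAMPLE_RANGES = [
    "192.0.2.0/25", "192.0.2.128/25",      # two halves of one /24
    "198.51.100.0/24", "198.51.100.7",     # a host already covered by its /24
    "203.0.113.0/24", "203.0.113.64/26",   # a /26 inside its /24
]

def collapse(entries):
    """Merge adjacent and overlapping prefixes so the alias stays short;
    pfSense loads the alias into one pf table, so fewer entries is cheaper."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def alias_xml(name, entries, descr):
    """One <alias> element as pfSense 2.x stores it in config.xml: entries are
    space-separated in <address>, per-entry notes are '||'-separated in
    <detail>. Alias names may only contain letters, digits and '_'."""
    nets = collapse(entries)
    return "\n".join([
        "<alias>",
        f"  <name>{escape(name)}</name>",
        "  <type>network</type>",
        f"  <address>{' '.join(nets)}</address>",
        f"  <descr><![CDATA[{descr}]]></descr>",
        f"  <detail><![CDATA[{'||'.join(['generated'] * len(nets))}]]></detail>",
        "</alias>",
    ])

def policy_rule_xml(alias_name, iface, gateway):
    """One pass rule on the client-facing interface that policy-routes traffic
    to the alias out a chosen gateway. The gateway name is an assumption: use
    the name pfSense shows under System > Routing for the second WAN."""
    return "\n".join([
        "<rule>",
        "  <type>pass</type>",
        "  <ipprotocol>inet</ipprotocol>",
        f"  <interface>{escape(iface)}</interface>",
        "  <source><any/></source>",
        f"  <destination><address>{escape(alias_name)}</address></destination>",
        f"  <gateway>{escape(gateway)}</gateway>",
        "  <descr><![CDATA[Policy-route Windows Update ranges]]></descr>",
        "</rule>",
    ])

if __name__ == "__main__":
    print(alias_xml("WU_Ranges", SAMPLE_RANGES, "Windows Update ranges (generated)"))
    print(policy_rule_xml("WU_Ranges", "lan", "WAN2GW"))
```

Paste the alias block into the aliases section and the rule into the rules section of a config backup and restore it, rather than editing the live config.xml by hand; as KOM and jimp note above, any static list will still miss addresses served from a CDN.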
KOM, last edited Sep 28, 2015, 1:14 PM

                  If you have enough computers that you need to worry about bandwidth used by WU, then you likely need a WSUS.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.