DNS server and gateway by IP address and destination?



  • I am wondering if it is possible to make the following setup work?

    For certain devices on my network, I would like to use a certain gateway and a certain DNS server but only when they are accessing certain services.  For all other web traffic from these devices, I want to use a different gateway and DNS servers.

    For example:

    • source IP = DEVICES (alias for all the IP addresses on my LAN that I want to use this approach for - alternatively, these could be set up as static IPs if needed)
    • for all traffic to Netflix from DEVICES, DEVICES should use 208.122.23.23/208.122.23.22 for DNS lookups (these are the DNS servers for unblockus) and traffic should exit on the WAN gateway
    • for all traffic to anywhere else from DEVICES, DEVICES should use [other DNS servers] for DNS lookups and traffic should exit on the OpenVPNclient gateway.
    • for all traffic to anywhere not from DEVICES (i.e. !DEVICES), my ISP DNS servers should be used and traffic should exit on the WAN gateway.

    Is this sort of setup possible?  And if so, how would I implement it?

    Any help would be appreciated.


  • Rebel Alliance Global Moderator

    Well, the simple solution is to just have your devices use the DNS you want them to use, and set up policy-based routing so those devices use your VPN.  Just set up those devices, be it static or with DHCP reservations, to use the DNS you want them to use.



  • I want the devices in question to use DNS A / WAN gateway in some cases, and the same devices to use DNS B / VPN gateway in other cases, solely determined by the destination address they are trying to reach.  Is the method you outlined going to accomplish that?


  • Rebel Alliance Global Moderator

    Yeah good luck with that ;)

    How do you know what destination they are trying to reach when what they are asking for is a FQDN, i.e. www.something.tld?

    If you want to query a specific domain name via a specific name server, then set up a domain override in your forwarder or resolver that points domainX.tld to ns1 and ns2, etc..
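    The domain override the moderator describes, written as a raw Unbound forward-zone (Unbound is what the pfSense DNS Resolver runs; in the GUI the same thing is Services > DNS Resolver > Domain Overrides). This is an added example, not configuration from the thread; the zone name netflix.com is an assumption and the two forwarder addresses are the ones the original poster named.

```conf
# Added example (not from the original post): scope a third-party DNS
# forwarder to a single zone so no other lookups ever reach it.
server:
    # Resolve everything else normally (recursion from the root), so queries
    # for all other names never touch the forwarder below.
    do-not-query-localhost: yes

forward-zone:
    # Only names under this zone are sent to the third-party servers.
    # "netflix.com" is assumed here; add a separate forward-zone block for
    # each additional zone the service documents, nothing broader.
    name: "netflix.com"
    forward-addr: 208.122.23.23
    forward-addr: 208.122.23.22
```

    The same override in the dnsmasq-based DNS Forwarder would be `server=/netflix.com/208.122.23.23`. Either way the forwarder only ever sees queries for the listed zone, which is the privacy property asked for later in the thread; a check is to run `dig @<firewall LAN IP> www.netflix.com` and `dig @<firewall LAN IP> example.com` and confirm from the firewall's outbound traffic (e.g. `tcpdump -ni <WAN> port 53`) that only the first one produces packets to 208.122.23.x. Note that the forwarded queries originate from the firewall itself and follow its own routing table, not the LAN policy-routing rules.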



    That would definitely do the trick for the DNS lookups. But is there a way to force traffic destined for the domains in question over one gateway, while all other traffic from the same IP addresses on the LAN goes through a different gateway?


  • Rebel Alliance Global Moderator

    Again, where does the domain go??  You can for sure policy route on dest IP or protocol even.  But it's kind of hard to route to something you don't know.

    If you want client 1 to gateway x when talking to netblock 1.2.3.0/24 you can do that - if you want client 1 to use gateway x when talking port X-Z sure.. or you can use the ! not as well..  IF you can come up with a rule in the firewall to use a specific gateway then sure you can send them through that gateway.

    You could use an alias in the destination that resolves to a specific IP…  In case that IP changes.



  • So what you are saying is that in the case of Netflix (for example), my alias would already have to include every IP address (by number, not by name) that Netflix might be using (i.e. DNS would not need to be queried) for this to work?  I want to make sure I am understanding you correctly.


  • Rebel Alliance Global Moderator

    You can put in netblocks… Sure, so if you know the networks that you would be going to for netflix then you could put those into your alias.

    Might be simpler to use a ! not rule -- so for example if there are sites you know you want to go to that you don't use the vpn for, then use a NOT rule that says hey if not going here, then use the vpn sort of rule.

    If you want to circumvent regional restrictions for your devices that play netflix for example.. it's just much easier to put in a policy so they use your vpn based upon their IP.
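    What the last two moderator posts describe (policy-route by source alias and destination netblock alias, with the "! not" form as the alternative), written as a pf ruleset of the kind pfSense generates from the Firewall > Rules LAN tab. This is an added example, not configuration from the thread or from pfSense itself; the interface names, gateway addresses, the LAN subnet, the two device addresses and the 198.51.100.0/24 destination netblock are all placeholders (RFC 5737 documentation ranges).

```pf
# Added example (not from the original post). All names and addresses below
# are placeholders; substitute your own interfaces, gateways and netblocks.
lan_if  = "em1"
wan_if  = "em0"
wan_gw  = "203.0.113.1"     # WAN upstream gateway (placeholder)
vpn_if  = "ovpnc1"
vpn_gw  = "10.8.0.1"        # OpenVPN client peer address (placeholder)
lan_net = "192.168.1.0/24"

# Source alias: the set-top boxes. Static leases or DHCP reservations keep
# these addresses stable.
table <DEVICES>      { 192.168.1.50, 192.168.1.51 }
# Destination alias: netblocks that must exit via WAN. In pfSense an alias
# may also hold FQDNs, which filterdns re-resolves periodically and loads
# into this table, covering the "in case that IP changes" point above.
table <NETFLIX_NETS> { 198.51.100.0/24 }

# 1. Local traffic first, with no route-to: DNS queries to the firewall's
#    resolver and anything else on the LAN must not be pushed out a gateway.
pass in quick on $lan_if inet from <DEVICES> to $lan_net keep state

# 2. Selected destinations from DEVICES exit via WAN.
pass in quick on $lan_if route-to ( $wan_if $wan_gw ) inet \
    from <DEVICES> to <NETFLIX_NETS> keep state

# 3. Everything else from DEVICES exits via the VPN client.
pass in quick on $lan_if route-to ( $vpn_if $vpn_gw ) inet \
    from <DEVICES> to any keep state

# The moderator's "! not" variant collapses rules 2 and 3 into one, which
# then relies on the default route (WAN) for the excluded netblocks:
#   pass in quick on $lan_if route-to ( $vpn_if $vpn_gw ) inet \
#       from <DEVICES> to ! <NETFLIX_NETS> keep state

# 4. Hosts that are not DEVICES get the default route, i.e. WAN.
pass in quick on $lan_if inet from ! <DEVICES> to any keep state
```

    Order matters because every rule is `quick`: the local-traffic rule has to sit above the route-to rules or the devices' own DNS queries to the firewall get policy-routed too. The VPN interface also needs an outbound NAT rule for the LAN subnet, otherwise rule 3 forwards packets with a private source address that the VPN peer drops. A quick check from one of the DEVICES is `traceroute` to an address inside the destination alias and to an address outside it; the first hop after the firewall should differ, and `pfctl -vvsr` on the firewall shows the per-rule packet counters incrementing on the rule you expect.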



  • The problem is that Netflix is now blocking traffic coming from VPNs.  So I would like to make use of a "smart DNS" service only to access Netflix, using my WAN interface, so that I can access content.  For the remainder of the traffic to/from my set-top boxes (other than Netflix), I want to use my VPNclient interface and its associated DNS servers. Apart from Netflix, I do not want any other DNS lookups going to the "smart DNS" servers (concern re privacy/security/etc), and the traffic for Netflix cannot go out over the VPN interface.  That's what I am trying to make work.


  • Rebel Alliance Global Moderator

    then point your client to your smartdns and don't route its traffic over your vpn..



  • Unfortunately, I still want the remainder of the traffic to exit via the VPN.  I guess this is not possible, and the best course of action is to use a different device (with a different IP address on my LAN) to access netflix, and that device can use the WAN interface instead of the VPN.



  • The problem is that Netflix is now blocking traffic coming from VPNs.

    From known VPN providers.  Rent yourself a VPS for $5/month, configure OpenVPN on it and then connect to that instead of using a global provider.  Netflix is only trying to appease content providers, so as long as you're not using a well-known VPN provider or one that advertises specifically for getting around geoblocking, you should be good.



  • Hmm.  Very interesting suggestion.  What are the privacy implications of this method? (I would suppose that all the traffic exiting from the VPS could easily be snooped and traced back to you, since it is not mixed with anyone else's traffic as it would be with a commercial VPN provider)



  • @pfsensory:

    Hmm.  Very interesting suggestion.  What are the privacy implications of this method? (I would suppose that all the traffic exiting from the VPS could easily be snooped and traced back to you, since it is not mixed with anyone else's traffic as it would be with a commercial VPN provider)

    Depends on what type of VPS it is. I have a few largely for test purposes from lowendspirit.com which are NAT-only IPv4 (with a handful of ports forwarded), public IPv6. In that case there are hundreds if not thousands of VPSes going out the same IPv4 IP.



  • What kind of throughput can you get if the VPN server is hosted on one of these VPS, and pfSense is the client?



  • It depends. I don't use them for VPN performance testing, or for VPN at all on any routine basis, but generally can get multi-hundred Mbps Internet and maybe 100 Mb VPN. At ~$5 USD/year per VPS, you can't expect consistently top notch performance.



  • I will definitely look into this possibility.



  • I just tested download throughput from my VPS and it almost saturated my 30 Mbps link.  VPN would add some overhead to that, but it's still good enough for me.


  • Rebel Alliance Global Moderator

    I run multiple vps, low end can be had for a lot less than $5 a month… I have multiples in the $15 a year range, couple at $12 a year and 1 even at $6 a year (but they no longer sell at this price).

    Installing openvpn access server on them is click click.. You don't need all that much to move some packets around.. My $15 a year vps come with 500GB a month xfer..

    Happy to send you some referral links if you want, the $15 a year comes with IPv6 as well.



  • Happy to send you some referral links if you want, the $15 a year comes with IPv6 as well.

    Please post them publicly.  I'd be interested in not just cheap VPS but reliable from your point of view.