    DNS server and gateway by IP address and destination?

pfsensory

      I want the devices in question to use DNS A / WAN gateway in some cases, and the same devices to use DNS B / VPN gateway in other cases, solely determined by the destination address they are trying to reach.  Is the method you outlined going to accomplish that?

johnpoz (LAYER 8 Global Moderator)

        Yeah good luck with that ;)

How do you know what destination they are trying to reach when what they are asking for is a FQDN, i.e. www.something.tld?

If you want to query a specific domain name via a specific name server then set up a domain override in your forwarder or resolver that points domainX.tld to ns1 and ns2, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

pfsensory

          That would definitely do the trick for the DNS lookups. But is there a way to force traffic destined for the domains in question over one gateway, while all other traffic from the same ip addresses on the Lan goes through a different gateway?

johnpoz (LAYER 8 Global Moderator)

Again, where does the domain go? You can for sure policy route on dest IP, or even on protocol. But it's kind of hard to route to something you don't know.

If you want client 1 to use gateway x when talking to netblock 1.2.3.0/24 you can do that; if you want client 1 to use gateway x when talking on ports X-Z, sure, or you can use the ! (not) as well. If you can come up with a rule in the firewall to use a specific gateway then sure, you can send them through that gateway.

            You could use a alias in the destination that resolves to a specific IP…  In case that IP changes.

pfsensory

              So what you are saying is that in the case of Netflix (for example), my alias would already have to include every IP address (by number, not by name) that Netflix might be using (i.e. DNS would not need to be queried) for this to work?  I want to make sure I am understanding you correctly.

johnpoz (LAYER 8 Global Moderator)

You can put in netblocks. Sure, so if you know the networks that you would be going to for Netflix then you could put those into your alias.

Might be simpler to use a ! (not) rule. So for example, if there are sites you know you want to go to that don't use the VPN, then use a NOT rule that says: hey, if not going here, then use the VPN.

If you want to circumvent regional restrictions for your devices that play Netflix, for example, it's just much easier to put in a policy so they use your VPN based upon their IP.

pfsensory
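The two mechanisms johnpoz describes in the posts above, a domain override in the resolver and a destination-based policy route with a ! (not) catch-all, are easy to get subtly wrong in two ways: rule order (pf is first match, and pfSense rules are "quick") and override scope (a domain override matches whole DNS labels, not substrings). The following is an added example written for this page, not code from the thread or from pfSense; it simulates both behaviours offline so you can check a ruleset before committing it. The table names, the gateway labels WAN_GW/VPN_GW, the SMART_DNS/VPN_DNS labels, and every address are constructed placeholders; the "netflix" netblocks are RFC 5737 documentation ranges, not Netflix's real address space.

```python
"""Added example: a first-match policy-routing and domain-override simulator.

Models what the thread discusses: an unbound-style domain override (only
names under one zone go to the "smart DNS") and pf-style rules with
route-to gateways, including the "! <table>" negated-destination form.
All addresses, names and labels below are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed tables. The "netflix" entries are RFC 5737 documentation
# ranges standing in for whatever netblocks you put in the alias; they are
# NOT Netflix's real address space.
TABLES = {
    "netflix": [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")],
    "settop":  [ip_network("192.168.1.10/32"), ip_network("192.168.1.11/32")],
    "lan":     [ip_network("192.168.1.0/24")],
    "rfc1918": [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")],
}


@dataclass(frozen=True)
class Rule:
    src: str                        # table name or "any"
    dst: str                        # table name or "any"
    negate_dst: bool = False        # pf "! <table>" on the destination
    route_to: Optional[str] = None  # gateway label; None = system routing table
    label: str = ""


def in_table(addr, name):
    return name == "any" or any(addr in net for net in TABLES[name])


def matches(rule, src, dst):
    if not in_table(src, rule.src):
        return False
    hit = in_table(dst, rule.dst)
    return not hit if rule.negate_dst else hit


def gateway_for(ruleset, src, dst):
    """pf evaluates top-down; pfSense rules are 'quick', so first match wins."""
    s, d = ip_address(src), ip_address(dst)
    for rule in ruleset:
        if matches(rule, s, d):
            return rule.route_to or "default"
    return "blocked"   # nothing matched: implicit deny


# Working order: local exemption first (so the VPN policy route does not
# swallow traffic to other local subnets), then the Netflix exception to
# the WAN gateway, then the "! netflix" catch-all to the VPN gateway.
RULESET = [
    Rule("settop", "rfc1918", label="local traffic, normal routing"),
    Rule("settop", "netflix", route_to="WAN_GW", label="netflix out the WAN"),
    Rule("settop", "netflix", negate_dst=True, route_to="VPN_GW",
         label="everything else via VPN"),
    Rule("lan", "any", label="other LAN hosts, normal routing"),
]

# Common mistake: a catch-all "settop -> any via VPN" placed above the
# exception. First match wins, so the exception below it never fires.
MISORDERED = [
    Rule("settop", "any", route_to="VPN_GW"),
    Rule("settop", "netflix", route_to="WAN_GW"),
]


def resolver_for(qname, overrides, default):
    """Domain override the way unbound's forward-zone does it: match on
    whole DNS labels (longest matching suffix wins), never on substrings."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in overrides:
            return overrides[zone]
    return default


# Constructed override: only the netflix.com zone goes to the smart DNS.
OVERRIDES = {"netflix.com": "SMART_DNS"}


if __name__ == "__main__":
    for dst in ("198.51.100.7", "192.0.2.44", "192.168.2.5"):
        print(dst, "->", gateway_for(RULESET, "192.168.1.10", dst))
    for name in ("www.netflix.com", "notnetflix.com"):
        print(name, "->", resolver_for(name, OVERRIDES, "VPN_DNS"))
```

In pfSense terms, RULESET corresponds to LAN-tab rules with the Gateway set under the rule's advanced options (the first rule with no gateway keeps local traffic on the system routing table), and OVERRIDES corresponds to an entry under Services > DNS Resolver > Domain Overrides. Two caveats the simulation makes visible: the override only changes which server answers the name, so the client's connections still need the policy route to leave via WAN; and if the "netflix" alias is built from hostnames rather than netblocks, pfSense refreshes it on a timer, so a CDN that rotates addresses can fall through to the "! netflix" rule and exit the VPN.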

The problem is that Netflix is now blocking traffic coming from VPNs. So I would like to make use of a "smart DNS" service only to access Netflix, using my WAN interface, so that I can access content. For the remainder of the traffic to/from my set-top boxes (other than Netflix), I want to use my VPN client interface and its associated DNS servers. Apart from Netflix, I do not want any other DNS lookups going to the "smart DNS" servers (concern re privacy/security/etc.), and the traffic for Netflix cannot go out over the VPN interface. That's what I am trying to make work.

johnpoz (LAYER 8 Global Moderator)

Then point your client to your smart DNS and don't route its traffic over your VPN.

pfsensory

                      Unfortunately, I still want the remainder of the traffic to exit via the VPN.  I guess this is not possible, and the best course of action is to use a different device (with a different IP address on my LAN) to access netflix, and that device can use the WAN interface instead of the VPN.

KOM

> The problem is that Netflix is now blocking traffic coming from VPNs.

                        From known VPN providers.  Rent yourself a VPS for $5/month, configure OpenVPN on it and then connect to that instead of using a global provider.  Netflix is only trying to appease content providers, so as long as you're not using a well-known VPN provider or one that advertises specifically for getting around geoblocking, you should be good.

pfsensory

                          Hmm.  Very interesting suggestion.  What are the privacy implications of this method? (I would suppose that all the traffic exiting from the VPS could easily be snooped and traced back to you, since it is not mixed with anyone else's traffic as it would be with a commercial VPN provider)

cmb

@pfsensory:
> Hmm. Very interesting suggestion. What are the privacy implications of this method? (I would suppose that all the traffic exiting from the VPS could easily be snooped and traced back to you, since it is not mixed with anyone else's traffic as it would be with a commercial VPN provider)

                            Depends on what type of VPS it is. I have a few largely for test purposes from lowendspirit.com which are NAT-only IPv4 (with a handful of ports forwarded), public IPv6. In that case there are hundreds if not thousands of VPSes going out the same IPv4 IP.

pfsensory

                              What kind of throughput can you get if the VPN server is hosted on one of these VPS, and pfSense is the client?

cmb

                                It depends. I don't use them for VPN performance testing, or for VPN at all on any routine basis, but generally can get multi-hundred Mbps Internet and maybe 100 Mb VPN. At ~$5 USD/year per VPS, you can't expect consistently top notch performance.

pfsensory

                                  I will definitely look into this possibility.

KOM

                                    I just tested download throughput from my VPS and it almost saturated my 30 Mbps link.  VPN would add some overhead to that, but it's still good enough for me.

johnpoz (LAYER 8 Global Moderator)

I run multiple VPS; low end can be had for a lot less than $5 a month… I have multiples in the $15 a year range, a couple at $12 a year and 1 even at $6 a year (but they no longer sell at this price).

Installing OpenVPN Access Server on them is click click. You don't need all that much to move some packets around. My $15 a year VPS come with 500GB a month xfer.

Happy to send you some referral links if you want; the $15 a year comes with IPv6 as well.

KOM

> Happy to send you some referral links if you want; the $15 a year comes with IPv6 as well.

                                        Please post them publicly.  I'd be interested in not just cheap VPS but reliable from your point of view.

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.