OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: gotschi on January 06, 2022, 04:23:04 pm

Title: Help needed with Domain based routing
Post by: gotschi on January 06, 2022, 04:23:04 pm
Hi,

I would like to route specific domains via a VPN site.
OPNsense runs my WireGuard server, which has a WG client (site) connected to it.

I then create a Firewall - Alias:
- Name: Proxied
- Type: Host(s)
- Content: domain.com

I'm not sure what the next steps would be, but I tried:
adding a Firewall - NAT - Outbound rule
- Iface: WAN
- Destination: Proxied
- (I tried translation to the WG site address / router)

adding a Firewall Rule - Rules - WAN:
- iface: WAN
- direction: out
- destination: proxied
- gateway: site router address

traceroute shows that the domain gets caught, but it refuses to go over the VPN.

can anyone here tell me how to achieve this routing? Thank you!
Title: Re: Help needed with Domain based routing
Post by: 8191 on January 06, 2022, 04:53:37 pm
Not sure if I understand correctly what you want to achieve, but I assume you want to route HTTP traffic for certain websites via a different site (to connect to the HTTP server using a different public IP).

I assume the VPN tunnel is not set up to carry any IP addresses other than internal ones (local net and remote net are typically private IPs), but domain.com resolves to a public IP which is not part of the tunnel network.
If so, then extend your VPN tunnel ranges.

If I got the task, I'd do it a slightly different way:
Title: Re: Help needed with Domain based routing
Post by: gotschi on January 06, 2022, 06:43:02 pm
Quote
but I assume you want to route HTTP traffic for certain websites via a different site

totally correct.

I would like to keep my AdGuard DNS out of play here; I think this should be doable with routes and aliases?

I just have no experience where to put the rule?
WAN?
Floating?
LAN?

In the meantime I added the remote site gateway in OPNsense, with "Far Gateway" set.
I can now use this gateway for my rules, just need to try until I get it working...

The connection to domain.com is already caught by OPNsense, but
traceroute domain.com does not leave OPNsense for the remote site yet.
Title: Re: Help needed with Domain based routing
Post by: 8191 on January 06, 2022, 08:20:39 pm
Can you share your VPN configuration? Especially the networks in the tunnel.
Title: Re: Help needed with Domain based routing
Post by: gotschi on January 06, 2022, 08:54:59 pm
There's really not much to the VPN config:

local LAN is 10.0.57.0/24
OPNsense is 10.0.57.1/32,
WG server resides on 10.0.59.1,
Site 1 is PTP connected as 10.0.59.2/32

Site 1 has routes for my LAN (10.0.57.0/24 via 10.0.59.2 on 10.0.55.4)

I will gladly share my config if you need specifics, but the whole config has too much sensitive info in it :D
Title: Re: Help needed with Domain based routing
Post by: lfirewall1243 on January 06, 2022, 08:58:39 pm
Make sure the client and OPNsense are using the same DNS server.

Create a Gateway with the remote VPN tunnel IP.

Create an Alias with the FQDNs you want to route.

Create a Firewall Rule on the first interface where the traffic matches (normally LAN) (the rule must be before your normal Allow rule) with

Source: Interface Network
Destination: the created Alias
Gateway: the created Gateway
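What the three steps above produce in pf terms, and why 8191's earlier point about extending the tunnel ranges matters for the same setup. This is an added illustration written for this thread, not a ruleset taken from OPNsense or from any post here. The interface names (igb0, wg0) are assumptions; the LAN net 10.0.57.0/24 and the tunnel peer 10.0.59.2 are the values given later in the thread.

```pf
# Assumed interface names; OPNsense substitutes its own internal names.
lan_if  = "igb0"
wg_if   = "wg0"
lan_net = "10.0.57.0/24"

# Step "Alias": a host alias holding an FQDN becomes a pf table. pf cannot
# resolve names per packet; the FQDN is resolved by the firewall's own
# resolver when the table is (re)loaded. If the LAN client resolves
# domain.com to a different address than OPNsense does, its packets never
# match <Proxied> at all, which is why client and firewall should use the
# same DNS server.
table <Proxied> { domain.com }

# Step "Gateway" + step "Firewall Rule": policy-route matching LAN traffic
# into the tunnel toward the remote tunnel IP. OPNsense interface rules are
# "quick" by default, so the first matching rule wins and this rule must sit
# above the generic allow rule below.
pass in quick on $lan_if inet from $lan_net to <Proxied> \
    route-to ($wg_if 10.0.59.2) keep state

# The normal LAN allow rule stays underneath it.
pass in quick on $lan_if inet from $lan_net to any keep state
```

Two checks that decide whether this actually carries traffic. First, `pfctl -t Proxied -T show` on the firewall lists the addresses currently in the table; compare them with what the LAN client's resolver returns for domain.com, since a mismatch means the rule is never hit. Second, route-to only hands the packet to the WireGuard interface; WireGuard then applies its own cryptokey routing and silently drops any packet whose destination is not covered by that peer's Allowed IPs. For a public destination the peer on the OPNsense side therefore needs Allowed IPs that include that address (or 0.0.0.0/0 for this peer), and the remote site's Allowed IPs for OPNsense must cover 10.0.57.0/24 so replies are accepted on the way back. That is the "extend your VPN tunnel ranges" advice in concrete form.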
Title: Re: Help needed with Domain based routing
Post by: gotschi on January 06, 2022, 09:47:36 pm
EDIT: attached my full config, maybe someone can spot the culprits.

Quote
Make sure Client and OPNsense are using the same DNS Server

I use different DNS servers at each site (AdGuard Home in the local LAN on 10.0.57.28, Google 8.8.8.8 on site 1). Is there a reason why they should use the same? Edit: Oh, I guess you mean the LAN client and OPNsense; yes, they all point to my local AdGuard Home server (10.0.57.28).


Quote
Create a Gateway with the Remote VPN Tunnel IP
Did that. Gateway pointing to 10.0.55.254 (site 1 router), enabled "far gateway" because the subnet is not my local LAN ofc. Should I make use of Virtual IPs?

Quote
Create an Alias with the FQDNs you want to route.
Did that. Alias with Host(s) "domain.com"

Quote
Create a Firewall Rule on the first Interface where the traffic matches (normally LAN) (rule must be before your normal Allow Rule) with
Did that, put a rule on LAN:
Source: LAN net
Direction: in
Gateway: Site1 - 10.0.55.254 (Site 1 Router)

I can see the rule in effect in the logs, but it only shows UDP data packets.
Traceroute shows that the requests do not leave OPNsense, however...

traceroute domain.com
traceroute to domain.com (xx.xx.xx.xx), 64 hops max
  1   10.0.57.1  2,601ms  1,650ms  1,371ms
  2   10.0.57.1  1,531ms  1,429ms  1,193ms
  3   *  *  *
  4   10.0.57.1  1,880ms !H  1,483ms !H  1,412ms !H

Will make a backup and share it here; it seems there is something fishy in my config...
Thank you guys!!