OPNsense Forum » English Forums » General Discussion » Firewall Rules for External Domain Names
Topic: Firewall Rules for External Domain Names (Read 970 times)
mattlach (Newbie, Posts: 32, Karma: 0)
Firewall Rules for External Domain Names « on: March 15, 2024, 09:31:15 pm »
Hey Everyone,
So I have my firewall set up such that it runs WireGuard on it, and routes all traffic through WireGuard on its way out to the WAN.
I have configured WireGuard such that it has its own gateway, separate from the non-WireGuard WAN gateway.
I have the rules configured in the following order:
- Any rules needing to bypass WireGuard send traffic to the non-WireGuard WAN gateway.
- Any remaining traffic at the bottom of the list gets sent out using the WireGuard gateway, and out to the public internet via WireGuard.
Pretty common setup I think.
My problem is this. I am trying to bypass the VPN and send traffic through to the WAN gateway based on the destination host. In my case I do not have a fixed IP for this external host on the WAN, only a domain name.
I have created a URL alias using these domain names, but it does not seem to work. On its way down the firewall rules list, it never triggers on my bypass rule, and just continues on down to the standard "internet via VPN" rule.
I suspect this is because it is not resolving the domain name in the alias, and thus is not seeing a match.
Is there a proper way to do what I am trying to do, or do I need to figure out every IP address this domain name might resolve to, and add the IP addresses instead? (This does not sound particularly reliable.)
Appreciate any suggestions!
OPNSense running as a VM in KVM under Proxmox:
- Rocket Lake Xeon E2314 in a Supermicro X12STL-F.
- IOMMU forwarded i210 Ethernet for WAN and x520 for LAN.
- Pi-hole running as separate LXC Container on same server.
- Lots of VLAN's and tricky firewall rules.
mattlach (Newbie, Posts: 32, Karma: 0)
Re: Firewall Rules for External Domain Names « Reply #1 on: March 15, 2024, 09:43:45 pm »
Hmm.
I replaced the domain names in the alias with their currently returned IP addresses, and it is still skipping over the rule.
When I traceroute to them, I still see it going out over the wrong gateway.
I'm not quite sure what it is I am doing wrong.
Can I not create incoming local network rules that filter based on external wan destination or something?
I appreciate any input.
mattlach (Newbie, Posts: 32, Karma: 0)
Re: Firewall Rules for External Domain Names « Reply #2 on: March 15, 2024, 09:50:59 pm »
Alright.
So I just figured out I already have another rule that does this for a different domain name, and that one works.
I duplicated it exactly, and just changed the domain name alias. The first one works, the second one doesn't.
I suspect the problem might be with the alias.
The alias that works lists "loaded" as 1 (there is just one domain name, pointing to just one IP, so this makes sense).
The second one has multiple domain names in it, and lists "loaded" as 0, which suggests something isn't quite working here.
Going to troubleshoot the alias, I guess, as the firewall rule does not appear to be the issue.
mattlach (Newbie, Posts: 32, Karma: 0)
Re: Firewall Rules for External Domain Names « Reply #3 on: March 15, 2024, 09:55:24 pm »
Alright, figured it out. I feel silly now.
I am going to leave this here in case anyone else goes down this rabbit hole.
You want to use the "Host(s)" category in aliases, NOT the URL(s) category. That seems to be strictly for pulling a list of domain names from an external URL.
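An added diagnostic for the check this thread converges on: whether the pf table behind an alias actually contains the addresses the bypass rule needs. This is not code from the thread or from OPNsense; the hostnames, addresses and `pfctl -t NAME -T show` dumps below are constructed samples, and the `audit_alias` helper is hypothetical.

```python
"""Compare what an alias's FQDNs resolve to against the pf table OPNsense
loaded for it. An empty table (the alias page shows "loaded" as 0, as the
URL(s)-type alias did in the thread) means the bypass rule can never match.
Added example, not OPNsense code."""
import ipaddress
import socket
from typing import Dict, Iterable, List, Optional

# Constructed sample data standing in for live DNS answers and pfctl output.
SAMPLE_DNS: Dict[str, List[str]] = {
    "example-a.test": ["198.51.100.10", "198.51.100.11"],
    "example-b.test": ["203.0.113.5"],
}
SAMPLE_TABLE_EMPTY = ""                      # URL(s)-type alias: loaded = 0
SAMPLE_TABLE_HOSTS = """   198.51.100.10
   198.51.100.11
"""                                          # Host(s)-type alias with one FQDN

def parse_pf_table(dump: str) -> set:
    """Parse `pfctl -t NAME -T show` output into a set of ip_network objects."""
    nets = set()
    for line in dump.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.add(ipaddress.ip_network(line, strict=False))
    return nets

def resolve(fqdn: str, dns: Optional[Dict[str, List[str]]] = None) -> List[str]:
    """Resolve an FQDN: from the constructed table when given, else the system resolver."""
    if dns is not None:
        return dns.get(fqdn, [])
    return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None)})

def audit_alias(fqdns: Iterable[str], table_dump: str,
                dns: Optional[Dict[str, List[str]]] = None) -> Dict[str, List[str]]:
    """Return, per FQDN, the resolved addresses the loaded table does NOT cover.
    An FQDN that resolves to nothing is reported with the marker "<unresolved>".
    An empty result means every current address is covered by the table."""
    table = parse_pf_table(table_dump)
    missing: Dict[str, List[str]] = {}
    for fqdn in fqdns:
        addrs = resolve(fqdn, dns)
        if not addrs:
            missing[fqdn] = ["<unresolved>"]
            continue
        gaps = [a for a in addrs
                if not any(ipaddress.ip_address(a) in net for net in table)]
        if gaps:
            missing[fqdn] = gaps
    return missing

if __name__ == "__main__":
    names = list(SAMPLE_DNS)
    print("URL(s) alias, empty table:", audit_alias(names, SAMPLE_TABLE_EMPTY, SAMPLE_DNS))
    print("Host(s) alias, partial table:", audit_alias(names, SAMPLE_TABLE_HOSTS, SAMPLE_DNS))
```

On the firewall itself, feed `audit_alias` the names from the alias and the live output of `pfctl -t <alias name> -T show` with `dns=None`; any reported address is traffic that will fall through to the VPN rule.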