Whole-network VPN with pfSense Router | Level One Techs

It's not difficult to build rules to exclude devices from specific interfaces in pfSense. I've found several guides online. I've built rules to route Netflix and Hulu traffic outside of my VPN, as well as specific devices with static IP addresses. When building rules for services like Netflix and Hulu, you'll need comprehensive lists of the IPs they use.

That was my bad. Sorry. Did some quick edits earlier and mucked 'em up :-/ Should be working now.

1 Like

You can sometimes get away with creating an alias from the domain name and using that instead of a list of IPs. The alias will be resolved by the DNS server periodically, so most of the time it will be the right IP, especially if the DNS cache is active. But with some things, especially stuff that uses CDNs, there will be multiple IPs that won't get resolved properly and the rules won't work.

I can see how that would work with Hulu because the domains are either hulu.com, huluim.com, or huluad.com. The list of Netflix IPs is never-ending and they use AWS servers. Luckily, there are a couple of posts on the pfSense forums where someone was kind enough to put together a list of all the Netflix IP addresses for the US. So it's pretty easy to make an alias with all the IPs simply by copy/pasting them into pfSense.

1 Like

I've tried that, and while the interface will get reset, the VPN will stay active. I use a cron job to reset the whole OpenVPN module. What I really want, though, is for it to hop between various VPN servers automatically, and depending on how much info I can get out of the command line, I would really love to have it go automatically based on ping.

You can do that with the load balancer: just configure each interface with a different priority and set the failover condition to latency or packet loss, then in the routing settings go to the advanced options and set whatever ping time you consider too high.

1 Like
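The gateway-group behaviour described above (tiers as priority, a trigger level of latency or packet loss, per-gateway thresholds) as an added simulation, not pfSense's own gateway monitor or routing code. Member names, thresholds and monitor readings are constructed for illustration; the trigger level names only mirror the options the post refers to.

```python
# Added example: simulation of how a pfSense-style gateway group picks the
# gateway(s) to use, given per-gateway monitor readings, member tiers and a
# trigger level. Illustrative only; not pfSense's dpinger or routing logic.
# Names, thresholds and readings below are constructed.
from dataclasses import dataclass
from typing import List


@dataclass
class Member:
    name: str
    tier: int                        # lower tier is preferred; same tier = load balance
    latency_high_ms: float = 500.0   # per-gateway "high latency" threshold
    loss_high_pct: float = 20.0      # per-gateway "high packet loss" threshold


@dataclass
class Reading:
    name: str
    rtt_ms: float
    loss_pct: float
    reachable: bool = True           # False = monitor IP not answering at all


def member_usable(m: Member, r: Reading, trigger: str) -> bool:
    """Apply the group's trigger level to one gateway's monitor reading."""
    if not r.reachable:
        return False
    high_latency = r.rtt_ms > m.latency_high_ms
    high_loss = r.loss_pct > m.loss_high_pct
    if trigger == "member_down":
        return True
    if trigger == "packet_loss":
        return not high_loss
    if trigger == "high_latency":
        return not high_latency
    if trigger == "packet_loss_or_high_latency":
        return not (high_loss or high_latency)
    raise ValueError(f"unknown trigger level: {trigger}")


def select_gateways(members: List[Member], readings: List[Reading], trigger: str) -> List[str]:
    """Return the usable gateways in the lowest tier that has at least one."""
    by_name = {r.name: r for r in readings}
    for tier in sorted({m.tier for m in members}):
        usable = [m.name for m in members
                  if m.tier == tier and member_usable(m, by_name[m.name], trigger)]
        if usable:
            return usable
    return []   # no usable gateway in any tier


# Constructed group: two preferred VPN endpoints in tier 1 and a backup in tier 2.
MEMBERS = [
    Member("VPN_NY", tier=1, latency_high_ms=250),
    Member("VPN_TX", tier=1, latency_high_ms=250),
    Member("VPN_EAST", tier=2, latency_high_ms=250),
]
# Constructed monitor readings (rtt ms, loss %).
HEALTHY = [Reading("VPN_NY", 40, 0), Reading("VPN_TX", 55, 0), Reading("VPN_EAST", 90, 1)]
TX_SLOW = [Reading("VPN_NY", 40, 0), Reading("VPN_TX", 600, 0), Reading("VPN_EAST", 90, 1)]
NY_DOWN_TX_SLOW = [Reading("VPN_NY", 0, 100, reachable=False),
                   Reading("VPN_TX", 600, 0), Reading("VPN_EAST", 90, 1)]

if __name__ == "__main__":
    for label, rd in [("healthy", HEALTHY), ("tx slow", TX_SLOW),
                      ("ny down, tx slow", NY_DOWN_TX_SLOW)]:
        print(label, "->", select_gateways(MEMBERS, rd, "high_latency"))
```

The point to check when configuring the real thing is the trigger level: with "member down" a gateway with 600 ms RTT is still used, while with "high latency" it is skipped, and only when every tier-1 member fails does traffic move to the tier-2 backup.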

I've been thinking about implementing a pfSense firewall in my home network for a while now, but while deciding on a system to build it with, I have been having trouble finding any supporting data on one thing in particular.

How important is it to have a CPU with AES-NI support? I plan on using the pfSense firewall to make secure/encrypted connections to my home network while I am offsite. Currently my home internet connection is 200Mbps down and 30Mbps up. I'm worried that choosing a CPU without this feature might bottleneck me either with my current download and upload speeds or possibly in the future. I would like to build something that is somewhat future proofed.

I have PIA as well. I don't have any experience with other VPN providers, but I will say the speeds aren't great. That's probably true for all providers though.

PIA reliability and speeds depend greatly on which server you choose. I find the servers located in New York and Texas are the best, and "East" is just absolute junk.

I've been considering doing this, however, I have one thing stopping me...

I have a Google Fi phone. If I do whole-network VPN, my VPN can be instantly correlated to me because my phone talks to Google so much. (The phone will be on Wi-Fi going through the VPN.)

What if I put eth0 through the VPN (whole network), but the wireless AP through regular traffic? Does that sound like a good solution?

If it's a modern CPU you should be fine at those speeds. If you have access to a comparable CPU, you could run some AES benchmarks or something like that and see.

If you assign the phone a static IP, then you can just have that IP go over the WAN and everything else on the VPN. You don't need to have different subnets for VPN and non-VPN traffic.

Once you have the VPN client working: when you create a firewall rule, in the advanced options you can select a gateway, so make a rule for your phone and set its gateway to LAN, have this rule above the default allow-any rule, and set that rule's gateway to the VPN.

One thing to keep in mind, however, is that if you have multiple subnets and you want to route traffic between them, then those rules need to use the default gateway, so you will need to have separate rules for local and internet traffic. But this only applies if you have more than WAN and LAN networks.

Well... how about other people's phones when they come over? Maybe best to flip it: static route my desktop to the VPN and all else to the WAN.

Yeah, that works too. When you're configuring the rules, just keep in mind that rules are processed from top to bottom and applied on first match. So have rules for specific devices above the rule that catches everything.

When it comes to setting the gateway for different devices and traffic, you can do it for anything that you can define in a firewall rule, so you can set it for IPs, ports, protocols, or any combination of those things. That means that for your desktop (for example) you can have ports 80 and 443 (web) go through the VPN and everything else (i.e. games) go through the WAN.

It's when you get down to specific applications that doing it at the router doesn't work so well, as the router can't tell the difference between a web browser using port 80 and the Steam client, etc.

1 Like
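The rule ordering and gateway selection discussed in the last few posts (per-device rules above the catch-all, local subnets kept on the default gateway, port-specific rules for the desktop, an alias for a streaming service's ranges), as an added simulator that is not part of the thread and not pfSense code. It evaluates a rule table top to bottom and returns the gateway of the first match, the way the posts describe pfSense doing it; the addresses, aliases and rule names are constructed (the "Netflix_US" ranges are TEST-NET documentation prefixes, not real Netflix addresses).

```python
# Added example: first-match policy routing over a rule table with aliases.
# Illustrative code, not pfSense's rule engine. All addresses, aliases and
# rule names are constructed for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence

ANY = "any"

# Aliases expand a name into one or more networks (like a pfSense alias).
ALIASES = {
    "Netflix_US": ["198.51.100.0/24", "203.0.113.0/24"],            # constructed, TEST-NET
    "Private_Nets": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "Phone": ["192.168.1.50/32"],
    "Desktop": ["192.168.1.10/32"],
}


@dataclass
class Rule:
    name: str
    src: str = ANY               # alias name, CIDR, or "any"
    dst: str = ANY
    proto: str = ANY             # "tcp", "udp", or "any"
    dports: Sequence[int] = ()   # empty = any destination port
    gateway: str = "default"     # "default", "WAN", "VPN", ...


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _networks(spec: str):
    if spec == ANY:
        return None
    return [ip_network(c) for c in ALIASES.get(spec, [spec])]


def _addr_matches(spec: str, addr: str) -> bool:
    nets = _networks(spec)
    return nets is None or any(ip_address(addr) in n for n in nets)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and (rule.proto == ANY or rule.proto == pkt.proto)
            and (not rule.dports or pkt.dport in rule.dports))


def select_gateway(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Gateway of the first matching rule; None means no rule matched (implicit deny)."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.gateway
    return None


# Constructed rule table in the order the posts recommend.
RULES = [
    Rule("local traffic stays local", dst="Private_Nets", gateway="default"),
    Rule("phone bypasses VPN", src="Phone", gateway="WAN"),
    Rule("desktop web over VPN", src="Desktop", proto="tcp", dports=(80, 443), gateway="VPN"),
    Rule("desktop everything else direct", src="Desktop", gateway="WAN"),
    Rule("Netflix direct", dst="Netflix_US", gateway="WAN"),
    Rule("default allow any", gateway="VPN"),
]

# Same rules with the catch-all mistakenly placed first: it now wins every time.
MISORDERED = [RULES[-1]] + RULES[:-1]

if __name__ == "__main__":
    probes = [
        Packet("192.168.1.50", "192.0.2.10", "tcp", 443),    # phone to the internet
        Packet("192.168.1.10", "192.0.2.10", "tcp", 443),    # desktop web
        Packet("192.168.1.10", "192.0.2.10", "udp", 27015),  # desktop game traffic
        Packet("192.168.1.77", "198.51.100.9", "tcp", 443),  # any host to "Netflix"
        Packet("192.168.1.77", "192.168.2.5", "tcp", 445),   # host to another local subnet
    ]
    for p in probes:
        print(p, "->", select_gateway(RULES, p), "| misordered:", select_gateway(MISORDERED, p))
```

Running it shows the two things the posts stress: the phone and the desktop's game traffic leave via WAN while the desktop's web traffic and everyone else's traffic go out the VPN, and traffic to another local subnet hits the default-gateway rule before any VPN rule. With the catch-all moved to the top every packet reports "VPN", which is exactly the mistake first-match ordering produces.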

Beautiful. I'll definitely check that out when my new box arrives.

Same here. This is one of the many reasons I subscribe to Wendell's channels!

1 Like

This is possible. But in my experience running a config of this nature, the latency is pretty high. Moreover, I've experienced high amounts of downtime with every single VPS provider I've ever used. Since moving to a config like Wendell and Ryan demonstrate in this video, I've had a much better experience. And I don't have my wife complaining that her Facebook is loading really slowly.

@wendell

Do you know about the VPN comparison chart?

https://thatoneprivacysite.net/vpn-comparison-chart/

It's very comprehensive on what VPN does what. It's handy for comparing the VPNs.

2 Likes

Another site with good information on VPNs, security and privacy in general is https://privacytoolsio.github.io/privacytools.io/. A VPN is good, but if your browser is leaky, well.

Some things to keep in mind when using a VPN:
My bank and other sites freak out when I forget to turn off the VPN.
It may bring attention to you.
Ask yourself: what are you trying to protect, and who do you want to protect it from?

Just thought I would share the site; it has some good info and links to others.

Yes, it is very possible, as I have done just that.
I pay for a VPS (Debian) and set up an OpenVPN server on it. The provider has a pretty good privacy policy; they won't share info unless required to repair an issue or it is needed in the course of providing the service.
/*edit*/
fix typos
/*endedit*/