Firewalla Policy & Content Based Routing

Follow

Comments

12 comments

  • Avatar
    Sukumar Patel

    It would be great if we could redirect specific apps using PBR. Ex: Netflix via VPN1, and Amazon via VPN2, etc

    3
    Comment actions Permalink
  • Avatar
    John sieve

    I’m looking at a policy that routes based on what wan is less latent, is that possible? Peplink has this but everything else has me convinced firewalla is the better choice

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    @sukumar, the VPN redirection can be done on 1.972.  

    @John, latency based routing is possible; Is the problem you are facing the ISP is getting congested?   

    0
    Comment actions Permalink
  • Avatar
    John sieve

    I have two LTE connections, one has much more throughput, but worse latency, I’d like to have gaming/remote work go through the less latent path, and video to go over the other connection, and fail over still functional, I see some vendors have “lowest latency” which tracks on the 2nd/3rd hop, and the other, (and preferable) is “fastest response time” this would be ideal, because it could choose the connection based quickest path, which may end up being the other link, I know persistence can be a issue, and would also consider using this for web browsing.

    1
    Comment actions Permalink
  • Avatar
    Sukumar Patel

    @firewalla, I am on 1.972 early access and 1.44 beta, how do I enable app based VPN routing for Netflix etc?

    0
    Comment actions Permalink
  • Avatar
    Michael Bierman

    @Sukumar, Hulu doesn't like Dual WAN so I used PBR to channel andy traffic to hulo.com to my WAN1. You should be able to do the same with Netflix.

     

     

    1
    Comment actions Permalink
  • Avatar
    networker5

    Is it possible to use PBR to a (dynamic) virtual device group??? That would solve many problems I'm having:

    1. target devices based on policy criteria (e.g. alll IOT domains)
    2. A single device can be treated in different groups
    3. Lack of VLAN capabilities.

    I can describe more of what I mean but bottom line is that device groups are great but not flexible enough and may change based on context (e.g. netflix or porn). 

    0
    Comment actions Permalink
  • Avatar
    Michael Bierman

    I'm not sure if I exactly understand your question, but PBR can be applied to Groups. If a device changes groups then the PBR would shift with that. 

    Is that what you are looking for?

    0
    Comment actions Permalink
  • Avatar
    FF

    What about when you want to limit the routing to ALL DEVICES EXCEPT specific ones? 

    ie: 

    • I have a primary WAN for the whole house using cablemodem
    • I also setup a backup WAN using the cheapest tmobile  5g plan I could find with a data CAP. TMOBILE_WAN_BACKUP
    • I would like to only allow our working PC/laptops to be able to route through the TMOBILE_WAN_BACKUP when the CABLEMODEM_WAN is down.

    right now I can create a rule forcing ALL the devices to only use CABLEMODEM_WAN, which effectively block them from using the TMOBILE_WAN_BACKUP. but that prevent my work PC from using the backup_WAN

    in theory I could create 1 route per device except the 2 work PC/laptop but that's not very practical...  Or create 1 group with every devices except the 2 work PC/laptop but that's also not very practical... 

    I can easily create a route for the 2 work PC to use the backup_WAN but that defeat the purpose since I want them to only do that when the primary is down, not all the time!

    We basically need a NOT operator somewhere in the filter logic...  

    suggestions: 

    allow to use an "except" operator in the new route filter screen... like:

    • set target = internet
    • on device = except "PC_work_group"
    • interface = CABLEMODEM_WAN

     

     

    0
    Comment actions Permalink
  • Avatar
    FF

    On a side note, I noticed that even though I did setup the route:

    • set target = internet
    • on device = ALL devices
    • interface = CABLEMODEM_WAN

    from my laptop I can still access the IP address of the 5g router behind firewalla's TMOBILE_WAN_BACKUP port which is very convenient and logical since the 5g router is not considered internet (192.168.1.1) and visibly firewall keeps routing 192.168.1.0 through TMOBILE_WAN_BACKUP port... 

     

    0
    Comment actions Permalink
  • Avatar
    R dub *

    My Firewalla gold will not complete installation in bridge mode while connected to UDM Pro. It’s being blocked by the firewall. I added a static route for domain Firewalla.com. and that almost did the job, but it’s still stuck at the end. Which domain am I missing from the route list?

    0
    Comment actions Permalink
  • Avatar
    Michael Bierman

    Why is UDMP blocking firewalla? Start with looking at the rules there.

    0
    Comment actions Permalink

Please sign in to leave a comment.