Two VPN connections, one for all traffic and the other for specific domains. Possible?

Comments

5 comments

  • Michael Bierman

    Can I have all traffic go through A (default) while specific domains go over B?

    Yes! You can route specific domains, IPs, Regions, etc. over a particular VPN. 

    https://help.firewalla.com/hc/en-us/articles/4408977159187-Using-Firewalla-Policy-Based-Routing-with-VPN-and-Multi-WAN-Features

    See Force DNS over VPN https://help.firewalla.com/hc/en-us/articles/360023379953-VPN-Client 

  • Dan

    Thank you for your reply. 

    Yes, I've referred to that page a few times before. My problem is that if I try the following it won't work:

    I created VPN A and VPN B (clients on my FWG).

    On the app I go to VPN client > VPN A, and I choose the LAN (LAN 1 in my case) to cover all the devices.
    (This will be the default traffic route for all devices. It works and all devices will route via VPN A).

    Now I want some exceptions (certain domains) for all devices to go over a different VPN (B).
    On the app I go to Routes and I add a domain (say ipinfo.io) and then under select a device I choose "all devices". And for interface I choose VPN B.

    (This won't work, ipinfo.io will still go over VPN A). I've also tried LAN 1, same.

    It'll only work if I choose a single device for ipinfo.io domain.

  • David Rothenberger

    It sounds like you have one rule at the LAN level and another one at the global level, and you are expecting the global rule to override the LAN level rule. That doesn't work, as LAN level rules take precedence.

    Either create your routing rule at the LAN 1 level, or change VPN A to apply to all devices.

    Also, note that you can define the VPN to not apply to any devices, and just routes to handle all the routing to the VPN clients. That might make things simpler, because then all the rules are in one place.

  • Michael Bierman

    @David is right. 

    The priority list for device scope is Device > Group > Network > Global (All devices).

    1. When there is conflict, device/group rules will take precedence over Network rules.  
    2. When there is conflict, Network rules will take precedence over Global rules.

    For targets, the priority list is IP/Port > CIDR > Domain > Target List/Category > Region > Internet.

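The two precedence lists in the comment above, turned into a small rule resolver so the behaviour Dan saw can be checked against each configuration discussed in the thread. This is an added example written for this page, not Firewalla code or documentation: the rule and flow types, the names (LAN 1, VPN A, VPN B, a laptop and a server-1 device), the target list and the RFC 5737 addresses are all constructed. It makes one assumption the thread does not spell out: the narrower scope wins outright, and target specificity only breaks ties between rules at the same scope. That ordering reproduces every outcome reported in the thread (a LAN-level "all traffic" rule beats a global domain route; a LAN-level or device-level domain route beats it).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Scope precedence quoted in the thread: Device > Group > Network > Global.
SCOPE_RANK = {"device": 0, "group": 1, "network": 2, "global": 3}
# Target precedence quoted in the thread:
# IP/Port > CIDR > Domain > Target List/Category > Region > Internet.
TARGET_RANK = {"ip": 0, "cidr": 1, "domain": 2, "list": 3, "region": 4, "internet": 5}

# Constructed target list for the "list" target kind (hypothetical name and members).
TARGET_LISTS = {"geo-services": {"ipinfo.io", "ifconfig.co"}}


@dataclass(frozen=True)
class Rule:
    scope: str                   # key of SCOPE_RANK
    scope_value: Optional[str]   # device, group or network name; None for global
    target: str                  # key of TARGET_RANK
    target_value: Optional[str]  # IP, CIDR, domain, list name or region; None for internet
    interface: str               # where matching traffic goes: "VPN A", "VPN B", "WAN"


@dataclass(frozen=True)
class Flow:
    device: str
    group: Optional[str]
    network: str
    dst_ip: str
    dst_host: Optional[str] = None    # destination name, when known
    dst_region: Optional[str] = None  # destination region, when known


def scope_matches(rule: Rule, flow: Flow) -> bool:
    if rule.scope == "global":
        return True
    own = {"device": flow.device, "group": flow.group, "network": flow.network}
    return own[rule.scope] == rule.scope_value


def target_matches(rule: Rule, flow: Flow) -> bool:
    kind, value = rule.target, rule.target_value
    if kind == "internet":
        return True
    if kind == "ip":
        return ip_address(flow.dst_ip) == ip_address(value)
    if kind == "cidr":
        return ip_address(flow.dst_ip) in ip_network(value, strict=False)
    if kind == "domain":
        host = flow.dst_host
        return host is not None and (host == value or host.endswith("." + value))
    if kind == "list":
        return flow.dst_host in TARGET_LISTS.get(value, set())
    if kind == "region":
        return flow.dst_region == value
    raise ValueError(f"unknown target kind {kind!r}")


def route(rules: List[Rule], flow: Flow, default: str = "WAN") -> str:
    """Pick the interface for one flow.

    Assumption (not stated in the thread, but it reproduces Dan's results):
    the narrower scope wins outright; target specificity only breaks ties
    between rules at the same scope. No matching rule means plain WAN.
    """
    matching = [r for r in rules if scope_matches(r, flow) and target_matches(r, flow)]
    if not matching:
        return default
    best = min(matching, key=lambda r: (SCOPE_RANK[r.scope], TARGET_RANK[r.target]))
    return best.interface


# Dan's first attempt: VPN A applied to LAN 1, a global domain route to VPN B.
FIRST_ATTEMPT = [
    Rule("network", "LAN 1", "internet", None, "VPN A"),
    Rule("global", None, "domain", "ipinfo.io", "VPN B"),
]
# The variant that did work for him: the domain route scoped to one device.
SINGLE_DEVICE = [
    Rule("network", "LAN 1", "internet", None, "VPN A"),
    Rule("device", "laptop", "domain", "ipinfo.io", "VPN B"),
]
# David's first suggestion: both rules at the LAN 1 level.
BOTH_ON_LAN = [
    Rule("network", "LAN 1", "internet", None, "VPN A"),
    Rule("network", "LAN 1", "domain", "ipinfo.io", "VPN B"),
]
# David's alternative: VPN applied to no devices, routing done with routes only,
# plus a device-level exception that keeps one server off both VPNs.
ROUTES_ONLY = [
    Rule("global", None, "internet", None, "VPN A"),
    Rule("global", None, "domain", "ipinfo.io", "VPN B"),
    Rule("device", "server-1", "internet", None, "WAN"),
]

# Constructed flows; addresses are from the RFC 5737 documentation ranges.
LAPTOP_TO_IPINFO = Flow("laptop", None, "LAN 1", "192.0.2.10", dst_host="ipinfo.io")
LAPTOP_TO_OTHER = Flow("laptop", None, "LAN 1", "198.51.100.20", dst_host="example.com")
SERVER_TO_IPINFO = Flow("server-1", None, "LAN 1", "192.0.2.10", dst_host="ipinfo.io")
```

Calling `route(FIRST_ATTEMPT, LAPTOP_TO_IPINFO)` gives "VPN A", which is exactly the failure Dan reported: the LAN-scoped rule outranks the global one even though the global rule has the more specific target. With `BOTH_ON_LAN` or `SINGLE_DEVICE` the same flow goes to "VPN B". The `ROUTES_ONLY` set shows why David's approach is tidier for the server exclusion Dan mentioned later: one device-level "all traffic to WAN" rule for server-1 beats every global route, so that host never touches either VPN while every other device keeps the split.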
  • Dan

    @David

    You nailed it! Once I made both work on the LAN level it behaved as I want it to. Didn't try that before because I want to exclude some devices (servers). I guess I'll move them to their own LAN for better control.
    This router never ceases to amaze. Love it.

    I will pay more attention to the precedence of the rules in the future :) Thanks a lot.


    @Michael

    Thank you so much for summarizing it this way. I've copied/pasted this to my password manager's Firewalla notes for future reference :)
