pfSense Content Based Routing

Does anyone know how to get pfSense to do content-based routing, or if it’s even possible on the system?

I’m not talking about traditional policy based router where if packets are destined to a specific IP they are routed. I’m referring more to if packets are routed to something.

Like if traffic is destined to Netflix then route it this way, but if it’s going to YouTube send it over the VPN. Routing based on the content of the traffic rather than the source and destination.

I know this is possible with other firewalls like PaloAlto but I wasn’t sure if it was possible with pfSense.

But even then, you’re still only routing based on Dst address.

Thanks, but not quite what I was looking for. Better examples would be things like blocking Google Drive upload while allowing Google Drive itself, or blocking Facebook Messenger but allowing Facebook.

I think that’s very hard to achieve in general, with any firewall system. If you know of any such device in existence I’d be excited to hear about it, but I cannot imagine how that could possibly work from a technical perspective. Unless the Facebook website / API and Messenger run on disjunct sets of IP addresses (which I cannot imagine is the case, as they will likely be hosted in the same data centers or POPs), how would a firewall be able to distinguish them? All traffic is end-to-end encrypted with TLS. Apart from meta data like traffic volume, packet frequency, etc., firewalls have no clue what payload is in a packet. The meta data approach might work to detect video streaming as I can imagine that has a distinct signature to it, but other than that I wouldn’t get my hopes up.

Or take your Google Drive upload example: How would a firewall be able to reliably distinguish between a packet that contains an HTTP GET request to display the Google Drive page and a packet that contains an HTTP POST request which uploads a small file? It’s encrypted, so the firewall cannot see the content, and the payload sizes might be in the same general area, so the meta data might look identical.

Again, if I’m missing something and you, or anyone, knows of a product that can do those things, please let me know. That would be very interesting to learn about.

Palo Altos have the best app filtering available.


The Palo Altos can do it.

FortiGate or Palo Alto. Not possible in pfSense for now.

Ok, so from what I could find online, the mentioned solutions that can do what was asked (like blocking Google Drive upload, but not the website itself) all rely on TLS decryption and installing a CA on the users’ devices. That’s not transparent to the user, which I assumed was an implicit requirement (wrongly so, apparently).

Generally speaking, you can control what you send and the direction you attempt to send it. You can’t do “come from” routing. That requires a man-in-the-middle, working for you or otherwise. Remember that nothing in the protocols requires paths to be symmetric. Packets going from A to B and packets going from B to A can take vastly different paths and there is very little you can do to influence it. Lest you wonder, this is not a bug. It may not always appear to be a feature, until it saves your ass when things go very pear-shaped.