Tom here from Lawrence Systems, and we're going to do a video about how to do policy routing, really simple policy routing, in pfSense, in terms of if you have a device or a network and you have two different gateways or two different internet service providers and you'd like to route things out one or the other. Now this can be expanded; it can be worked with more than two internet service providers. It can really work with as many as you can get connected to your pfSense. This also works, and in the demo we're going to be using today, just to keep things simple and so I don't have to blur out a bunch of IP addresses and show my office IPs, I'm going to be using the PIA gateway as our secondary ISP. It actually works the same whether you're using a gateway connected to Private Internet Access, which is what I'm going to actually be doing in this video, or if you have multiple ISPs. That being said, if you're curious about setting up Private Internet Access, I have a link down below to get that going in pfSense, and then I have the same segment about policy routing in that also. If you're wondering about bonding dual WAN connections together, I have another video on SD-WAN and how that works, because there is a lot of confusion about how some of the networking works, so I put a video together to clarify that particular question on SD-WAN bonding connections and how TCP streams actually work and how you can't just have two internet providers and get double your speed. It's a little bit more complicated than that, but to keep us on topic, those videos are linked down below. So let's get started with this particular video here. I want to start with a diagram of our layout, and it's really simple.
We have our pfSense, two WANs, a LAN, and this IP address here, which is the one we're going to SSH into to do our testing: 172.16.16.41. We have ISP 1 and ISP 2. Now I'm using ISP 1 and ISP 2 as kind of placeholders here. That's a normal setup where a lot of people have redundant failover, but this really comes down to any gateways that you have attached, whether they're an ISP or some other gateway, as I mentioned in the beginning, such as using a privacy internet provider as a gateway. The policy routing is still the same because it's done on a per-gateway basis in terms of which way you want it to route out. We're going to use a site called ipinfo. It's just a really simple site, so we can use curl from the command line in order to pull the IP information and show where that traffic is landing. It's basically asking "what's my public IP address?", and that obviously is going to change. ipinfo has another handy feature, because it will let us pull which organization it sees it coming from based on the ASN number lookup. ASNs, you kind of understand, are essentially the ownership blocks related to IPs or groups of IPs, so you can easily identify who the provider of that ASN is, and this is an easy way to do a demonstration. I listed the IP address of ipinfo.io because 34.117.59.81 is the IP we're going to use to create another type of rule. Now I want to show you the different methodologies for creating rules, so you know you can do this by more than just source device inside pfSense, but also by destination. So we'll do a couple of different demos here to show you how that works. Now you don't have to create an alias, but I prefer to have an alias because usually there's more than one system you want to route out. So that is the first step we're going to cover here.
We created an alias called YouTube policy demo, demo for YouTube policy routing. It's a type host alias. There is the demo device, as we had, and the reason for this, as I said, is if we wanted to add more hosts, whatever those hosts might be. For example, my computer is at .9; I could say that's Tom's computer, and now Tom's computer will be able to go out. Now when you edit an alias, it allows you to not have to update all the rules where this alias has been applied, because if you had other networks such as 192.168.1.5, you could copy this rule to each different network segment. So you could have one place that does all the routing out the different gateways, even though it's across different segments of your network and different subnets, and one alias would help cover that. But for simplicity's sake, we're just going to keep one device in here, the 172.16.16.41, and call it my demo device. Just click save. Now let's head over to LTS Tom, where this device lives, and you'll see that we have just a basic wide-open rule that allows things to route out the default gateway. You know it's going out the default gateway because there's a little asterisk there, which means whatever the default gateway is set to.
That's where this is going to route out. Now if we go here to add: pass, LTS Tom, IPv4, change it to any, and now we have to choose the source, and "Single host or alias" is what we're looking for. When you start typing, the aliases will autocomplete, so there's our YouTube policy demo, and any single host listed within that particular alias will then route out and follow these rules. Destination, it can go wherever it wants, but we want to go out a specific gateway, so we click the advanced and just scroll down here at the bottom and change the gateway from default to either forcing it out my WAN_DHCP for my WideOpenWest or PIA VPN. So we'll put it as PIA VPN right here and click save, hit apply, and now if you mouse over this we can see my demo device, and then we can see the route is going to be this gateway, the PIA VPN. And you have the rules at the top and they go down. That's very important, because if this route-out rule was the matching one, the first rule it matches, it doesn't go any further. So this does need to be on top in order to have that work. So let's go ahead and take a look: run curl ipinfo.io, and then it's going to give you the public IP address coming from my PIA VPN. Now pretty simple. It's got all the different information: the region, the country, the org. Let's actually focus on the org. That's a feature that this particular service has, so if we go to curl ipinfo.io/org, it'll say just DataCamp Limited. So pretty simple. Now let's go ahead and switch back. We're just going to temporarily disable the rule, hit apply, go back over here, run it again, and now it says WideOpenWest Finance.
That's my primary internet provider. So pretty simple to switch back and forth from something being in an alias. As soon as you apply these firewall rules it's pretty instant, because the request goes out, it reaches out, sees that it's supposed to route over PIA VPN, so it does so, brings back the info, and that's the gateway it routed out. So pretty straightforward to get this turned on or turned off for any devices. Or, if we wanted to, and to show another demo here, we'll open up another tab and run the same thing, but we'll do just the curl ipinfo.io/org. So we'll copy that, open up a new tab. It says WideOpenWest Finance. We're doing this directly on my computer, so we can go and actually edit that alias. So we'll re-enable it. So that's enabled. While it's enabled, we'll just do it one more time with my computer; it's going to show Finance. Go here, add a host, my computer's actually .9, Tom's computer. You can see that my computer is now in the list. Go back over here, and now my computer is routing out PIA. Pretty simple to get these in and out of here. So we want to get rid of that in the alias; I don't necessarily want my computer routing out that for now. But we'll just go ahead and edit the alias again, and we'll hit delete and hit save again. Now let's talk about kind of a different way to do this, and that's actually doing it by IP address. So we can actually choose a destination IP, not on the internal but on the outgoing side. This could easily be done with an alias as well, and we can say we want to make a rule that anything, and we'll disable this rule first, and we're going to add a rule: anything that's headed to a certain IP address will always go and retrieve out of a specific gateway. So the source, and we'll change the protocol to any, and we specifically want the destination to be single host or alias. We're just going to use a single IP address. Specifically, we're going to use the IP address right here, this 34.117.59.81. This is the ipinfo.io. So we go here.
We're going to go ahead and say that's the destination, and we'll go display advanced, scroll down to the bottom, change gateway, and this is going to route out the PIA VPN. So hit apply. Now before we do the test, let's just walk through what this rule means. The rule is IPv4, source any, any system, not just these ones. We want the destination to be this, so if the destination, where the IP we're going to, is this, we're going to route that one out specifically out of PIA VPN. So with that rule being said, if we go to the curl ipinfo.io/org, that's the IP address of that DataCamp Limited. I can actually do this so we'll show all the IP information, and if we were to do a ping of ipinfo.io you'll see it's that IP address. So it's actually routing out any time the data is destined for that IP address; it's going to route out there. Now there's actually something else we can do. So we can go curl ipinfo.io/org, and by default when you have curl, it's doing this based on HTTP, not HTTPS. So we'll go ahead and explicitly list that: http://ipinfo.io/org, or if we do https://ipinfo.io/org, we're going to get the same response both times. So let's change this rule up a little bit here, and we're going to modify it so the rule works based on not destination IP address but actually based on whether or not you're doing HTTP or HTTPS. So you can do this based on a specific TCP port. Now to get this working, we're going to go any; we're not going to worry about the destination address. We will go ahead and leave our single host or alias; we only want this, so it doesn't start routing all of my traffic on that particular network out that gateway. And the protocol is going to change to TCP; that opens up these options here, and we don't want to say from any; we can filter it down to HTTPS. So now just to walk through the rules again: if it's a TCP call, the host alias matches someone on our YouTube policy demo, destination could be anywhere it needs to go, but you're asking for 443 as well, and that gateway's still down here at the bottom.
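As an added example, not the video's or pfSense's own code, here is a small Python model of the first-match evaluation that all three rules in this video rely on: the alias-source rule, the destination-IP rule, and the alias-plus-port-443 rule, each placed above the wide-open default rule. Alias and gateway names such as YouTubePolicyDemo and PIA_VPN are assumptions (pfSense does not allow spaces in them).

```python
# Added example, not from the video or pfSense: a first-match model of how pfSense walks
# LAN rules top-down and picks a gateway. Alias/gateway names are assumed (no spaces).
from dataclasses import dataclass
from typing import Optional

ALIASES = {"YouTubePolicyDemo": {"172.16.16.41"}}   # type: host alias from the video
IPINFO = "34.117.59.81"                              # ipinfo.io, as used in the video

@dataclass
class Rule:
    name: str
    gateway: str                 # "default" = the asterisk rule
    src: Optional[str] = None    # alias name or IP; None means any
    dst: Optional[str] = None    # destination IP or alias; None means any
    proto: Optional[str] = None  # "tcp"/"udp"; None means any
    dport: Optional[int] = None  # destination port; None means any
    disabled: bool = False       # the video toggles rules with this

    def matches(self, pkt: dict) -> bool:
        def in_set(value, spec):
            return value in ALIASES.get(spec, {spec})
        return (not self.disabled
                and (self.src is None or in_set(pkt["src"], self.src))
                and (self.dst is None or in_set(pkt["dst"], self.dst))
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt["dport"] == self.dport))

def select_gateway(rules, pkt):
    """First matching pass rule wins; no match means pfSense's implicit block."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.gateway
    return None

# The three policy rules from the video, each placed above the wide-open default rule.
BY_SOURCE = Rule("alias -> PIA", "PIA_VPN", src="YouTubePolicyDemo")
BY_DEST = Rule("ipinfo -> PIA", "PIA_VPN", dst=IPINFO)
BY_PORT = Rule("alias 443 -> PIA", "PIA_VPN", src="YouTubePolicyDemo", proto="tcp", dport=443)
DEFAULT = Rule("allow all", "default")

def demo(policy: Rule, src: str, dport: int, policy_on_top: bool = True) -> Optional[str]:
    """Gateway chosen for a TCP flow from src to ipinfo.io:dport under one policy rule."""
    rules = [policy, DEFAULT] if policy_on_top else [DEFAULT, policy]
    return select_gateway(rules, {"src": src, "dst": IPINFO, "proto": "tcp", "dport": dport})

if __name__ == "__main__":
    print(demo(BY_SOURCE, "172.16.16.41", 80))          # PIA_VPN
    print(demo(BY_DEST, "172.16.16.9", 80))             # PIA_VPN (any source)
    print(demo(BY_PORT, "172.16.16.41", 80))            # default: HTTP is not matched
    print(demo(BY_PORT, "172.16.16.41", 443, False))    # default: wrong order
```

The last call shows the ordering point from the video: with the catch-all rule above the policy rule, the policy rule never fires.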
So we look at the rule in summary. We see the YouTube policy demo for this IP address routed out VPN if it's 443. So now if we go back over here, if we do HTTPS it says DataCamp Limited, but if we do HTTP, WideOpenWest, and that's because, well, we didn't say to route things going out port 80. So now you can do it based on that destination port. Either one of these is a valid way to do this, and maybe you want to have a list of ports or services or destinations, or maybe you have certain devices you want to route certain places. You always have to remember the rules are all top-down matching, so the first rule matched will be how that works. So if this rule is matched, it's going to go here, and then we can have this rule to say, nope, we want this one routing out here for anything else. But you've got to think about that from a matching perspective if you have a series of devices. But that's all you have to do to get policy routing working. I will leave links down in the description right to pfSense's documentation on this. There's actually plenty of documentation on their dual WAN failover. I will eventually make a new video, or maybe you're watching this in the future and I have a newer video on how to create failover groups. I will leave links down below to videos I have related to these topics, such as setting up a privacy VPN with the policy routing for that, which does cover this section as well. But I wanted to mention those other expanded options you have with it. Leave your comments and thoughts down below or head over to my forums for a more in-depth discussion, and thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to LawrenceSystems.com and click the hire us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.