Google or Facebook Traffic routing

[paatie]

Hi There

I have a firewall with two outgoing connections ( one is default and one is backup) is there a way that I can route google, youtube and facebook traffic to always go through the backup connection. The main problem I have here is that e.g facebook and google uses a pool of different IP addresses so I cannot route just one IP for each domain. so does anyone know any kind of setup that can achieve this.

Thanks in advance

[christian]

Using only one single Zentyal server, I frankly don't know 
Using "balance traffic" in gateways section doesn't work unless you identify all the IP related to these sites, which is not realistic.
If I had to achieve it, I would use another HTTP proxy pointing to backup gateway only and dedicated to such flow and define these domains in wpad.dat file with the right (secondary) proxy.

Of course, this assumes:
- you are not using transparent proxy
- you are using WPAD

but this should work 

[paatie]

Hi Christian thanks for the quick response, I was hoping I could achieve this with transparent proxy multiple zentyal server is not an issue as it is already the case, I have also tried to use the DNS module and force all traffice to the local country IP using a wildcard and then do the routing for that IP but it does not work either the sites just timeout and on google I get SSL errors.

[christian]

SSL errors 

If you have time, look at this thread where we discuss transparent vs. explicit proxy stuff.
It may help you to decide what kind of proxy design you need.
For sure with transparent proxy, there is no way you can achieve it, at least using proxy feature :-) furthermore, if you have SSL errors, then you do not use proxy 
But you can perhaps achieve your goal using something else than proxy.... 

[paatie]

Thanks a lot man, I think I'm going to give up on this I have been searching for a solution for weeks

[christian]

...I think I'm going to give up on this I have been searching for a solution for weeks

and you don't like my solution 

[paatie]

@Christian, I'm going to give your solution a try and see how it goes but it will give me a lot of admin work if I go with it because I wil have to go to 50 users and configure their proxy as it does not work with transparent proxy

[christian]

Sorry if I've not been clear enough: it will not work neither modifying clients to that they point to one proxy or another... what you have to implement is use of WPAD. this is most likely how all your clients are already configured today (except if you already went to each device to set "no proxy"  )
Without WPAD, you can't use this trick that is to define another proxy for some domains only 

This is one step beyond explicit proxy 

Your wpad.dat file should contain something like

Code: [Select]

if (dnsDomainIs(host, ".google.com")) return "PROXY proxy2.yourdomain.com:3128";assuming proxy2 is proxy you want to dedicate to google.com

[paatie]

Ok can you please explain how do you configure WPAD if you don't mind?

[christian]

Sorry, I was just editing my previous message while you posted 

I suggest you have a look at this.

[paatie]

I had a look at the link you gave me and I like it, it will definitely work. I will start with the configuration. thanks a lot man

[christian]

  I've no doubt it works 

However, as discussed with Sam in another thread, be aware that there is not perfect, ideal world in the real like: although deploying explicit proxy with WPAD has more added values than drawbacks (at least to me), you have to know that, e.g., access to non standard HTTPS ports will need to customize proxy configuration and Zentyal does not (currently) handle it via GUI.

Let us know how it works for you once implemented 

[paatie]

Hi Christian, I got wpad to work and it's exactly what I wanted so thanks for pointing me in the right direction. It took me a lot of time though to get it right but it was worth it in the end. Here are the links below that helped me a lot with the configuration. Thanks again to you guys

http://www.findproxyforurl.com/wpad_tutorial.html
http://en.wikipedia.org/wiki/Proxy_auto-config

[christian]

Cool. I'm glad it works (well, I had no doubt  )
Feel free to have a look here too (if not already done) and update it in case it doesn't match what you experienced.