Outbound Policies - Domain name

I feel quite inadequate right now.

I thought that I followed instructions only to find that none of my Outbound Policies that specify a domain as the rule to bypass Speedfusion work. I am in Expert Mode and I moved these policies above the VPN line - they don’t work. On a lark, I moved one below the VPN line but ahead of the Speedfusion rule, and it worked… ONCE.

I used “ipconfig /flushdns” to no avail.

This leads me to the question… what is Expert Mode really for? Why don’t these domain-based rules work above the VPN line? I am truly confused.

Do you have Send All enabled sending all your traffic to the Speed Fusion tunnel by default? If you want Domain Based rules to work, I would disable the Send All and only send traffic by outbound policy. Here’s a link to a post that has a working Domain Policy in it…

1 Like

Here are my below-the-PepVPN-line policies. Basically, I send everything to Speedfusion (Fusionhub at Vultr) and fall through to a “Fastest” policy for my locally defined WANs.

Everything else is above the PepVPN line, all exceptions where I don’t want to use Speedfusion (VPN blocking). My IP-based and MAC-based rules work perfectly but they limit the usefulness of a general purpose device. NONE of my domain-based rules work - neither for streaming services (Netflix, YoutubeTV, Amazon, etc.) nor for ornery websites (doityourself.com, puritan.com, autotrader.com, etc.).

I appreciate your help. Thank you.

I don’t use the “Send All” feature - all is going through Outbound Policies.

Ok, so move everything below that PepVPN line. The only things that go up there are deep packet inspection rules.

Also take a look at this post as well…
https://forum.peplink.com/t/domain-name-rules-and-dns-cache/28976/2?u=c_metz

1 Like

Just to clarify, all of my Source rules that specify IP or MAC address work fine. None of my rules that specify a domain for Destination work. They are currently above the PepVPN line. The domain-based (Source) rules don’t work - wonder why. I’m only using Domain specification in the Destination, Source is “Any.”

I have changed my Speedfusion rule to only include the VPN in the priority list. Then I created a default rule to use the Fastest local WAN. Is this a good strategy?

Also, should my Speedfusion rule be the last rule in the list? I’m assuming yes if I have a default that is for Fastest.

Thank you!

So the rules are processed from the top down… and the first rule that a session matches wins. So if traffic matches the first or second rule, none of the other rules are checked. Because sources are all unique, your traffic matches those first, then stops.

In your screenshot above, that http persist rule will never trigger because all traffic matches the one above it.

Likewise, the fastest response rule will never trigger because all sources, destinations and ports match the rule above it going to SpeedFusion.

1 Like

Yes. This makes sense.

Unfortunately, my Destination=domain rules still don’t work at all, neither for streaming sites or the ornery sites that I mentioned earlier. I flushed the DNS cache before trying.

Should I reboot something before giving up hope?

Well, in that regard I will say… give it time. Every time you change the policy, it dumps the IP-to-domain-name relationship… so you then have to get your client device to ask for the domain again and get the lookup to be seen by the router… so you will have to stop making policy changes for, let’s say, 5 minutes, then do your DNS flush on your computer and try again.

1 Like

Here is the Speedfusion rule in the above list.

OK. Great information. I’ll wait and try.

Fastest response will mess up those sites. Fastest response makes 2 copies of the packet and sends it out both WANs so that whoever responds first wins. That will break any https traffic because the “secure” server sees duplicate requests from 2 different ip addresses.

1 Like

My two cell WANs are very sensitive to time of day with respect to performance/bandwidth. How can I choose the fastest one to use? This would be quite important given my config.

Could I expect a “Lowest Latency” rule to give me the best performing cell WAN?

For https traffic outside the SpeedFusion tunnel, unfortunately you will have to use a priority list and then health checks … so say WAN1 is normally better than 2…
All https to Apple.com goes to WAN1 then WAN2 via priority. Then set the health checks on WAN1 to where they detect the degraded state and fail you over to WAN2 by marking WAN1 as down.

1 Like

I waited, flushed DNS, and tried again. No love whatsoever.
All of the sites report VPN block.

On the client side, have you confirmed through ipconfig -all that they are using the ip of the router for a dns server?

Also new browsers like Firefox use prefetching for DNS, so in that case a restart of the browser or even reboot of the computer would be the safest.

1 Like

OK. I reset the router config to automatically provide DNS rather than use 1.1.1.1 and 1.0.0.1.

Then, I changed all of my rules to “Fall through.”

I changed all of the rules to use a Priority rather than Fastest.

Then I eliminated the default rule of Fastest and changed the Speedfusion rule to Priority.

The domain-based policies now work.

The last thing I want to do is to have the rules choose the fastest cell WAN. How do I do this and still use the Priority routing? You mentioned something earlier but lost me.

Thanks.
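A toy model, added here and not Peplink code, of the two mechanisms this thread turns on: top-down first-match evaluation of outbound rules (the shadowing described earlier) and a domain rule that only matches when the router has seen the client's DNS lookup for that destination, which is why pointing clients at the router for DNS made the domain policies start working. Rule names, the IP-to-domain table, and the 203.0.113.10 address are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample address (203.0.113.0/24 is a documentation range).
NETFLIX_IP = "203.0.113.10"

@dataclass
class Rule:
    name: str
    destination: str = ""  # "domain:<name>", "ip:<addr>", or "" meaning Any

class Router:
    """Hypothetical model: first-match policy list plus an IP-to-domain table
    that is filled only from DNS answers the router itself forwards."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.ip_to_domain = {}

    def observe_dns_reply(self, domain, ip):
        self.ip_to_domain[ip] = domain  # the lookup transited the router

    def apply_policy_change(self, rules):
        self.rules = list(rules)
        self.ip_to_domain.clear()  # per the thread: a policy change dumps the mapping

    def _domain_matches(self, ip, suffix):
        name = self.ip_to_domain.get(ip, "")
        return name == suffix or name.endswith("." + suffix)

    def match(self, dest_ip):
        for rule in self.rules:  # top down; the first hit wins, later rules are never consulted
            if rule.destination == "":
                return rule.name
            kind, value = rule.destination.split(":", 1)
            if kind == "ip" and dest_ip == value:
                return rule.name
            if kind == "domain" and self._domain_matches(dest_ip, value):
                return rule.name
        return "default"

BYPASS = Rule("bypass-netflix", "domain:netflix.com")   # keep off the tunnel
CATCH_ALL = Rule("all-to-speedfusion")                    # Any -> SpeedFusion

def with_router_dns():            # client resolves via the router: rule matches
    r = Router([BYPASS, CATCH_ALL])
    r.observe_dns_reply("www.netflix.com", NETFLIX_IP)
    return r.match(NETFLIX_IP)

def with_external_dns():          # client asked 1.1.1.1 directly: router saw nothing
    return Router([BYPASS, CATCH_ALL]).match(NETFLIX_IP)

def shadowed_by_catch_all():      # Any rule placed above the domain rule
    r = Router([CATCH_ALL, BYPASS])
    r.observe_dns_reply("www.netflix.com", NETFLIX_IP)
    return r.match(NETFLIX_IP)

def right_after_policy_change():  # table emptied until the client looks the name up again
    r = Router([BYPASS, CATCH_ALL])
    r.observe_dns_reply("www.netflix.com", NETFLIX_IP)
    r.apply_policy_change([BYPASS, CATCH_ALL])
    return r.match(NETFLIX_IP)
```

Only `with_router_dns()` reaches the bypass rule; the other three cases fall to the SpeedFusion catch-all, matching the "VPN block" symptom reported above.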

What version of the firmware are you on? What device?

I am using one of the RCs on a MK2. My rules are just like yours. I use Outbound at the bottom to send all traffic through Speedfusion but have several domain-only rules with any source above it using fastest response. I have no issues. It takes maybe 30-60 seconds after pressing apply for it to kick in. I know it’s done when my CPU has returned to normal. I have a lot of rules and settings enabled now; it used to “apply” a lot faster. I usually just press F5 in my browser and sites that were being blocked due to my Speedfusion coming out of a known data center are no longer blocked (so that’s how I know it works).

I also wasn’t aware that using Fastest Response was a problem, as C_Metz mentioned. I would like to know more about this. I thought that only an inquiry packet was sent to all of the WANs and the one that responded first was chosen. I guess more happens than that, but I would like clarification since, intuitively, this is what I want and thought happened.

Yes, I think that is how fastest response works. Peplink had a detailed explanation of every algorithm on their website at one point. I used fastest response with three WANs all of last year without any issue. Websites don’t care any more if the packets are going/coming from different IPs/WANs. I only started using Speedfusion a couple of months ago due to increased WAN instability. I disabled HTTPS persistence from the get-go, btw; not a single issue.