Outbound policy for Apple Updates

I have an outbound policy for my AppleTV based on the MAC address that routes it through the OpenVPN WAN – works great but wanted to tweak things a bit and allow Apple TV updates to be outbound any WAN, except the OpenVPN WAN. I’ve poked around a bit to create some higher priority rules but wasn’t successful using domains and IPs.

Curious if someone has created one or more outbound policies for Apple Updates, and if so can share what they used. Ideally, it would be SO awesome to be able to do it based on a source service that is already being identified in the active session report. I believe this might be a feature request if I recall.

Much appreciated folks!

Apparently they use a single class A for everything. That makes it easy…

Create a Grouped Network for 17.0.0.0/8. Then use that within your outbound policy to steer Apple traffic.

@brianyoungblood, The easiest would be to set outbound policy for all the Apple domains per priority and exclude the OpenVPN WAN from the list of allowable outbound connections.

Attached are a couple of screenshots showing my outbound for Netflix/Apple updates. Neither really takes very well running through a cloud server (pihole or any DNS is fine, just not cloud servers due to the blocking of IP addresses), so I have rerouted their outbound connections directly to the main network connections instead of the alternative outbound connections of FH or OpenVPN. My outbound OpenVPN connection service does allow Netflix traffic to passthrough, so that would be the only issue you might run into.

Do you have the apple/netflix domains as text list?

@jonathan_pitts, Pretty sure you were asking me for the file. The screenshot did cut off parts of the domains, and it’s also always easier to copy and paste rather than type everything in with the ever-changing list.

Unfortunately, this new forum format is only allowing me to upload a photo/config file anyway. I can paste a screenshot of the full sites but you will still have to type it all in.

Not optimal, PM me and I will email you the TXT file directly.

I PM’d you.

Thanks. I’ll try this as well. It would be great to create a group for Hulu as well since this is really the primary use for the OpenVPN I use – being explicit on just Hulu IPs/domains is better than excluding others. I have read that their IPs are all AWS based, so I haven’t found a range that is useful. Again, the Pepwave device knows about these, so it would be SO easy to just use their service group detection if it was exposed, yes?

I ended up using my iPhone to grab the text from the screen grab, so disregard my DM. Thanks for your help with this. I’m testing this out, but I might need to nuke connections to get them to reroute based on rules. Not sure how to do that… best method to force them to reroute?

Most of these connections should be short lived, so new ones should hit your rules automatically if they are working as expected.

If traffic is still not hitting the rule you expect, check that you do not have something further up the list that may be matching the traffic first – outbound policy is processed top-down in order, so the first rule that matches traffic will be applied to it.
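As an added illustration of the ordering point above (not code from the thread or from Peplink), here is a small first-match model of an outbound policy: a destination rule for the 17.0.0.0/8 grouped network that lists only the non-VPN WANs, placed above the MAC-based rule that sends everything else from the Apple TV through OpenVPN. The Apple TV MAC, the WAN names and the sample destination addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample values: the Apple TV MAC is a placeholder; the
# 17.0.0.0/8 grouped network is the range suggested in the thread.
APPLETV_MAC = "aa:bb:cc:dd:ee:ff"
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")


@dataclass
class Rule:
    name: str
    wans: List[str]                                  # allowed WANs, priority order
    src_mac: Optional[str] = None                    # None = any source device
    dst_net: Optional[ipaddress.IPv4Network] = None  # None = any destination

    def matches(self, src_mac: str, dst_ip: str) -> bool:
        if self.src_mac and self.src_mac.lower() != src_mac.lower():
            return False
        if self.dst_net and ipaddress.ip_address(dst_ip) not in self.dst_net:
            return False
        return True


def select_wan(rules: List[Rule], src_mac: str, dst_ip: str,
               healthy: List[str]) -> Tuple[str, Optional[str]]:
    """Top-down evaluation: the first matching rule decides the WAN.
    Returns (rule name, chosen WAN); WAN is None when the winning rule
    lists no healthy WAN (a later rule is never consulted)."""
    for rule in rules:
        if rule.matches(src_mac, dst_ip):
            chosen = next((w for w in rule.wans if w in healthy), None)
            return rule.name, chosen
    return "default", healthy[0] if healthy else None


# The update rule must sit ABOVE the MAC rule, or the MAC rule wins first.
APPLE_RULE = Rule("AppleTV updates", ["WAN1", "WAN2"], APPLETV_MAC, APPLE_NET)
VPN_RULE = Rule("AppleTV via OpenVPN", ["OpenVPN"], APPLETV_MAC)
GOOD_ORDER = [APPLE_RULE, VPN_RULE]
BAD_ORDER = [VPN_RULE, APPLE_RULE]   # MAC rule above swallows the Apple traffic

if __name__ == "__main__":
    up = ["WAN1", "WAN2", "OpenVPN"]
    print(select_wan(GOOD_ORDER, APPLETV_MAC, "17.1.2.3", up))  # WAN1
    print(select_wan(BAD_ORDER, APPLETV_MAC, "17.1.2.3", up))   # OpenVPN
```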

Thank you.