I'm working on setting up policy-based routing for a branch office where I want certain traffic, like web browsers, to appear as if it's coming from the head office. While I have a basic setup going, I'm concerned about making sure only the appropriate traffic is routed through the head office instead of everything. It works for basic website access, but many sites use CDNs, and if those aren't included in my policy rules, the entire network conversation will still seem like it's from the branch office. Are there any tools that can help me identify all the URLs, IPs, domains, and ports that are involved in a network transaction when I input a specific URL?
3 Answers
Actually, finding a simple tool that maps a URL to everything it interacts with is pretty tricky these days. Modern websites use a ton of CDNs, third-party JavaScript, and various APIs, which complicates tracking. For my setups, I've relied on a few methods:
- You can check the Network tab in your browser's developer tools, although it gets pretty cluttered.
- Running `tcpdump` or Wireshark while loading the page from the branch office can also help, especially if you filter it for a specific client.
- If your firewall has application-level inspection, that tends to be one of the easier paths to see what traffic is actually going out.
Additionally, rather than trying to pinpoint every CDN endpoint, it’s often more stable to just route by traffic type. What hardware are you using for your routing? Some options are definitely more user-friendly for this kind of setup.
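
An added example, not part of the answers in this thread: the browser Network tab mentioned above can save a page load as a HAR file, and the Python below reduces such a file to the hosts, ports and server IPs it contacted. The sample HAR, its hostnames and addresses are constructed, and the function names are hypothetical.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample, trimmed to the HAR fields used below. A real file is
# exported from the browser's Network tab after loading the page.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://www.example.com/"}, "serverIPAddress": "203.0.113.10"},
    {"request": {"url": "https://cdn.example.net/app.js"}, "serverIPAddress": "198.51.100.7"},
    {"request": {"url": "https://cdn.example.net/site.css"}, "serverIPAddress": "198.51.100.8"},
    {"request": {"url": "http://api.example.org:8080/v1/geo"}, "serverIPAddress": "[2001:db8::5]"},
    {"request": {"url": "data:image/png;base64,AAAA"}},
]}})

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

def endpoints_from_har(har_text):
    """Return {(host, port): sorted server IPs} for every network request."""
    found = defaultdict(set)
    for entry in json.loads(har_text)["log"]["entries"]:
        parts = urlsplit(entry["request"]["url"])
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            continue  # data:, blob:, about: URLs never leave the browser
        port = parts.port or DEFAULT_PORTS[parts.scheme]
        ips = found[(parts.hostname, port)]  # keep the host even without an IP
        ip = entry.get("serverIPAddress", "").strip("[]")  # IPv6 may be bracketed
        if ip:  # cached responses carry no server address
            ips.add(ip)
    return {key: sorted(found[key]) for key in sorted(found)}

def hostnames(endpoints):
    """Unique hostnames seen, as candidates for policy-routing rules."""
    return sorted({host for host, _port in endpoints})

if __name__ == "__main__":
    for (host, port), ips in endpoints_from_har(SAMPLE_HAR).items():
        print(f"{host}:{port} -> {', '.join(ips) or '(no IP recorded)'}")
```

A HAR file records one page load from one location, and the addresses behind CDN hostnames change between loads, so the hostname list is the more stable output to build rules from.
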
Here's a straightforward way to do this:
1. Set up a proxy in your head office.
2. Install Firefox in the branch office.
3. Configure Firefox to use the head office proxy.
4. Tell users to use other browsers like Chrome or Edge for their regular browsing, but use Firefox for sites that are geoblocked.
Easy peasy, right?
Have you considered setting up a proxy server? It might be a more effective solution than just relying on routing rules. You can use a PAC file to help direct specific traffic through the proxy.

Thanks for the insight! I suspected Wireshark might be useful. I'm using pfSense for both locations with an OpenVPN tunnel, so I can match traffic pretty well with firewall rules.