Netgate Discussion Forum

Autoupdate of WAN address doesn't seem to work

    yoogie
    last edited by Feb 2, 2007, 8:47 AM

    Hi there,

    I have a problem with the pfSense 1.01 installed and configured as an internet gateway through PPPoE (in Germany).
    My problem is the following. I have 3 rules on the WAN interface configured:

    - block RFC1918 networks
    - from one fixed external ip address to "WAN address" on port 443 (HTTPS) (this is for the web-interface)
    - from the same external ip address to "WAN address" on port 22 (SSH)

    This should ensure that the administration only works from one dedicated ip address.

    I have configured DynamicDNS updates which work like a charm.

    But, my German DSL provider disconnects the line every 24 hours. After the disconnect, I am not able any more to access the firewall from an external address. I assume that this is because the firewall doesn't update the rules to the new ip address and access is only allowed to the old one it had before the disconnect.

    The DynamicDNS updates work as stated above. The PPPoE connection is configured as follows:

    - MTU 1492
    - Type PPPoE
    - PPPoE Username: xxxxxxx
    - PPPoE Password: xxxxxxx
    - no Service Name
    - Dial on demand disabled
    - Idle timeout disabled
    - FTP Helper disabled
    - Block private networks enabled

    (the firewall should stay connected all the time and reconnect after the forced line cut)

    Any help is very much appreciated.

    Manuel

      hoba
      last edited by Feb 2, 2007, 1:53 PM

      I'm in Germany too on dynamic IP with 24h forced disconnects. I don't see the problem here. Are you absolutely sure your DynDNS account updates are working?

        yoogie
        last edited by Feb 2, 2007, 1:55 PM

        Yes, I did an nslookup (from an external computer) and got the actual wan address of the firewall.

          hoba
          last edited by Feb 2, 2007, 2:18 PM

          Can you verify by looking at /tmp/rules.debug (diagnostics>edit file) that there is a problem with the firewall rules after your IP has changed? Also please upgrade to the latest snapshot to see if the problem was not already fixed in the meantime.

            yoogie
            last edited by Feb 5, 2007, 8:28 AM

            Should this file be generated each time I get a new ip address?

            The reason why I am asking is that the file is 3 days old now and I got a new address a few hours ago.

            I will try the trunk and report here.

            Thanks for your answer.

            Cheers, Manuel
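
hoba's suggestion to inspect /tmp/rules.debug and yoogie's observation that the file was three days old can be combined into a repeatable check. The script below is an added example, not part of the original thread and not pfSense code; the interface name ng0, the addresses, and the simplified pf rule lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not pfSense code. Sample rules are constructed and use
# simplified pf syntax; ng0 and the 198.51.100.x / 203.0.113.x addresses
# are placeholders.

# Write a constructed rule set that still targets the old WAN address.
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample, simplified pf syntax
block in quick on ng0 from 10.0.0.0/8 to any
pass in quick on ng0 proto tcp from 203.0.113.10 to 198.51.100.7 port = 443 keep state
pass in quick on ng0 proto tcp from 203.0.113.10 to 198.51.100.7 port = 22 keep state
pass in quick on fxp0 from 192.168.1.0/24 to any keep state
EOF
}

# stale_wan_rules FILE WAN_IF CURRENT_WAN_IP
# Print "pass in" rules on WAN_IF whose destination is a literal IPv4
# address other than CURRENT_WAN_IP. Returns 1 if any were found, else 0.
stale_wan_rules() {
    awk -v ifname="$2" -v wan="$3" '
        /^[ \t]*#/ { next }
        $1 == "pass" && $2 == "in" {
            on_wan = 0; dst = ""
            for (i = 3; i < NF; i++) {
                if ($i == "on" && $(i + 1) == ifname) on_wan = 1
                if ($i == "to") dst = $(i + 1)
            }
            if (on_wan && dst ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && dst != wan) {
                print NR ": " $0
                stale = 1
            }
        }
        END { exit stale + 0 }
    ' "$1"
}

# rules_older_than FILE MINUTES
# Succeeds if FILE was last written more than MINUTES ago, i.e. it was not
# regenerated after an address change that happened MINUTES ago.
rules_older_than() {
    [ -n "$(find "$1" -mmin +"$2" 2>/dev/null)" ]
}

# Demo: the WAN address changed from 198.51.100.7 to 198.51.100.99.
demo_rules=$(mktemp)
write_sample_rules "$demo_rules"
stale_wan_rules "$demo_rules" ng0 198.51.100.99 || echo "rules still point at an old WAN address"
rm -f "$demo_rules"
```

On a real system the first argument would be the generated rule file and the last the address currently bound to the WAN interface; a non-empty result means the admin pass rules no longer match the address the box actually has.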

              sullrich
              last edited by Feb 5, 2007, 3:20 PM

              @yoogie:

              Should this file be generated each time I get a new ip address?

              The reason why I am asking is that the file is 3 days old now and I got a new address a few hours ago.

              I will try the trunk and report here.

              Thanks for your answer.

              Cheers, Manuel

              Sounds like checkreloadstatus is exiting.  We added a fix but it requires updating to a recent snapshot. Download the configuration file and in the <cron> area insert:

              <minute>*/5</minute>
              <hour>*</hour>
              <mday>*</mday>
              <month>*</month>
              <wday>*</wday>
              <who>root</who>
              <command>/usr/local/bin/checkreload.sh</command>

              Then re-upload the config file.

                yoogie
                last edited by Feb 6, 2007, 11:34 AM

                Hm,

                I have made a backup of the configuration from within the web interface. Unfortunately there is no section called cron.

                Should I add it somewhere?

                Cheers,
                Manuel

                  hoba
                  last edited by Feb 6, 2007, 11:44 AM

                  Add it at the very bottom like:

                  
                  ...
                     <cron><minute>*/5</minute>
                           <hour>*</hour>
                           <mday>*</mday>
                           <month>*</month>
                           <wday>*</wday>
                           <who>root</who>
                           <command>/usr/local/bin/checkreload.sh</command></cron>
                  
                  

                  You have to be at the latest snapshot version for this to work.

                    sullrich
                    last edited by Feb 6, 2007, 3:09 PM

                    Try updating to the latest snapshot.  This entry should be auto added when it updates the config.

                      JeGr LAYER 8 Moderator
                      last edited by Feb 7, 2007, 7:21 AM

                      What's strange to me (as I'm in Germany too and these things described work like a charm in earlier versions of pfSense up until the recent snapshot without problems at all) is:

                      - Dial on demand disabled
                      - Idle timeout disabled

                      I have configured my boxes to DialOnDemand enabled with an idle timeout of 0 (as this is none at all so stay connected and redial if disconnected by provider) and with the new snapshot I added Daniel's brilliant Cron Setting for disconnecting at a specific time to work around the 24h disconnect (I set it up for 0500 every morning).

                      With this config I have pfSense running until a pre-1.0 Release and hadn't had a problem on the way with DynDNS or connecting from an external IP (setup exactly like yoogie with SSH and HTTP(s) from an external static IP).

                      Just an idea…

                      Greets Grey

                        yoogie
                        last edited by Feb 7, 2007, 12:57 PM

                        Hi there,

                        thanks for your help.

                        I have recently rebuilt the whole system and reconfigured all the stuff. We will see tomorrow if it is solved or not. I will report.

                        Cheers,
                        Manuel

                          yoogie
                          last edited by Feb 7, 2007, 1:58 PM

                          Ok, another problem running "1.0.1 built on Mon Nov 13 05:22:16 UTC 2006".

                          I have configured the DSL line, the transparent squid and captive portal. The rules are set properly, but now I cannot connect from inside to outside at all. It seems that squid doesn't generate the transparent nat rule…

                          Weird.

                          Should I roll back to 1.0.1 stable and check the options Grey has suggested? What do you think?

                          Cheers,
                          Manuel

                            hoba
                            last edited by Feb 7, 2007, 2:00 PM

                            I suggest running the latest snapshot (your build time is 2006 Nov 13) which is pretty old. It should work fine with the latest snapshot I think.

                              yoogie
                              last edited by Feb 7, 2007, 2:03 PM

                              Oh damn, my fault… I am sorry.

                              I got that image from the Swiss mirror. The date on the server was 6th Feb 07. I am pretty sure...

                              Well I will give it another try.

                                hoba
                                last edited by Feb 7, 2007, 2:12 PM

                                You want to use http://snapshots.pfsense.com/FreeBSD6/RELENG_1/

                                  yoogie
                                  last edited by Feb 7, 2007, 2:13 PM

                                  Great thanks. Will do that tomorrow or friday

                                  Cheers,
                                  Manuel

                                    yoogie
                                    last edited by Feb 9, 2007, 12:08 PM

                                    Hi there,

                                    it seems to work now. Thank you very much for your help.

                                    BTW: The new web-interface looks gorgeous ;)

                                    Cheers,
                                    Manuel
