Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Trouble with NAT / Firewall rules, and dynamic WAN IP

    Scheduled Pinned Locked Moved
    NAT
    2
    4
    3.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      deather
      last edited by

      Hi -

      I'm running pfSense 1.0.1. My ISP gives me a dynamic IP address each time I get connected, and disconnects me every 24hrs to force me changing my IP address (crappy, yeah).

      I'm having trouble with NAT, let me explain. When I create a NAT rule (which automatically adds a firewall rule), redirection works OK, until I get disconnected and reconnected, which mean my WAN IP changes.

      The problem is that, as pfctl -sn shows, redirections are applied to the WAN IP address :

      rdr on ng0 inet proto tcp from any to 82.120.171.165 port = 9258 -> 192.168.0.129 port 23
      rdr on ng0 inet proto tcp from any to 82.120.171.165 port = spc -> 192.168.0.3
      rdr on ng0 inet proto udp from any to 82.120.171.165 port = 6112 -> 192.168.0.3
      rdr on ng0 inet proto tcp from any to 82.120.171.165 port = ssh -> 192.168.0.128
      rdr on ng0 inet proto tcp from any to 82.120.171.165 port = telnet -> 192.168.0.128
      rdr on ng0 inet proto tcp from any to 82.120.171.165 port = ftp -> 192.168.0.128
      rdr on ng0 inet proto tcp from any to 82.120.171.165 port = http -> 192.168.0.128

      So when I get disconnected and reconnected, it doesn't seem to be updated accordingly, because pf doesn't match any redirections, and ends up matching one of these rules:

      block drop in log quick all label "Default block all just to be sure."
      block drop out log quick all label "Default block all just to be sure."

      I can see that through tcpdump running on pflog0.

      I don't know if the issue is related to a misconfiguration by me or if it's a known bug.
      What is the right script to run in order to update the rules table to match the new WAN IP?

      Thanks!

      1 Reply Last reply Reply Quote 0
      • D
        deather
        last edited by

        Well, here's the hack I used to solve my problem:

        1/ Write a little script, say /etc/rc.update.all:

        #!/bin/sh

# Reload filter rules to match the new WAN IP
/etc/rc.filter_configure
/etc/rc.filter_configure_sync

# Update the DynDNS
/etc/rc.dyndns.update

        2/ Adds at the end of /usr/local/sbin/ppp-linkup a line to run the script.

        It seems to work when I manually disconnect and reconnect, I hope it will too when I get disconnected by my ISP (i.e. mpd will run the ppp-linkup script).

        1 Reply Last reply Reply Quote 0
        • C
          cmb
          last edited by

          This is almost certainly not an issue in 1.2, lots of things related to that have been fixed.

          1 Reply Last reply Reply Quote 0
          • D
            deather
            last edited by

            Really?
            Thanks, I'm going to upgrade!

            1 Reply Last reply Reply Quote 0
            • First post
              Last post