Allow traffic from dynamic IP address
-
I have a phone system behind a pfsense. I want to open up the proper ports so that i can have remote phones, but i want to limit who can connect to only a few IP addresses. Problem is that one of the people that needs a remote phone uses an ISP that will not give him a static ip address. Is there a way i can create a firewall rule that checks a dyndns (or similar) type of address?
-
There isn't any supported way of doing that. Perhaps he could use a router at home that supports a VPN to connect into your network.
Another possibility that isn't as secure is to make an allow rule for the ISP's subnet that he always ends up in. (eg. 129.128.0.0/22) -
A mobile IPsec tunnel would be great for this kind of situation, and would remain secure.
There are some ways to use hostnames in rules, such as using a hostname in an alias instead of directly in the rule, but there are some drawbacks to that. I forget exactly what they are though. Something about needing a script to update the resolved hostname now and then.
There was a recent discussion on the forums, or perhaps the support list, try searching for some variation of the keywords "dynamic host alias".
-
I find that using a voip phone over an IPSEC VPN tunnel affects the call quality quite seriously. I guess it is the overhead of the encryption.
I have the same problem with a couple of home workers. Will try out the Alias hostname.
Thanks
