Netgate Discussion Forum

    Http://checkip.dyndns.org/ gives me my lan address (192.168.0.20). What did I do

    DHCP and DNS
    • D
      davros123
      last edited by

      Hi Guys,
          I have spent the last week getting to grips with pfsense…and I am slowly getting there.

      On the way, I appear to have set some dns settings that are now giving me a challenge!

      I set up DNS forwarder as I do want to be able to navigate to, say, my sprinkler system webpage by just typing in sprinkler (its hostname allocated via DHCP) into a browser.

      However when I type my domain name into a browser, I am directed to my internal LAN address, 192.168.0.254 and not to the external IP for my domain.
      Is there a way to make it go "outside" and back in when I type my domain name?

      Also....
      When I go to http://www.whatismyip.com/ I get my real IP

      When I go to http://checkip.dyndns.org/ I get my LAN IP.

      If I nslookup bill.com I get
      C:\Windows\System32>nslookup bill.com
      Server:  firewall.home.lan
      Address:  192.168.0.254

      Non-authoritative answer:
      Name:    bill.com
      Address:  112.241.129.229

      Thanks.

      • D
        davros123
        last edited by

        bump

        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          http://checkip.dyndns.org gives you a private IP address?  I find this pretty hard to believe.  Can you post a screenshot of that?  Are you using any sort of proxy or caching software?

          As to what bill.com resolves to – not sure what your issue is; as you show it, that shows that it returns a non-RFC1918 address.  Are you saying it's not correct?

          I show it resolving to
          ;; QUESTION SECTION:
          ;bill.com.                      IN      A

          ;; ANSWER SECTION:
          bill.com.              60      IN      A      216.146.46.11
          bill.com.              60      IN      A      216.146.46.10

          I show the nameservers for bill.com as

          Tech Email: whoiscontact@hq.bill.com
          Name Server: NS1.P09.DYNECT.NET
          Name Server: NS2.P09.DYNECT.NET
          Name Server: NS3.P09.DYNECT.NET
          Name Server: NS4.P09.DYNECT.NET

          Are you wanting to resolve a host.bill.com ?

          If you want to use a public IP, or an FQDN that resolves to a public IP, that is on the outside of your pfSense to be forwarded to something inside your network, then you need to enable NAT reflection.

          But it's quite often a better solution to just have your internal DNS return the internal address for the FQDN that you want to resolve, and people outside your network would resolve your public IP.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          • P
            phil.davis
            last edited by

            If I nslookup bill.com I get
            C:\Windows\System32>nslookup bill.com
            Server:  firewall.home.lan
            Address:  192.168.0.254

            Non-authoritative answer:
            Name:    bill.com
            Address:  112.241.129.229

            That bill.com output is perfectly normal. The first lines "Server" and "Address" are telling you which DNS server answered your request, that was the DNS server on your pfSense - to be expected.
            The second section tells you that bill.com is 112.241.129.229 - looks at least like a reasonable public IP address.

            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

            • T
              tsrattan
              last edited by

              Hi, it means you are using DDNS from this provider
              http://checkip.dyndns.org/

              • D
                davros123
                last edited by

                Two apologies guys.

                1. Apologies firstly for the delay in replying…I have been trying to secure employment.
                2. Apologies for not indicating that bill.com is in fact a "dummy" domain name…I was using it as an example instead of my own domain name....I should have made that clear.

                Let me try and be clearer.

                • Let's call my domain name mydomainna.me.

                • I am using zoneedit to point to my home server (dynamic IP).

                • This zoneedit IP is updated by pfsense and is the correct WAN IP (I can see this via the zoneedit gui).

                • I can successfully navigate to mydomainna.me from an external internet connection…say my iPhone on 3G.

                ….so to me that says this is clearly a pfsense proxy/nameserver thing.

                • I am using Squid proxy in pfsense.

                What I do not understand is two things…

                1. Why do I get directed to 192.168.0.254 (my pfsense server/gateway address) when I enter mydomainna.me into a browser on my LAN.
                2. Why does going to checkip.dyndns.org give a LAN IP address?

                I'd appreciate some help on what I might need to look at/show you guys to get to the bottom of this.

                http://checkip.dyndns.org gives you a private IP address?  I find this pretty hard to believe.  Can you post a screenshot of that?  Are you using any sort of proxy or caching software?

                Pinging mydomainna.me [203.212.141.221] with 32 bytes of data:
                Reply from 20x.212.141.221: bytes=32 time<1ms TTL=64
                Reply from 20x.212.141.221: bytes=32 time<1ms TTL=64
                Reply from 20x.212.141.221: bytes=32 time<1ms TTL=64
                Reply from 20x.212.141.221: bytes=32 time<1ms TTL=64
                
                Ping statistics for 203.212.141.221:
                    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
                Approximate round trip times in milli-seconds:
                    Minimum = 0ms, Maximum = 0ms, Average = 0ms
                
                C:\Windows\System32>
                
                C:\Windows\System32>nslookup mydomainna.me
                Server:  firewall.home.lan
                Address:  192.168.0.254
                
                Non-authoritative answer:
                Name:    mydomainna.me
                Address:  20x.212.141.221
                
                

                The above domainname and IP have been masked

                http://checkip.dyndns.org/

                C:\Windows\System32>nslookup http://checkip.dyndns.org/
                Server:  firewall.home.lan
                Address:  192.168.0.254
                
                *** firewall.home.lan can't find http://checkip.dyndns.org/: Non-existent domain
                
                C:\Windows\System32>
                
                
                Ethernet adapter Local Area Connection:
                
                   Connection-specific DNS Suffix  . : home.lan
                   Description . . . . . . . . . . . : Intel(R) Gigabit CT Desktop Adapter
                   Physical Address. . . . . . . . . : 00-1B-22-53-8A-D3
                   DHCP Enabled. . . . . . . . . . . : Yes
                   Autoconfiguration Enabled . . . . : Yes
                   Link-local IPv6 Address . . . . . : fe80::85c0:eab1:e6b5:9b6a%22(Preferred)
                   IPv4 Address. . . . . . . . . . . : 192.168.0.20(Preferred)
                   Subnet Mask . . . . . . . . . . . : 255.255.255.0
                   Lease Obtained. . . . . . . . . . : Thursday, 19 December 2013 1:57:29 PM
                   Lease Expires . . . . . . . . . . : Thursday, 19 December 2013 6:57:28 PM
                   Default Gateway . . . . . . . . . : 192.168.0.254
                   DHCP Server . . . . . . . . . . . : 192.168.0.254
                   DHCPv6 IAID . . . . . . . . . . . : 452991777
                   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-A6-D2-C5-50-B5-49-44-26-02
                
                   DNS Servers . . . . . . . . . . . : 192.168.0.254
                   NetBIOS over Tcpip. . . . . . . . : Enabled
                

                • T
                  tsrattan
                  last edited by

                  Hi,
                  You are using dynamic IP mapping and the mapping service is provided by them (http://checkip.dyndns.org/). That's why you see the LAN IP, which is shown by pfSense. When you use some other site which has no link with your DDNS provider, you see the actual WAN IP.

                  Regarding the other problem: open one port for your web address and point it to your web server, or add a host name in front of the domain name and create the entry for it in your DDNS web provider account online.

                  • D
                    davros123
                    last edited by

                    Thanks for the response tsrattan.

                    As per my last post, I am using zoneedit for my dns mapping.  I am simply going to  http://checkip.dyndns.org/ to get my WAN IP address (as is displayed with  http://www.whatismyip.com/ )

                    I was not aware that dyndns and zoneedit were associated.

                    Even if this is the case, I do not understand how navigating to http://checkip.dyndns.org/ would provide my LAN IP.  I would need to do some packet capture on the WAN side, but I'll bet it is not actually routing to the WAN ie. http://checkip.dyndns.org/  and even if it is, I have no idea how it would be presented with my LAN address.

                    I clearly have a lot to learn so can someone explain that part in detail?

                    • T
                      tsrattan
                      last edited by

                      Hi,
                      No, it's not going to the WAN; it is just getting it from pfSense.
                      I think both providers are actually the same company.

                      I had the same problem of my geektool script showing a local address, so I started checking my WAN IP using a different URL and it was showing me the right WAN address.
                      Thanks

                      • D
                        davros123
                        last edited by

                        So how is pfSense presenting this webpage? Is it because it is cached by Squid?

                        Also, I do not think the companies are linked…I could not find anything suggesting Dynamic Network Services owns zoneedit....which is good, because I like zoneedit :)

                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by

                          So are you using Squid? I assume it's adding an x-forwarder tag that lists the IP the proxy forwarded traffic for?

                          http://en.wikipedia.org/wiki/X-Forwarded-For

                          I don't use the squid package currently, maybe there is a check box in the gui, or advanced options. But try turning that off.. Something like

                          request_header_access X-Forwarded-For deny all

                          in the config I would think.  There should be no possible way for a page that says what IP you came from to list your private IP - since it is impossible for you to talk to that website from a private IP.  So your proxy must be adding that info and the page is using that.

                          • M
                            mikeisfly
                            last edited by

                            Here are some of the sites that I use:

                            www.ipchicken.com
                            www.whatsmyip.net

                            I too have a DNS server at home and I have it configured so that if someone does a query for freepbx.mydomain.com it will return the private IP for the server. I then configured dyndns.org so that if someone outside the network does a query for freepbx.mydomain.com it will return my public IP address. Of course you will have to forward the request to the appropriate IP address on the inside of your network.

                            Are you using the Dynamic DNS service in pfSense? That should give you a public IP address. I would think running the dynamic DNS client on your computer would return a private IP address. pfSense does support Zoneedit.

                            • T
                              tsrattan
                              last edited by

                              System: Advanced: Admin Access

                              WebGUI redirect Disable webConfigurator redirect rule
                              When this is unchecked, access to the webConfigurator is always permitted even on port 80, regardless of the listening port configured. Check this box to disable this automatically added redirect rule.

                              Is your webGUI listening on port 80? Please check.

                              • D
                                davros123
                                last edited by

                                @johnpoz:

                                So are you using squid, I assume its adding the  a x-forwarder tag that lists the IP the proxy forwarded traffic for?

                                …
                                There should be no possible way for a page that says what IP  you came from to list your private IP - since it is impossible for you to talk to that website from a private IP.  So your proxy most be adding that info and the page is using that.

                                Thanks john…I suspected this was the case...and on reading more about NAT last night, I can see that it simply must have been the proxy because as you say, there is no way the "real" http://checkip.dyndns.org/ could be seeing and displaying a page to my private IP.

                                I reviewed the options and the simplest solution was to place http://checkip.dyndns.org/ in the "bypass proxy for these IP's" list.

                                All good. Now I get my public IP.  Ahhh, the joys of a cache :)

                                Thanks to the other posters...however the issue was clearly the proxy serving up a cached page for http://checkip.dyndns.org/

                                Cheers.

                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator
                                  last edited by

                                  Again, how could it ever have been cached with your local IP??  It's NOT possible for that site to see you coming from a 192.168 address, it's just NOT.

                                  So did you turn off the x-forwarder option in Squid? That is the ONLY thing that the site could have used to see a private IP address.

                                  • D
                                    davros123
                                    last edited by

                                    John, you are right again  8)

                                    I removed the bypass entry and ticked the "Disable X-Forward - If not set, Squid will include your system's IP address or name in the HTTP requests it forwards."

                                    I again did some reading and now understand the use of this field. This header was specifically introduced to provide the originating IP of traffic passing through a proxy.

                                    So, contrary to my prev. posts, this was going out to the real http://checkip.dyndns.org/. Squid was adding the x-forward-for header with my LAN ip, and checkip.dyndns.org was using this as the originating ip. Simple really :)

                                    I am learning more about this space…but it seems each step only opens up more complexity. Fun.

                                    1 Reply Last reply Reply Quote 0
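
How a "what is my IP" page can end up printing 192.168.0.20, as an added example that is not part of the original thread and is not checkip.dyndns.org's actual code: the naive function believes the X-Forwarded-For value Squid attached, while the second one reads the header only when the TCP peer is a proxy the server itself trusts. The function names and the 203.0.113.x, 198.51.100.x and 192.0.2.x addresses are constructed placeholders.

```python
import ipaddress

# Ranges that can never be the source of a connection arriving from the
# internet (RFC 1918, loopback, link-local, IPv6 unique-local).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]


def parse_xff(value):
    """Split an X-Forwarded-For value into addresses, dropping junk tokens."""
    hops = []
    for token in (value or "").split(","):
        try:
            hops.append(ipaddress.ip_address(token.strip()))
        except ValueError:
            continue  # "unknown", hostnames, or other non-address text
    return hops


def naive_client_ip(peer, xff):
    """What the thread observed: the first header entry wins over the peer."""
    hops = parse_xff(xff)
    return str(hops[0]) if hops else peer


def client_ip(peer, xff, trusted_proxies=()):
    """Prefer the TCP peer; read the header only behind a trusted proxy."""
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    if not is_trusted(ipaddress.ip_address(peer)):
        return peer  # header was set by a stranger's proxy: ignore it
    # Rightmost entries were appended by our own proxies, so walk backwards.
    for hop in reversed(parse_xff(xff)):
        if is_trusted(hop):
            continue
        if any(hop in net for net in NON_ROUTABLE):
            break  # not a possible internet source; fall back to the peer
        return str(hop)
    return peer


if __name__ == "__main__":
    # Constructed values: 203.0.113.10 stands in for the pfSense WAN address,
    # 192.168.0.20 is the LAN client address from the thread.
    print(naive_client_ip("203.0.113.10", "192.168.0.20"))
    print(client_ip("203.0.113.10", "192.168.0.20"))
```

Disabling the header in Squid, as done in the post above, stops the LAN address leaving the network; the server-side check covers requests from proxies the site operator does not control.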
                                    • S
                                      Stewart
                                      last edited by

                                      I know this topic is very old but I ran into this issue today for an LTS security system. A solution that worked for me was to run the host command on checkip.dyndns.org from the CLI to get the list of IPs associated with it. In this case they were: 216.146.43.71, 162.88.100.200, 216.146.38.70, 162.88.96.194, 131.186.113.135, 131.186.113.136. I then created an alias to contain those IPs and placed that alias in the Bypass lines for Squid. I also placed the NVR IP in the bypass. That allowed the correct IP to be pulled.

                                      To be honest I don't really know the ramifications of disabling the x-forward and this is similar to the solution I use to get the Intuit downloaders to work for Quickbooks so I thought it would be a good shot. Hope this helps someone along the way.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.