Netgate Discussion Forum

Trouble with NAT / Firewall rules, and dynamic WAN IP

  deather
    last edited by Jul 3, 2007, 9:11 AM

    Hi -

    I'm running pfSense 1.0.1. My ISP gives me a dynamic IP address each time I get connected, and disconnects me every 24hrs to force me to change my IP address (crappy, yeah).

    I'm having trouble with NAT, let me explain. When I create a NAT rule (which automatically adds a firewall rule), redirection works OK until I get disconnected and reconnected, which means my WAN IP changes.

    The problem is that, as pfctl -sn shows, redirections are applied to the WAN IP address:

    rdr on ng0 inet proto tcp from any to 82.120.171.165 port = 9258 -> 192.168.0.129 port 23
    rdr on ng0 inet proto tcp from any to 82.120.171.165 port = spc -> 192.168.0.3
    rdr on ng0 inet proto udp from any to 82.120.171.165 port = 6112 -> 192.168.0.3
    rdr on ng0 inet proto tcp from any to 82.120.171.165 port = ssh -> 192.168.0.128
    rdr on ng0 inet proto tcp from any to 82.120.171.165 port = telnet -> 192.168.0.128
    rdr on ng0 inet proto tcp from any to 82.120.171.165 port = ftp -> 192.168.0.128
    rdr on ng0 inet proto tcp from any to 82.120.171.165 port = http -> 192.168.0.128

    So when I get disconnected and reconnected, it doesn't seem to be updated accordingly, because pf doesn't match any redirections, and ends up matching one of these rules:

    block drop in log quick all label "Default block all just to be sure."
    block drop out log quick all label "Default block all just to be sure."

    I can see that through tcpdump running on pflog0.

    I don't know if the issue is related to a misconfiguration by me or if it's a known bug.
    What is the right script to run in order to update the rules table to match the new WAN IP?

    Thanks!

    deather
      last edited by Jul 5, 2007, 3:22 PM

      Well, here's the hack I used to solve my problem:

      1/ Write a little script, say /etc/rc.update.all:

      #!/bin/sh

      # Reload filter rules to match the new WAN IP
      /etc/rc.filter_configure
      /etc/rc.filter_configure_sync

      # Update the DynDNS
      /etc/rc.dyndns.update

      2/ Add, at the end of /usr/local/sbin/ppp-linkup, a line to run the script.

      It seems to work when I manually disconnect and reconnect; I hope it will also work when I get disconnected by my ISP (i.e. mpd will run the ppp-linkup script).

      cmb
        last edited by Jul 6, 2007, 8:38 AM
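The stale-binding check behind the workaround above, as an added example that is not from this thread or from pfSense: a POSIX sh script that parses `pfctl -sn` output (a constructed sample in the shape shown in the first post, using the thread's addresses), compares the external addresses the rdr rules are bound to against the current WAN IP, and reports when the filter needs reloading. The helper names, the `82.120.171.200` "new" address and the stubbed WAN lookup are constructed; on a live box the reload line would be the `/etc/rc.filter_configure` call from the post.

```shell
#!/bin/sh
# Constructed sample of `pfctl -sn` output in the shape the thread shows;
# not captured from a real box.
SAMPLE_RDR='rdr on ng0 inet proto tcp from any to 82.120.171.165 port = ssh -> 192.168.0.128
rdr on ng0 inet proto tcp from any to 82.120.171.165 port = http -> 192.168.0.128
rdr on ng0 inet proto udp from any to 82.120.171.165 port = 6112 -> 192.168.0.3'

# Print the unique external addresses the rdr rules are bound to.
# $1 = pfctl -sn output
rdr_bound_ips() {
    printf '%s\n' "$1" \
      | awk '$1 == "rdr" { for (i = 1; i < NF; i++) if ($i == "to") print $(i + 1) }' \
      | sort -u
}

# Return 0 when every rdr rule is bound to the current WAN address,
# 1 when at least one rule still points at an old address.
# $1 = current WAN IP, $2 = pfctl -sn output
rdr_matches_wan() {
    for ip in $(rdr_bound_ips "$2"); do
        [ "$ip" = "$1" ] || return 1
    done
    return 0
}

# Decide whether the filter needs a reload. On a live box the WAN address
# would come from the PPP interface (e.g. ifconfig ng0 | awk '/inet / {print $2}')
# and the reload line would be active; here both are stubbed so it runs offline.
# Returns 0 if the rules were already current, 1 if a reload was needed.
check_and_reload() {
    wan_ip=$1
    if rdr_matches_wan "$wan_ip" "$2"; then
        echo "rdr rules already bound to WAN IP $wan_ip"
        return 0
    fi
    echo "rdr rules bound to $(rdr_bound_ips "$2" | tr '\n' ' ')but WAN is now $wan_ip; reloading filter"
    # /etc/rc.filter_configure      # the reload from the post above
    return 1
}

check_and_reload 82.120.171.165 "$SAMPLE_RDR"          # rules current
check_and_reload 82.120.171.200 "$SAMPLE_RDR" || true  # constructed new address: reload needed
```

Run from ppp-linkup, a check like this reloads only when the bound address actually changed, and its output on the console (or syslog) gives a record of each stale-rule event.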

        This is almost certainly not an issue in 1.2; lots of things related to that have been fixed.

        deather
          last edited by Jul 6, 2007, 10:02 AM

          Really?
          Thanks, I'm going to upgrade!
