Getting in from my mobile phone
-
How can I set up my pfSense firewall so that it accepts packets coming from my mobile phone despite the fact that it's leased random IP addresses?
Can pfSense accept packets coming from a specific host that would always be resolved to my phone via a dynamic DNS client for Android?
Thank you.
-
Reserve an IP address for it via Services -> DHCP Server -> LAN -> Edit Static Mapping.
Unless you're talking about accessing your device from the Internet; if that's the case, set up an IPsec or OpenVPN VPN.
-
@nogbadthebad
Thank you, but you're missing the point.
I want to be able to let the firewall accept packets from my mobile phone (from the WAN, of course) only.
What you're suggesting is leaving the VPN port open to the world and I don't want that.
-
As NogBadTheBad (oops - Making_sense_of_pfSense) said, it would be best to do this with OpenVPN. I think you can set an Alias with a dynamic address set by your phone and then open a WAN port forward with that alias. I'm very new to this and this could be wrong... Dave.
-
@making_sense_of_pfsense said in Getting in from my mobile phone:
@nogbadthebad
Thank you, but you're missing the point.
I want to be able to let the firewall accept packets from my mobile phone (from the WAN, of course) only.
What you're suggesting is leaving the VPN port open to the world and I don't want that.
VPN is the safest way to do it.
-
@making_sense_of_pfsense said in Getting in from my mobile phone:
leased random IP addresses?
Not only that.. Might be an IPv6 to IPv4 gateway, so the IP could be shared by phone users of the same carrier. What if you're on a wifi hotspot at Starbucks or something and not coming through your carrier's cell-to-IP network..
Just set up VPN and open it to the world.. VPN is pretty freaking secure - worst case would be some noise in the openvpn log.
You could try and set up some dynamic DNS thing... But your phone's IP could change all the time, and pfSense would only update this alias every few minutes anyway.
You could use, say, pfBlockerNG to block IP ranges from hitting your VPN port. So if you're only in the US and are not going to travel, you could set it up so only IPs listed as being in the US can access your VPN port.
-
The solution to your problem is OpenVPN or IPsec VPN.
-
@making_sense_of_pfsense said in Getting in from my mobile phone:
despite the fact that it’s leased random IP addresses?
What you’re suggesting is leaving the VPN port open to the world and I don’t want that.
OK, prepare yourself for some double authentication: VPN + firewall enforcement:
Note down the IP your phone is using.
Use the same phone to call the guy that has local access to pfSense.
Let him enter your IP as the only one allowed in the firewall rule on WAN; he'll be changing the "source" address. When he's OK'ed it, you can enter.
Keep in mind that the IP on your phone could be given to someone else in the near future, so when done, call up your guy again and let him deactivate the firewall rule on WAN.
PS: of course everybody opens a VPN server with full worldwide access. It's built to handle this situation.
-
I leave my OpenVPN and IPsec mobile servers open to the world without hesitation.
Certainly better than some cooked-up scheme to limit access to arbitrary source IP addresses.
-
@gertjan said in Getting in from my mobile phone:
Use the same phone to call the guy that has local access to pfSense.
Freaking brilliant idea ;) Completely foolproof and secure, to be sure. As long as he validates today's codes; don't forget to bring your code book with you. I would prob lock it in a briefcase secured to your wrist with handcuffs..
-
Is this how you welcome newcomers? Congratulations...
-
Huh?? Someone didn't have their coffee this morning?
-
@making_sense_of_pfsense said in Getting in from my mobile phone:
Is this how you welcome newcomers? Congratulations...
To be fair I gave you the solution in my first post, it's up to you if you implement it or not.
Also if you search the forum, this question gets asked many times.
-
@making_sense_of_pfsense Realize you may be learning your ABCs of IP routing... but this IP thing is folly... your firewall only knows the last hop address where the packet is coming from, most likely your ISP's equipment... Bottom line is, this is simple SECURED REMOTE ACCESS, and VPN is it, as already mentioned. You will be identified and allowed access based on your VPN password authorizing the encryption key.
-
@sammywoo said in Getting in from my mobile phone:
but this IP thing is folly… your firewall only knows the last hop address where the packet is coming from, most likely your ISP’s equipment…
????
The router's IP address is not contained in the packet, only the source & destination addresses. A router's address may be known via routing tables, but not always. Point-to-point links don't need an IP address. On IPv6 the router's address is likely a link-local one, and that only has to be unique on the link. So, a router IP address might be known, but you can't bet on it. On the other hand, the MAC address is likely known, though again there might not be one on a point-to-point link.
-
@SammyWoo Totally incorrect, please take a read of the IP header specification and you'll notice that it includes a source address and a destination address, and neither of those is modified under normal routing; it's only when NAT gets introduced to the picture that either one of them gets modified. Forwarding to a gateway doesn't modify the header either; the IP packets are just tossed to the next hop unmodified.
https://en.wikipedia.org/wiki/IPv4#Header
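The last two posts disagree about what a firewall actually sees in an arriving packet. The following Python script is an added illustration, not code from this thread or from pfSense: it builds a minimal IPv4 header, walks it through plain routers (which only decrement the TTL and recompute the checksum) and then through a NAT gateway (which rewrites the source address). The addresses are constructed from RFC 5737 documentation ranges and a private range; the "carrier NAT" in the demo stands in for the IPv6-to-IPv4 or shared-address gateway mentioned earlier in the thread and is an assumption about the phone's path, not something the posts verified.

```python
import ipaddress
import struct

# Header layout per RFC 791: ver/ihl, tos, total_len, id, flags/frag, ttl, proto, csum, src, dst
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; returns 0 for a header with a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ttl: int = 64, proto: int = 17,
                      payload_len: int = 8, ident: int = 0x1234) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(hdr: bytes) -> dict:
    """Decode the fields a firewall rule can match on, plus a checksum validity flag."""
    (ver_ihl, _tos, _tlen, _ident, _ff, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_FMT, hdr[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "ttl": ttl,
        "protocol": proto,
        "checksum_ok": ipv4_checksum(hdr[:ihl]) == 0,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }


def _refresh_checksum(new: bytearray, ihl: int) -> None:
    new[10:12] = b"\x00\x00"
    struct.pack_into("!H", new, 10, ipv4_checksum(bytes(new[:ihl])))


def forward_hop(hdr: bytes) -> bytes:
    """What an ordinary router does: TTL minus one, new checksum, addresses untouched."""
    fields = parse_ipv4_header(hdr)
    if fields["ttl"] <= 1:
        raise ValueError("TTL expired: a router drops this and sends ICMP Time Exceeded")
    new = bytearray(hdr)
    new[8] -= 1
    _refresh_checksum(new, fields["ihl"])
    return bytes(new)


def source_nat(hdr: bytes, new_src: str) -> bytes:
    """What a NAT gateway does: rewrite the source address (the only place it changes)."""
    fields = parse_ipv4_header(hdr)
    new = bytearray(hdr)
    new[12:16] = ipaddress.IPv4Address(new_src).packed
    _refresh_checksum(new, fields["ihl"])
    return bytes(new)


def main() -> None:
    # Constructed scenario: phone behind a carrier NAT talking to a pfSense WAN address.
    pkt = build_ipv4_header("10.20.30.40", "203.0.113.5")
    print("at the phone:   ", parse_ipv4_header(pkt))
    for _ in range(3):                      # three plain routers inside the carrier
        pkt = forward_hop(pkt)
    print("after 3 routers:", parse_ipv4_header(pkt))
    pkt = source_nat(pkt, "198.51.100.77")  # carrier NAT rewrites the source
    print("at the firewall:", parse_ipv4_header(pkt))


if __name__ == "__main__":
    main()
```

Running it shows the point both sides were circling: the header carries the original source and destination through every plain router (only the TTL and checksum change), so the firewall is not seeing "the last hop address"; but once a NAT gateway sits in the path, the source the firewall sees is the NAT's public address, which is why a rule keyed to the phone's own address is unreliable.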