Newbie to pfsense, got typo in WAN host name How to fix?
-
HI; when installing I saved an WAN hostname with a typo by mistake I fixed it in the GUI and saved it but it shows up in the host table as permanent and I cannot seem to change it.
WAN 74.218.125.242 88:43:e1:c2:59:32 tezcelinc.net Permanent ethernet -
It should change if you reboot and it's been corrected in the config.
Though I would usually assume you had tried that already...
Steve
-
Yes Steve I did reboot and it did not change
-
Steve; Some background this erreo does not affect the passing of data through the Firewall. It does effect the VPN because the hostname in the certificate does not agree with the permanent saved hostname.
-
where exactly are you seeing this? If you change the boxes name - then yes you would have to create, install a cert to reflect the name your using to access it.
-
John; I'm seeing the hostname in the arp table
-
Well that is what the PTR for that IP resolves to on the public internet..
;; QUESTION SECTION:
;242.125.218.74.in-addr.arpa. IN PTR;; ANSWER SECTION:
242.125.218.74.in-addr.arpa. 86400 IN PTR tezcelinc.net.You need to FIX it there.. not on pfsense.
NS for that are listed as
;; AUTHORITY SECTION:
125.218.74.in-addr.arpa. 3600 IN NS dns4.rr.com.
125.218.74.in-addr.arpa. 3600 IN NS ns1.biz.rr.com.
125.218.74.in-addr.arpa. 3600 IN NS ns2.biz.rr.com.Let me know if you decide you don't want that IP listed and will edit my post to hide it.
-
John;
It is suppose to vpn.texcelinc.net -
Well get with the owner of the IP.. they control the PTR of IPs in the netblocks they own..
OrgName: Time Warner Cable Internet LLC
I am thinking you don't understand how PTRs work maybe ;)
You can control the forward for any domain you register and have control of the NS listed. But a PTR for an IP is going to be controlled by the owner of the netblock.. And they control the dns, ie the SOA..
In an arp table you have an IP.. to resolve said IP you would query the PTR of said IP..
Ie as listed in my query you see above.
;; AUTHORITY SECTION:
125.218.74.in-addr.arpa. 3045 IN SOA ns1.biz.rr.com. dnsadmin.rr.com. 2003101324 10800 3600 604800 3600 -
John;
Calling TWC right now. -
If you have a biz connection then yeah they prob update it for you - the TTL is 24 hours... So anyone that has that cached you will have to wait on, etc..
But that really shouldn't have any effect on someone resolving a fqdn vpn.domain.tld to get to your IP... That would be what you control if you are the owner of said domain.tld Nor would it have anything to do with what fqdn or SAN is listed in a cert... Where they mostly come into play is say an email server sending email saying hey my name is smtp.domain.tld... And when the recv smtp server tries to look up the PTR for that IP it gets back something.else.tld - which screams the owner of smtp server doesn't have a clue - this is prob spam ;) heheeh For what your most likely doing getting users to access vpn.domain.tld the PTR doesn't really matter.. But if they will change it then yeah its good idea to have forwards and reverse for an IP match up when possible.
Example - here is arp table for my pfsense wan at home.
This is the PTR of that IP owned by my ISP.. But I can point any forward (a record) I want to it.. vpn.mydomain.tld if I own the domain.. Or can have records edited, etc..
-
John;
our registar is bluehost I just -
@markp4289 said in Newbie to pfsense, got typo in WAN host name How to fix?:
vpn.texcelinc.net
Yeah I see that..
;; AUTHORITY SECTION:
texcelinc.net. 300 IN SOA ns1.bluehost.com.That resolves just fine - but WOW what a short ttl on a SOA record... Uggghhh!! That resolves just fine - but that has zero to do with PTR
-
BTW - let me know if you want me to clean up the public IPs and fqdn that resolve to this IP - some people have issues with posting such info on public forum.. I only posted it because you had already done so, etc. but be happy to clean up the whole thread replacing with placeholder names..
-
pfsense is suppose to protect me so you can leave it alone
-
hehee - ok.. pfsense doesn't stop someone doesn't like something you say here on the board and pointing some bot net at your ip to flood your connection with a ddos... Just saying...
Bot nets can be hired for pennies these days..
-
Never really dug too deep into that but is it not possible dhclient sent that to the provider?
Unless that was similarly typo'd at some other point.In which case I would expect it to expire at some point.
But either way the issue here appears to be that the VPN server certificate was created with the old host name and clients are refusing it right?
In which case just regenerate the server cert.
Steve
-
@stephenw10 said in Newbie to pfsense, got typo in WAN host name How to fix?:
Never really dug too deep into that but is it not possible dhclient sent that to the provider?
No... I don't think so - never seen a provider update their PTR records with hostname via dhcp client.. Not saying it not possible.. And not really a good idea to be honest.. Since its quite possible you wouldn't want the PTR to reflect host name of the router, but the forward name of say a smtp server you have behind that public IP, etc.
If his ISP is allowing him have a PTR of his choice - then a simple call to them should get it fixed up. You could also just have your dns look like it owns the netspace.. So for example just created record in unbound for my pfsense for my public IP.. And now it shows this in the arp table.
But that has zero to do with how anyone else on the planet would resolve it... Just makes anyone using my unbound as their dns resolve that PTR. Simple local-data-ptr in the custom box easiest way to do it ;)
And as discussed this would have nothing to do with any sort of cert not complaining about a common or san name in a cert.
-
If it's what you see in the ARP page, that should be what is resolved locally, so either the hostname under System > General or maybe a host override.
If it's the GUI cert that has an unexpected hostname, then you can make a new cert manually, or use
pfSsh.php playback generateguicertafter correcting the hostname, or (Even better) use ACME to get a real trusted cert.If it's a VPN cert, make a new server cert.
If you can't find where else the wrong hostname is present, download a config.xml backup and then open it in a text editor. Do a search inside for the incorrect name.
-
Hmmmm; My WAN link is static IP and config that's why I thought it was my typo. I just got off the phone with TWC took an about to get to the Level III that knew what I was talking about. This is the 4 th TWC problem that I've had in 7 days.
