Newbie to pfsense, got typo in WAN host name How to fix?

markp4289

John; I'm seeing the hostname in the arp table

johnpoz

Well that is what the PTR for that IP resolves to on the public internet..

;; QUESTION SECTION:
;242.125.218.74.in-addr.arpa. IN PTR

;; ANSWER SECTION:
242.125.218.74.in-addr.arpa. 86400 IN PTR tezcelinc.net.

You need to FIX it there.. not on pfsense.

NS for that are listed as
;; AUTHORITY SECTION:
125.218.74.in-addr.arpa. 3600 IN NS dns4.rr.com.
125.218.74.in-addr.arpa. 3600 IN NS ns1.biz.rr.com.
125.218.74.in-addr.arpa. 3600 IN NS ns2.biz.rr.com.

Let me know if you decide you don't want that IP listed and will edit my post to hide it.

markp4289

John;
It is suppose to vpn.texcelinc.net

johnpoz

Well get with the owner of the IP.. they control the PTR of IPs in the netblocks they own..

OrgName: Time Warner Cable Internet LLC

I am thinking you don't understand how PTRs work maybe ;)

You can control the forward for any domain you register and have control of the NS listed. But a PTR for an IP is going to be controlled by the owner of the netblock.. And they control the dns, ie the SOA..

In an arp table you have an IP.. to resolve said IP you would query the PTR of said IP..

Ie as listed in my query you see above.

;; AUTHORITY SECTION:
125.218.74.in-addr.arpa. 3045 IN SOA ns1.biz.rr.com. dnsadmin.rr.com. 2003101324 10800 3600 604800 3600

markp4289

John;
Calling TWC right now.

johnpoz

If you have a biz connection then yeah they prob update it for you - the TTL is 24 hours... So anyone that has that cached you will have to wait on, etc..

But that really shouldn't have any effect on someone resolving a fqdn vpn.domain.tld to get to your IP... That would be what you control if you are the owner of said domain.tld Nor would it have anything to do with what fqdn or SAN is listed in a cert... Where they mostly come into play is say an email server sending email saying hey my name is smtp.domain.tld... And when the recv smtp server tries to look up the PTR for that IP it gets back something.else.tld - which screams the owner of smtp server doesn't have a clue - this is prob spam ;) heheeh For what your most likely doing getting users to access vpn.domain.tld the PTR doesn't really matter.. But if they will change it then yeah its good idea to have forwards and reverse for an IP match up when possible.

Example - here is arp table for my pfsense wan at home.

This is the PTR of that IP owned by my ISP.. But I can point any forward (a record) I want to it.. vpn.mydomain.tld if I own the domain.. Or can have records edited, etc..

markp4289

John;
our registar is bluehost I just

johnpoz

@markp4289 said in Newbie to pfsense, got typo in WAN host name How to fix?:

vpn.texcelinc.net

Yeah I see that..
;; AUTHORITY SECTION:
texcelinc.net. 300 IN SOA ns1.bluehost.com.

That resolves just fine - but WOW what a short ttl on a SOA record... Uggghhh!! That resolves just fine - but that has zero to do with PTR

johnpoz

BTW - let me know if you want me to clean up the public IPs and fqdn that resolve to this IP - some people have issues with posting such info on public forum.. I only posted it because you had already done so, etc. but be happy to clean up the whole thread replacing with placeholder names..

markp4289

pfsense is suppose to protect me so you can leave it alone

johnpoz

hehee - ok.. pfsense doesn't stop someone doesn't like something you say here on the board and pointing some bot net at your ip to flood your connection with a ddos... Just saying...

Bot nets can be hired for pennies these days..

stephenw10

Never really dug too deep into that but is it not possible dhclient sent that to the provider?
Unless that was similarly typo'd at some other point.

In which case I would expect it to expire at some point.

But either way the issue here appears to be that the VPN server certificate was created with the old host name and clients are refusing it right?

In which case just regenerate the server cert.

Steve

johnpoz

@stephenw10 said in Newbie to pfsense, got typo in WAN host name How to fix?:

Never really dug too deep into that but is it not possible dhclient sent that to the provider?

No... I don't think so - never seen a provider update their PTR records with hostname via dhcp client.. Not saying it not possible.. And not really a good idea to be honest.. Since its quite possible you wouldn't want the PTR to reflect host name of the router, but the forward name of say a smtp server you have behind that public IP, etc.

If his ISP is allowing him have a PTR of his choice - then a simple call to them should get it fixed up. You could also just have your dns look like it owns the netspace.. So for example just created record in unbound for my pfsense for my public IP.. And now it shows this in the arp table.

But that has zero to do with how anyone else on the planet would resolve it... Just makes anyone using my unbound as their dns resolve that PTR. Simple local-data-ptr in the custom box easiest way to do it ;)

And as discussed this would have nothing to do with any sort of cert not complaining about a common or san name in a cert.

jimp

If it's what you see in the ARP page, that should be what is resolved locally, so either the hostname under System > General or maybe a host override.

If it's the GUI cert that has an unexpected hostname, then you can make a new cert manually, or use pfSsh.php playback generateguicert after correcting the hostname, or (Even better) use ACME to get a real trusted cert.

If it's a VPN cert, make a new server cert.

If you can't find where else the wrong hostname is present, download a config.xml backup and then open it in a text editor. Do a search inside for the incorrect name.

markp4289

Hmmmm; My WAN link is static IP and config that's why I thought it was my typo. I just got off the phone with TWC took an about to get to the Level III that knew what I was talking about. This is the 4 th TWC problem that I've had in 7 days.

johnpoz

Looks like they BROKE it to me.. now all you get back is SOA when you query the SOA for that PTR ;)

So vs them fixing it to the actual fqdn you wanted to be returned, they just removed the record completely ;)

stephenw10

Nice.

Though still not clear to me why that should be an issue. If this is just VPN clients refusing the cert just regenerate it.

Steve

johnpoz

Its not an issue what his PTR reports or doesn't report has ZERO to do with his overall problem.. I believe what he saw in his arp table just confused him..

markp4289

After TWC deleted PTR records.

johnpoz

yup that is what I show for those IPs PTR ;)

I don't see any vpn one though? the forward points to .242 but the PTR is just gone.