Netgate Discussion Forum

    how to trigger reconnects of (wan-)interfaces nowadays in a secure way? (V2.4.4 Release p1)

      blessing

      The WAN connection has a reconnect every 24h and dynamic IPs. Sometimes we are not able to use a service after a reconnect, because the new IP or IP range seems to be blocked. In this case, a script performs a reconnect with plink.exe over SSH.

      This can't be solved with cron, because it's event-based and not time-based.

      So it would be nice to replace the SSH solution with curl (or wget, ...), but I wasn't able to write a command with the current pfSense version.

        johnpoz LAYER 8 Global Moderator

        @blessing said in how to trigger reconnects of (wan-)interfaces nowadays in a secure way? (V2.4.4 Release p1):

        because we think the new IP or IP-range seems to be blocked

        So you can only not connect to a specific service? I would really look into the blocked IP idea, and get with your ISP about them handing out blocked IPs.. Or get with the service provider as to why they are blocking the xyz IP that your ISP is giving you, etc.

        p1 isn't current.. I would update to p2, and check your script.. Post it and we can take a look see and see if I can duplicate what you're wanting to do.. I don't have PPPoE, but could prob do the same "interface reload wan" command

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          blessing

          I contacted both. My ISP will not change any IP settings for my connection. The customer service of this specific service can't (or isn't willing to) change anything.

          Also, it's not simply a block at layer 3. The block is on layer 7! So, a script on pfSense will not help.

          I'm very happy that you are trying to help me, but I think I asked a clear question and all I get is more and more questions.

          I'm here to ask if someone knows how to do a reconnect over curl (or something like that), or how to make sure that a user can only do a reconnect and nothing more over SSH (maybe this is a privileges thing).

          All commands and methods I currently use are described in the initial post.

            blessing

            BTW: Updated to 2.4.4_2 right now.

              johnpoz LAYER 8 Global Moderator

              Not sure where you got the idea this was an ask and answer site? This is a discussion forum... Quite often users come here and ask nonsense and have gone down the wrong path in the first place..

              Without understanding your actual problem, it's not possible to give you the "correct" solution.. And it's not just your specific question, it's the next guy looking for the same sort of key words, etc..

              So if you were going down the wrong path, discussion of the actual problem could help countless other people get on the correct solution path, etc.

              More than happy to help.. But if you're looking for what is the answer to 2+2, try reddit or facebook ;)

              Now if it's something simple like hey where do I do this in the GUI, or something like that, you prob just get told to RTFM ;)

              We are here to discuss and support each other in running a great product - not just answer your questions you're too lazy to google ;)

                blessing

                I'm sorry for being rude. This is because I am frustrated. It took us a long time to find out where the problem is located, and we spent useless time communicating with the ISP and the service.

                I also understand that you are trying to understand my problem and its environment. I am also dedicated to helping people in some forums, where I am one of the main contributors. My philosophy is not only to understand every problem right down to the last detail from the beginning, but to give a first quick or complete answer to the question from the beginning if the question is clear enough, AND I try to get to the bottom of it if there might be dependencies. In many cases this gives quick help, and if not, people can answer questions to go to the next level.

                This also gives the next guy who is looking for this keyword the decision to try the first answer, but also the ability to read more and more of the thread. And I think my initial question is very detached. It's not a "why can't I reach net 1 from net 2 through VPN" question, which could possibly have thousands of reasons.

                I am also not a lazy guy... In addition to the first sentence of this post, I spent the whole weekend trying to solve this problem. The result is the current (in my opinion insecure) solution over plink.

                I googled a lot and found some topics (in the Netgate forum 1 2 and other sources), but the solutions do not work. This might be because the topics are too old (for example, I think some do not work anymore because pfSense implemented CSRF protection over time), maybe I am too stupid to apply the solution, maybe the solutions are faulty or incomplete... I don't know.

                So, I understand if you can't tell me how to control pfSense over the web interface with commands, because this is not a method which is supported by pfSense. But I think you might tell me more about my second question (securing the SSH privileges, if possible).

                  johnpoz LAYER 8 Global Moderator

                  Just because it's "not" supported doesn't mean it's not possible... Let's see this command you were running that you said worked on a previous version? Like what version? 2.3.x?? 2.2, 2.1?

                  To be honest, if this command is coming from your own network.. I am not sure I understand the security concern.. I would assume the box the command is running from is secure, etc.

                    blessing

                    I think it's version 1.2 or something like that. I didn't bookmark the sources I found, but if you follow link 1 in my last post, you'll find this command (from 2008). All other commands I found were nearly the same:

                    to disconnect
                    curl "http://user:pw@ip/status_interfaces.php" -d "interface=wan&submit=Disconnect"
                    to connect
                    curl "http://user:pw@ip/status_interfaces.php" -d "interface=wan&submit=Connect"

                    We are not talking about a commercial environment, but about a private environment where several people have access to this device. I just want to make sure that none of the users can get access to pfSense with high-level permissions. This could cause a bit more damage than being able to trigger reconnects.

                    1 Reply Last reply Reply Quote 0
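
The second question in the thread, limiting an SSH login to the reconnect and nothing else, is what an OpenSSH forced command is for. The following is an added example and not part of any post here; the script path, the `--forced` flag, the `reconnect <interface>` request format and the use of `pfSctl` with the "interface reload wan" command are assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper that lets one SSH key do one thing.
# authorized_keys entry (one line; <PUBLIC-KEY> is a placeholder):
#   restrict,command="/root/reconnect-only.sh --forced" ssh-ed25519 <PUBLIC-KEY> reconnect
# sshd runs this script for every login with that key; whatever the client
# asked to run arrives only as text in $SSH_ORIGINAL_COMMAND.

# Assumption: the interface is reloaded with pfSctl, as in "interface reload wan".
RELOAD_BIN=${RELOAD_BIN:-/usr/local/sbin/pfSctl}
# Interfaces this key may reload, space separated.
ALLOWED_IFS=${ALLOWED_IFS:-wan}

# Print the interface name if the request is exactly "reconnect <if>" and
# <if> is on the allowlist; otherwise return non-zero and print nothing.
parse_request() {
    case $1 in
        "reconnect "*) ifname="${1#reconnect }" ;;
        *) return 1 ;;
    esac
    # Only lowercase letters, digits and underscore: no spaces, no shell syntax.
    case $ifname in
        "" | *[!a-z0-9_]*) return 1 ;;
    esac
    for allowed in $ALLOWED_IFS; do
        if [ "$ifname" = "$allowed" ]; then
            printf '%s\n' "$ifname"
            return 0
        fi
    done
    return 1
}

# Runs only when started through the authorized_keys entry above.
if [ "${1:-}" = "--forced" ]; then
    client=${SSH_CONNECTION%% *}
    if ifname=$(parse_request "${SSH_ORIGINAL_COMMAND:-}"); then
        logger -t reconnect-only "reload $ifname requested by $client"
        exec "$RELOAD_BIN" -c "interface reload $ifname"
    fi
    logger -t reconnect-only "rejected request from $client"
    echo "only 'reconnect <interface>' is permitted" >&2
    exit 1
fi
```

With this entry in place the existing plink call only has to send `reconnect wan`, and the key it uses cannot open a shell, forward ports or run any other command.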
                      johnpoz LAYER 8 Global Moderator

                      1.2? UGGGGHHHH!!!

                      Yeah lots of changes since then that is for sure ;)

                        blessing

                        Oh yeah, and this one is also from netgate forums but from 2013:

                        https://forum.netgate.com/topic/54430/curl-command-for-script/4

                        login (replace the URL, username & password):
                        curl -k -L -b cookies.txt -c cookies.txt --verbose -d "usernamefld=yourusernamehere&passwordfld=yourpasswordhere&login=Login" "https://192.168.1.1/index.php"
                        
                        To do a post:
                        
                        curl -k -L -b cookies.txt -c cookies.txt --verbose -d "action=Disconnect&if=wan" "https://192.168.1.1/status_interfaces.php"
                        
                          johnpoz LAYER 8 Global Moderator

                          here
                          https://docs.netgate.com/pfsense/en/latest/backup/remote-config-backup.html

                          This should help!!


                          1 Reply Last reply Reply Quote 2
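
With CSRF protection in the webGUI, a form POST has to carry the `__csrf_magic` token issued to the session, so the older one-line curl commands quoted in this thread are not enough on their own. The following is an added example (not from the thread and not Netgate's code) of the fetch-token, log-in, fetch-token, post sequence; `pf_post`, `PF_CACERT` and the form data passed as the last argument are assumptions, while `usernamefld`, `passwordfld` and `login` are the field names from the 2013 command quoted above.

```shell
#!/bin/sh
# Added example, not Netgate's code: a webGUI POST that satisfies CSRF checks.

# Print the value of the hidden __csrf_magic input found in HTML on stdin.
extract_csrf() {
    sed -n "s/.*name=['\"]__csrf_magic['\"][^>]*value=['\"]\([^'\"]*\)['\"].*/\1/p" |
        head -n 1
}

# pf_post BASE_URL USER PASSFILE PAGE FORMDATA
#   PASSFILE  file holding the password with no trailing newline, so the
#             password never shows up in the process list
#   FORMDATA  the target form's own fields, e.g. "action=Disconnect&if=wan"
#             (assumption: check the form your pfSense version serves)
#   PF_CACERT (hypothetical variable) CA file for the webGUI certificate,
#             used instead of -k so credentials only go to the real firewall
pf_post() {
    base=$1 user=$2 passfile=$3 page=$4 form=$5
    umask 077
    jar=$(mktemp) || return 1
    trap 'rm -f "$jar"' EXIT
    set -- --silent --fail --location --cacert "${PF_CACERT:?}" -b "$jar" -c "$jar"

    # 1. The login page sets a session cookie and carries the first token.
    tok=$(curl "$@" "$base/index.php" | extract_csrf)
    [ -n "$tok" ] || { echo "no token on login page" >&2; return 1; }

    # 2. Log in, sending the token back with the credentials.
    curl "$@" -o /dev/null --data-urlencode "__csrf_magic=$tok" \
        --data-urlencode "usernamefld=$user" \
        --data-urlencode "passwordfld@$passfile" \
        --data-urlencode "login=Login" "$base/index.php" || return 1

    # 3. Fetch the target page; a login form here means authentication failed.
    html=$(curl "$@" "$base/$page") || return 1
    case $html in *usernamefld*) echo "login rejected" >&2; return 1 ;; esac
    tok=$(printf '%s\n' "$html" | extract_csrf)
    [ -n "$tok" ] || { echo "no token on $page" >&2; return 1; }

    # 4. Submit the form with the token issued to the logged-in session.
    curl "$@" -o /dev/null --data-urlencode "__csrf_magic=$tok" -d "$form" "$base/$page"
}
```

A call would look like `pf_post https://192.168.1.1 reconnect-user /root/.pfpass status_interfaces.php "action=Disconnect&if=wan"`, where `reconnect-user` is a hypothetical webGUI account whose page privileges are limited to the interface status page.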
                            blessing

                            Thanks, this seems to be a good assistance. :-) Will try to adapt this to my issue in the next couple of days.

                            As I said, I'm not into web/HTTP/HTML and so on. Maybe I will ask for help one more time.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.