Netgate Discussion Forum

Problem with aliases in Firewall, works only if alias is set as ip address

  • C
    Comfine
    last edited by Aug 21, 2017, 8:30 AM Aug 14, 2017, 3:23 PM

    Hello,

    we are using pfSense version 2.3.4-Release in a virtual Hyper-V environment to connect multiple locations to a virtual Win 2012 R2 terminal server. We have created a hosts alias list that contains the public domain addresses of the locations that are allowed to access the terminal server through RDP.
    The RDP connection is generally blocked, and there is a firewall rule that passes the RDP connections from locations listed in the alias list. There is one location where we have a DrayTek router connected to a cable modem. The router is accessible through its public domain address and its static public IP, and the domain resolution works correctly. The problem is that if we set the domain address in the alias list, the firewall rule that allows the RDP connection to the terminal server doesn't work. It works only if the IP address of the location is set in the alias list.

    Has anyone had the same problem before and solved it, or do you have a suggestion for solving the problem?

    Thank you in advance for your help.

    Alex

    • T
      TheSypHunterGeneral
      last edited by Aug 20, 2017, 5:43 AM

      I have the same problem. It seems to be a limitation in pfSense; I haven't found a way around it.

      I am working on a script to run a cron job to query the domain name and save the IP address in a text file on the pfSense box, then have the alias reference that text file for the IP address. Would love to find time to finish it.

      • G
        Gertjan
        last edited by Aug 20, 2017, 1:58 PM

        First of all: is this https://doc.pfsense.org/index.php/Aliases related?

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs?

        • C
          Comfine
          last edited by Aug 21, 2017, 8:06 AM

          @Gertjan: Yes, this is related to.

          • D
            Derelict LAYER 8 Netgate
            last edited by Aug 21, 2017, 8:35 AM Aug 21, 2017, 8:30 AM

            FQDNs in aliases work fine.

            The firewall itself must be able to resolve the names correctly. Test in Diagnostics > DNS Lookup.

            The actual IP address contents of aliases can be viewed in Diagnostics > Tables.

            The actual process that loads tables (aliases) with addresses if they contain FQDNs is filterdns.

            Its (automatically-generated) configuration file is /var/etc/filterdns.conf

            Its refresh rate (when no changes have been made) is tunable in System > Advanced, Firewall & NAT, Aliases Hostnames Resolve Interval (Default 5 minutes).

            Any errors/logs should be present in the DNS resolver log tagged with process filterdns.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)
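
The comparison described in the post above (what the firewall resolves versus what is loaded in the table), as an added shell example that is not part of the original post or of pfSense. It assumes the pf table has the same name as the alias and that `host` is available on the firewall; the function names and sample addresses are constructed.

```shell
#!/bin/sh
# Added example: detect drift between DNS answers for an alias's hostnames and
# the addresses loaded in the pf table behind that alias.

# normalize TEXT: trim whitespace, drop blank lines, sort and de-duplicate.
normalize() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' | sort -u
}

# alias_drift RESOLVED TABLE
# Prints "missing <ip>" for addresses DNS returns that the table lacks (the site
# is blocked) and "stale <ip>" for table entries DNS no longer returns (the pass
# rule still admits an old address). No output means the two sets match.
alias_drift() {
    resolved=$(normalize "$1")
    table=$(normalize "$2")
    for ip in $resolved; do
        printf '%s\n' "$table" | grep -Fxq -- "$ip" || echo "missing $ip"
    done
    for ip in $table; do
        printf '%s\n' "$resolved" | grep -Fxq -- "$ip" || echo "stale $ip"
    done
}

# check_alias ALIAS HOSTNAME...: live check, run as root on the firewall.
# Assumption: the pf table is named after the alias. Pass every hostname the
# alias contains, otherwise the other hosts' addresses are reported as stale.
check_alias() {
    alias_name=$1; shift
    dns_out=$(for h in "$@"; do host "$h"; done |
        awk '/has address/ {print $4} /has IPv6 address/ {print $5}')
    tbl_out=$(pfctl -t "$alias_name" -T show)
    alias_drift "$dns_out" "$tbl_out"
}

# Constructed sample: DNS now answers 198.51.100.7 while the table still holds
# 192.0.2.10 (pfctl indents its output, hence the leading spaces).
demo() {
    alias_drift "198.51.100.7" "   192.0.2.10"
}

demo
```

Run from cron with `check_alias` and logged, the output shows when the table and DNS diverged, which helps with failures that only appear after a few days.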

            • C
              Comfine
              last edited by Aug 21, 2017, 4:02 PM

              Hello, thanks for your help!

              I've managed to get the firewall rule to work with the aliases. I'm not quite sure what made it work finally. I've updated pfSense from version 2.3.4 to 2.3.4_1, then set System > Advanced, Firewall & NAT, Aliases Hostnames Resolve Interval to 60 seconds and verified that all the IP addresses were in the table under Diagnostics and that the domains were in /var/etc/filterdns.conf.

              • D
                Doboy
                last edited by Jan 6, 2018, 1:11 PM

                @Derelict:

                FQDNs in aliases work fine.

                The firewall itself must be able to resolve the names correctly. Test in Diagnostics > DNS Lookup.

                The actual IP address contents of aliases can be viewed in Diagnostics > Tables.

                The actual process that loads tables (aliases) with addresses if they contain FQDNs is filterdns.

                Its (automatically-generated) configuration file is /var/etc/filterdns.conf

                Its refresh rate (when no changes have been made) is tunable in System > Advanced, Firewall & NAT, Aliases Hostnames Resolve Interval (Default 5 minutes).

                Any errors/logs should be present in the DNS resolver log tagged with process filterdns.

                I have the same issue with the aliases not being resolved consistently in 2.4.2-RELEASE-p1. Works for a few days then craps out. I have no idea what more I can test, since it does work sometimes.
