Newbie to pfsense, got typo in WAN host name How to fix?

  • John; I'm seeing the hostname in the arp table

  • LAYER 8 Global Moderator

    Well that is what the PTR for that IP resolves to on the public internet..

    ; IN PTR


    You need to FIX it there.. not on pfsense.

    NS for that are listed as
    ;; AUTHORITY SECTION: 3600 IN NS 3600 IN NS 3600 IN NS

    Let me know if you decide you don't want that IP listed and will edit my post to hide it.

  • John;
    It is suppose to

  • LAYER 8 Global Moderator

    Well get with the owner of the IP.. they control the PTR of IPs in the netblocks they own..

    OrgName: Time Warner Cable Internet LLC

    I am thinking you don't understand how PTRs work maybe ;)

    You can control the forward for any domain you register and have control of the NS listed. But a PTR for an IP is going to be controlled by the owner of the netblock.. And they control the dns, ie the SOA..

    In an arp table you have an IP.. to resolve said IP you would query the PTR of said IP..

    Ie as listed in my query you see above.

    ;; AUTHORITY SECTION: 3045 IN SOA 2003101324 10800 3600 604800 3600

  • John;
    Calling TWC right now.

  • LAYER 8 Global Moderator

    If you have a biz connection then yeah they prob update it for you - the TTL is 24 hours... So anyone that has that cached you will have to wait on, etc..

    But that really shouldn't have any effect on someone resolving a fqdn vpn.domain.tld to get to your IP... That would be what you control if you are the owner of said domain.tld Nor would it have anything to do with what fqdn or SAN is listed in a cert... Where they mostly come into play is say an email server sending email saying hey my name is smtp.domain.tld... And when the recv smtp server tries to look up the PTR for that IP it gets back something.else.tld - which screams the owner of smtp server doesn't have a clue - this is prob spam ;) heheeh For what your most likely doing getting users to access vpn.domain.tld the PTR doesn't really matter.. But if they will change it then yeah its good idea to have forwards and reverse for an IP match up when possible.

    Example - here is arp table for my pfsense wan at home.

    This is the PTR of that IP owned by my ISP.. But I can point any forward (a record) I want to it.. vpn.mydomain.tld if I own the domain.. Or can have records edited, etc..

  • John;
    our registar is bluehost I just

  • LAYER 8 Global Moderator

    @markp4289 said in Newbie to pfsense, got typo in WAN host name How to fix?:

    Yeah I see that..

    That resolves just fine - but WOW what a short ttl on a SOA record... Uggghhh!! That resolves just fine - but that has zero to do with PTR

  • LAYER 8 Global Moderator

    BTW - let me know if you want me to clean up the public IPs and fqdn that resolve to this IP - some people have issues with posting such info on public forum.. I only posted it because you had already done so, etc. but be happy to clean up the whole thread replacing with placeholder names..

  • pfsense is suppose to protect me so you can leave it alone

  • LAYER 8 Global Moderator

    hehee - ok.. pfsense doesn't stop someone doesn't like something you say here on the board and pointing some bot net at your ip to flood your connection with a ddos... Just saying...

    Bot nets can be hired for pennies these days..

  • Netgate Administrator

    Never really dug too deep into that but is it not possible dhclient sent that to the provider?
    Unless that was similarly typo'd at some other point.

    In which case I would expect it to expire at some point.

    But either way the issue here appears to be that the VPN server certificate was created with the old host name and clients are refusing it right?

    In which case just regenerate the server cert.


  • LAYER 8 Global Moderator

    @stephenw10 said in Newbie to pfsense, got typo in WAN host name How to fix?:

    Never really dug too deep into that but is it not possible dhclient sent that to the provider?

    No... I don't think so - never seen a provider update their PTR records with hostname via dhcp client.. Not saying it not possible.. And not really a good idea to be honest.. Since its quite possible you wouldn't want the PTR to reflect host name of the router, but the forward name of say a smtp server you have behind that public IP, etc.

    If his ISP is allowing him have a PTR of his choice - then a simple call to them should get it fixed up. You could also just have your dns look like it owns the netspace.. So for example just created record in unbound for my pfsense for my public IP.. And now it shows this in the arp table.


    But that has zero to do with how anyone else on the planet would resolve it... Just makes anyone using my unbound as their dns resolve that PTR. Simple local-data-ptr in the custom box easiest way to do it ;)

    And as discussed this would have nothing to do with any sort of cert not complaining about a common or san name in a cert.

  • Rebel Alliance Developer Netgate

    If it's what you see in the ARP page, that should be what is resolved locally, so either the hostname under System > General or maybe a host override.

    If it's the GUI cert that has an unexpected hostname, then you can make a new cert manually, or use pfSsh.php playback generateguicert after correcting the hostname, or (Even better) use ACME to get a real trusted cert.

    If it's a VPN cert, make a new server cert.

    If you can't find where else the wrong hostname is present, download a config.xml backup and then open it in a text editor. Do a search inside for the incorrect name.

  • Hmmmm; My WAN link is static IP and config that's why I thought it was my typo. I just got off the phone with TWC took an about to get to the Level III that knew what I was talking about. This is the 4 th TWC problem that I've had in 7 days.

  • LAYER 8 Global Moderator

    Looks like they BROKE it to me.. now all you get back is SOA when you query the SOA for that PTR ;)

    So vs them fixing it to the actual fqdn you wanted to be returned, they just removed the record completely ;)

  • Netgate Administrator

    Nice. 🙄

    Though still not clear to me why that should be an issue. If this is just VPN clients refusing the cert just regenerate it.


  • LAYER 8 Global Moderator

    Its not an issue what his PTR reports or doesn't report has ZERO to do with his overall problem.. I believe what he saw in his arp table just confused him..

  • After TWC deleted PTR records.
    0_1540839738301_After twc deleted ptr-s Capture.PNG

  • LAYER 8 Global Moderator

    yup that is what I show for those IPs PTR ;)

    I don't see any vpn one though? the forward points to .242 but the PTR is just gone.

  • So it looks like the General setup generates the LAN hostname but nowhere is the WAN hostname entered. How do I get the WAN hostname in there?

  • Netgate Administrator

    That is the WAN hostname. Or at least that is the name send by dhclient to an upstream server.


  • LAYER 8 Global Moderator

    Get it in where?? Not sure why you think you need a WAN IP to resolve to something in your arp table for vpn clients to connect to you?

    I am thinking you still don't quite grasp what a PTR or reverse is...

    Your vpn.domain.tld resolves to IP.242 address.

Log in to reply