allowed hostnames not being converted to IPs



  • I've set up a pair of pfsense boxes from fresh. Have got the captive portal up and running minimally. I'm now trying to add hostnames that can be accessed before authentication to allow onboarding for other networks.
    I've added about a dozen hostnames to the list, but they're not all working. Logging into the shell and running "ipfw table all list" only shows me a few of the IPs I'd expect. Adding the IP addresses that some of those hostnames resolve to does succeed, but that's rather missing the point of adding hostnames.
    Anything I've missed to work out why this isn't working?


  •

    As far as I know, only hostnames pointing to one IP are supported. If an FQDN has multiple A records, then only one is selected.

    This is a limitation within the gethostbyname() function that pfSense is using for retrieving IPs associated to hostnames.

    I am not using allowed hostnames myself, but I think that the point of using allowed hostnames instead of IPs is to track IP changes of a hostname in the DNS?



  • Hi,

    I have this hostname like "brit-hotel-fumel.fr"
    A simple host name, and I'm the one that controls the name servers behind it.

    In the DNS Resolver log I have these:

    Nov 23 17:04:50 	filterdns 		adding entry 188.165.53.87 to ipfw table cpzone1_allowed_up for host brit-hotel-fumel.fr
    Nov 23 17:04:50 	filterdns 		adding entry 2001:41d0:2:927b::3 to ipfw table cpzone1_allowed_up for host brit-hotel-fumel.fr
    Nov 23 17:04:50 	filterdns 		adding entry 188.165.53.87 to ipfw table cpzone1_allowed_down for host brit-hotel-fumel.fr
    Nov 23 17:04:50 	filterdns 		adding entry 2001:41d0:2:927b::3 to ipfw table cpzone1_allowed_down for host brit-hotel-fumel.fr
    Nov 23 17:04:50 	filterdns 		COULD NOT clear entry 2001:41d0:2:927b::3 from ipfw table cpzone1_allowed_down on host brit-hotel-fumel.fr will retry later
    Nov 23 17:04:50 	filterdns 		clearing entry 2001:41d0:2:927b::3 from ipfw table cpzone1_allowed_down on host brit-hotel-fumel.fr
    Nov 23 17:04:50 	filterdns 		clearing entry 188.165.53.87 from ipfw table cpzone1_allowed_down on host brit-hotel-fumel.fr
    Nov 23 17:04:50 	filterdns 		COULD NOT clear entry 2001:41d0:2:927b::3 from ipfw table cpzone1_allowed_up on host brit-hotel-fumel.fr will retry later
    Nov 23 17:04:50 	filterdns 		clearing entry 2001:41d0:2:927b::3 from ipfw table cpzone1_allowed_up on host brit-hotel-fumel.fr
    Nov 23 17:04:50 	filterdns 		clearing entry 188.165.53.87 from ipfw table cpzone1_allowed_up on host brit-hotel-fumel.fr

    The related process is running:

    ps ax | grep 'dns'

    Btw: this is a typical "one host is one IPv4 and one IPv6" scenario.
    Hostnames like google.com or facebook.com won't work, I guess; I agree with @free4 here.
    Do a lookup yourself first for one of those hostnames that "doesn't work".

    Also: we could test for you, but the info is missing.



  • I've been using the guide at https://community.jisc.ac.uk/groups/eduroam/document/walled-garden-onboarding-user-devices-eduroam, plus some local systems which definitely do resolve to multiple IPv4 addresses.
    If the limitation in Allowed Hostnames is using gethostbyname(), is it possible to request having that replaced by something that does handle multiple addresses (e.g. getaddrinfo())?
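An added check, not from the thread or from pfSense, for the "do a lookup yourself first" advice above: it enumerates every address for a hostname with getaddrinfo() and reports which ones a lookup that keeps a single address per family would leave out of the ipfw table. The one-address-per-family behaviour and the sample hostnames and addresses are assumptions made for illustration.

```python
import ipaddress
import socket

# Constructed sample lookups (documentation address ranges, not real records)
# standing in for what a full getaddrinfo() answer might contain.
SAMPLE_LOOKUPS = {
    "single.example": ["192.0.2.10", "2001:db8::10"],
    "multi.example": ["192.0.2.20", "192.0.2.21", "192.0.2.22", "2001:db8::20"],
}


def resolve_all(hostname):
    """Every unique address for hostname, both families, via getaddrinfo()."""
    addrs = []
    for _family, _type, _proto, _name, sockaddr in socket.getaddrinfo(
        hostname, None, socket.AF_UNSPEC, socket.SOCK_STREAM
    ):
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


def first_per_family(addrs):
    """Assumed behaviour of a single-address lookup: keep only the first
    IPv4 and the first IPv6 address, in the order they were returned."""
    kept = {}
    for addr in addrs:
        kept.setdefault(ipaddress.ip_address(addr).version, addr)
    return list(kept.values())


def audit(hostnames, lookup=resolve_all):
    """Map each hostname to (all addresses, addresses the single-address
    lookup would miss). lookup is injectable so the check runs on canned
    data as well as against live DNS."""
    report = {}
    for host in hostnames:
        addrs = lookup(host)
        kept = first_per_family(addrs)
        report[host] = (addrs, [a for a in addrs if a not in kept])
    return report


if __name__ == "__main__":
    # Run against the constructed sample; pass resolve_all for live DNS.
    for host, (addrs, missing) in audit(SAMPLE_LOOKUPS, SAMPLE_LOOKUPS.get).items():
        status = "partially covered" if missing else "fully covered"
        print(f"{host}: {len(addrs)} address(es), {status}; missing {missing}")
```

A hostname listed as "partially covered" is one where clients would reach some of its addresses through the portal and be blocked on the rest, which matches the intermittent behaviour described in the first post.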