how to trigger reconnects of (wan-)interfaces nowadays in a secure way? (V2.4.4 Release p1)



  • Hello, everybody,

    I need to trigger reconnects of my WAN interface remotely. In my case, the WAN interface is a PPPoE interface. I found a lot of topics about this issue, but it looks like most do not work anymore with the current pfSense version or are not secure for some reason.

    The smartest solution I found is with curl, which triggers the disconnect button on the web frontend (Status -> Interfaces). In my opinion this solution would be secure, I think, because curl can handle an encrypted connection over HTTPS and I am able to create a pfSense user with very limited rights (add access to the web page for interfaces and nothing more).

    All how-tos I found do not work anymore with the current version of pfSense, and I wasn't able to write a working command for curl. I think this has something to do with cookies and web session IDs, but I am not sure, because I'm not experienced in curl or the security mechanisms of web pages.

    At the moment, I am using plink.exe with the following command:

    -ssh -batch -l USERNAME -pw PASSWORD 1.1.1.1 "/usr/local/sbin/pfSctl -c 'interface reload wan'"

    It's working fine, but in my opinion the created user is way too powerful, because I have to give it the privilege "User - System: Shell account access". That's too much to store the username and password unencrypted in a batch file or something like that.

    So, here are my questions:

    Can someone please tell me a working curl command (or similar, like wget) for this problem
    or
    tell me how to limit privileges at the shell to only do a reconnect?

    Kind regards


  • LAYER 8 Global Moderator

    Why would you need to do this? Clearly your connection is up if you're trying to do it remote..



  • Sorry for the misunderstanding.

    With remote, I mean from another PC/server on the LAN side, not on the WAN side.


  • LAYER 8 Global Moderator

    So what you're trying to do is give a command to some non-admin to be able to reset the internet connection? That's not a good idea no matter how secure the method of connection was, or if they could just do the reset of the internet.. They could trigger the reset whenever they wanted, for that matter could run it every 30 seconds, etc.

    You shouldn't have to be resetting your internet connection in the first place - prob better to look to why you're needing to reset, vs making it "easier" to do ;)



  • I am using this scheduled and event-based, but I think it's not a good idea to store the username and password in these schedules/tasks in plain text.

    So, it would be nice to limit the rights of this user to do reconnects only, which might not be possible over SSH privileges, but over the privilege "WebCfg - Status: Interfaces".

    I just need a more secure way (or better, the most secure way available) to do a reconnect over schedules / event-based tasks.

    BTW: My WAN connection is flawless. I need the reconnect to change the IP address.


  • LAYER 8 Global Moderator

    Why would you not just schedule that via cron on pfSense?

    I need the reconnect to change the IP-address

    Why would you want your IP to change?



  • The WAN connection reconnects every 24h and has dynamic IPs. Sometimes we are not able to use a service after a reconnect, because the new IP or IP range seems to be blocked. In this case, a script performs a reconnect with plink.exe over SSH.

    This can't be solved with cron, because it's event-based and not time-based.

    So, it would be nice to replace the SSH solution with curl (or wget, ...), but I wasn't able to write a command for the current pfSense version.


  • LAYER 8 Global Moderator

    @blessing said in how to trigger reconnects of (wan-)interfaces nowadays in a secure way? (V2.4.4 Release p1):

    because we think the new IP or IP-range seems to be blocked

    So you can only not connect to a specific service? I would really look into the blocked IP idea, and get with your ISP that they are handing out blocked IPs.. Or get with the service provider as to why they are blocking xyz IP that your ISP is giving you, etc.

    p1 isn't current.. I would update to p2, and check your script.. Post it and we can take a look see and see if I can duplicate what you're wanting to do.. I don't have PPPoE, but could prob do the same "interface reload wan" command



  • I contacted both. My ISP will not change any IP settings for my connection. The customer service of this specific service can't (or isn't willing to) change anything.

    Also, it's not simply a block at layer 3. The block is on layer 7! So, a script on pfSense will not help.

    I'm very happy that you are trying to help me, but I think I asked a clear question and all I get is more and more questions.

    I'm here to ask if someone knows how to do a reconnect over curl (or something like that), or how to make sure that a user can only do a reconnect and nothing more over SSH (maybe this is a privileges thing).

    All commands and methods I currently use are described in the initial post.



  • BTW: Updated to 2.4.4_2 right now.


  • LAYER 8 Global Moderator

    Not sure where you got the idea this was an ask-and-answer site? This is a discussion forum... Quite often users come here and ask nonsense and have gone down the wrong path in the first place..

    Without understanding your actual problem, it's not possible to give you the "correct" solution.. And it's not just your specific question, it's the next guy looking for the same sort of keywords, etc..

    So if you were going down the wrong path, discussion of the actual problem could help countless other people get on the correct solution path, etc.

    More than happy to help.. But if you're looking for what is the answer to 2+2, try reddit or facebook ;)

    Now if it's something simple like hey where do I do this in the GUI, or something like that, you prob just get told to RTFM ;)

    We are here to discuss and support each other in running a great product - not just answer the questions you're too lazy to google ;)



  • I'm sorry for being rude. This is because I am frustrated. It took us a long time to find out where the problem is located, and we spent useless time communicating with the ISP and the service.

    I also understand that you are trying to understand my problem and its environment. I am also dedicated in some forums to helping people, where I am one of the main contributors. My philosophy is not to only understand every problem right down to the last detail from the beginning, but to give a first quick or complete answer to the questions from the beginning if the question is clear enough AND I try to get to the bottom of it if there might be dependencies. In many cases this gives quick help, and if not, people can answer questions to go to the next level.

    This also gives the next guy who is looking for this keyword the decision to try the first answer, but also the ability to read more and more of the thread. And I think my initial question is very detached. It's not a "why can't I reach net 1 from net 2 through VPN" question which could possibly have thousands of reasons.

    I am also not a lazy guy... In addition to the first sentence of this post, I spent the whole weekend solving this problem. The result is the current (in my opinion insecure) solution over plink.

    I googled a lot and found some topics (in the Netgate forum 1 2 and other sources), but the solutions do not work. This might be because the topics are too old (for example, I think some do not work anymore because pfSense implemented CSRF protection over time), maybe I am too stupid to apply the solution, maybe the solutions are faulty or incomplete... I don't know.

    So, I understand if you can't tell me how to control pfSense over the web interface with commands, because this is not a method which is supported by pfSense. But I think you might tell me more about my second question (securing the SSH privileges, if possible).


  • LAYER 8 Global Moderator

    Just because it's "not" supported doesn't mean it's not possible... Let's see this command you were running that you said worked on a previous version? Like what version? 2.3.x?? 2.2, 2.1?

    To be honest, if this command is coming from your own network.. I am not sure I understand the security concern.. I would assume the box the command is running from is secure, etc.



  • I think it's version 1.2 or something like that. I didn't bookmark the sources I found, but if you follow Link 1 in my last post, you'll find this command (from 2008). All other commands I found were nearly the same:

    to disconnect
    curl "http://user:pw@ip/status_interfaces.php" -d "interface=wan&submit=Disconnect"
    to connect
    curl "http://user:pw@ip/status_interfaces.php" -d "interface=wan&submit=Connect"
    

    We are not talking about a commercial environment, but about a private environment where several people have access to this device. I just want to make sure that none of the users can get access to pfSense with high-level permissions. This could cause a bit more damage than being able to trigger reconnects.


  • LAYER 8 Global Moderator

    1.2? UGGGGHHHH!!!

    Yeah lots of changes since then that is for sure ;)



  • Oh yeah, and this one is also from the Netgate forums, but from 2013:

    https://forum.netgate.com/topic/54430/curl-command-for-script/4

    login (replace the URL, username & password):
    curl -k -L -b cookies.txt -c cookies.txt --verbose -d "usernamefld=yourusernamehere&passwordfld=yourpasswordhere&login=Login" "https://192.168.1.1/index.php"
    
    To do a post:
    
    curl -k -L -b cookies.txt -c cookies.txt --verbose -d "action=Disconnect&if=wan" "https://192.168.1.1/status_interfaces.php"
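    The two-step login-then-post sequence above, extended with the CSRF token handling that the earlier post suspects is what breaks the old one-liners, as an added example that is neither from this thread nor pfSense's own code. It assumes the token field is named __csrf_magic (the csrf-magic library pfSense uses), keeps the login and action form fields exactly as in the 2013 post, verifies the GUI's TLS certificate instead of using -k, and takes credentials from PFSENSE_* environment variables (names chosen here) so nothing is stored in the script.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense itself.
# Log in to the pfSense web GUI with a cookie jar, extract the csrf-magic
# token, then POST the Disconnect/Connect action with it. Assumptions: the
# token field is "__csrf_magic" (the csrf-magic library pfSense uses), the
# login/action form fields are those in the 2013 post, and the PFSENSE_*
# environment variable names are chosen here.
set -eu

# Pull the csrf-magic token out of a pfSense page body read from stdin.
# csrf-magic injects: <input type='hidden' name='__csrf_magic' value="sid:..." />
# (quote style varies, so both ' and " are accepted around name and value).
csrf_token() {
  sed -n "s/.*name=['\"]__csrf_magic['\"][^>]*value=['\"]\([^'\"]*\)['\"].*/\1/p" | head -n 1
}

# Full exchange. Credentials come from the environment (nothing stored in the
# script); PFSENSE_CA is the CA certificate that signed the GUI certificate,
# so TLS is verified (no -k) and the login cannot be captured by a fake GUI.
# $1 = Disconnect | Connect
pfsense_wan_action() {
  host=${PFSENSE_HOST:?}; user=${PFSENSE_USER:?}; pass=${PFSENSE_PASS:?}
  ca=${PFSENSE_CA:?}; iface=${PFSENSE_IF:-wan}
  jar=$(mktemp)
  # 1. GET index.php: this sets the session cookie and carries the login token.
  tok=$(curl -sS --cacert "$ca" -c "$jar" "https://$host/index.php" | csrf_token)
  [ -n "$tok" ] || { echo "no CSRF token on login page" >&2; rm -f "$jar"; return 1; }
  # 2. POST the login form with that token (fields as in the 2013 post).
  curl -sS --cacert "$ca" -b "$jar" -c "$jar" -o /dev/null \
    --data-urlencode "__csrf_magic=$tok" --data-urlencode "usernamefld=$user" \
    --data-urlencode "passwordfld=$pass" --data-urlencode "login=Login" \
    "https://$host/index.php"
  # 3. GET status_interfaces.php: its form carries a fresh token. If the login
  #    failed, pfSense serves the login form again, which we detect by its field.
  page=$(curl -sS --cacert "$ca" -b "$jar" -c "$jar" \
    "https://$host/status_interfaces.php")
  case $page in *usernamefld*) echo "login failed" >&2; rm -f "$jar"; return 1;; esac
  tok=$(printf '%s\n' "$page" | csrf_token)
  # 4. POST the action; curl joins the -d parts with '&', the token is URL-encoded.
  curl -sS --cacert "$ca" -b "$jar" -o /dev/null --data-urlencode "__csrf_magic=$tok" \
    -d "if=$iface" -d "action=$1" "https://$host/status_interfaces.php"
  rm -f "$jar"
}

# Run as: PFSENSE_HOST=... PFSENSE_USER=... PFSENSE_PASS=... PFSENSE_CA=ca.pem \
#         sh reconnect.sh Disconnect      (then the same with Connect)
if [ "${1:-}" = Disconnect ] || [ "${1:-}" = Connect ]; then pfsense_wan_action "$1"; fi
```

    The GUI user only needs the "WebCfg - Status: Interfaces" privilege for this to work, which is the limited-rights account the opening post asks for; verify the form field names against the status_interfaces.php of the version you run, since the page source is the only authority on them.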
    

  • LAYER 8 Global Moderator



  • Thanks, this seems to be good assistance. :-) Will try to adapt this to my issue in the next couple of days.

    As I said, I'm not into web/HTTP/HTML and so on. Maybe I will ask for help one more time.

