how to trigger reconnects of (wan-)interfaces nowadays in a secure way? (V2.4.4 Release p1)

General pfSense Questions
18 Posts, 2 Posters, 1.2k Views
blessing wrote:

Hello, everybody,

I need to trigger reconnects of my WAN interface remotely. In my case, the WAN interface is a PPPoE interface. I found a lot of topics about this issue, but it looks like most do not work anymore with the current pfSense version or are not secure for some reason.

The smartest solution I found is with curl, which triggers the disconnect button on the web frontend (Status -> Interfaces). In my opinion, this solution would be secure, because curl can handle encrypted connections over HTTPS and I am able to create a pfSense user with very limited rights (access to the interfaces web page and nothing more).

All how-tos I found do not work anymore with the current version of pfSense, and I wasn't able to write a working command for curl. I think this has something to do with cookies and web session IDs, but I am not sure, because I'm not experienced with curl or the security mechanisms of web pages.

At the moment, I am using plink.exe with the following command:

-ssh -batch -l USERNAME -pw PASSWORD 1.1.1.1 "/usr/local/sbin/pfSctl -c 'interface reload wan'"

It's working fine, but in my opinion the created user is way too powerful, because I have to give it the privilege "User - System: Shell account access". That's too much to store the username and password unencrypted in a batch file or something like that.

So, here are my questions:

Can someone please tell me a working curl command (or similar, like wget) for this problem,
or
tell me how to limit privileges at the shell to only do a reconnect?

Kind regards
johnpoz (LAYER 8 Global Moderator) wrote:

Why would you need to do this? Clearly your connection is up if you're trying to do it remotely..

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
blessing wrote:

Sorry for the misunderstanding.

With remote, I mean from another PC/server on the LAN side, not on the WAN side.
johnpoz wrote:

So what, you're trying to give a command to some non-admin to be able to reset the internet connection? That's not a good idea no matter how secure the method of connection was, or if they could just do the reset of the internet.. They could trigger the reset whenever they wanted; for that matter, could run it every 30 seconds, etc.

You shouldn't have to be resetting your internet connection in the first place - prob better to look into why you're needing to reset, vs making it "easier" to do ;)
blessing wrote:

I am using this in a schedule and event-based, but I think it's not a good idea to store the username and password in these schedules/tasks in plain text.

So, it would be nice to limit the rights of this user to do reconnects only, which might not be possible over SSH privileges, but over the privilege "WebCfg - Status: Interfaces".

I just need a more secure way (or better, the most secure way available) to do a reconnect over schedules / event-based tasks.

BTW: My WAN connection is flawless. I need the reconnect to change the IP address.
johnpoz wrote:

Why would you not just schedule that via cron on pfSense?

> I need the reconnect to change the IP-address

Why would you want your IP to change?
blessing wrote:

The WAN connection reconnects every 24h and has dynamic IPs. Sometimes we are not able to use a service after a reconnect, because the new IP or IP range seems to be blocked. In this case, a script performs a reconnect with plink.exe over SSH.

This can't be solved with cron, because it's event-based and not time-based.

So, it would be nice to replace the SSH solution with curl (or wget, ...), but I wasn't able to write a command for the current pfSense version.
johnpoz wrote:

@blessing said in how to trigger reconnects of (wan-)interfaces nowadays in a secure way? (V2.4.4 Release p1):

> because we think the new IP or IP-range seems to be blocked

So you can only not connect to a specific service? I would really look into the blocked IP idea, and get with your ISP that they are handing out blocked IPs.. Or get with the service provider as to why they are blocking xyz IP that your ISP is giving you, etc.

p1 isn't current.. I would update to p2, and check your script.. Post it and we can take a look-see and see if I can duplicate what you're wanting to do.. I don't have PPPoE, but could prob do the same "interface reload wan" command.
blessing wrote:

I contacted both. My ISP will not change any IP settings for my connection. The customer service of this specific service can't (or isn't willing to) change anything.

Also, it's not simply a block at layer 3. The block is on layer 7! So, a script on pfSense will not help.

I'm very happy that you are trying to help me, but I think I asked a clear question and all I get is more and more questions.

I'm here to ask if someone knows how to do a reconnect over curl (or something like that), or how to make sure that a user can only do a reconnect and nothing more over SSH (maybe this is a privileges thing).

All commands and methods I currently use are described in the initial post.
blessing wrote:

BTW: Updated to 2.4.4_2 right now.
johnpoz wrote:

Not sure where you got the idea this was an ask-and-answer site? This is a discussion forum... Quite often users come here and ask nonsense and have gone down the wrong path in the first place..

Without understanding your actual problem, it's not possible to give you the "correct" solution.. And it's not just your specific question, it's the next guy looking for the same sort of key words, etc..

So if you were going down the wrong path, discussion of the actual problem could help countless other people get on the correct solution path, etc.

More than happy to help.. But if you're looking for what is the answer to 2+2, try reddit or facebook ;)

Now if it's something simple like hey, where do I do this in the GUI, or something like that, you prob just get told to RTFM ;)

We are here to discuss and support each other in running a great product - not just answer questions you're too lazy to google ;)
blessing wrote:

I'm sorry for being rude. This is because I am frustrated. It took us a long time to find out where the problem is located, and we spent useless time communicating with the ISP and the service.

I also understand that you are trying to understand my problem and its environment. I am also dedicated to helping people in some forums, where I am one of the main contributors. My philosophy is not only to understand every problem right down to the last detail from the beginning, but to give a first quick or complete answer to the question from the beginning if the question is clear enough, AND I try to get to the bottom of it if there might be dependencies. In many cases this gives quick help, and if not, people can answer questions to go to the next level.

This also gives the next guy who is looking for this keyword the decision to try the first answer, but also the ability to read more and more of the thread. And I think my initial question is very detached. It's not a "why can't I reach net 1 from net 2 through VPN" question, which could possibly have thousands of reasons.

I am also not a lazy guy... In addition to the first sentence of this post, I spent the whole weekend solving this problem. The result is the current (in my opinion insecure) solution over plink.

I googled a lot and found some topics (in the Netgate forum 1 2 and other sources), but the solutions do not work. This might be because the topics are too old (for example, I think some do not work anymore because pfSense implemented CSRF protection over time), maybe I am too stupid to apply the solution, maybe the solutions are faulty or incomplete... I don't know.

So, I understand if you can't tell me how to control pfSense over the web interface with commands, because this is not a method which is supported by pfSense. But I think you might tell me more about my second question (securing the SSH privileges, if possible).
johnpoz wrote:

Just because it's "not" supported doesn't mean it's not possible... Let's see this command you were running that you said worked on a previous version? Like what version? 2.3.x?? 2.2, 2.1?

To be honest, if this command is coming from your own network.. I am not sure I understand the security concern.. I would assume the box the command is running from is secure, etc.
blessing wrote:

I think it's version 1.2 or something like that. I didn't bookmark the sources I found, but if you follow Link 1 in my last post, you'll find this command (from 2008). All other commands I found were nearly the same:

to disconnect:
curl "http://user:pw@ip/status_interfaces.php" -d "interface=wan&submit=Disconnect"
to connect:
curl "http://user:pw@ip/status_interfaces.php" -d "interface=wan&submit=Connect"

We are not talking about a commercial environment, but about a private environment where several people have access to this device. I just want to make sure that none of the users can get access to pfSense with high-level permissions. This could cause a bit more damage than being able to trigger reconnects.
johnpoz wrote:

1.2? UGGGGHHHH!!!

Yeah, lots of changes since then, that is for sure ;)
blessing wrote:

Oh yeah, and this one is also from the Netgate forums, but from 2013:

https://forum.netgate.com/topic/54430/curl-command-for-script/4

login (replace the URL, username & password):
curl -k -L -b cookies.txt -c cookies.txt --verbose -d "usernamefld=yourusernamehere&passwordfld=yourpasswordhere&login=Login" "https://192.168.1.1/index.php"

To do a post:

curl -k -L -b cookies.txt -c cookies.txt --verbose -d "action=Disconnect&if=wan" "https://192.168.1.1/status_interfaces.php"
johnpoz wrote:

Here:
https://docs.netgate.com/pfsense/en/latest/backup/remote-config-backup.html

This should help!!
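The CSRF protection blessing suspected earlier is what breaks both the 2008 and the 2013 one-liners: every pfSense form carries a hidden __csrf_magic field that has to be posted back with the form, and none of the commands quoted above send it. The script below is an added example, not code from this thread, from Netgate, or from the linked document; it applies the same fetch-the-form, scrape-the-token, post-with-token pattern that the linked backup guide uses to the status_interfaces.php fields of the 2013 post (usernamefld, passwordfld, login, if, action). Its assumptions are not stated in the thread: the webGUI presents a certificate curl can verify (so -k is dropped), the three PFSENSE_* variables come from the scheduler's environment rather than from the script file, and the account holds only the "WebCfg - Status: Interfaces" privilege. SAMPLE_LOGIN_HTML is a constructed snippet used to exercise the helpers offline.

```shell
#!/bin/sh
# Added example (not from the thread or from Netgate): drive the Connect /
# Disconnect buttons of status_interfaces.php from a LAN host with curl,
# sending the hidden __csrf_magic token that the old one-liners omitted.
# Assumed environment: PFSENSE_URL (e.g. https://firewall.example.internal,
# with a certificate curl can verify), PFSENSE_USER and PFSENSE_PASS for a
# user that has only the "WebCfg - Status: Interfaces" privilege.
set -e

# Constructed sample of a pfSense login page fragment, used only to test the
# helpers below without a firewall.
SAMPLE_LOGIN_HTML="<input type='hidden' name='__csrf_magic' value=\"sid:deadbeef0000,1600000000\" />
<input type='password' name='passwordfld' />"

# Print the __csrf_magic value from HTML read on stdin (either quote style).
# Prints nothing when the page carries no token.
extract_csrf_token() {
    sed -n "s/.*name=['\"]__csrf_magic['\"][^>]*value=['\"]\([^'\"]*\)['\"].*/\1/p" | head -n 1
}

# Succeed when HTML on stdin is still the login form, i.e. the session is not
# authenticated (bad password, missing privilege, expired cookie).  pfSense
# answers a failed login with HTTP 200 and the form again, so the HTTP status
# alone does not tell a scheduled task that its credentials stopped working.
is_login_form() {
    grep -q 'passwordfld'
}

# GET one webGUI page while keeping the session cookie in jar $1.
pf_get() {
    curl -sS -b "$1" -c "$1" "$PFSENSE_URL/$2"
}

# Toggle one interface: $1 is Connect or Disconnect, $2 the pfSense interface
# name (wan, opt1, ...).  Each POST is preceded by a GET of the same page so
# that the submitted token belongs to the current session.
pfsense_interface_action() {
    action=$1
    ifname=$2
    : "${PFSENSE_URL:?set PFSENSE_URL, e.g. https://firewall.example.internal}"
    : "${PFSENSE_USER:?set PFSENSE_USER}"
    : "${PFSENSE_PASS:?set PFSENSE_PASS}"
    jar=$(mktemp)
    trap 'rm -f "$jar"' EXIT

    # 1. Fetch the login form: starts the session and yields token #1.
    token=$(pf_get "$jar" index.php | extract_csrf_token)
    [ -n "$token" ] || { echo "no CSRF token in login page" >&2; return 1; }

    # 2. Log in with the fields of the 2013 command plus the token.
    #    --data-urlencode protects the token's ':' and ',' characters.
    curl -sS -b "$jar" -c "$jar" -o /dev/null \
        --data-urlencode "__csrf_magic=$token" \
        --data-urlencode "usernamefld=$PFSENSE_USER" \
        --data-urlencode "passwordfld=$PFSENSE_PASS" \
        --data-urlencode "login=Login" \
        "$PFSENSE_URL/index.php"

    # 3. Load the status page; if it is still the login form, stop.  Its
    #    hidden field is token #2, the one the action form must carry.
    page=$(pf_get "$jar" status_interfaces.php)
    if printf '%s' "$page" | is_login_form; then
        echo "login to $PFSENSE_URL failed or account lacks the Status: Interfaces privilege" >&2
        return 1
    fi
    token=$(printf '%s' "$page" | extract_csrf_token)
    [ -n "$token" ] || { echo "no CSRF token in status_interfaces.php" >&2; return 1; }

    # 4. Post the same fields the 2013 command used, now with token #2.
    curl -sS -b "$jar" -c "$jar" -o /dev/null \
        --data-urlencode "__csrf_magic=$token" \
        --data-urlencode "if=$ifname" \
        --data-urlencode "action=$action" \
        "$PFSENSE_URL/status_interfaces.php"
}

# Usage: PFSENSE_URL=... PFSENSE_USER=... PFSENSE_PASS=... sh reconnect.sh Disconnect wan
case "${1:-}" in
    Connect|Disconnect) pfsense_interface_action "$1" "${2:-wan}" ;;
esac
```

The token scrape is done twice on purpose: the first token is tied to the unauthenticated session that the login form creates, and the second to the authenticated session, so reusing the first one for the Disconnect POST would be rejected the same way the 2008 command is. Checking the status page for the password field turns a silent failure (HTTP 200 with the login form) into a non-zero exit the scheduler can alert on.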
blessing wrote:

Thanks, this seems to be good assistance. :-) Will try to adapt this to my issue in the next couple of days.

As I said, I'm not into web/HTTP/HTML and so on. Maybe I will ask for help one more time.