pfSense advanced rule with dynamic DNS for incoming source



  • Hello pfSense users :)

    I use the latest version, pfSense 2.4.4-RELEASE-p3.

    For security reasons, I created a rule with dynamic DNS for the incoming source.
    This works randomly and I have some bugs.

    Rule:
    Interface : WAN
    Address Family : IPv4
    Protocol : UDP or TCP (I have some services on TCP, others on UDP)
    Source : Single Host or Alias (I use an Alias), for example ACL_LIST
    Source Port Range : External Port
    Destination address : pfsense
    Destination port : Internal port

    Alias (ACL_LIST)
    I have listed all allowed IPs (with IPs it works fine).
    But if I define a dynamic DNS name like xxxx.ddns.net (NO-IP), it works randomly.
    NB: the alias uses another alias.

    Tests and infos :

    • First, I thought the problem was that pfSense had a DynDNS update delay, but I have seen cases where the domain is correctly resolved, but the connection is refused for the IP associated with the domain (dynamic DNS).
      In this case, if I add the IP in the alias, it works fine.
    • I wonder whether the use of an Alias poses concerns with a DynDNS (domain name instead of an IP), not sure...
    • Sometimes if I modify the alias, the interface offers me to recreate/refresh the rule and this seems to work.
    • To verify that pfsense has updated the IP, I use the Web UI and the ping section, which allows me to check the DNS resolution and the associated IP is fine.
    • Sometimes I do nothing and this works as it should (the dynamic IP is modified and the connection is limited to this dynamic IP).

    Question:

    • Can I check the status of the rules with a command line (or another way)?
    • Is it possible to force the refresh of the rules?
    • Suggestions (if you've ever done something like this)?

    For information, I use this security to limit remote access to certain services that can also work in TCP (web interface) or UDP (VPN).

    Thank you in advance for your help and suggestions.


  • I would take this into consideration (from the Netgate docs):
    The FQDN will be resolved by DNS every 5 minutes (300 seconds) and updated internally.
    The interval at which the resolution takes place may be adjusted under System > Advanced on the Firewall / NAT tab.
    With only a few hosts, a lower value may be used such as 30 seconds.



  • Go to Diagnostics > Tables and look at the alias and what is in it.



  • @kiokoman, @Bob-Dig: Thanks for your help.

    I have updated it to 55 seconds and I have better results, but I think I found a bug.

    System >> Advanced (https://<pfsenseIP>/system_advanced_firewall.php)
    Field name: "Alias Hostname Resolve Interval": 300 (default) updated to 55.
    

    To verify the tables:

    Diagnostics >> Tables (https://<pfsenseIP>/diag_tables.php)
    

    I have 2 cases.

    1. I can see the tables, all seems fine (90% of cases):
    Date of last update of table is unknown.    xxx  records.
    <ip....>
    <ip....>
    <ip....>
    
    2. The table is not displayed (for an unknown reason) :-/
    No entries exist in this table.
    
    • There is however something strange: when I looked at the tables on this interface, the first time I did not have all the IP addresses.
      After a while, everything seemed displayed.

    • However I think I have found a bug that I can reproduce.
      If an Alias has a reference to another Alias and DynDNS, the table is incomplete.

    These are my aliases (to explain the bug):

    IP_USR_1:
    192.xxx.xxx.aaa (IP)
    192.xxx.xxx.bbb (IP)
    
    IP_USR_2:
    192.xxx.xxx.ccc (IP)
    192.xxx.xxx.ddd (IP)
    
    IP_USR_DYN:
    mydyndns.noip.tld (Domain)
    
    ACL_TEST1:  
    IP_USR_1
    IP_USR_2
    
    ACL_TEST2:  
    IP_USR_1
    IP_USR_DYN
    

    mydyndns.noip.tld DNS resolution is 202.xxx.xxx.202

    The Diagnostics page shows:

    ACL_TEST1 (seems fine):
    192.xxx.xxx.aaa
    192.xxx.xxx.bbb
    192.xxx.xxx.ccc
    192.xxx.xxx.ddd
    
    ACL_TEST2 (incomplete) :  
    202.xxx.xxx.202
    

    The following values are missing for "ACL_TEST2"

    192.xxx.xxx.aaa
    192.xxx.xxx.bbb
    

    If I change the order (alias list):

    ACL_TEST2:  
    IP_USR_DYN
    IP_USR_1
    

    The Diagnostics page displays:

    ACL_TEST2:  
    192.xxx.xxx.aaa
    192.xxx.xxx.bbb
    

    The following values are missing for "ACL_TEST2"

    202.xxx.xxx.202
    

    This problem seems to only affect Aliases containing other Aliases with DynamicDNS.

    I have 7 pfSense installations in production and the problem seems to be present on all of them.

    Another strange thing: if I go to the alias section, modify it, and click on apply after the modification, the rule set seems to be applied, but the diagnostic page displays an incomplete IP list.

    It would be useful to check, for "NAT rules" or "port forwarding rules" that use aliases, whether the default behavior is to keep the connections active or delete them.
    This could also explain that the table is wrong, but that the rule still works.

    If you have ideas, they are welcome.
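    The first post asks how to check the state of the rules from a command line and how to force a refresh, and the bug report above compares the Diagnostics > Tables output against the alias definition by hand. The script below is an added example, not code from this thread or from pfSense itself: it reads the pf table that backs an alias with `pfctl -t NAME -T show`, expands the alias entries (IPv4 literals plus hostnames resolved with `host`), and prints whatever is missing from the loaded table, which is exactly the "values missing for ACL_TEST2" comparison from the bug report. It assumes it runs on the pfSense shell (console option 8 or SSH) where `pfctl` and `host` exist, and that the pf table has the same name as the alias. The sample addresses at the bottom are constructed documentation addresses, not the poster's.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense. It answers the two
# questions from the first post (check the loaded rule/table state from the
# command line, detect when a refresh is needed) and turns the "values missing
# for ACL_TEST2" check from the bug report into a repeatable script.
# Assumptions: runs on the pfSense shell where pfctl(8) and host(1) exist, and
# the pf table carries the same name as the alias (one table per host alias).

# Expand the entries of an alias into the IPv4 addresses it should contain.
# $1 = entries, one per line; IPv4 literals pass through, hostnames are
# resolved with host(1), which is what the alias resolver does internally.
resolve_entries() {
  printf '%s\n' "$1" | while IFS= read -r entry; do
    [ -z "$entry" ] && continue
    case "$entry" in
      [0-9]*.[0-9]*.[0-9]*.[0-9]*) printf '%s\n' "$entry" ;;
      *) host -t A "$entry" 2>/dev/null | awk '/has address/ { print $NF }' ;;
    esac
  done
}

# Print every expected address that is absent from the observed table dump.
# $1 = expected addresses, $2 = observed addresses (the text printed by
# `pfctl -t NAME -T show`: one address per line, indented by spaces).
# Leading whitespace and blank lines are dropped so both sides compare equal.
missing_entries() {
  exp_f=$(mktemp) && obs_f=$(mktemp) || return 2
  printf '%s\n' "$1" | sed 's/^[[:space:]]*//; /^$/d' | sort -u > "$exp_f"
  printf '%s\n' "$2" | sed 's/^[[:space:]]*//; /^$/d' | sort -u > "$obs_f"
  comm -23 "$exp_f" "$obs_f"      # lines present only in the expected set
  rm -f "$exp_f" "$obs_f"
}

# Live check on pfSense: $1 = alias name, $2 = its entries (one per line).
# Exit status: 0 complete, 1 incomplete, 2 table not loaded in pf at all.
check_alias_table() {
  observed=$(pfctl -t "$1" -T show 2>/dev/null) || {
    printf 'table %s is not loaded in pf\n' "$1"; return 2; }
  missing=$(missing_entries "$(resolve_entries "$2")" "$observed")
  if [ -n "$missing" ]; then
    printf 'alias %s is incomplete, missing:\n%s\n' "$1" "$missing"
    return 1
  fi
  printf 'alias %s matches its definition\n' "$1"
}

# Constructed sample reproducing the thread's ACL_TEST2 case with RFC 5737
# documentation addresses (not the poster's real ones): the table only
# received the dynamic-DNS address, the two static addresses are missing.
SAMPLE_EXPECTED='192.0.2.10
192.0.2.11
203.0.113.202'
SAMPLE_OBSERVED='   203.0.113.202'
missing_entries "$SAMPLE_EXPECTED" "$SAMPLE_OBSERVED"
```

    On the firewall, `check_alias_table ACL_TEST2 "$(printf '%s\n' 192.xxx.xxx.aaa 192.xxx.xxx.bbb mydyndns.noip.tld)"` reports the same gap the Diagnostics page showed, and `pfctl -sr | grep -w ACL_TEST2` lists the loaded rules that reference the table, so you can confirm the rule exists even when the table behind it is short. To force a rule reload from the shell, pfSense's own `/etc/rc.filter_configure` script does what the Apply button does; rerunning the check afterwards tells you whether the reload actually repopulated the table.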


