PfSense advanced rule with dynamic DNS for incoming source
-
Hello pfsense users :)
I use the last version pfSense 2.4.4-RELEASE-p3
For security reasons, I created a rule with dynamic DNS for incoming source
This works randomly and I have some bugs.Rule:
Interface : WAN
Address Family : IPv4
Protocol : UDP or TCP (i have some service with tcp, other in udp)
Source : Single Host or Alias (I use an Alias), for Sample ACL_LIST
Source Port Range : External Port
Destination address : pfsense
Destination port : Internal portAlias (ACL_LIST)
I have list all Allowed IP (with IP it's work fine)
But if define a Dynamic DNS like xxxx.ddns.net (NO-IP) , it's work randomly.
NB : Alias use another AliasTests and infos :
- First, I thought the problem was that pfsense had a DynDNS update delay, but I have seen cases where the domain is correctly resolved, but the connection is refused for the IP associated with the domain (dynamic dns).
In this case, if i add IP in Alias it's work fine. - I wonder about the fact that the use of an Alias poses concerns with a DynDNS (domain name instead an IP), not sure...
- Sometimes if I modify the alias, the interface offers me to recreate/refresh the rule and this seems to work.
- To verify that pfsense has updated the IP, I use the Web UI and the ping section, which allows me to check the DNS resolution and the associated IP is fine.
- Sometimes I do nothing and this works as it should (the dynamic IP is modified and the connection is limited to this dynamic IP).
Question:
- Can I with an command line (or another) check the status of the rules ?
- Is it possible to force the refresh of the rules ?
- Suggestions (if you've ever done something like this) ?
For information, I use this security to limit remote access to certain services that can also work in TCP (web interface) or UDP (VPN).
Thank you in advance for your help and suggestions.
- First, I thought the problem was that pfsense had a DynDNS update delay, but I have seen cases where the domain is correctly resolved, but the connection is refused for the IP associated with the domain (dynamic dns).
-
i would take this into consideration (from netgate docs) :
The FQDN will be resolved by DNS every 5 minutes (300 seconds) and updated internally
The interval at which the resolution takes place may be adjusted under System > Advanced on the Firewall / NAT tab
With only a few hosts, a lower value may be used such as 30 seconds
-
Go to >Diagnostics > Tables and look at the alias and what is in it.
-
@kiokoman , @Bob-Dig : Thanks for your help.
I have update to 55 seconds, and i have better results, but i think i found a bugs
System >> Advanced (https:// <pfsenseIP> /system_advanced_firewall.php) Field name : "Alias Hostname Resolve Interval" : 300 (default) updated to 55.For verify tables :
Diagnostics >> Tables ( https:// <pfsenseIP> /diag_tables.php )I have 2 cases.
- i can see tables, all seem fine (90% of cases)
Date of last update of table is unknown. xxx records. <ip....> <ip....> <ip....>- Table is not displayed (and for unknow reason) :-/
No entries exist in this table.-
There is however something strange, it is that when I looked for the tables on this interface, the first time I did not have all the IP addresses.
After a while, everything seem displayed. -
However I think I have found a bug that I can reproduce.
If an Alias has a reference to another Alias and DynDNS, the table is incomplete.
This my alias (to explain the bug) :
IP_USR_1: 192.xxx.xxx.aaa (IP) 192.xxx.xxx.bbb (IP) IP_USR_2: 192.xxx.xxx.ccc (IP) 192.xxx.xxx.ddd (IP) IP_USR_DYN medyndns.noip.tld (Domain) ACL_TEST1: IP_USR_1 IP_USR_2 ACL_TEST2: IP_USR_1 IP_USR_DYNmydyndns.noip.tld DNS resolution is 202.xxx.xxx.202
Diagnostic page show :
ACL_TEST1 (seem fine): 192.xxx.xxx.aaa 192.xxx.xxx.bbb 192.xxx.xxx.ccc 192.xxx.xxx.ddd ACL_TEST2 (incomplete) : 202.xxx.xxx.202The following values are missing for "ACL_TEST2"
192.xxx.xxx.aaa 192.xxx.xxx.bbbIf i change order (Alias list) :
ACL_TEST2: IP_USR_DYN IP_USR_1Diagnostic page display :
ACL_TEST2: 192.xxx.xxx.aaa 192.xxx.xxx.bbbThe following values are missing for "ACL_TEST2"
202.xxx.xxx.202This problem seems to only affect Aliases containing other Aliases with DynamicDNS.
I have 7 pfsense in production and the problem seems to be present on all.
Another strange thing: if I go to the alias section, modify it, click on apply after the modification, rules set seems to be applied, but the diagnostic page displays an incomplete IP list.
It would be useful if I looked "NAT rules" or "port forwarding rules" that use aliases, if the default behavior is to keep the connections active or delete it.
This could also explain that the table is wrong, but that the rule still works.If you have ideas, they are welcome.
-
@kiokoman , @Bob-Dig : Thanks for your help.
I have update to 55 seconds, and i have better results, but i think i found a bugs
System >> Advanced (https:// <pfsenseIP> /system_advanced_firewall.php) Field name : "Alias Hostname Resolve Interval" : 300 (default) updated to 55.For make tests :
Diagnostics >> Tables ( https:// <pfsenseIP> /diag_tables.php )I have 2 cases.
- I can see tables, all seem fine (90% of cases)
Date of last update of table is unknown. xxx records. <ip....> <ip....> <ip....>- Table is not displayed (and for unknow reason) :-/
No entries exist in this table.-
There is however something strange, it is that when I looked for the tables on this interface, the first time I did not have all the IP addresses.
After a while, everything seem displayed. -
However I think I have found a bug that I can reproduce.
If an Alias has a reference to another Alias and DynDNS, the table is incomplete.
This my alias (to explain the bug) :
IP_USR_1: 192.xxx.xxx.aaa (IP) 192.xxx.xxx.bbb (IP) IP_USR_2: 192.xxx.xxx.ccc (IP) 192.xxx.xxx.ddd (IP) IP_USR_DYN medyndns.noip.tld (Domain) ACL_TEST1: IP_USR_1 IP_USR_2 ACL_TEST2: IP_USR_1 IP_USR_DYNmydyndns.noip.tld DNS resolution is 202.xxx.xxx.202
Diagnostic page show :
ACL_TEST1 (seem fine): 192.xxx.xxx.aaa 192.xxx.xxx.bbb 192.xxx.xxx.ccc 192.xxx.xxx.ddd ACL_TEST2 (incomplete) : 202.xxx.xxx.202The following values are missing for "ACL_TEST2"
192.xxx.xxx.aaa 192.xxx.xxx.bbbIf i change order (Alias list) :
ACL_TEST2: IP_USR_DYN IP_USR_1Diagnostic page display :
ACL_TEST2: 192.xxx.xxx.aaa 192.xxx.xxx.bbbThe following values are missing for "ACL_TEST2"
202.xxx.xxx.202This problem seems to only affect Aliases containing other Aliases with DynamicDNS.
I have 7 pfsense in production and the problem seems to be present on all.
Another strange thing: if I go to the alias section, modify it, click on apply after the modification, rules set seems to be applied, but the diagnostic page displays an incomplete IP list.
It would be useful if I looked "NAT rules" or "port forwarding rules" that use aliases, if the default behavior is to keep the connections active or delete it.
This could also explain that the table is wrong, but that the rule still works.If you have ideas, they are welcome.
-
