PfSense advanced rule with dynamic DNS for incoming source
-
Hello pfSense users :)
I use the latest version, pfSense 2.4.4-RELEASE-p3.
For security reasons, I created a rule with dynamic DNS as the incoming source.
This works randomly and I have some bugs.
Rule:
Interface : WAN
Address Family : IPv4
Protocol : UDP or TCP (I have some services on TCP, others on UDP)
Source : Single Host or Alias (I use an Alias), for example ACL_LIST
Source Port Range : External Port
Destination address : pfsense
Destination port : Internal port
Alias (ACL_LIST)
I have listed all allowed IPs (with IPs it works fine).
But if I define a dynamic DNS name like xxxx.ddns.net (NO-IP), it works randomly.
NB: the alias uses another alias.
Tests and infos:
- First, I thought the problem was that pfsense had a DynDNS update delay, but I have seen cases where the domain is correctly resolved, but the connection is refused for the IP associated with the domain (dynamic dns).
In this case, if I add the IP in the alias it works fine.
- I wonder whether the use of an Alias poses problems with a DynDNS entry (domain name instead of an IP), not sure...
- Sometimes if I modify the alias, the interface offers me to recreate/refresh the rule and this seems to work.
- To verify that pfSense has updated the IP, I use the Web UI and the ping section, which allows me to check the DNS resolution; the associated IP is fine.
- Sometimes I do nothing and this works as it should (the dynamic IP is modified and the connection is limited to this dynamic IP).
Question:
- Can I check the status of the rules from the command line (or another way)?
- Is it possible to force a refresh of the rules?
- Suggestions (if you've ever done something like this)?
For information, I use this security measure to limit remote access to certain services, which can work over TCP (web interface) or UDP (VPN).
Thank you in advance for your help and suggestions.
- First, I thought the problem was that pfsense had a DynDNS update delay, but I have seen cases where the domain is correctly resolved, but the connection is refused for the IP associated with the domain (dynamic dns).
-
I would take this into consideration (from the Netgate docs):
The FQDN will be resolved by DNS every 5 minutes (300 seconds) and updated internally.
The interval at which the resolution takes place may be adjusted under System > Advanced on the Firewall / NAT tab.
With only a few hosts, a lower value may be used such as 30 seconds.
-
Go to Diagnostics > Tables and look at the alias and what is in it.
-
@kiokoman , @Bob-Dig : Thanks for your help.
I have updated to 55 seconds and I have better results, but I think I found a bug.
System >> Advanced (https://<pfsenseIP>/system_advanced_firewall.php), field name "Alias Hostname Resolve Interval": 300 (default) updated to 55.
To verify the tables:
Diagnostics >> Tables (https://<pfsenseIP>/diag_tables.php)
I have 2 cases.
- I can see the tables, all seems fine (90% of cases):
Date of last update of table is unknown. xxx records. <ip....> <ip....> <ip....>
- The table is not displayed (for an unknown reason) :-/
No entries exist in this table.
- There is however something strange: when I looked at the tables on this interface, the first time I did not have all the IP addresses.
After a while, everything seemed displayed.
- However I think I have found a bug that I can reproduce.
If an Alias has a reference to another Alias and DynDNS, the table is incomplete.
These are my aliases (to explain the bug):
IP_USR_1: 192.xxx.xxx.aaa (IP), 192.xxx.xxx.bbb (IP)
IP_USR_2: 192.xxx.xxx.ccc (IP), 192.xxx.xxx.ddd (IP)
IP_USR_DYN: mydyndns.noip.tld (Domain)
ACL_TEST1: IP_USR_1, IP_USR_2
ACL_TEST2: IP_USR_1, IP_USR_DYN
mydyndns.noip.tld resolves to 202.xxx.xxx.202.
The Diagnostics page shows:
ACL_TEST1 (seems fine): 192.xxx.xxx.aaa 192.xxx.xxx.bbb 192.xxx.xxx.ccc 192.xxx.xxx.ddd
ACL_TEST2 (incomplete): 202.xxx.xxx.202
The following values are missing for "ACL_TEST2"
192.xxx.xxx.aaa 192.xxx.xxx.bbb
If I change the order (alias list):
ACL_TEST2: IP_USR_DYN, IP_USR_1
The Diagnostics page displays:
ACL_TEST2: 192.xxx.xxx.aaa 192.xxx.xxx.bbb
The following values are missing for "ACL_TEST2"
202.xxx.xxx.202
This problem seems to affect only Aliases containing other Aliases together with a DynamicDNS entry.
I have 7 pfSense installations in production and the problem seems to be present on all of them.
Another strange thing: if I go to the alias section, modify it, and click Apply after the modification, the rule set seems to be applied, but the Diagnostics page displays an incomplete IP list.
It would be useful if I looked at the "NAT rules" or "port forwarding rules" that use aliases, to see whether the default behavior is to keep the connections active or delete them.
This could also explain why the table is wrong but the rule still works.
If you have ideas, they are welcome.
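As an added example (not code from this thread, from Netgate or from pfSense itself), the script below does from the shell what the Diagnostics > Tables page does by hand, which covers the "check the status of the rules from the command line" question in the opening post and the nested-alias completeness check described in the post above. It reads the live pf table with `pfctl -t <ALIAS> -T show` and compares it against the members the alias definitions imply, recursing through nested aliases. Everything else is constructed for illustration: the alias definitions mirror the ones in the thread, RFC 5737 documentation addresses stand in for the masked 192.xxx/202.xxx values, the address mydyndns.noip.tld is assumed to resolve to is hard-coded, and a sample table replaces pfctl output when pfctl is not present so the script also runs off the firewall.

```shell
#!/bin/sh
# Added example, not code from the forum thread, Netgate or pfSense.
# Checks whether the pf table behind a pfSense alias holds every member the
# alias definition implies. On the firewall the live table comes from
#   pfctl -t <ALIAS> -T show
# Off the firewall a constructed sample stands in for that output.
set -eu

# Constructed stand-in for `pfctl -t NAME -T show` output. ACL_TEST2 reproduces
# the incomplete table the thread describes: only the FQDN's address is present.
# RFC 5737 documentation addresses replace the masked 192.xxx / 202.xxx values.
sample_table() {
  case "$1" in
    ACL_TEST1) printf '   %s\n' 192.0.2.10 192.0.2.11 192.0.2.20 192.0.2.21 ;;
    ACL_TEST2) printf '   %s\n' 202.0.2.202 ;;
    *) : ;;   # unknown alias: empty table, like the "No entries exist" case
  esac
}

# Expected members, flattened from the alias definitions given in the thread.
# Nested aliases recurse; the FQDN alias lists the address it is assumed to resolve to.
expected_members() {
  case "$1" in
    IP_USR_1)   printf '%s\n' 192.0.2.10 192.0.2.11 ;;
    IP_USR_2)   printf '%s\n' 192.0.2.20 192.0.2.21 ;;
    IP_USR_DYN) printf '%s\n' 202.0.2.202 ;;   # assumed resolution of mydyndns.noip.tld
    ACL_TEST1)  expected_members IP_USR_1; expected_members IP_USR_2 ;;
    ACL_TEST2)  expected_members IP_USR_1; expected_members IP_USR_DYN ;;
    *) echo "unknown alias: $1" >&2; return 1 ;;
  esac
}

# Live table contents: pfctl when available (on the firewall), else the sample.
live_table() {
  if command -v pfctl >/dev/null 2>&1; then
    pfctl -t "$1" -T show
  else
    sample_table "$1"
  fi
}

# Print expected members that are absent from the live table, one per line.
# Prints nothing when the table is complete.
missing_members() {
  tmp=$(mktemp)
  live_table "$1" | tr -d ' \t' | sed '/^$/d' | sort -u > "$tmp"
  expected_members "$1" | sort -u | grep -vxF -f "$tmp" || true
  rm -f "$tmp"
}

# Exit status 0 when the table holds every expected member, 1 otherwise.
table_complete() {
  [ -z "$(missing_members "$1")" ]
}

# Stand-alone use: report both aliases from the thread.
for a in ACL_TEST1 ACL_TEST2; do
  if table_complete "$a"; then
    echo "$a: table complete"
  else
    echo "$a: missing from table:"
    missing_members "$a" | sed 's/^/  /'
  fi
done
```

Run on the firewall as root, an alias that reports missing members is exactly the condition the post above describes; the table can then be rebuilt with a filter reload (Status > Filter Reload in the web UI, or `/etc/rc.filter_configure` from the shell on pfSense), and a `pfctl -t <ALIAS> -T show` taken before and after the reload shows whether the rebuilt table is complete.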
-
Hello!
https://redmine.pfsense.org/issues/9296
?
John