Netgate Discussion Forum

Ignore any IP not resolving to a trusted domain

Firewalling
33 Posts 2 Posters 3.4k Views
• Wastapi @johnpoz

WOHOOOO!!! It works! :) :)
Thanks a lot @johnpoz!

• Wastapi

@johnpoz
I have an issue. It seems that ANY IP can connect to the OpenVPN now, even if they are NOT in the alias pool.

I have put the said rule on my WAN interface.
Should I also put it on my OpenVPN interface?

I would have expected my WAN to simply block it if not in the alias pool, and for the traffic NOT to reach the OpenVPN because of that.

Thanks for your continued help.

• johnpoz LAYER 8 Global Moderator @Wastapi

@wastapi without seeing your rules I really cannot even guess at what could be going on.

But you can validate what is in the alias via the Diagnostics / Tables menu. For something to talk to your OpenVPN service listening on your WAN IP, you would need a rule on your WAN to allow it. The rules on your OpenVPN interface would be for what traffic is allowed via that interface - not for connecting to it from WAN.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

• Wastapi

Thanks for pointing out the Diagnostics / Tables menu.

1. Well, we have another issue then:
It seems that an IP was added to the table although it has absolutely NO link to ANY domain in my Alias configuration. Any clue?

2. And here is my rule on my WAN interface
[screenshot: Screen Shot 2021-11-22 at 11.31.04.png]

3. And here is my rule on my OpenVPN (which is not an interface)
[screenshot: Screen Shot 2021-11-22 at 11.32.26.png]

• johnpoz LAYER 8 Global Moderator @Wastapi

@wastapi that is not your rules, that is 1 rule - without knowing what rules are above that, or in floating, it's just a guess if that rule is the one that will be triggered.

Let's see your WAN rules..

Example..

[screenshot: wanrules.jpg]

And do you have rules in floating - if so, let's see them.. Also, what do you have set for your port forward "Filter rule association"?

[screenshot: asso.jpg]

If you have that set to PASS vs an association with your WAN rule - you could be allowing anything in, etc.


• Wastapi @johnpoz

@johnpoz

• I only have ONE allow rule on my WAN. The one I sent.
• I only have ONE allow rule on my OpenVPN. The one I sent.
• I have a few rules on my Bridge interface, but this should not be related. Also, none refer to this Alias setup.

No floating rules are currently defined.
Nothing found about port forward "Filter rule association".

On my WAN I have the standard "Block bogon networks" & "Block private networks" blocking rules at the top.

• johnpoz LAYER 8 Global Moderator @Wastapi

@wastapi said in Ignore any IP not resolving to a trusted domain:

Nothing found about port forward "Filter rule association"

Ah, my bad, this is OpenVPN running, not a port forward - you can ignore that..

Well, how exactly are you saying anything can connect? Are you logging that rule that allows your OpenVPN? Are you seeing connection attempts in the VPN log?


• Wastapi @johnpoz

@johnpoz
An employee with a WAN IP not resolving to any known alias is ABLE to connect to our VPN.
And I see his IP in the Diagnostics / Tables for my alias.

First, I don't understand how come his IP is listed there! There is absolutely no relation between his remote WAN IP and any of my aliases.

Hence I would have expected my rule to ignore any WAN connection if it is not in the Alias set.

• johnpoz LAYER 8 Global Moderator @Wastapi

@wastapi said in Ignore any IP not resolving to a trusted domain:

First, I don't understand how come his IP is listed there

Well, if it's in your alias table - then yes, it would be allowed..


• Wastapi @johnpoz

@johnpoz
Hehe... Yes, I understand why it allowed the traffic: because the IP is listed in the Alias table. ;) But I don't understand HOW this IP got listed there. ;) In any case, I have emptied the table.

It seems the Alias table is really slow to update/refresh.
If I empty it, it will not allow me through anymore, although the FQDN does point to the right IP in the remote DNS (tested by nslookup).

I have changed Aliases Hostnames Resolve Interval to 10 seconds. Same problem - it does not update after 10 seconds. The Alias table remains empty.

The only way I get this working is by saving my alias setup and applying multiple times (3). Unusable.

• johnpoz LAYER 8 Global Moderator @Wastapi

@wastapi said in Ignore any IP not resolving to a trusted domain:

I have changed Aliases Hostnames Resolve Interval to 10 seconds

that is just insane.. Default is 5 minutes - that should be fine.. If the filter process has stopped, then no, they wouldn't update.

This has come up now and then - but I believe this filterdns running is what updates them:

    [21.05.2-RELEASE][admin@sg4860.local.lan]/root: ps x | grep filterdns
    66786  -  Is       0:02.53 /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1


• Wastapi @johnpoz

@johnpoz
Yes, insane... I used 10 seconds just while testing.
It was 300 seconds before and will be reverted to 300 when I'm done.

Just saying that even at 10 seconds it was not updating. Sometimes I wait 10 minutes and it never works. Even manually calling Status > Filter Reload (/status_filter_reload.php) does not update the IPs in the table. :/

Are you suggesting that I set a CRON myself to run this?
And what would the exact command be?

Thanks!

--
OK, update: In /var/log/resolver.log I do see this was added.

    Nov 22 14:45:12 8p-pfSense filterdns[31164]: Adding Action: pf table: Trusted_DynDNS_Alias host: xxx.dyndns.org

But they don't appear in Diagnostics > Tables.
And the IP traffic is not allowed when the IP is not in Diagnostics > Tables.

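The two symptoms in this thread (an address in the alias table that no alias FQDN accounts for, and a table that stays empty after the FQDN does resolve) can both be caught by comparing the live table with what the alias hostnames currently resolve to. The script below is an added illustration, not code from the thread or from pfSense: it parses `filterdns` lines in the `resolver.log` format quoted above to learn which hostnames belong to the table, and compares a constructed `pfctl -t <alias> -T show` dump against constructed DNS answers (the table name is the thread's; hostnames and addresses are made up).

```python
import ipaddress
import re

# Constructed sample of "pfctl -t Trusted_DynDNS_Alias -T show" output (not
# from the thread); 198.51.100.77 plays the unexplained entry.
TABLE_DUMP = """
   203.0.113.10
   198.51.100.77
"""

# Constructed /var/log/resolver.log lines in the format the thread quotes.
RESOLVER_LOG = """
Nov 22 14:45:12 8p-pfSense filterdns[31164]: Adding Action: pf table: Trusted_DynDNS_Alias host: office.example.net
Nov 22 14:45:12 8p-pfSense filterdns[31164]: Adding Action: pf table: Trusted_DynDNS_Alias host: home.example.net
Nov 22 14:45:12 8p-pfSense filterdns[31164]: Adding Action: pf table: Other_Alias host: other.example.net
"""

# Constructed current DNS answers (what nslookup would return right now).
RESOLVED = {
    "office.example.net": {"203.0.113.10"},
    "home.example.net": {"203.0.113.55"},
    "other.example.net": {"192.0.2.9"},
}

LOG_RE = re.compile(r"filterdns\[\d+\]: Adding Action: pf table: (\S+) host: (\S+)")


def hosts_for_table(log_text, table):
    """FQDNs that filterdns registered for `table`, taken from resolver.log."""
    return {m.group(2) for m in LOG_RE.finditer(log_text) if m.group(1) == table}


def parse_table(dump):
    """Host addresses in a pfctl -T show dump; blank or non-address lines are skipped."""
    addrs = set()
    for line in dump.splitlines():
        line = line.strip()
        try:
            addrs.add(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # blank line, header text or a network entry
    return addrs


def audit_table(dump, log_text, table, resolved):
    """Return addresses in the table no alias FQDN explains, and resolved ones the table lacks."""
    expected = set()
    for host in hosts_for_table(log_text, table):
        expected |= resolved.get(host, set())
    actual = parse_table(dump)
    return {"unexpected": sorted(actual - expected), "missing": sorted(expected - actual)}


if __name__ == "__main__":
    print(audit_table(TABLE_DUMP, RESOLVER_LOG, "Trusted_DynDNS_Alias", RESOLVED))
```

An entry under `unexpected` is the case the thread describes (a firewall rule built on the alias will pass that source), and `missing` is the stale-table case where a legitimately resolving FQDN is still blocked.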
• johnpoz LAYER 8 Global Moderator @Wastapi

@wastapi no, that is the default cron that updates the IPs.

Is that running? I don't recall the details, but I do recall some thread or threads about aliases not updating or loading.

