Allow traffic from dynamic IP address

  • I have a phone system behind a pfsense.  I want to open up the proper ports so that i can have remote phones, but i want to limit who can connect to only a few IP addresses.  Problem is that one of the people that needs a remote phone uses an ISP that will not give him a static ip address.  Is there a way i can create a firewall rule that checks a dyndns (or similar) type of address?

  • There isn't any supported way of doing that. Perhaps he could use a router at home that supports a VPN to connect into your network.
    Another possibility that isn't as secure is to make an allow rule for the ISP's subnet that he always ends up in. (eg.

  • Rebel Alliance Developer Netgate

    A mobile IPsec tunnel would be great for this kind of situation, and would remain secure.

    There are some ways to use hostnames in rules, such as using a hostname in an alias instead of directly in the rule, but there are some drawbacks to that. I forget exactly what they are though. Something about needing a script to update the resolved hostname now and then.

    There was a recent discussion on the forums, or perhaps the support list, try searching for some variation of the keywords "dynamic host alias".

  • I find that using a voip phone over an IPSEC VPN tunnel affects the call quality quite seriously. I guess it is the overhead of the encryption.

    I have the same problem with a couple of home workers. Will try out the Alias hostname.


Log in to reply