Recommended whitelist duplicate-removal bug workaround
-
I often use an alias to whitelist access. More important sites are often listed in more than one way (resulting in a duplicate). Such whitelists are used both to restrict access into a server (port forward IP source address restrictions) and for some server destination restrictions (to IP addresses used by the VoIP suppliers I use).
pfsense appears to use incremental alias IP processing with duplicate removal but lacks duplicate restore. As documented in
https://redmine.pfsense.org/issues/13792
https://redmine.pfsense.org/issues/13793
These bugs are 3 years old, have been repeatedly pushed to the right, and now have a target version of CE-next / Plus-next. So it appears they are hard to fix and unlikely to be fixed any time soon in pfsense.
So that leaves the question of how users can best work around it with current software.
For example, if I want to enable access to my server only from, say:
- Home (a fixed physical internet connection point with a relatively constant IP but also has a DDNS address)
- Laptop1 (which has a DDNS, sometimes uses the "Home" internet connection, and sometimes uses the same internet connection as Laptop2)
- Laptop2 (which has a DDNS, sometimes uses the "Home" internet connection, and sometimes uses the same internet connection as Laptop1)
Without the above bugs, a clean way of handling this is to create an "Allowed_IPs" alias containing:
- Home current IP address
- Home DDNS FQDN
- Laptop1 DDNS FQDN
- Laptop2 DDNS FQDN
Then use the "Allowed_IPs" alias in the port forward source address. Access from home should be reliable, as if the IP address changes or the DDNS goes down, the address should still be in the alias.
However, with the bug the reverse occurs:
- If both laptops are at home and then laptop1 leaves, access to my server from home and laptop2 will fail.
- Similarly, if both laptops share a different wifi connection and then one leaves, again the remaining laptop will lose server access.
Is the recommended solution to avoid duplicate removal / lack of duplicate replacement by ensuring that duplicates of potentially changing IP addresses are never created? For the above example, does that mean I need 4 port forwards, one for each DDNS FQDN and one for the fixed IP address(es)?
Or is there a better way?
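The following is an added simulation of the failure mode described in the post, not pfSense's own alias or filterdns code. It models the rule the post attributes to pfSense ("incremental alias IP processing with duplicate removal but no duplicate restore") as an assumption, alongside a reference-counted table (what "duplicate restore" would look like) and the workaround of one alias per entry. The hostnames and addresses are constructed, and the model says nothing about how per-entry aliases are wired into pfSense rules or whether a nested alias would re-merge them into one table.

```python
"""
Simulation of the alias-update behaviour described in the post.

Constructed example written for this page; it is NOT pfSense code. The
"incremental update, duplicate removal, no restore" rule is an assumption
taken from the post's description, and all names/addresses are made up.
"""
from collections import Counter
from typing import Dict, Set

# Constructed sample addresses (documentation ranges).
HOME_IP = "203.0.113.10"
CAFE_IP = "198.51.100.20"

# Constructed alias entries: a literal IP plus three DDNS FQDNs, all at home.
INITIAL: Dict[str, str] = {
    "203.0.113.10": HOME_IP,        # literal entry, never changes
    "home.example.net": HOME_IP,    # Home DDNS FQDN
    "laptop1.example.net": HOME_IP, # Laptop1 DDNS FQDN
    "laptop2.example.net": HOME_IP, # Laptop2 DDNS FQDN
}


class SingleTableAlias:
    """One flat IP table per alias; a hostname change drops its old IP outright.

    Assumed model of the behaviour the post describes: duplicates collapse on
    load, and when an entry's address changes the old address is removed even
    if other entries (including a literal IP) still resolve to it.
    """

    def __init__(self, entries: Dict[str, str]) -> None:
        self.current = dict(entries)
        self.table: Set[str] = set(entries.values())  # duplicates collapsed

    def update(self, name: str, new_ip: str) -> None:
        old_ip = self.current[name]
        if old_ip == new_ip:
            return
        self.table.discard(old_ip)  # no check whether anyone else needs old_ip
        self.table.add(new_ip)
        self.current[name] = new_ip

    def allows(self, ip: str) -> bool:
        return ip in self.table


class RefCountedAlias:
    """Same interface, but an IP stays while at least one entry resolves to it."""

    def __init__(self, entries: Dict[str, str]) -> None:
        self.current = dict(entries)
        self.refs = Counter(entries.values())  # ip -> number of entries using it

    def update(self, name: str, new_ip: str) -> None:
        old_ip = self.current[name]
        if old_ip == new_ip:
            return
        self.refs[old_ip] -= 1
        if self.refs[old_ip] == 0:
            del self.refs[old_ip]
        self.refs[new_ip] += 1
        self.current[name] = new_ip

    def allows(self, ip: str) -> bool:
        return ip in self.refs


class SplitAliases:
    """Workaround from the post: one alias per entry, so no alias ever holds a
    duplicate; the rule set is the union of the per-entry aliases."""

    def __init__(self, entries: Dict[str, str]) -> None:
        self.aliases = {n: SingleTableAlias({n: ip}) for n, ip in entries.items()}

    def update(self, name: str, new_ip: str) -> None:
        self.aliases[name].update(name, new_ip)

    def allows(self, ip: str) -> bool:
        return any(a.allows(ip) for a in self.aliases.values())


def laptop1_leaves_home(alias_cls) -> Dict[str, bool]:
    """Both laptops start at home; laptop1 moves to the cafe. Who still gets in?"""
    alias = alias_cls(INITIAL)
    alias.update("laptop1.example.net", CAFE_IP)
    return {"home_and_laptop2": alias.allows(HOME_IP),
            "laptop1": alias.allows(CAFE_IP)}


if __name__ == "__main__":
    for cls in (SingleTableAlias, RefCountedAlias, SplitAliases):
        print(f"{cls.__name__:18} {laptop1_leaves_home(cls)}")
```

With the single-table model, laptop1 leaving removes the home address from the table even though the literal entry, the home FQDN and laptop2 all still resolve to it, which is exactly the lockout the post describes. The reference-counted table and the per-entry split both keep the home address, which is why never letting two changeable entries share one alias avoids the condition.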