Firewall Rules on Dynamic WAN Interface - Auto-Adjusting?

  • Hi, Everyone!

    I have been using pfSense for the past year or so, and have found I really do enjoy the extra security and stability that the FreeBSD + pf platform provides.
  The extra security aspect does bring up one question I'm not sure about, however: how do you define firewall rulesets for machines whose WAN IPs change on occasion?  By this I mean every few weeks, not every day or so…

    For instance:

    With IPCop I used to allow https on a nonstandard port for all the world to access in order to administer the box remotely.  Obviously, not completely safe, but it worked for my needs.
  Now with pfSense I want to allow almost the same, but I wish to restrict to certain networks.  Excellent, I have that done, and understand how it works.  I feel much better with the limited networks allowed to attempt to reach the webGUI.  This works great with static IPs.

    My question, then, is on how this works on machines with dynamic IPs.
      On a machine with a static WAN IP, this is easy.  But how do you define this on a machine whose WAN IP might change?  Is there a "localWAN" or "fxp1" variable I can use rather than the actual IP address, in case the IP address changes?
      Or does the firewall understand to update the table to accommodate a change in WAN IP?

    Hopefully this makes some kind of sense.  I just wish to ensure there's a solution for this prior to setting up boxes for my family across the country...

    Thanks in advance for any insight.  Sorry if this is a n00b question, but I couldn't find it in an hour of searching the forum.

  • Edit a firewall rule and have a look at the destination drop-down field. You will find a "WAN address" there that will be updated every time your IP changes (like on PPPoE or DHCP lines).
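    For anyone wondering what the "WAN address" choice does underneath, here is an added, hand-written pf.conf fragment illustrating the mechanism; it is not pfSense's generated ruleset and not code from anyone in this thread. It assumes the WAN interface is named em0, uses the port 10000 mentioned later in the thread, and the networks in the admin table are constructed sample values. The key point is the parenthesised `($ext_if)`: pf re-reads the interface's current address each time the rule is evaluated, so the rule keeps matching after a DHCP or PPPoE renewal, whereas a literal IP would silently stop matching once the address changed. The source restriction to a table of known networks is the "limited networks" approach from the first post.

```pf
# Added example: hand-written pf.conf fragment, not pfSense's own generated rules.
# Assumption: the WAN interface is em0. Port 10000 is the one used in this thread.
ext_if = "em0"
admin_port = "10000"

# Constructed sample networks allowed to reach the webGUI remotely.
table <admin_nets> const { 203.0.113.0/24, 198.51.100.0/24 }

# Default for WAN: drop and log everything not explicitly allowed.
block in log on $ext_if

# Parentheses around the interface name make pf look up the interface's
# current address at evaluation time instead of at rule-load time, so the
# rule survives a dynamic IP change. A literal address here would not.
pass in quick on $ext_if proto tcp from <admin_nets> to ($ext_if) port $admin_port \
    flags S/SA keep state
```

    On a stock FreeBSD/OpenBSD box, `pfctl -nf /etc/pf.conf` parses the file without loading it, which is a cheap syntax check before committing a change to a remote machine. On pfSense itself there is no need to edit pf.conf by hand: selecting "WAN address" in the GUI and putting the allowed networks in the Source field produces the same effect.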

  • Awesome.  Will try this and test a few with it.

    Thanks for your quick response!  Looks like it's time to make a donation to the project…  :)

  • Here in Germany most ISPs cut the line every 24h and you get a new dynamic IP on dial-in (PPPoE). My line has that ugly annoying "feature" too. The autoupdate of the rules/services works just as expected  ;)

  • Weird.

    Not sure if it's a thing new to 1.0-release, or the new change, or if I'm having another issue…

    I no longer can access my box remotely.

    Checked under rules...

    I have changed my once-specific rule to allow access from anywhere on the net (temporarily) and still can't get in to the web interface.

    I am using https, changed it to a nonstandard port, and created a rule that does this:

    Action = Pass
    Not disabled
    Interface WAN
    Protocol TCP
    Source (temp.) = *
    Port = *
    Destination = WAN address
    Destination Port Range = custom port
    Gateway = *

    This used to work.
      Just tried changing the Destination back to single host/network and manually put my static IP back in there...  no change when trying to access from another box (using RDP to try from another location).

    Local machines can connect to the internal ip https://lanip:custom port  without issue.

    Hmm, did I miss something here?  I hope I didn't do something fabulously stupid  ???

  • For port 10000 set it up like this:
    Action = Pass
    Not disabled
    Interface WAN
    Protocol TCP
    Source = *
    Port = *
    Destination = WAN address
    Destination Port Range = custom port 10000
    Gateway = *

  • Right, that's exactly how it's set.

    I'll try getting another drive and reinstalling from scratch, to make sure something didn't get corrupted in the upgrade from 1.0rc3 to 1.0-release.

    Hopefully this will work, then!

  • OK, installed on a different drive and installed from scratch, rewriting at least a few of the rules…

    ... no problems.

    Looks like something didn't come over quite right from 1.0rc to 1.0-release.  Not a biggie, but curious if anyone else might have run into this same situation.

  • Maybe you skipped rc3a, b, c, d, e and f.

  • Yes, I imagine that probably was the cause.

    Didn't see much info on the extra patches for 1.0rc3 until after I'd already upgraded to 1.0-rel.

    Oops.  :)

  • Reloaded from scratch on my home machine and STILL could not access it from the office.
    (the other tests were between two offices)

    Turns out my residential ISP was blocking the custom port.  Lovely.

    Well, after a change to another custom port, all is well.

    Thanks for the help, everyone!
