    Firewall Rules on Dynamic WAN Interface - Auto-Adjusting?

    Firewalling
strick1226 last edited by

      Hi, Everyone!

I have been using pfSense for the past year or so, and have found I really do enjoy the extra security and stability that the FreeBSD + pf platform provides.
The extra security aspect does bring up one question I'm not sure about, however: how do you define firewall rulesets for machines whose WAN IPs change on occasion?  By this I mean every few weeks, not every day or so…

      For instance:

With IPCop I used to allow https on a nonstandard port for all the world to access in order to administer the box remotely.  Obviously, not completely safe, but it worked for my needs.
Now with pfSense I want to allow almost the same, but I wish to restrict it to certain networks.  Excellent, I have that done, and understand how it works.  I feel much better with the limited networks allowed to attempt to reach the webGUI.  This works great with static IPs.

My question, then, is how this works on machines with dynamic IPs.
On a machine with a static WAN IP, this is easy.  But how do you define this on a machine whose WAN IP might change?  Is there a "localWAN" or "fxp1" variable I can use rather than the actual IP address, in case the IP address changes?
Or does the firewall understand to update the table to accommodate a change in WAN IP?

      Hopefully this makes some kind of sense.  I just wish to ensure there's a solution for this prior to setting up boxes for my family across the country...

      Thanks in advance for any insight.  Sorry if this is a n00b question, but I couldn't find it in an hour of searching the forum.

hoba last edited by

Edit a firewall rule and have a look at the destination dropdown field. You will find a "WAN Address" there that will be updated every time your IP changes (like on PPPoE or DHCP lines).

strick1226 last edited by

          Awesome.  Will try this and test a few with it.

          Thanks for your quick response!  Looks like it's time to make a donation to the project…  :)

hoba last edited by

Here in Germany most ISPs cut the line every 24h and you get a new dynamic IP on dial-in (PPPoE). My line has that ugly, annoying "feature" too. The auto-update of the rules/services works just as expected  ;)

strick1226 last edited by

              Weird.

              Not sure if it's a thing new to 1.0-release, or the new change, or if I'm having another issue…

              I no longer can access my box remotely.

              Checked under rules...

              I have changed my once-specific rule to allow access from anywhere on the net (temporarily) and still can't get in to the web interface.

              I am using https, changed it to a nonstandard port, and created a rule that does this:

              Action = Pass
              Not disabled
              Interface WAN
              Protocol TCP
              Source (temp.) = *
              Port = *
              Destination = WAN address
              Destination Port Range = custom port
              Gateway = *

This used to work.
Just tried changing the Destination back to single host/network and manually put my static IP back in there...  no change when trying to access from another box (using RDP to try from another location).

Local machines can connect to the internal IP https://lanip:custom port without issue.

              Hmm, did I miss something here?  I hope I didn't do something fabulously stupid  ???

jeroen234 last edited by

For port 10000 set it up like this:
                Action = Pass
                Not disabled
                Interface WAN
                Protocol TCP
                Source = *
                Port = *
                Destination = WAN address
                Destination Port Range = custom port 10000
                Gateway = *

strick1226 last edited by
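An added example, not from this thread or from pfSense itself, showing what hoba's "WAN Address" choice and jeroen234's port 10000 rule come to in pf.conf terms, with the original poster's intent of restricting access to certain networks kept. The interface name fxp1, the table name admin_nets and the networks listed in it are assumptions.

```pf
# Assumed WAN interface name for this box.
wan = "fxp1"

# Assumed: networks allowed to reach the webGUI. Edit to taste; keeping this
# table short is what limits who can even attempt to log in.
table <admin_nets> { 203.0.113.0/24, 198.51.100.7 }

# "WAN Address" in the GUI becomes the parenthesised interface name in pf.
# ($wan) is resolved to the interface's current address when the packet is
# evaluated, so the rule keeps matching after a DHCP or PPPoE address change
# without a ruleset reload. A literal address would go stale instead.
pass in quick on $wan inet proto tcp from <admin_nets> to ($wan) port 10000 \
    flags S/SA keep state

# Everything else arriving on WAN for the webGUI port is dropped and logged,
# which makes scans and blocked-port problems visible in the firewall log.
block in log quick on $wan inet proto tcp to ($wan) port 10000
```

On pfSense the generated ruleset can be read in /tmp/rules.debug, and `pfctl -sr` shows the loaded rule with (fxp1) rather than a fixed address, which is the sign that it will survive an address change; if the rule is present and still nothing arrives, test the port from outside the ISP's network, since the last post in this thread shows the provider itself may be filtering it.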

Right, that's exactly how it's set.

                  I'll try getting another drive and reinstalling from scratch, to make sure something didn't get corrupted in the upgrade from 1.0rc3 to 1.0-release.

                  Hopefully this will work, then!

strick1226 last edited by

                    OK, installed on a different drive and installed from scratch, rewriting at least a few of the rules…

                    ... no problems.

                    Looks like something didn't come over quite right from 1.0rc to 1.0-release.  Not a biggie, but curious if anyone else might have run into this same situation.

jeroen234 last edited by

Maybe you skipped rc3a, b, c, d, e and f.

strick1226 last edited by

                        Yes, I imagine that probably was the cause.

Didn't see much info on the extra patches for 1.0rc3 until after I'd already upgraded to 1.0-rel.

                        Oops.  :)

strick1226 last edited by

Reloaded from scratch on my home machine and STILL could not access it from the office.
(The other tests were between two offices.)

                          Turns out my residential ISP was blocking the custom port.  Lovely.

                          Well, after a change to another custom port, all is well.

                          Thanks for the help, everyone!
