Netgate Discussion Forum
    Dynamic dns question

General pfSense Questions
25 Posts 4 Posters 8.4k Views
pman860507

I set up a domain name with DynDNS which I want to use for my router so I can set up my VPN and everything I need remotely, since I have a dynamic IP address. I also have an HP MediaSmart server that has a domain name. One thing that I did not realize is that my external IP address is the same for all my computers. When I type in my DynDNS domain name on the local network it comes up with my pfSense interface (http or https). Though when I type it in remotely, the http gets a connection error and if I use https I am connected to my home server web page.

What do I need to do to be able to access it remotely? At the moment I can't even ping either one of my domain names, though I'm able to connect to my home server through the web browser.

Pretty much all I want to do is be able to access my VPN over my phone/laptop when I'm not at home.

tommyboy180

Set up your firewall pinholes.

When you connect to your own DynDNS from within your network, the NAT is reflected and your source IP is not your public IP but the IP of the pfSense box. Using a proxy or VPN will 'show' you how the traffic is really being handled from the outside.

-Tom Schaefer
SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 GHz - 2 Gig RAM

Please support pfBlocker | File Browser | Strikeback

pman860507

I'm still new to this whole thing, so what do you mean by firewall pinholes?

wallabybob

@pman860507:

I'm still new to this whole thing, so what do you mean by firewall pinholes?

Firewalls typically allow traffic from the LAN side to the WAN side and block traffic from the WAN side to the LAN side. When some access to the internet is initiated, the firewall keeps some state information so that it can allow responses through the firewall. (It wouldn't be very useful to block ALL traffic from the WAN.)

If you are running some sort of service behind the firewall you need to have a small "hole" in the firewall to allow that specific access through the firewall. The previously described mechanism won't work because this sort of access is not initiated from the LAN side.

If the "modem" between your pfSense box and the internet is acting as a router/firewall you will probably need to configure it to allow VPN access from the internet and forward such access to your pfSense box.

The articles http://en.wikipedia.org/wiki/Port_forwarding and http://en.wikipedia.org/wiki/Firewall_pinhole explain in a bit more detail.
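The stateful-filter-plus-pinhole behaviour described above, as an added example that is not part of the thread and is not pf itself: a toy packet filter that passes LAN-initiated flows and their replies by state, drops anything unsolicited on WAN unless a pinhole rule matches, and treats a LAN-side connection to the WAN address as landing on the firewall's own services (NAT reflection off, which matches what the first post saw when browsing to the DynDNS name from inside). Addresses are from documentation ranges and outbound NAT is omitted, so replies are matched on the LAN host's own address; both are assumptions of the example. It also shows the rule-writing mistake to watch for with IPsec: ESP is IP protocol 50 and AH is protocol 51, not TCP ports, so a "TCP 50/51" rule never matches them; what IPsec needs passed is UDP 500 (IKE), UDP 4500 (NAT-T) and the ESP protocol. Whether that was the cause in this thread is not something the posts establish.

```python
"""Added example (not from the forum thread): a toy stateful packet filter.
Addresses, rule sets and results are constructed for illustration."""
from dataclasses import dataclass
from typing import Iterable, Set, Tuple

# IP protocol numbers.  ESP (50) and AH (51) are protocols, not TCP ports;
# a "TCP port 50" rule never matches an ESP packet.
ESP, TCP, UDP = 50, 6, 17
WAN_IP = "203.0.113.10"  # assumed firewall WAN address (documentation range)


@dataclass(frozen=True)
class Packet:
    iface: str      # "lan" or "wan": interface the packet arrives on
    proto: int
    src: str
    dst: str
    sport: int = 0  # 0 for ESP, which has no ports
    dport: int = 0


@dataclass(frozen=True)
class Pinhole:
    """An explicit allow for unsolicited inbound traffic on WAN."""
    proto: int
    dport: int = 0  # ignored for ESP


class Firewall:
    def __init__(self, pinholes: Iterable[Pinhole]) -> None:
        self.pinholes = list(pinholes)
        # Flows opened from the LAN side, stored so the reply tuple matches.
        self.states: Set[Tuple[int, str, int, str, int]] = set()

    def handle(self, p: Packet) -> str:
        if p.iface == "lan":
            if p.dst == WAN_IP:
                # Without NAT reflection the WAN address is just another local
                # address of the firewall: a LAN host browsing to the DynDNS
                # name lands on the firewall's own web GUI.
                return "pass:local-firewall"
            # Outbound is allowed by default; remember the flow with the
            # endpoints swapped so the answer can come back in.
            self.states.add((p.proto, p.dst, p.dport, p.src, p.sport))
            return "pass:out"
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.states:
            return "pass:reply"      # answer to something the LAN started
        for ph in self.pinholes:
            if ph.proto == p.proto and (p.proto == ESP or ph.dport == p.dport):
                return "pass:pinhole"
        return "drop"                # unsolicited and no pinhole: blocked


def demo() -> dict:
    """Run the same inbound IPsec packets through two rule sets."""
    peer = "198.51.100.7"                                  # assumed remote VPN client
    ike = Packet("wan", UDP, peer, WAN_IP, 500, 500)       # IKE
    natt = Packet("wan", UDP, peer, WAN_IP, 4500, 4500)    # NAT-T
    esp = Packet("wan", ESP, peer, WAN_IP)                 # encrypted payload
    rdp = Packet("wan", TCP, peer, "192.168.1.20", 40000, 3389)  # unsolicited

    # Rule set written as if ESP/AH were TCP ports: only IKE gets through.
    wrong = Firewall([Pinhole(TCP, 50), Pinhole(TCP, 51), Pinhole(UDP, 500)])
    # Rule set that passes IKE, NAT-T and the ESP protocol itself.
    right = Firewall([Pinhole(UDP, 500), Pinhole(UDP, 4500), Pinhole(ESP)])

    out = Packet("lan", TCP, "192.168.1.20", "93.184.216.34", 50001, 443)
    back = Packet("wan", TCP, "93.184.216.34", "192.168.1.20", 443, 50001)
    gui = Packet("lan", TCP, "192.168.1.20", WAN_IP, 50002, 443)

    return {
        "wrong": [wrong.handle(pkt) for pkt in (ike, natt, esp, rdp)],
        "right": [right.handle(pkt) for pkt in (ike, natt, esp, rdp)],
        # A reply with no matching state is dropped; after the LAN opens the
        # flow, the same reply packet is passed by state.
        "stateful": [right.handle(back), right.handle(out), right.handle(back)],
        "lan_to_wan_ip": right.handle(gui),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point to take from the two rule sets is that pfSense's NAT/port-forward entries are keyed on protocol plus port; ESP has no port, so it has to be passed as a protocol, and a rule for "TCP 50" silently matches nothing.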

pman860507

Thanks for explaining. I will check out the site.

pman860507

So I forwarded ports 50 and 51 TCP and 500 UDP, then pointed them to my router, but I still can't connect to it. Via my iPhone it's also asking me for a secret which I don't have.

tommyboy180

It's not prompting you for the pfSense user and pass, is it?

pman860507

@tommyboy180:

It's not prompting you for the pfSense user and pass, is it?

I set all that information in before I tried connecting to it.

tommyboy180

Can you post a screenshot of your NAT rules and firewall rules?

pman860507

WAN rules (I still think this is too limited; I'm seeing a lot of things blocked in my logs.)

NAT

IPsec rules (don't know what to do here)

tommyboy180

Your NAT and FW entries are correct.

Is your http server on another network (DMZ)?
I tried to connect to your server on port 80 from your external address (68.103.185.3) and it seems like it's trying to pass packets, and by that I mean it doesn't take forever to time out, it just drops. So it makes me wonder if 172.30.1.101 is reachable and if it has a firewall enabled that is dropping traffic.

Also, out of curiosity, what is the blue info icon next to your FW entries?

dszp

The "blue i circle" icon means logging is enabled for that rule.

David Szpunar

pman860507

@tommyboy180:

Your NAT and FW entries are correct.

Is your http server on another network (DMZ)?
I tried to connect to your server on port 80 from your external address (-) and it seems like it's trying to pass packets, and by that I mean it doesn't take forever to time out, it just drops. So it makes me wonder if -*****- is reachable and if it has a firewall enabled that is dropping traffic.

Also, out of curiosity, what is the blue info icon next to your FW entries?

I can connect to my home server remotely by going to the site --, but I can't figure out how to go to -**- to point to my router, since I only have 1 external address which both -- and -- are pointed to. The blue info icons are for logging, though I'm not sure how to access them.

tommyboy180

I'm not sure why you are confused. parman.dyndns.org points to 68.103.185.3 and parman.homeserver.com points to 68.103.185.3.
https is working correctly.

Are you trying to say you want a different port besides 443 to be redirected to another internal address? You can have as many public DNS records as you want, but if your ISP only gave you one public IP then you will be able to use a port pinhole only once per internal IP.
Both DNS records do point towards your router, but your router is forwarding the traffic based on your NAT and FW entries. Just pick another port to use to access your router (by the way, this is a really bad idea).

pman860507

Yeah, I figured it was a terrible idea. I really need more than one IP from my ISP. So then why am I not able to connect IPsec VPN remotely? I'm told the port forwarding is correct.

tommyboy180

I don't have an answer for IPsec, however may I suggest something easier?
If all you're looking at is remotely managing your router then SSH might be the perfect solution. Also, if you needed to remote desktop into one of your home computers you could easily set up tunneling with SSH.

pman860507

@tommyboy180:

I don't have an answer for IPsec, however may I suggest something easier?
If all you're looking at is remotely managing your router then SSH might be the perfect solution. Also, if you needed to remote desktop into one of your home computers you could easily set up tunneling with SSH.

Maybe you could point me in the right direction for remote SSH. I know the concept, but I'm not 100% sure how it works when you're not on the local network. I also want to be able to access and open my files on my server remotely; I used to use a PPTP VPN from my home server and it worked great.

tommyboy180

Sure.
Set up SSH on a server or the pfSense box. Change the default port to something other than 22. I also recommend certificate-based authentication only, but if you use passwords make sure they are strong.

Use a client like PuTTY to set up the connection. Use your DynDNS record. Set up tunneling. (http://oldsite.precedence.co.uk/nc/putty.html for more info)
For example, I want to connect to an RDP session within the SSH tunnel. My source port could be 555 while the destination is 192.168.1.100:3389 Remote.
SSH in to your network. Now open the Remote Desktop client and connect to 127.0.0.1:555. Perfect. (Same concept with other resource access.)

SSH only requires a single TCP connection, which is really FW friendly. If you are only going to be accessing a limited amount of resources then I highly recommend SSH over using a VPN. SSH does require attention to security, however. Just like any other remote service, always watch the logs. Install DenyHosts to help protect. Change your default port and enforce certificate authentication.

I use SSH to remote desktop, transfer files, access the web (so much more secure this way when on the road), maintain my websites, access email, and more. A VPN would be kind of overkill for just one person and a hassle just to set up.

pman860507

Thanks man! It actually worked the first time. You have taught me a lot and I'm greatly appreciative. How do you manage to access files and do remote desktops? FYI most of this stuff I do on my iPhone/laptop, but 99% is iPhone.

FYI I have never really understood SSH.

Is this where you do the remote desktop and stuff?

• In the 'Destination' box (see Figure 3) enter the address followed by a colon and the port number that you wish the NetManager to forward requests to (use localhost if you want to refer to the NetManager itself). For example, to access the NetManager's web pages you would enter 'localhost:80' or to access a Citrix server you might enter 'appserver:1494'. A list of useful ports is shown in the table below:

  Port No.  Service
  25        SMTP Mail
  80        Apache Web Server
  110       POP3 Mail Server
  143       IMAP Mail Server
  880       NetManager web based administration pages
  1494      Citrix ICA
  3389      Microsoft RDP

• Once you have entered the source port and destination details you must click the 'Add' button.
• You may add as many source and destination details as you want. Remember to click the 'Add' button each time.
• Click on 'Open'. This will open a window and ask you to log on to your server. Log on as 'ncadmin' or any other interactive user. If the window closes straight away when you type in the password, the account is not interactive. Use the NetManager web-based administration pages to modify the user account, so that they have an interactive account.
• Once you have logged on, the tunnelled connection will be live.
• When configuring your client software (e.g. web browser or email package), always enter localhost (i.e. the local computer) as the remote address instead of the IP address of your NetManager. If you do not do this, the computer will connect as normal instead of over the ssh tunnel. For example, if you have configured your source port to be '8000' and the destination to be 'localhost:80', you will be able to access the web pages served by your NetManager from a web browser on your local machine by using the URL 'http://localhost:8000/'. Similarly, if you have specified the source port as '1494' and the destination as 'appserver:1494', you will be able to configure the Citrix ICA client to connect to 'localhost'. The NetManager at the other end of the ssh tunnel will forward the traffic to machine 'appserver' on the remote network.

tommyboy180

Yes.
As an example, let's say your desktop IP is 192.168.1.100 and it runs Microsoft Remote Desktop, which listens on port 3389. You want to remote desktop to this PC with SSH from an external network such as work.

In PuTTY expand 'SSH' and then 'Tunnels'. You would add the following settings for the above example:
Source Port: 555
Destination: 192.168.1.100:3389
Select the radio options 'Remote' and 'Auto'

When you successfully log into your SSH server, open up the Remote Desktop client and connect to 127.0.0.1:555.
Now you have a completely secure and encrypted VPN connection to remote desktop. You can do the same with FTP, email, web, and so much more. SSH is a VPN solution but with a lot less hassle.
(Note: You don't have to use port 555 every time. This is just an easy port to remember, but you don't want to use the same port number twice or it won't work.)

It's a lot of fun when you start playing around, and it is really powerful. Just don't forget to watch your SSH logs for hacking attempts. By changing the default port from 22 to something like 222 you can greatly reduce the amount of attacks on your SSH server.

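Two of the posts above say to watch the SSH logs for hacking attempts and to install DenyHosts. The following is an added example, not from the thread and not DenyHosts' own code, of the check that tool automates: it parses the "Failed password" and "Accepted" lines that OpenSSH's sshd writes to the auth log, counts failures per source address, flags addresses over a threshold in the "sshd: ADDRESS" form used by /etc/hosts.deny, and points out a password login that succeeded from an address that had already failed, which is what a successful guess looks like. The log lines, the threshold of five and the addresses are constructed for the example. Two side notes on the PuTTY recipe itself: the settings above are the same thing as OpenSSH's `ssh -p 222 -L 555:192.168.1.100:3389 user@your-dyndns-name`, and a tunnel that listens on your own machine and forwards to a host on the far network is PuTTY's 'Local' type; a 'Remote' forward opens the listening port on the SSH server instead.

```python
"""Added example (not from the forum thread): a DenyHosts-style check over
sshd auth log lines.  The log below is constructed for the example."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the format sshd writes to /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Mar 10 02:11:03 gw sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar 10 02:11:05 gw sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar 10 02:11:09 gw sshd[2238]: Failed password for root from 198.51.100.23 port 51240 ssh2
Mar 10 02:11:12 gw sshd[2240]: Invalid user oracle from 198.51.100.23 port 51244
Mar 10 02:11:15 gw sshd[2240]: Failed password for invalid user oracle from 198.51.100.23 port 51244 ssh2
Mar 10 02:11:20 gw sshd[2244]: Failed password for invalid user test from 198.51.100.23 port 51250 ssh2
Mar 10 02:14:41 gw sshd[2301]: Accepted publickey for tom from 203.0.113.77 port 60012 ssh2: RSA SHA256:Zq3k9ExampleFingerprintConstructed
Mar 10 02:15:02 gw sshd[2310]: Failed password for tom from 203.0.113.77 port 60020 ssh2
Mar 10 02:15:08 gw sshd[2310]: Accepted password for tom from 203.0.113.77 port 60020 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def analyze(log_text: str, threshold: int = 5) -> dict:
    """Summarise failed and accepted logins per source address."""
    failures: Counter = Counter()
    invalid_users: Dict[str, List[str]] = defaultdict(list)
    accepted: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            if m["invalid"]:                 # account does not even exist: scanner behaviour
                invalid_users[m["ip"]].append(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["ip"], m["user"], m["method"]))
    flagged = sorted(ip for ip, n in failures.items() if n >= threshold)
    # A password login that succeeds from an address that already failed is
    # worth a second look; key-based logins are not subject to guessing.
    suspicious_logins = [
        (ip, user) for ip, user, method in accepted
        if method == "password" and failures[ip] > 0
    ]
    return {
        "failures": dict(failures),
        "invalid_users": dict(invalid_users),
        "flagged": flagged,
        "suspicious_logins": suspicious_logins,
    }


def hosts_deny_lines(flagged: List[str]) -> List[str]:
    """Entries in the /etc/hosts.deny format that DenyHosts maintains."""
    return [f"sshd: {ip}" for ip in flagged]


if __name__ == "__main__":
    report = analyze(SAMPLE_AUTH_LOG)
    print("failures per source:", report["failures"])
    print("would deny:", hosts_deny_lines(report["flagged"]))
    print("password logins after failures:", report["suspicious_logins"])
```

Running it against a real auth log is a matter of reading the file instead of the constructed string; the threshold is the knob to tune, and the "suspicious_logins" list is the one to read first, because a blocked scanner is noise while a successful password login after failures is the event that matters.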

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.