Some basic and advanced questions..
-
I've been using 2.0 for sometime now and I'm very happy with this Firewall! I do have some questions that I'm hoping that you guys can help me with. **1) ** I am not running any dns server in my network because I find this somewhat overkill for a home network. Pfsense is used as a DHCP server and the dns is also set to the gateway pfsense ip. I believe pfsense automaticaly uses the WAN dns setting from my Cable modem as the primary DNS. This works perfectly for browsing the net and connecting to other windows machine by hostname. Somehow windows machines can find each other by hostname/dns, but my other non windows machines fail to work with hostnames. For example my apache2 webserver on ubuntu cannot be reached by http://webserver01\. The work around I have right now is manualy editing my host file on this pc.. but this is obviously not a very neat solution. Can you guys tell me if it is possible to configure pfsense to use a select list of ip / hostnames (hosts file?) and if not found –> reroute to the dns of my modem? My goal would be to be able to reach all my servers/clients by hostname without editing host files on the machines etc. I could live with the fact that I have to manualy edit a host file on the pfsense machine so I wouldn't have to install/configure a dns server on the pfsense. But adding other ip's and hostnames to the pfsense hosts file does not seem to work (even after a ipconfig flush on the clients). Anyboy have any idea's on how I could set this up or get this working without setting u a complete dns package/server? **2) ** Is it possible to add a mac address source entry for a firewall rule? To make sure only my laptop and iphone can reach my IP-Cam? Right now I have it set to a specific port : myexternalip:portnumber which makes it harder to find this web-based ip-cam but I still find it somewhat scary that people can logon to it if they do a portscan of guess the portnumber :). I would rather block it entirerly, but I would still like to be able to use my Iphone and view the camera when not at home. Would it be possible to set up macaddress rule to allow only traffic from that device?
-
well for 1) I dont know,
but 2) definetly does not work.
the mac address of your iphone does not get broadcastet over the complete internet, it just gets broadcastet to the next router which is your UTMS provider or smth like that.
simple put up an authentication page infront of your webcam and use a good password :)
-
well for 1) I dont know,
but 2) definetly does not work.
the mac address of your iphone does not get broadcastet over the complete internet, it just gets broadcastet to the next router which is your UTMS provider or smth like that.
simple put up an authentication page infront of your webcam and use a good password :)
-
I forgot to mention that I tried the dns forwarder option.. but this only works with domain names. I want to be able to use http://webserver01 instead of http://webserver.home.local (the last option does work with the dns forwarder btw)
-
I can't modify the webpage software on this ip cam device.. so not much I can do :(
-
-
well for 2nd,
if you have your webserver running all the time, you can setup a proxy-host in apache with an authentication page, which after successfull auth on the apache redirects you to your web-camcheck mod_proxy
-
well for 1) I dont know,
but 2) definetly does not work.
the mac address of your iphone does not get broadcastet over the complete internet, it just gets broadcastet to the next router which is your UTMS provider or smth like that.
simple put up an authentication page infront of your webcam and use a good password :)
-
I forgot to mention that I tried the dns forwarder option.. but this only works with domain names. I want to be able to use http://webserver01 instead of http://webserver.home.local (the last option does work with the dns forwarder btw)
-
I can't modify the webpage software on this ip cam device.. so not much I can do :(
- DNS forwarder is sufficient for this. I use https://fw/ without a problem to connect to firewall and http://srv/ to my webserver.
-
-
Windows machines work because of netbios broadcasting/spamming the network looking for a response.
Under your DHCP settings on pfsense, make sure it is issuing itself as the DNS server to clients. Check your windows/apache boxes to make sure the DNS listed is the pfsense IP address. I use the DHCP forwarding service and I have no problems with using hostname alone.
Alternatively, you can also set static DNS entries under the DNS forwarder options. (Also required your computers are set to use the pfsense as the DNS server)
MACs can be spoofed just as easily. Like a previous posted mentioned you can put some sort of authentication on the apache server. If you're accessing it from your iphone or other wireless device, maybe just allow a speific subnet. (4.5.0.0/24 or w/e the CIDR range is for something like that, I never got that down pat) How many AT&T iphones are port-scanning and hacking lol? This will at least reduce the odds considerably.
-
- DNS forwarder is sufficient for this. I use https://fw/ without a problem to connect to firewall and http://srv/ to my webserver.
I tried setting this up but it requires me to enter a domain name. In my case this is home.local. (pfsense is fw01.home.local)
I tried adding a static entry with webserver01.home.local but I can only access it with the domain name and not with http://webserver01.
Not sure why it's not working :(
@heavy1metal:
Windows machines work because of netbios broadcasting/spamming the network looking for a response.
Under your DHCP settings on pfsense, make sure it is issuing itself as the DNS server to clients. Check your windows/apache boxes to make sure the DNS listed is the pfsense IP address. I use the DHCP forwarding service and I have no problems with using hostname alone.
Alternatively, you can also set static DNS entries under the DNS forwarder options. (Also required your computers are set to use the pfsense as the DNS server)
MACs can be spoofed just as easily. Like a previous posted mentioned you can put some sort of authentication on the apache server. If you're accessing it from your iphone or other wireless device, maybe just allow a speific subnet. (4.5.0.0/24 or w/e the CIDR range is for something like that, I never got that down pat) How many AT&T iphones are port-scanning and hacking lol? This will at least reduce the odds considerably.
Yeah I figured it was netbios spamming. Dhcp –> the dns ip are blank so it will use it's default pfsense gateway ip.
Authentication on another server is pretty pointless I think because I would have to make a nat entry to the apache server and then forward them to the webcam:ip page. If people were to guess the ip:port combo they could skip the apache page :P. I might aswel leave the apache nat entry out of the picture and just use the ip:port combo and hope they don't scan it ;)
-
1. The DNS forwarder works for me. I have pfSense set to send itself as the DNS entry in DHCP, and then it relays the DNS query out to whatever DNS provider I choose. You can leave it set to your ISPs server or use OpenDNS, as I do. Make sure you check the box that adds your DHCP leases to the DNS server. I forget whether it's in the DHCP or DNS screen.
2. Why not set up a VPN? Then you don't need to enable any outside access, and you can do a lot of other neat things with it as well.
-
-
I have the DHCP register in DNS checked, DNS forwarder enabled, made a static entry and still no go. On my own pc I have even set the dns server manualy in the adapter settings window.
-
VPN is not really an option when you want to quickly check the camera, or the webmail when on a different network, internet cafe, hotel etc. In my opinion VPN is more of a risk because you physicaly connect both networks.. I rather have one NAT entry mapped and the rest closed.
-
-
Applications nslookup and dig are useful for debugging name service problems. They both report the name server used and various levels of information returned by name servers.
Here are a couple of entries from the DNS forwarder on my system:
Host Domain IP Description
pf-wan example.org 192.168.37.36 WAN interface of pfSense box
zyxel example.org 192.168.37.21 Zyxel ADSL modempfSense domain is example.org and on the PCs on my network a DNS lookup of zyxel or zyxel.example.org both return 192.168.37.21
-
maybe DHCP is not setting the correct search domain, you should have "home.local"
on linux its in /etc/resolv.conf file
search home.local
nameserver ip-hereunder windows its called dns-suffix-search-list
ipconfig /all
will list that.
-
To get that working, you have to enable the dns-forwarder and have both options "Register DHCP…" enabled. The dns-forwarder acts as a small dns-server, which will fullfile all requests inside your homenet.
Now you get your webserver via http://webserver01.local at your net. If you now enter at the DHCP-settings-page under "Search domain list" "local" (without the ""), then you will find your webserver via http://webserver01.
Hope that will answer your questions. No host-file-hacking necessary.
Good luck!