Does pfsense fail if IPs cannot be converted to names?



  • Hi,

    I am currently using Linux and shorewall for one of my firewalls/gateways and I am having a recurring issue, which I am wondering if I could solve by switching to pfsense.

    One of my networks is restricted to bigbank.com and bigbank.com often seems to be down when my firewall/gateway is booted in the morning.

    When shorewall runs it seems to check the ip address of bigbank.com and use this ip address when it creates the iptables/netfilter rules.

    The problem is that when bigbank.com is unavailable shorewall fails and none of the networks will allow any traffic through and I cannot even get ssh access to the server (which is headless and is a pain to get at).

    Therefore, how would pfsense deal with this situation? If bigbank.com was unavailable would pfsense refuse to allow any traffic through on any interface or would it only be this one rule that was affected?

    jk



  • In case of multiwan, you can use loadbalancing + failover



  • I use an edge/outer firewall which is on all the time and gives me no issues. The firewall/gateway I am looking at changing to pfsense is an inner gateway that sits behind the outer firewall and does dns, dhcp, squid and firewalling of separate networks. It runs on an Atom based server to reduce power usage, but I still do not like to have it left on overnight as it is a waste of energy. My problems occur when I boot this inner gateway in the morning (approx once a month I have problems).

    I am interested to know how pfsense would behave if it was used to restrict an internal network to access a single external domain and what would happen if the domain was not available when the pfsense machine was booted.

    It may be that you can only use ip addresses in the pfsense firewall rules, which would make my question irrelevant anyway (I haven't had a good look at pfsense yet).



  • The problem you're experiencing may be due to the fact that Linux iptables will try to resolve a hostname into an IP at load time. If DNS resolution fails, problems may arise. In the case of a Linux host, you could add that hostname in the /etc/hosts file.

    pfsense allows you to use fqdn (e.g. www.bigbank.com) as an alias, which you can reference in the firewall rules. But pfsense also features a special daemon that periodically tries to resolve an fqdn-alias into IP(s) and will update the relevant pf table.



  • @dhatz:

    The problem you're experiencing may be due to the fact that Linux iptables will try to resolve a hostname into an IP at load time. If DNS resolution fails, problems may arise.

    PF does the same thing, but in our case, we handle FQDNs outside of PF, including keeping them updated and ensuring they resolve so it doesn't blow up the ruleset.

    So if you have example.com in as an alias, and example.com doesn't resolve when the ruleset is being loaded or reloaded, it just omits that from the rules and configures everything else. It won't cause any problems unlike the OP's current setup.
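
The behaviour described in the two replies above (FQDN aliases resolved outside the packet filter, with an unresolvable alias left empty while everything else loads), as an added example. It is not pfSense's code and not from the thread; the function names, alias names and the constructed resolver are assumptions.

```python
import ipaddress
import re
import socket

ALIAS_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,30}$")  # conservative table-name check


def system_resolve(fqdn):
    """Return the IPv4 addresses for fqdn; raises OSError if the lookup fails."""
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def resolve_aliases(aliases, resolve=system_resolve):
    """Resolve every alias independently and return (tables, unresolved).

    A failed or malformed answer leaves that alias with an empty table
    instead of aborting the whole run.
    """
    tables, unresolved = {}, []
    for name, fqdn in aliases.items():
        if not ALIAS_NAME.match(name):
            raise ValueError(f"bad alias name: {name!r}")  # config error, not a DNS error
        try:
            # Parse each answer so only real addresses reach the ruleset.
            ips = sorted({str(ipaddress.ip_address(a)) for a in resolve(fqdn)})
        except (OSError, ValueError):
            ips = []
            unresolved.append(fqdn)
        tables[name] = ips
    return tables, unresolved


def render_pf_tables(tables):
    """Emit one pf.conf table line per alias; an empty table gets no address list."""
    lines = []
    for name in sorted(tables):
        addrs = tables[name]
        body = f" {{ {' '.join(addrs)} }}" if addrs else ""
        lines.append(f"table <{name}> persist{body}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed resolver: bigbank.com is "down", the other name answers.
    def fake(fqdn):
        if fqdn == "bigbank.com":
            raise OSError("lookup failed")
        return ["192.0.2.10"]
    tables, failed = resolve_aliases({"bigbank": "bigbank.com", "mgmt": "admin.example.net"}, fake)
    print(render_pf_tables(tables), "\nunresolved:", failed)
```

A pass rule that references an empty table matches no destination, so only the rule for the unresolved name stops passing traffic; rules that do not use the alias, such as one for SSH management, load as usual.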



  • @dhatz - you are spot on. Every time a domain name cannot be resolved to an ip address everything fails. The host name stuff is a good idea but the numpty big bank also seems to change the ip addresses without much warning - so I would still get some issues from time to time.

    The alias setup sounds like what I need to look at. I am also interested in having a WebGUI instead of command line so I can show someone else how to resolve this issue if it occurs.

    I have an old machine to test on so I will start looking at pfsense.

    Thank you for your replies.

