Trouble with NAT / Firewall rules, and dynamic WAN IP



  • Hi -

I'm running pfSense 1.0.1. My ISP gives me a dynamic IP address each time I get connected, and disconnects me every 24hrs to force me to change my IP address (crappy, yeah).

I'm having trouble with NAT, let me explain. When I create a NAT rule (which automatically adds a firewall rule), redirection works OK, until I get disconnected and reconnected, which means my WAN IP changes.

The problem is that, as pfctl -sn shows, redirections are applied to the WAN IP address:

    rdr on ng0 inet proto tcp from any to 82.120.171.165 port = 9258 -> 192.168.0.129 port 23
    rdr on ng0 inet proto tcp from any to 82.120.171.165 port = spc -> 192.168.0.3
    rdr on ng0 inet proto udp from any to 82.120.171.165 port = 6112 -> 192.168.0.3
    rdr on ng0 inet proto tcp from any to 82.120.171.165 port = ssh -> 192.168.0.128
    rdr on ng0 inet proto tcp from any to 82.120.171.165 port = telnet -> 192.168.0.128
    rdr on ng0 inet proto tcp from any to 82.120.171.165 port = ftp -> 192.168.0.128
    rdr on ng0 inet proto tcp from any to 82.120.171.165 port = http -> 192.168.0.128

    So when I get disconnected and reconnected, it doesn't seem to be updated accordingly, because pf doesn't match any redirections, and ends up matching one of these rules:

    block drop in log quick all label "Default block all just to be sure."
    block drop out log quick all label "Default block all just to be sure."

    I can see that through tcpdump running on pflog0.

    I don't know if the issue is related to a misconfiguration by me or if it's a known bug.
    What is the right script to run in order to update the rules table to match the new WAN IP?

    Thanks!



  • Well, here's the hack I used to solve my problem:

    1/ Write a little script, say /etc/rc.update.all:

    #!/bin/sh
    
    # Reload filter rules to match the new WAN IP
    /etc/rc.filter_configure
    /etc/rc.filter_configure_sync
    
    # Update the DynDNS
    /etc/rc.dyndns.update
    

2/ Add a line at the end of /usr/local/sbin/ppp-linkup to run the script.

It seems to work when I manually disconnect and reconnect; I hope it will also work when I get disconnected by my ISP (i.e. mpd will run the ppp-linkup script).
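    A small check that goes with the hack above, added here as an example and not part of the original post: it parses `pfctl -sn` output, compares the address each rdr rule is bound to with the address currently on the WAN interface, and only reloads the ruleset when they differ. It assumes the WAN interface is ng0 (as in the pfctl output quoted in the first post); the sample rdr lines are constructed from that output so the parsing functions can be run offline, while `check_and_reload` needs to run on the firewall itself.

```shell
#!/bin/sh
# Added example (not from the original post): detect pf rdr rules that are still
# bound to a previous WAN address and reload the ruleset only when that is the case.

# Constructed sample of `pfctl -sn` output, taken from the rules quoted above.
SAMPLE_RDR='rdr on ng0 inet proto tcp from any to 82.120.171.165 port = ssh -> 192.168.0.128
rdr on ng0 inet proto tcp from any to 82.120.171.165 port = http -> 192.168.0.128
rdr on ng0 inet proto udp from any to 82.120.171.165 port = 6112 -> 192.168.0.3'

# Print every distinct address that rdr rules on interface $1 are bound to.
# Reads rdr rule text (the format of `pfctl -sn`) from stdin.
rdr_wan_addrs() {
    awk -v ifc="$1" '$1 == "rdr" && $3 == ifc {
        for (i = 1; i <= NF; i++) if ($i == "to") print $(i + 1)
    }' | sort -u
}

# Return 0 if every rdr rule on interface $1 targets WAN address $2,
# 1 if at least one rule still points at another (stale) address.
rdr_rules_current() {
    ifc=$1; wan=$2; stale=0
    for addr in $(rdr_wan_addrs "$ifc"); do
        if [ "$addr" != "$wan" ]; then
            echo "stale rdr target $addr on $ifc (WAN is now $wan)" >&2
            stale=1
        fi
    done
    return $stale
}

# Current IPv4 address of interface $1, as reported by ifconfig.
wan_addr() {
    ifconfig "$1" 2>/dev/null | awk '$1 == "inet" { print $2; exit }'
}

# Live check for the firewall: reload the filter rules only when the loaded
# rdr rules no longer match the WAN address (for use from ppp-linkup).
check_and_reload() {
    ifc=$1
    wan=$(wan_addr "$ifc")
    [ -n "$wan" ] || { echo "no inet address on $ifc" >&2; return 2; }
    if pfctl -sn 2>/dev/null | rdr_rules_current "$ifc" "$wan"; then
        echo "rdr rules on $ifc already match $wan"
    else
        /etc/rc.filter_configure
    fi
}

# Offline demonstration on the constructed sample: the WAN address has moved on.
printf '%s\n' "$SAMPLE_RDR" | rdr_rules_current ng0 82.120.171.166 \
    || echo "sample ruleset is stale, a reload would be triggered"
```

Calling `check_and_reload ng0` from the ppp-linkup hook instead of an unconditional reload avoids reloading the whole ruleset when the ISP hands back the same address.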



  • This is almost certainly not an issue in 1.2, lots of things related to that have been fixed.



  • Really?
    Thanks, I'm going to upgrade!

