Problem using Source Aliases



  • I'm running 2.1-RC1 Sept 1 firmware. In my rule to allow OpenVPN traffic I have created an alias for the source.  That alias is a URL for a dynamic IP. I'd like the rule to only accept connections from the IP address of the alias url. My plan is to update the IP address of the alias URL from my laptop from whatever location I'm at.

    After I update the IP address I do a DNS lookup to make sure it has propagated and then try to connect. It connects fine to the VPN. However, one time I forgot to do the update from a new location and the VPN connected anyways. I checked my public IP and then the IP address of the dynamic IP URL and they, of course, did not match. From further testing any internet address can connect to the OpenVPN daemon and not just the address of the source URL.

    So it seems like PfSense is not respecting the alias I have put in for the source field in my OpenVPN firewall rule. How often does PfSense rules resolve the URLs in the alias settings? Is it periodically or when a connection is made to the port?

    Am I missing something? If this is only a issue with 2.1 and not older releases my apologies for posting this under "Firewall" instead of "2.1 Feedback."

    Jake



  • I do a similar thing and it works, on 2.1-RCn. Each of my remote office pfSense keeps a dynamic DNS name up-to-date with the current public IP address. The main office server has a rule on WAN only allowing incoming connects to the OpenVPN server listening port from an alias that has all the remote office dynamic DNS names in it.
    pfSense checks the names in an alias every 5 minutes, and updates the corresponding table in pf. But I don't think that old entries are removed, so if you go back to behind some public IP you have used "recently" it will allow access.
    I know mine works, because when a remote office comes online with a new public IP, the OpenVPN connects are blocked for 5 minutes or so, then the main office end pf table gets updated, and the next minute the connect is allowed and the site-to-site link establishes.
    It should work the same for Road Warrior like you describe.
    First thing to check - the rule should be on WAN. Next, what other rules are on WAN that might accidentally let access through.
    In Diagnostics-Tables you can see what IP addresses are actually in the pf table for the alias.



  • Thanks so much for your response. It helps me understand how the firewall rules work.

    I have exaggerated  :P my claim that any internet address is allowed through the OpenVPN rule. I have really only tried from places that I've previously connected from. I've checked over my other rules and everything seems to be fine.

    As I've looked over the table for my alias entry it does have that last few IP addresses I've used and that would explain it.

    My next question would be is there a way to periodically flush IP address from the alias table or better yet only allow one IP entry at one time?



  • I think I've answered my own question. Just create a cron job either through the console or with the cron package.

    This is from the cron package:

    */15  *  *  *  *  root  /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 900 "aliasname"

    With the "aliasname," without the quotes, being the alias and/or name of the table you want cleared. I put every 15 minutes to clear out the table.

    Hope this helps someone and I hope this is the best way of doing this.

    Jake



  • I added this issue to redmine: https://redmine.pfsense.org/issues/3199


Log in to reply