[Chugalug] A gentle intro to pfSense?


[Chugalug] A gentle intro to pfSense?

Dan Lyke
Anyone got a gentle intro to pfSense they'd recommend? I'm struggling
with a few things:

1. I went into Firewall / NAT / Port Forward, set up a rule for:

   Interface:      WAN
   Protocol:       TCP
   Source Address: *
   Source Ports:   *
   Dest. Address:  WAN address
   Dest. Ports:    22 (SSH)
   NAT IP:         192.168.37.16
   NAT Ports:      22 (SSH)

   But ssh into the WAN address is not making it to 192.168.37.16 on
   the LAN.

2. I have a static assignment in DHCP leases. I'm using the "DNS
   Forwarder", which I'm led to believe is DNSMasq. I can do
   "host daffodils.flutterby.net" and get 192.168.37. Awesome.

   I have Dynamic DNS set up with Namecheap. The control panel says:

   Interface Service    Hostname                Cached IP
   WAN       Namecheap  daffodils.flutterby.net 104.57.64.70

   So far so good, except that

   host daffodils.flutterby.net DNS1.REGISTRAR-SERVERS.COM

   gives me

   Host daffodils.flutterby.net not found: 3(NXDOMAIN)

Problem #2 could be propagation delay, but usually it only takes a few
minutes to get from dynamic DNS to the registrar's servers...

Dan
_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug

Re: [Chugalug] A gentle intro to pfSense?

Dave Brockman
On 4/27/2017 5:40 PM, Dan Lyke wrote:

> Anyone got a gentle intro to pfSense they'd recommend? I'm struggling
> with a few things:
>
> 1. I went into Firewall / NAT / Port Forward, set up a rule for:
>
>    Interface:      WAN
>    Protocol:       TCP
>    Source Address: *
>    Source Ports:   *
>    Dest. Address:  WAN address
>    Dest. Ports:    22 (SSH)
>    NAT IP:         192.168.37.16
>    NAT Ports:      22 (SSH)
>
>    But ssh into the WAN address is not making it to 192.168.37.16 on
>    the LAN.

You also need a rule under Firewall->Rules->WAN

  Protocol: IPv4 TCP
  SrcIP: *
  SrcPort: *
  Destination: 192.168.37.16
  DstPort: 22

May or may not have been created for you.  I would also verify that
either SSH is disabled on the firewall itself, or running on an
alternative port.  Do you see the packets hit the firewall logs?

> 2. I have a static assignment in DHCP leases. I'm using the "DNS
>    Forwarder", which I'm led to believe is DNSMasq. I can do
>    "host daffodils.flutterby.net" and get 192.168.37. Awesome.
>
>    I have Dynamic DNS set up with Namecheap. The control panel says:
>
>    Interface Service    Hostname                Cached IP
>    WAN       Namecheap  daffodils.flutterby.net 104.57.64.70
>
>    So far so good, except that
>
>    host daffodils.flutterby.net DNS1.REGISTRAR-SERVERS.COM
>
>    gives me
>
>    Host daffodils.flutterby.net not found: 3(NXDOMAIN)
>
> Problem #2 could be propagation delay, but usually it only takes a few
> minutes to get from dynamic DNS to the registrar's servers...

Who is authoritative for the zone?  REGISTRAR or Namecheap?  If the
former, do you have something configured between Namecheap and REGISTRAR
to dynamically update the zone?

Regards,

dtb


Re: [Chugalug] A gentle intro to pfSense?

Dan Lyke
On Thu, 27 Apr 2017 19:54:14 -0400
Dave Brockman <[hidden email]> wrote:
> You also need a rule under Firewall->Rules->WAN

That got automatically created...

I'm not sure what changed, but this morning apparently it works.

> Who is authoritative for the zone?  REGISTRAR or Namecheap?  If the
> former, do you have something configured between Namecheap and
> REGISTRAR to dynamically update the zone?

NS[12].REGISTRAR-SERVERS.COM are Namecheap's DNS servers (or whoever
they outsource their "DNS which comes with name registration" to).

Dan

Re: [Chugalug] A gentle intro to pfSense?

Dave Brockman
On 4/28/2017 11:28 AM, Dan Lyke wrote:
> On Thu, 27 Apr 2017 19:54:14 -0400
> Dave Brockman <[hidden email]> wrote:
>> You also need a rule under Firewall->Rules->WAN
>
> That got automatically created...
>
> I'm not sure what changed, but this morning apparently it works.

pfSense has its quirks.  If I create a new IPSec tunnel, once I apply
the configuration changes, I lose access to the LAN interface for a
period of time.  Traffic keeps passing in both directions, tunnels come
up, and pass traffic.  A different machine (MAC) can access the LAN
interface (and web configurator), but I usually have a 30-40 minute wait
or have to reboot to gain access from the original machine.

>> Who is authoritative for the zone?  REGISTRAR or Namecheap?  If the
>> former, do you have something configured between Namecheap and
>> REGISTRAR to dynamically update the zone?
>
> NS[12].REGISTRAR-SERVERS.COM are Namecheap's DNS servers (or whoever
> they outsource their "DNS which comes with name registration" to).
>

LOL, sorry, I missed that :)  Sometimes our bits still like to bake, I
suppose.  Glad it's all working.  Ping me if you need any help.

Regards,

dtb


Re: [Chugalug] A gentle intro to pfSense?

Dan Lyke
On Fri, 28 Apr 2017 12:05:04 -0400
Dave Brockman <[hidden email]> wrote:
> LOL, sorry, I missed that :)  Sometimes our bits still like to bake, I
> suppose.  Glad it's all working.  Ping me if you need any help.

Well, the dynamic DNS stuff isn't... Sigh. But the tunneling is..

Oh, okay, one other thing:

My Internet connection is through a Pace 5268AC. Which sucks and
doesn't do a bridge mode, but I don't want to fight the modem problem.
So I've attached the pfSense box to it, and made the pfSense box the
exposed DMZ host.

Somehow the pfSense box has figured out that, despite having its WAN
interface as a 192.168.1.x address, its exposed address is
104.57.64.70. Great, except...

I'm getting a gazillion log entries saying

  arp: e0:22:03:df:b9:e1 is using my IP address 104.57.64.70 on re0!

Which I guess isn't killing anyone, but it is annoying...

Dan
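
The ARP warning Dan quotes is the FreeBSD kernel reporting that another MAC answered for the firewall's own address. As an added example (not from the thread or from pfSense), here is a small Python parser that pulls those lines out of a pfSense system log, counts how many distinct MACs claim each address on each interface, and separates a single consistently repeating claimant (in a DMZ-host setup typically the gateway itself) from several MACs claiming the same address, which deserves a look. The syslog prefixes and hostname in the sample are constructed; the MAC, IP and interface are the ones from the thread.

```python
import re
from collections import Counter, defaultdict

# Matches the FreeBSD/pfSense kernel message quoted in the thread, wherever
# it sits in a syslog line.
ARP_CONFLICT = re.compile(
    r"arp: (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) is using my IP address "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) on (?P<iface>\w+)!"
)

# Constructed sample log: three repeats of the thread's message plus one
# unrelated line that the parser must ignore.
SAMPLE_LOG = [
    "Apr 28 12:40:01 pfsense kernel: arp: e0:22:03:df:b9:e1 is using my IP address 104.57.64.70 on re0!",
    "Apr 28 12:40:31 pfsense dhcpd: DHCPACK on 192.168.37.16 to 52:54:00:12:34:56 via re1",
    "Apr 28 12:41:02 pfsense kernel: arp: e0:22:03:df:b9:e1 is using my IP address 104.57.64.70 on re0!",
    "Apr 28 12:42:03 pfsense kernel: arp: e0:22:03:df:b9:e1 is using my IP address 104.57.64.70 on re0!",
]


def parse_arp_conflicts(lines):
    """Return {(ip, iface): Counter(mac -> occurrences)} for matching lines."""
    seen = defaultdict(Counter)
    for line in lines:
        m = ARP_CONFLICT.search(line)
        if m:
            seen[(m["ip"], m["iface"])][m["mac"].lower()] += 1
    return seen


def assess(seen, expected_macs=()):
    """Classify each contested address.

    known-device:            one claimant, and it is a MAC you expect (e.g. the gateway)
    single-unknown-claimant: one claimant you have not identified yet
    multiple-claimants:      several MACs answering for the address; investigate
    """
    expected = {m.lower() for m in expected_macs}
    report = {}
    for (ip, iface), macs in seen.items():
        if len(macs) > 1:
            verdict = "multiple-claimants"
        elif set(macs) <= expected:
            verdict = "known-device"
        else:
            verdict = "single-unknown-claimant"
        report[(ip, iface)] = (verdict, dict(macs))
    return report


if __name__ == "__main__":
    for key, (verdict, macs) in assess(parse_arp_conflicts(SAMPLE_LOG)).items():
        print(key, verdict, macs)
```

Feed it `clog /var/log/system.log` output (or an exported log) on a pfSense box, and pass the gateway's MAC as `expected_macs` once you have identified it.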

Re: [Chugalug] A gentle intro to pfSense?

Dave Brockman
On 4/28/2017 12:46 PM, Dan Lyke wrote:
> On Fri, 28 Apr 2017 12:05:04 -0400
> Dave Brockman <[hidden email]> wrote:
>> LOL, sorry, I missed that :)  Sometimes our bits still like to bake, I
>> suppose.  Glad it's all working.  Ping me if you need any help.
>
> Well, the dynamic DNS stuff isn't... Sigh. But the tunneling is..

Usually there is a key installed on the pfSense side, from the DDNS
provider?

> Oh, okay, one other thing:
>
> My Internet connection is through a Pace 5268AC. Which sucks and

Ugh, are you on U-verse?

> doesn't do a bridge mode, but I don't want to fight the modem problem.
> So I've attached the pfSense box to it, and made the pfSense box the
> exposed DMZ host.
>
> Somehow the pfSense box has figured out that, despite having its WAN
> interface as a 192.168.1.x address, its exposed address is
> 104.57.64.70. Great, except...
>
> I'm getting a gazillion log entries saying
>
>   arp: e0:22:03:df:b9:e1 is using my IP address 104.57.64.70 on re0!
>
> Which I guess isn't killing anyone, but it is annoying...

Hmmm, I haven't encountered that.  Do you have UPnP enabled on pfSense?

Regards,

dtb

Re: [Chugalug] A gentle intro to pfSense?

Dan Lyke
On Fri, 28 Apr 2017 14:07:21 -0400
Dave Brockman <[hidden email]> wrote:
> > Well, the dynamic DNS stuff isn't... Sigh. But the tunneling is..
>
> Usually there is a key installed on the pfSense side, from the DDNS
> provider?

Yeah, I copied and pasted that in. No idea where the logs might be to
debug this...

> > My Internet connection is through a Pace 5268AC. Which sucks and
>
> Ugh, are you on U-verse?

Almost. I'm on Sonic FTTN, which is the business service IP portion of
U-Verse plus Sonic services (and TOS, but unless I VPN everything to Sonic
it's unclear what traffic monitoring AT&T is doing on my connection anyway).

> > I'm getting a gazillion log entries saying
> >
> >   arp: e0:22:03:df:b9:e1 is using my IP address 104.57.64.70 on re0!
> >
> > Which I guess isn't killing anyone, but it is annoying...
>
> Hmmm, I haven't encountered that.  Do you have UPnP enabled on
> pfSense?

Nope. I'll ignore it, see if it goes away...

Dan