
List:       pfsense-discussion
Subject:    Re: [pfSense] Bug in DynDNS notification sequence
From:       Walter Parker <walterp () gmail ! com>
Date:       2013-12-06 16:31:40
Message-ID: CAMPTd_ByZ=BV+458mhjDi0FcFyo4DkGfR9kYiiCoTGSXLV3HDA () mail ! gmail ! com

You don't need to open your rule set to allow everyone on the internet to
ping any address. Just allow the HE broker subnet to ping any address in
the tunnel subnet.
On Dec 5, 2013 11:51 PM, <pfsense@encambio.com> wrote:

>
> Hello list,
>
> The DynDNS logic seems to work in this wrong order:
>
>   1 Figure out the new public IP address for the interface
>   2 Send notifications to DynDNS targets (services_dyndns.php)
>   3 Change the interface database entry IP in firewall tables
>
> GRITTY DETAILS
>
> Please see
> http://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker#Enable_ICMP
>
>   Assuming a monitored interface 'WAN' with IP 1.2.3.4
>   Assuming a firewall rule 'only pass ICMP to WAN's address'
>   Assuming a DynDNS entry of type 'HE.net Tunnelbroker'
>   Assuming that 'WAN's IP now changes to 22.44.66.88
>
> ...a notification is sent to the HE.net Tunnelbroker using
> the specified HTTP POST to ipv4.tunnelbroker.net/nic/update
> which immediately sends ICMP requests to the new IP 22.44.66.88.
> PFSense blocks these ICMP requests because they don't match the
> rule 'block all ICMP to WAN except 5.6.7.8'
>
> WHY ARE THESE VALID ICMP REQUESTS BLOCKED?
>
> Because PFSense has not yet updated the 'WAN' alias to the new
> IP 22.44.66.88 in the firewall tables. This happens a short time
> later, too late to satisfy Tunnelbroker's link inspection logic.
>
> And that's the bug that keeps Tunnelbroker from working for some.
> The proof is in the logs:
>
>   php: rc.newwanip: phpDynDNS: PAYLOAD: -ERROR: IP is not ICMP
>   pingable.  Please make sure ICMP is not blocked.  If you are
>   blocking ICMP, please allow 66.220.2.74 through your firewall.
>
> ...by the way, when clicking 'Save' or 'Save & Force Update' in
> the HE.net Tunnelbroker PHP interface 'services_dyndns_edit.php',
> the WAN IP is correctly changed in the firewall tables before
> notifying HE.net, so the procedure works correctly then.
>
> (SUCKY) WORKAROUND
>
> Just allow ICMP to any IP address in the firewall rules for WAN.
>
> Regards,
> Michael
> _______________________________________________
> List mailing list
> List@lists.pfsense.org
> http://lists.pfsense.org/mailman/listinfo/list
>
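To make the ordering problem concrete, here is an added example (not pfSense code, and not anything Walter or Michael posted): a toy first-match packet filter that evaluates the broker's ICMP probe from the address named in the log line, 66.220.2.74, against the rule styles discussed in the thread. The alias "WAN_ADDRESS" stands in for pfSense's interface-address macro; the broker prefix 66.220.2.0/24 is a constructed placeholder, not HE.net's real allocation, and the third source address is made up. The block shows that a rule keyed on the WAN address fails while the firewall tables still hold the old IP (step 2 of the sequence above), that a rule keyed on the broker's source prefix does not depend on the alias at all, and that it still blocks ICMP from unrelated sources, unlike the "allow ICMP to any" workaround.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example: a toy first-match ("quick") packet filter, not pfSense's pf ruleset engine.


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # CIDR, or None for any source
    dst: Optional[str] = None    # CIDR, an alias name such as "WAN_ADDRESS", or None for any


class ToyFilter:
    def __init__(self, rules, aliases, default="block"):
        self.rules = list(rules)
        self.aliases = dict(aliases)  # alias name -> address currently loaded in the tables
        self.default = default        # pfSense-style default deny on WAN

    def _match_net(self, spec, addr):
        if spec is None:
            return True
        target = self.aliases.get(spec, spec)  # resolve alias name, else treat spec as CIDR
        return ipaddress.ip_address(addr) in ipaddress.ip_network(target, strict=False)

    def verdict(self, pkt):
        for r in self.rules:  # first matching rule wins
            if r.proto not in (None, pkt.proto):
                continue
            if self._match_net(r.src, pkt.src) and self._match_net(r.dst, pkt.dst):
                return r.action
        return self.default


OLD_WAN_IP = "1.2.3.4"          # addresses from the post
NEW_WAN_IP = "22.44.66.88"
HE_PROBE_SRC = "66.220.2.74"    # prober named in the logged HE.net error
HE_BROKER_PREFIX = "66.220.2.0/24"  # constructed placeholder, NOT HE.net's real prefix
UNRELATED_SRC = "198.51.100.7"      # constructed documentation address

PROBE = Packet("icmp", HE_PROBE_SRC, NEW_WAN_IP)


def wan_address_rules():
    # Michael's rule: "only pass ICMP to WAN's address", keyed on the dynamic alias
    return [Rule("pass", proto="icmp", dst="WAN_ADDRESS")]


def broker_source_rules():
    # Walter's suggestion: pass ICMP only from the broker prefix, independent of the alias
    return [Rule("pass", proto="icmp", src=HE_BROKER_PREFIX)]


def open_icmp_rules():
    # the "sucky workaround": ICMP from anywhere to any address on WAN
    return [Rule("pass", proto="icmp")]


def verdict_with_stale_alias(rules):
    # Step 2 of the sequence: HE.net has been notified, tables still hold the old IP.
    return ToyFilter(rules, {"WAN_ADDRESS": OLD_WAN_IP}).verdict(PROBE)


def verdict_after_alias_reload(rules):
    # Step 3: tables updated with the new IP, but the broker's probe has already failed.
    return ToyFilter(rules, {"WAN_ADDRESS": NEW_WAN_IP}).verdict(PROBE)


def verdict_for_unrelated_source(rules):
    # Exposure check: does the rule set also answer pings from a non-broker host?
    pkt = Packet("icmp", UNRELATED_SRC, NEW_WAN_IP)
    return ToyFilter(rules, {"WAN_ADDRESS": NEW_WAN_IP}).verdict(pkt)


if __name__ == "__main__":
    for name, rules in (("WAN-address rule", wan_address_rules()),
                        ("broker-source rule", broker_source_rules()),
                        ("open ICMP rule", open_icmp_rules())):
        print(f"{name:20s} stale alias: {verdict_with_stale_alias(rules):5s} "
              f"after reload: {verdict_after_alias_reload(rules):5s} "
              f"unrelated source: {verdict_for_unrelated_source(rules)}")
```

Running it prints one line per rule style: the WAN-address rule blocks the probe until the alias is reloaded, the broker-source rule passes it in both states and still blocks the unrelated host, and the open ICMP rule passes everything. Scoping the rule to the broker's source prefix is therefore both the fix for the ordering problem and the narrower exposure.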
