Feature #1361 (closed)
DNSMasq, source interface and IPSec VPNs
Done: 100%
Description
« on: March 11, 2011, 10:03:04 am »
dnsmasq has the capability to use the internal interface IP when querying the override domains, i.e. when overriding internal.local, use the IP address 192.168.111.12 (server on the VPN at the other end of the link). However, as the request goes out from pfSense it uses the WAN interface and isn't encrypted. Normally, this can be overcome by sending the query from the internal interface, which dnsmasq supports through the syntax 192.168.111.12@192.168.1.1. However, the valid IP address checks on line 72 in services_dnsmasq_domainoverride_edit.php stop this being entered. If the line is commented out, then it all works as desired.
Could the tests please be modified to support this feature?
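The parsing, validation and rendering the description calls for, as an added Python example (it is not pfSense's PHP and not the patch posted below). The CONFIGURED_IPS set is a constructed stand-in for what pfSense's get_configured_ip_addresses() would return, and every function name is the example's own; the three value forms it handles (a bare address, '#' for an exclusion, and dnsmasq's ip@source syntax) are the ones the page discusses.

```python
import ipaddress

# Constructed sample of the addresses this firewall holds on its own
# interfaces; stands in for pfSense's get_configured_ip_addresses().
CONFIGURED_IPS = {"192.168.1.1", "203.0.113.5"}


def parse_override(value):
    """Split a stored override target into (target, source_ip).

    Three forms appear in the discussion:
      '#'                           exclusion, no upstream server
      '192.168.111.12'              bare upstream server
      '192.168.111.12@192.168.1.1'  upstream server, queried from a local IP
    source_ip is None when the value carries no '@' part.
    """
    if value == "#":
        return ("#", None)
    target, sep, source = value.partition("@")
    return (target, source if sep else None)


def encode_override(ip, src=None):
    """Inverse of parse_override: the single 'ip[@src]' string to store."""
    return ip if not src else f"{ip}@{src}"


def validate_override(ip, src="", configured=CONFIGURED_IPS):
    """Return the list of input errors for a submitted (ip, src) pair.

    The target must be an address or '#', and a source, if given, must be
    one of the firewall's own interface addresses, so dnsmasq can bind it
    and the query leaves with a source the IPsec policy actually matches.
    """
    errors = []
    if ip != "#":
        try:
            ipaddress.ip_address(ip)  # rejects 'a@b', as is_ipaddr() would
        except ValueError:
            errors.append("A valid IP address must be specified, or # for an exclusion.")
    if src:
        if ip == "#":
            errors.append("A source IP cannot be combined with an exclusion (#).")
        elif src not in configured:
            errors.append("The source IP must be one of this firewall's interface addresses.")
    return errors


def dnsmasq_server_line(domain, ip, src=None):
    """Render the server= directive dnsmasq needs for this override.

    '#' is passed through: for dnsmasq it means 'use the standard servers'.
    The '@src' suffix is dnsmasq's own syntax for the query source address.
    """
    return f"server=/{domain}/{ip}" + (f"@{src}" if src else "")


if __name__ == "__main__":
    # Constructed inputs: the override from the description.
    stored = encode_override("192.168.111.12", "192.168.1.1")
    ip, src = parse_override(stored)
    print(validate_override(ip, src))
    print(dnsmasq_server_line("internal.local", ip, src))
    # A source address that is not a local interface IP is refused.
    print(validate_override("192.168.111.12", "10.9.9.9"))
```

The check that the source is a configured interface address is the one that matters: any other value either makes dnsmasq fail to bind the socket or sends the query out unencrypted, which is exactly the problem the override is meant to solve.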
Updated by Hugh Blandford over 13 years ago
Well, here is my first bit of PHP coding, so hopefully it is OK. It seems to do what I wanted it to do.
diff services_dnsmasq_domainoverride_edit.php.orig services_dnsmasq_domainoverride_edit.php 54c54,61 < $pconfig['ip'] = $a_domainOverrides[$id]['ip']; --- > if (is_ipaddr($a_domainOverrides[$id]['ip']) && ($a_domainOverrides[$id]['ip'] != '#')) { > $pconfig['ip'] = $a_domainOverrides[$id]['ip']; > } > else { > $dnsmasqpieces = explode('@', $a_domainOverrides[$id]['ip'], 2); > $pconfig['ip'] = $dnsmasqpieces[0]; > $pconfig['dnssrcip'] = $dnsmasqpieces[1]; > } 73c80,83 < $input_errors[] = gettext("A valid IP address must be specified, or # for an exclusion."); --- > $input_errors[] = gettext("A valid IP address must be specified, or # for an exclusion."); > } > if ($_POST['dnssrcip'] && !in_array($_POST['dnssrcip'], get_configured_ip_addresses())) { > $input_errors[] = gettext("An interface IP address must be specified for the DNS query source."); 78c88,91 < $doment['ip'] = $_POST['ip']; --- > if (empty($_POST['dnssrcip'])) > $doment['ip'] = $_POST['ip']; > else > $doment['ip'] = $_POST['ip'] . "@" . $_POST['dnssrcip']; 118a132,138 > <tr> > <td width="22%" valign="top" class="vncellreq"><?=gettext("Source IP");?></td> > <td width="78%" class="vtable"> > <?=$mandfldhtml;?><input name="dnssrcip" type="text" class="formfld unknown" id="dnssrcip" size="40" value="<?=htmlspecialchars($pconfig['dnssrcip']);?>"> > <span class="vexpl"><?=gettext("Source IP address for queries to the DNS server for the override domain."); ?> > <?=gettext("Leave blank unless your DNS server is accessed through a VPN tunnel."); ?></span></td> > </tr>
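Review bot: in the hunk at line 54, the `!= '#'` test is redundant (is_ipaddr('#') is already false) and a plain '#' exclusion therefore falls into the else branch, where explode('@', '#', 2) yields one element and `$dnsmasqpieces[1]` is an undefined offset. Branch on the presence of '@' instead, e.g. `if (strpos($a_domainOverrides[$id]['ip'], '@') === false)` for the bare case and `list($pconfig['ip'], $pconfig['dnssrcip']) = explode('@', $a_domainOverrides[$id]['ip'], 2);` for the other.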
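Review bot: the new source-IP check in the hunk at line 80 accepts a `dnssrcip` even when `$_POST['ip']` is '#'; an exclusion has no upstream server to send from, so reject that combination here rather than letting the save path build a '#@<addr>' entry. Restricting the value to get_configured_ip_addresses() is otherwise the right check, since it also keeps anything that is not a local interface address out of the generated server= line.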
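Review bot: the hunk at line 88 encodes the source address into the existing `ip` field as `ip@src`, so every other reader of `$a_domainOverrides[...]['ip']` that expects a bare address now sees a value is_ipaddr() rejects. Either store it separately (e.g. `$doment['dnssrcip'] = $_POST['dnssrcip'];`) and join the two only where the dnsmasq config is written, or note the combined format at each place that reads the field.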
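Review bot: the new Source IP row in the hunk at line 132 uses class="vncellreq" and emits `$mandfldhtml`, both of which mark the field as mandatory, while its own help text says to leave it blank unless the server is reached through a VPN. Use class="vncell" and drop `$mandfldhtml` so the form does not present an optional field as required.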
Updated by Braden McGrath over 13 years ago
Looking for a dev response on this - has it been included into the latest nightlies? I need this functionality and rather than hacking about in my system I'll just upgrade from RC1 -> Nightly if it is included.
Updated by Chris Buechler over 13 years ago
- Target version set to 2.1
We've been feature frozen for a while; this won't make it until 2.1. Just add a static route as described in the FAQ.
Updated by Hugh Blandford over 13 years ago
Chris,
This is only changing the testing of the IP address that takes place in the page. It's really only cosmetic. If you take the test for is_ipaddr out, you can put an address into the existing interface and it works.
I just added an extra box to make it a bit easier on the eyes.
Hugh
Updated by Chris Buechler over 13 years ago
A feature freeze is a feature freeze; if we added every little thing that came along at RC stage we wouldn't put out a release in our lifetimes. Unintended consequences are prevalent with the most trivial-seeming changes.
Updated by Braden McGrath over 13 years ago
Chris Buechler wrote:
we've been feature frozen a while, this won't make it until 2.1. just add a static route as described in the FAQ.
Sorry to rock the boat, I completely forgot that RC normally = no more features. I hate Mondays.
I tried the static route option and it didn't work, at least not for dnsmasq trying to hit a remote server across the tunnel. This was back on 1.2.3 though... but I assume since Hugh made this patch the same bug was present anyway in 2.0.
I just munged my .php file by hand and that will work for me for now. :) Thanks for the patch, Hugh.
Updated by Chris Buechler over 13 years ago
Static routes work for dnsmasq and all other services in all versions.
http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F
Updated by Chris Buechler over 12 years ago
- Status changed from New to Assigned
- Assignee set to Darren Embry
Need to merge the above diff, though it may not apply cleanly anymore and may need some manual help.
Updated by Darren Embry over 12 years ago
Hugh, any chance you can provide the patch in the form of a unified diff or context diff please, and attach it instead of including it in a post? Those are normally the best practices when providing a patch.
I need it to be a context/unified diff because I cannot tell where the "Source IP" fields need to be inserted.
And I need it to be attached because I have reason to believe it got munged by the post formatting tool.
Updated by Darren Embry over 12 years ago
- Status changed from Assigned to Feedback
Updated by Chris Buechler over 12 years ago
- Target version deleted (2.1)
- Affected Version deleted (2.0)
Updated by Hugh Blandford over 12 years ago
Sorry this update has taken so long. I have checked the file still applies and added the capability to handle the _msdcs AD domains.
I have attached a unified diff. Hopefully the coding is OK.
Updated by Hugh Blandford over 12 years ago
Sorry a beginner at this. The patch file was the wrong way around.
Updated by Darren Embry over 12 years ago
- Status changed from Feedback to Resolved
- % Done changed from 0 to 100
Hugh, your patch is in github now.
Updated by Darren Embry over 12 years ago
- Status changed from Resolved to Feedback
Updated by Jim Thompson over 10 years ago
- Assignee changed from Darren Embry to Ermal Luçi
Maybe now this will get fixed.
Updated by Chris Buechler over 10 years ago
- Status changed from Feedback to Resolved
This was implemented for 2.1 and works fine; it just didn't get moved to "resolved" status.