Feature #1361

closed

DNSMasq, source interface and IPSec VPNs

Added by Hugh Blandford about 13 years ago. Updated over 9 years ago.

Status: Resolved
Priority: Normal
Assignee: Ermal Luçi
Category: DNS Forwarder
Target version:
Start date: 03/17/2011
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:

Description

(Forum post of March 11, 2011, 10:03:04 am)
dnsmasq has the capability to use the internal interface IP when querying the override domains, i.e. when overriding internal.local, use the IP address 192.168.111.12 (server on the VPN at the other end of the link). However, as the request goes out from pfSense it uses the WAN interface and isn't encrypted. Normally, this can be overcome by sending the query from the internal interface, which dnsmasq supports through the syntax of . However, the valid IP address checks on line 72 in services_dnsmasq_domainoverride_edit.php stop this being entered. If the line is commented out, then it all works as desired.

Could the tests please be modified to support this feature?
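The mechanics behind the request above, as an added example that is not pfSense code and not the reporter's patch: it parses the stored override value in its plain, exclusion (#) and ip@source forms, validates it, renders the dnsmasq directive using dnsmasq's documented server=/<domain>/<ip>@<source-ip> form, and checks whether a query with that source address would actually be covered by an IPsec phase 2. The domain internal.local and the remote server 192.168.111.12 are from the post; the interface addresses (203.0.113.10 on WAN, 192.168.222.1 on LAN), the phase 2 selectors, and the assumption that the tunnel is policy-based IPsec (only traffic matching a local/remote selector pair is encrypted) are constructed for the example.

```python
"""Domain-override helpers for a dnsmasq forwarder: parse the stored 'ip',
'ip@source' or '#' value, validate it, render the server= line, and check
whether the query would be covered by an IPsec phase 2.

Added example; not pfSense code. All sample data below is constructed."""
import ipaddress

EXCLUSION = "#"

# Constructed: addresses assigned to this firewall's interfaces.
WAN_IP = "203.0.113.10"
LAN_IP = "192.168.222.1"
CONFIGURED_IFACE_IPS = {WAN_IP, LAN_IP}

# Constructed: one IPsec phase 2 as (local selector, remote selector).
# Assumption: policy-based IPsec, so a packet is only encrypted when its
# source is inside the local selector and its destination inside the remote.
IPSEC_PHASE2 = [
    (ipaddress.ip_network("192.168.222.0/24"),
     ipaddress.ip_network("192.168.111.0/24")),
]


def parse_override_ip(stored):
    """Split a stored override value into (target, source).

    Accepts '#', '10.0.0.1' and '10.0.0.1@192.168.222.1'. Raises ValueError
    for anything else, so a malformed value never reaches the dnsmasq config.
    """
    if stored == EXCLUSION:
        return EXCLUSION, None
    target, sep, source = stored.partition("@")
    ipaddress.ip_address(target)  # raises ValueError if not an address
    if not sep:
        return target, None
    if not source:
        raise ValueError("empty source address after '@'")
    ipaddress.ip_address(source)
    return target, source


def validate_override(target, source, iface_ips=CONFIGURED_IFACE_IPS):
    """Return a list of error strings; empty means the override is acceptable."""
    errors = []
    if target == EXCLUSION:
        if source is not None:
            errors.append("a source address cannot be combined with a # exclusion")
        return errors
    try:
        tgt = ipaddress.ip_address(target)
    except ValueError:
        return ["target must be an IP address or #"]
    if source is None:
        return errors
    try:
        src = ipaddress.ip_address(source)
    except ValueError:
        return ["source must be an IP address"]
    # The source must be an address this box owns, or dnsmasq cannot bind it.
    if str(src) not in iface_ips:
        errors.append("source must be an address configured on an interface")
    if src.version != tgt.version:
        errors.append("source and target must be the same IP version")
    return errors


def check_stored_override(stored, iface_ips=CONFIGURED_IFACE_IPS):
    """Parse then validate; return (target, source, errors)."""
    try:
        target, source = parse_override_ip(stored)
    except ValueError as exc:
        return None, None, [str(exc)]
    return target, source, validate_override(target, source, iface_ips)


def dnsmasq_server_line(domain, target, source=None):
    """Render the server= directive for one domain override."""
    if target == EXCLUSION:
        return "server=/%s/#" % domain
    if source is None:
        return "server=/%s/%s" % (domain, target)
    return "server=/%s/%s@%s" % (domain, target, source)


def query_is_tunnelled(target, source=None, phase2=IPSEC_PHASE2,
                       default_source=WAN_IP):
    """True if a query to `target` would match a phase 2 selector pair.

    With no explicit source the firewall uses the egress interface address,
    modelled here as the WAN address: the case the report describes, where
    the query leaves the WAN in the clear.
    """
    if target == EXCLUSION:
        return False
    src = ipaddress.ip_address(source or default_source)
    tgt = ipaddress.ip_address(target)
    return any(src in local and tgt in remote for local, remote in phase2)


if __name__ == "__main__":
    for stored in ("192.168.111.12", "192.168.111.12@192.168.222.1", "#"):
        target, source, errors = check_stored_override(stored)
        print(stored, "->", dnsmasq_server_line("internal.local", target, source),
              "tunnelled:", query_is_tunnelled(target, source), "errors:", errors)
```

Run stand-alone, the three sample values show the point of the request: the plain override renders as server=/internal.local/192.168.111.12 and is not tunnelled, while the ip@source form renders with @192.168.222.1 and matches the phase 2. Note that dnsmasq also accepts an interface name after the @; only the source-address form is modelled here.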



Actions #1

Updated by Hugh Blandford about 13 years ago

Well, here is my first bit of PHP coding, so hopefully it is OK. It seems to do what I wanted it to do.


diff services_dnsmasq_domainoverride_edit.php.orig services_dnsmasq_domainoverride_edit.php
54c54,61
<        $pconfig['ip'] = $a_domainOverrides[$id]['ip'];
---
>        if (is_ipaddr($a_domainOverrides[$id]['ip']) && ($a_domainOverrides[$id]['ip'] != '#')) {
>               $pconfig['ip'] = $a_domainOverrides[$id]['ip'];
>        }
>        else {
>              $dnsmasqpieces = explode('@', $a_domainOverrides[$id]['ip'], 2);
>              $pconfig['ip'] = $dnsmasqpieces[0];
>              $pconfig['dnssrcip'] = $dnsmasqpieces[1];
>        }
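
Review bot: the else branch assumes an '@' is present, but the '#' exclusion also fails is_ipaddr() and lands there, so explode() returns a one-element array and $dnsmasqpieces[1] is an undefined offset (PHP notice) every time an exclusion is edited. Branch on the separator instead: `if (strpos($a_domainOverrides[$id]['ip'], '@') === false) { $pconfig['ip'] = $a_domainOverrides[$id]['ip']; } else { list($pconfig['ip'], $pconfig['dnssrcip']) = explode('@', $a_domainOverrides[$id]['ip'], 2); }`. The `!= '#'` test is then unnecessary; it is already redundant, since is_ipaddr('#') is false.
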
73c80,83
<                $input_errors[] = gettext("A valid IP address must be specified, or # for an exclusion.");
---
>               $input_errors[] = gettext("A valid IP address must be specified, or # for an exclusion.");
>        }
>        if ($_POST['dnssrcip'] && !in_array($_POST['dnssrcip'], get_configured_ip_addresses())) {
>               $input_errors[] = gettext("An interface IP address must be specified for the DNS query source.");
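
Review bot: the new check only fires when dnssrcip is non-empty and never looks at $_POST['ip'], so a source address combined with a '#' exclusion passes validation and the following hunk stores it as `#@<ip>`, a value neither the exclusion path nor the address path handles. Reject the combination here: `if ($_POST['dnssrcip'] && $_POST['ip'] == '#') { $input_errors[] = gettext("A source IP cannot be combined with a # exclusion."); }`. Also note that the replacement emits a `}` to close the original block and opens a new `if` that is closed by the original file's next `}`; that works, but it is the kind of brace reuse that breaks silently when the surrounding code is reindented.
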
78c88,91
<                       $doment['ip'] = $_POST['ip'];
---
>                       if (empty($_POST['dnssrcip']))
>                                 $doment['ip'] = $_POST['ip'];
>                       else
>                               $doment['ip'] = $_POST['ip'] . "@" . $_POST['dnssrcip'];
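
Review bot: embedding the source in the existing ip field as `ip@source` means every other reader of $a_domainOverrides[...]['ip'] (the override list page, any is_ipaddr() check that treats the field as a bare address, and the code that writes the dnsmasq config) now has to know about the '@' form; storing a separate `dnssrcip` element in the config entry and joining the two with '@' only where the server= line is generated keeps existing consumers working and is what the edit-page code above already has to undo. Style: wrap both branches of the brace-less if/else in braces, as the rest of the file does.
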
118a132,138
>                               <tr>
>                   <td width="22%" valign="top" class="vncellreq"><?=gettext("Source IP");?></td>
>                   <td width="78%" class="vtable">
>                     <?=$mandfldhtml;?><input name="dnssrcip" type="text" class="formfld unknown" id="dnssrcip" size="40" value="<?=htmlspecialchars($pconfig['dnssrcip']);?>">
>                     
 <span class="vexpl"><?=gettext("Source IP address for queries to the DNS server for the override domain."); ?>

>                     <?=gettext("Leave blank unless your DNS server is accessed through a VPN tunnel."); ?></span></td>
>                 </tr>
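
Review bot: the row is marked as required (`class="vncellreq"` plus `<?=$mandfldhtml;?>`) while its own help text says to leave it blank unless the server is behind a VPN; use `class="vncell"` and drop the mandatory marker so an optional field is not presented as required. Separately, the last lines of this hunk lost their `>` prefixes and line breaks in the post (the `<span class="vexpl">` text runs together with the input line), so the diff cannot be applied as pasted; attaching it as a unified diff, as asked for later in the thread, avoids that.
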

Actions #2

Updated by Braden McGrath about 13 years ago

Looking for a dev response on this - has it been included in the latest nightlies? I need this functionality and rather than hacking about in my system I'll just upgrade from RC1 -> Nightly if it is included.

Actions #3

Updated by Chris Buechler about 13 years ago

  • Target version set to 2.1

We've been feature frozen for a while; this won't make it until 2.1. Just add a static route as described in the FAQ.

Actions #4

Updated by Hugh Blandford about 13 years ago

Chris,

This is only changing the testing of the IP address that takes place in the page. It's really only cosmetic. If you take the test for is_ipaddr out, you can put an address in to the existing interface and it works.

I just added an extra box to make it a bit easier on the eyes.

Hugh

Actions #5

Updated by Chris Buechler about 13 years ago

A feature freeze is a feature freeze; if we added every little thing that came along at RC stage we wouldn't put out a release in our lifetimes. Unintended consequences are prevalent with the most trivial-seeming changes.

Actions #6

Updated by Braden McGrath about 13 years ago

Chris Buechler wrote:

We've been feature frozen for a while; this won't make it until 2.1. Just add a static route as described in the FAQ.

Sorry to rock the boat, I completely forgot that RC normally = no more features. I hate Mondays.

I tried the static route option and it didn't work, at least not for dnsmasq trying to hit a remote server across the tunnel. This was back on 1.2.3 though... but I assume since Hugh made this patch the same bug was present anyway in 2.0.

I just munged my .php file by hand and that will work for me for now. :) Thanks for the patch, Hugh.

Actions #8

Updated by Chris Buechler about 12 years ago

  • Status changed from New to Assigned
  • Assignee set to Darren Embry

Need to merge the above diff, though it may not cleanly apply anymore and may need some manual help.

Actions #9

Updated by Darren Embry about 12 years ago

Hugh, any chance you can provide the patch in the form of a unified diff or context diff please, and attach it instead of including it in a post? Those are normally the best practices when providing a patch.

I need it to be a context/unified diff because I cannot tell where the "Source IP" fields need to be inserted.

And I need it to be attached because I have reason to believe it got munged by the post formatting tool.

Actions #10

Updated by Darren Embry about 12 years ago

  • Status changed from Assigned to Feedback
Actions #11

Updated by Chris Buechler almost 12 years ago

  • Target version deleted (2.1)
  • Affected Version deleted (2.0)
Actions #12

Updated by Hugh Blandford almost 12 years ago

Sorry this update has taken so long. I have checked the file still applies and added the capability to handle the _msdcs AD domains.

I have attached a unified diff. Hopefully the coding is OK.

Actions #13

Updated by Hugh Blandford almost 12 years ago

Sorry, a beginner at this. The patch file was the wrong way around.

Actions #14

Updated by Darren Embry almost 12 years ago

  • Status changed from Feedback to Resolved
  • % Done changed from 0 to 100

Hugh, your patch is in github now.

Actions #15

Updated by Darren Embry almost 12 years ago

  • Status changed from Resolved to Feedback
Actions #16

Updated by Jim Thompson over 9 years ago

  • Assignee changed from Darren Embry to Ermal Luçi

Maybe now this will get fixed.

Actions #17

Updated by Jim Thompson over 9 years ago

  • Target version set to 2.2
Actions #18

Updated by Chris Buechler over 9 years ago

  • Status changed from Feedback to Resolved

This was implemented for 2.1 and works fine; it just didn't get moved to "resolved" status.
