Feature #1361
closed
DNSMasq, source interface and IPSec VPNs
Added by Hugh Blandford over 13 years ago.
Updated over 10 years ago.
Description
DNSMasq, source interface and IPSec VPNs
Posted on: March 11, 2011, 10:03:04 am
dnsmasq has the capability to use the internal interface IP when querying the override domains, i.e. when overriding internal.local, use the IP address 192.168.111.12 (server on the VPN at the other end of the link). However, as the request goes out from pfSense it uses the WAN interface and isn't encrypted. Normally, this can be overcome by sending the query from the internal interface, which dnsmasq supports through the syntax 192.168.111.12@192.168.1.1. However, the valid IP address checks on line 72 in services_dnsmasq_domainoverride_edit.php stop this from being entered. If the line is commented out, then it all works as desired.
Could the tests please be modified to support this feature?
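As an added example (not pfSense code and not part of this issue), the Python below mirrors the checks the patch later adds: it splits dnsmasq's ip@source override form, verifies the source is one of the firewall's own interface addresses (a constructed sample set here), refuses a source on an exclusion entry, and renders the resulting dnsmasq server= line. The point of the source address is that without it the query for the override domain leaves via the WAN in clear text instead of entering the IPsec tunnel.

```python
"""Validate pfSense-style domain overrides and emit dnsmasq server= lines."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample: addresses configured on the firewall's own interfaces
# (the patch compares the source against get_configured_ip_addresses()).
CONFIGURED_IPS = {"192.168.1.1", "203.0.113.5"}


def parse_override(entry: str) -> Tuple[str, Optional[str]]:
    """Split 'ip' or 'ip@source' into (ip, source); source is None if absent."""
    ip, sep, source = entry.partition("@")
    return ip, (source if sep else None)


def validate_override(domain: str, entry: str,
                      configured_ips=CONFIGURED_IPS) -> List[str]:
    """Return validation errors; an empty list means the entry is acceptable.

    Target must be a valid IP address or '#' (exclusion); a source, if given,
    must be one of the firewall's interface IPs so the query is sent from the
    tunnel side rather than the WAN. A source on an exclusion is rejected,
    because '#@source' is neither an exclusion nor an ip@source pair.
    """
    errors: List[str] = []
    if not domain:
        errors.append("A domain must be specified.")
    ip, source = parse_override(entry)
    if ip != "#":
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append("A valid IP address must be specified, or # for an exclusion.")
    if source is not None:
        if ip == "#":
            errors.append("A source IP cannot be combined with an exclusion.")
        elif source not in configured_ips:
            errors.append("An interface IP address must be specified for the DNS query source.")
    return errors


def dnsmasq_server_line(domain: str, entry: str) -> str:
    """Render the dnsmasq option server=/domain/ip[@source] after validating it."""
    errors = validate_override(domain, entry)
    if errors:
        raise ValueError("; ".join(errors))
    return f"server=/{domain}/{entry}"
```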
Files
Well, here is my first bit of PHP coding, so hopefully it is OK. It seems to do what I wanted it to do.
diff services_dnsmasq_domainoverride_edit.php.orig services_dnsmasq_domainoverride_edit.php
54c54,61
< $pconfig['ip'] = $a_domainOverrides[$id]['ip'];
---
> if (is_ipaddr($a_domainOverrides[$id]['ip']) && ($a_domainOverrides[$id]['ip'] != '#')) {
> $pconfig['ip'] = $a_domainOverrides[$id]['ip'];
> }
> else {
> $dnsmasqpieces = explode('@', $a_domainOverrides[$id]['ip'], 2);
> $pconfig['ip'] = $dnsmasqpieces[0];
> $pconfig['dnssrcip'] = $dnsmasqpieces[1];
> }
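Review bot: the `else` branch indexes `$dnsmasqpieces[1]` unconditionally, but a stored exclusion entry (`#`) fails `is_ipaddr()` and lands in this branch too, so `explode()` yields a single element and `$pconfig['dnssrcip']` reads an undefined offset (PHP notice). The `!= '#'` test in the condition is redundant for the same reason, since `is_ipaddr('#')` is already false. Suggest branching on whether the stored value contains `@` instead, e.g. `if (strpos($a_domainOverrides[$id]['ip'], '@') === false) { $pconfig['ip'] = $a_domainOverrides[$id]['ip']; } else { ... }`, which keeps `#` and plain addresses on the same path.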
73c80,83
< $input_errors[] = gettext("A valid IP address must be specified, or # for an exclusion.");
---
> $input_errors[] = gettext("A valid IP address must be specified, or # for an exclusion.");
> }
> if ($_POST['dnssrcip'] && !in_array($_POST['dnssrcip'], get_configured_ip_addresses())) {
> $input_errors[] = gettext("An interface IP address must be specified for the DNS query source.");
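Review bot: the new source-IP check only verifies membership in `get_configured_ip_addresses()`; it does not reject a source entered together with an exclusion (`#`), which the save hunk below then stores as `#@<source>`, a value that is neither an exclusion nor a valid `ip@source` pair. Add a check such as `if ($_POST['dnssrcip'] && ($_POST['ip'] == '#')) { $input_errors[] = gettext("A source IP cannot be used with an exclusion."); }` beside the in_array test. The hunk also depends on the original closing brace of the surrounding block to close the new `if`, which cannot be confirmed without context lines; a unified or context diff would make that visible.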
78c88,91
< $doment['ip'] = $_POST['ip'];
---
> if (empty($_POST['dnssrcip']))
> $doment['ip'] = $_POST['ip'];
> else
> $doment['ip'] = $_POST['ip'] . "@" . $_POST['dnssrcip'];
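Review bot: the brace-less single-statement `if`/`else` is easy to break when a second statement is later added to either branch; wrap both branches in braces, e.g. `if (empty($_POST['dnssrcip'])) { $doment['ip'] = $_POST['ip']; } else { $doment['ip'] = $_POST['ip'] . "@" . $_POST['dnssrcip']; }`. Note that this write side and the read side in the first hunk must keep agreeing on `@` as the separator; a short comment pointing at the dnsmasq `ip@source` syntax at both places would help the next maintainer.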
118a132,138
> <tr>
> <td width="22%" valign="top" class="vncellreq"><?=gettext("Source IP");?></td>
> <td width="78%" class="vtable">
> <?=$mandfldhtml;?><input name="dnssrcip" type="text" class="formfld unknown" id="dnssrcip" size="40" value="<?=htmlspecialchars($pconfig['dnssrcip']);?>">
>
<span class="vexpl"><?=gettext("Source IP address for queries to the DNS server for the override domain."); ?>
> <?=gettext("Leave blank unless your DNS server is accessed through a VPN tunnel."); ?></span></td>
> </tr>
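Review bot: the row is presented as mandatory (`class="vncellreq"` on the label cell and `<?=$mandfldhtml;?>` before the input) while its own help text says to leave it blank unless the DNS server is reached through a VPN tunnel; use `vncell` and drop `$mandfldhtml` so the field reads as optional. Separately, the `<span class="vexpl">` line has lost its leading `>` marker in the post, so this hunk will not apply as pasted; attaching the patch as a file avoids that.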
Looking for a dev response on this - has it been included in the latest nightlies? I need this functionality and rather than hacking about in my system I'll just upgrade from RC1 -> Nightly if it is included.
- Target version set to 2.1
We've been feature frozen for a while; this won't make it until 2.1. Just add a static route as described in the FAQ.
Chris,
This is only changing the testing of the IP address that takes place in the page. It's really only cosmetic. If you take the test for is_ipaddr out you can put an address into the existing interface and it works.
I just added an extra box to make it a bit easier on the eyes.
Hugh
A feature freeze is a feature freeze; if we added every little thing that came along at RC stage we wouldn't put out a release in our lifetimes. Unintended consequences are prevalent with the most trivial-seeming changes.
Chris Buechler wrote:
We've been feature frozen for a while; this won't make it until 2.1. Just add a static route as described in the FAQ.
Sorry to rock the boat, I completely forgot that RC normally = no more features. I hate Mondays.
I tried the static route option and it didn't work, at least not for dnsmasq trying to hit a remote server across the tunnel. This was back on 1.2.3 though... but I assume since Hugh made this patch the same bug was present anyway in 2.0.
I just munged my .php file by hand and that will work for me for now. :) Thanks for the patch, Hugh.
- Status changed from New to Assigned
- Assignee set to Darren Embry
Need to merge the above diff, though it may not apply cleanly anymore and may need some manual help.
Hugh, any chance you can provide the patch in the form of a unified diff or context diff please, and attach it instead of including it in a post? Those are normally the best practices when providing a patch.
I need it to be a context/unified diff because I cannot tell where the "Source IP" fields need to be inserted.
And I need it to be attached because I have reason to believe it got munged by the post formatting tool.
- Status changed from Assigned to Feedback
- Target version deleted (2.1)
- Affected Version deleted (2.0)
Sorry this update has taken so long. I have checked the file still applies and added the capability to handle the _msdcs AD domains.
I have attached a unified diff. Hopefully the coding is OK.
Sorry, a beginner at this. The patch file was the wrong way around.
- Status changed from Feedback to Resolved
- % Done changed from 0 to 100
Hugh, your patch is in github now.
- Status changed from Resolved to Feedback
- Assignee changed from Darren Embry to Ermal Luçi
Maybe now this will get fixed.
- Target version set to 2.2
- Status changed from Feedback to Resolved
This was implemented for 2.1 and works fine; it just didn't get moved to "resolved" status.