I wanted to lock down a list of LAN servers to external roaming users with dynamic IPs. I created a bunch of NO-IP trackers, well 60 of them, and distributed them to the users' computers. Then I created an allow rule to let that alias list of FQDNs in to an alias server list on the local LAN, followed by a block rule for anything else. This seemed to work well; I also lowered the time value at which pfSense resolves the FQDNs down to 2 minutes. At the end of the user alias list I also added some static IPs of external sites where users worked and needed to be let through.
Shortly after I added the statics, the allow rule started failing for those statics, i.e. the firewall block rule started blocking a couple of them; I think there were about 6 altogether. In the end I had to add separate allow rules for the static IPs to be let through. Anyone else had this behaviour or know why this might happen? Currently on 2.4.5.
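As an added illustration (not part of the original post or of pfSense's own code), the script below models the configuration described above: an alias built from dynamic-DNS hostnames plus literal static addresses, an allow rule that matches that alias against a server alias, and a catch-all block rule evaluated first-match. It takes a resolver as a parameter so it runs offline, and it includes the check a practitioner would want when statics start being blocked: compare the intended alias membership with what the firewall actually loaded and list the entries that are missing. Hostnames, addresses and the `loaded_table` input are constructed sample values; the table-rebuild logic is an assumption about intended behaviour, not a description of pfSense internals.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample data (not taken from the thread): a few dynamic-DNS
# hostnames for roaming users, the static addresses of external sites, and
# the LAN servers the allow rule is meant to reach.
ROAMING_FQDNS: List[str] = [
    "user01.ddns.example.test",
    "user02.ddns.example.test",
    "user03.ddns.example.test",
]
STATIC_SOURCES: List[str] = ["203.0.113.10", "198.51.100.25"]
LAN_SERVERS: Set[str] = {"192.168.10.5", "192.168.10.6"}

Resolver = Callable[[str], Optional[str]]


def build_alias_table(fqdns: Iterable[str], statics: Iterable[str],
                      resolve: Resolver) -> Tuple[Set[str], List[str]]:
    """Rebuild the source alias the way a periodic FQDN refresh is intended to:
    resolved hostnames first, then the literal addresses appended at the end.
    A hostname that fails to resolve is dropped for this cycle; a literal
    address is always validated and kept (assumed intended behaviour)."""
    table: Set[str] = set()
    unresolved: List[str] = []
    for name in fqdns:
        ip = resolve(name)
        if ip is None:
            unresolved.append(name)
        else:
            table.add(str(ipaddress.ip_address(ip)))
    for ip in statics:
        table.add(str(ipaddress.ip_address(ip)))  # raises on a malformed literal
    return table, unresolved


def evaluate(src: str, dst: str, allowed_sources: Set[str],
             servers: Set[str]) -> str:
    """First-match rule set from the post: pass when the source is in the
    alias and the destination is a listed server, otherwise the block rule
    for 'anything else' wins."""
    if src in allowed_sources and dst in servers:
        return "pass"
    return "block"


def missing_statics(statics: Iterable[str], loaded_table: Set[str]) -> List[str]:
    """The check to run when statics start being blocked: which literal
    entries are absent from the table the firewall actually loaded."""
    return sorted(set(statics) - loaded_table)


def fake_resolver(name: str) -> Optional[str]:
    """Offline stand-in for DNS: user03 is made to fail on purpose so the
    rebuild shows a dropped hostname alongside the kept statics."""
    answers: Dict[str, str] = {
        "user01.ddns.example.test": "192.0.2.11",
        "user02.ddns.example.test": "192.0.2.12",
    }
    return answers.get(name)


if __name__ == "__main__":
    table, failed = build_alias_table(ROAMING_FQDNS, STATIC_SOURCES, fake_resolver)
    print("loaded:", sorted(table), "unresolved:", failed)
    for src in ["192.0.2.11", "203.0.113.10", "198.18.0.1"]:
        print(src, "->", evaluate(src, "192.168.10.5", table, LAN_SERVERS))
    # Constructed: a loaded table that lost one static, as the post reports.
    degraded = table - {"198.51.100.25"}
    print("missing statics:", missing_statics(STATIC_SOURCES, degraded))
```

Running it prints the rebuilt table, the per-source verdicts and, for the constructed degraded table, the static address that the block rule would now catch. Against a real firewall the same comparison is done by diffing the alias as configured against the table the firewall reports as loaded.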


Why not use a VPN to access the internal servers? You will have more control.

Thanks for the suggestion, but users don’t want to have to faff about connecting and disconnecting VPNs all the time. We prefer to make things easier for users rather than adding more steps.

VPN is the safe and more secure way of protecting your servers and networks. Not saying there could be a hole in your firewall and someone is able to hack your systems.

End users have to understand you have steps in place to protect the systems and it is not to make their life harder.

If you use WireGuard VPN, no username or password is required - you just connect.

Thanks Paul, I’ll certainly look at WireGuard anyhow.

Why such an old version? You should be running the latest. Also, WireGuard and Tailscale are good options.

Hey Tom, thanks for the reply. We run a lot of services from our building 24/7, so we don’t like to have it down at any point. However, we do have an exact hardware replica of the Dell R610 it’s running on, which is on the latest version and just sits in the wings in case of failure. We do intend to swap it over to that at some point one weekend shortly; hopefully that might make a difference to the issues we’re seeing. Like I said to Paul, I will look into WireGuard and Tailscale anyhow, as we do use pfSense VPNs for other applications.