Last IP of an Alias is not used???

furom

Hi,

I have an alias of IP's which I use in one of my rules. However, I see that the last IP in that alias gets blocked... But if I add it twice it is used. Anyone else seeing this phenomena?

I don't believe it is a general problem with aliases in pfSense, but why would one (all else works fine afaik) of my defined one do this?

Strange as it may sound, it feels like indexing of this alias is off by one...

Thanks

SteveITS

@furom Create the alias and check its contents in Diagnostics/Tables.

johnpoz

@furom said in Last IP of an Alias is not used???:

Anyone else seeing this phenomena?

Nope... I looked in all of my per-existing aliases, and all the IPs are there. I then for good measure created a new one with 5 IPs, and all of them there.

furom

@steveits said in Last IP of an Alias is not used???:

Create the alias and check its contents in Diagnostics/Tables.

Did that now, and as said before, I have defined it with same address twice at the end for it not to be blocked, but in diagnostics/table it only shows up once. But it shows 6 unique addresses, which is correct.

furom

@johnpoz said in Last IP of an Alias is not used???:

created a new one with 5 IPs, and all of them there

Same here. In diagnostics/table all addresses show up, but for one of them pfSense is not using the last one - it is being blocked and cought in the log. Mitigation for now is to enter it twice in the alias...

johnpoz

@furom said in Last IP of an Alias is not used???:

I have defined it with same address twice

why.. its not going to show dupes I do not believe.. Here I created some dupe entry in my test alias. And a new one - to make sure its in there, etc.. So I added 192.168.6.100, as you can see none of the dupes are shown, but the 6.100 is there now along with the others.

furom

@johnpoz said in Last IP of an Alias is not used???:

why..

Because if I don't, that address is blocked, despite being defined in the alias... of which all the rest of the addresses work as they should (aka is not blocked)

This whas the point of the question/post... I don't get why this last one does not get processed (or seems not to be).

johnpoz

@furom is it in the table? Remove your dupes of this IP, and look in the table..

furom

@johnpoz said in Last IP of an Alias is not used???:

@furom is it in the table? Remove your dupes of this IP, and look in the table..

Removed it, reloaded filters just in case, and yes, all 6 addresses are still there. But now it gets blocked again. I have no real good way of testing if the last in each alias does the same, but would be interesting. I have only noted this one though

SteveITS

@furom Tried, can't duplicate.

Alias with 5 IPs in LAN subnet, mine last
rule allow ICMP to pfSense from alias
rule reject ICMP to pfSense from LAN Net

Can ping. Removed the allow, waited for the state to expire, can't ping.

Interestingly, the test alias does not show up in Diag/Tables until it is used in a rule. Didn't expect that but it makes sense.

furom

@steveits said in Last IP of an Alias is not used???:

@furom Tried, can't duplicate.

Alias with 5 IPs in LAN subnet, mine last
rule allow ICMP to pfSense from alias
rule reject ICMP to pfSense from LAN Net

Removed the allow, waited for the state to expire, can't ping.

Interestingly, the test alias does not show up in Diag/Tables until it is used in a rule. Didn't expect that but it makes sense.

Understood, and appreciated. As it has an easy workaround it's really not a big problem. Was just curious if anyone else had the same, and apparently not, which is all good. :) Thanks for testing!