Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Unexpected alias behaviour - two ranges

    Scheduled Pinned Locked Moved General pfSense Questions
    57 Posts 4 Posters 614 Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • tinfoilmattT Offline
      tinfoilmatt @SteveITS
      last edited by

      @SteveITS This thread is lacking in coherent, reproducible steps which demonstrate anything. Not picking on you as you're not OP. But Stephen most recently reaffirms that, at one point, he was able to do—something. In this post he referred to it as "case 2".

      That's what I'm wanting to try to recreate for myself.

      1 Reply Last reply Reply Quote 0
      • P Offline
        Patch @SteveITS
        last edited by Patch

        @SteveITS said in Unexpected alias behaviour - two ranges:

        I am curious, does it matter where the FQDN is, in your alias? Does it stop updating the alias after the FQDN, if it is listed first or last?

        Starting from https://forum.netgate.com/post/1229337
        In practice I have entered a FQDN then many actual IPv4 addresses. I have mostly used a fixed prefix such as 201 or 202 or 203 (using a different number for each IP_set alias consists almost) followed by random numbers (0-255). It is far easier to add sequential IPv4 addresses but I was unsure what optimisation pfsense does so avoided that.

        These IP_sets are then combined in Combined_IP alias (nested / hierarchical)

        The bug is revealed on full alias rebuild. In testing I used a configuration restore to ensure repeatability and clear starting point. Restarting pfsense has trigger it in my active systems.

        Using 3 IP_sets containing 50, 512, 50 IP addresses,
        for me it happens every time within a 30 sec of pfsense starting up. Smaller IP_set sizes can fail less cleanly. Tested with a clean install pfsense v2.81 and v2.72.

        @SteveITS said in Unexpected alias behaviour - two ranges:

        ...should have 612 615, has 256. Which seems like a suspiciously specific number, tbh

        I agree that's a suspicious number but if I use 2 IP_sets the number is larger and with other IP set sizes the Combined_IP varies slightly.

        @stephenw10 said in Unexpected alias behaviour - two ranges:

        A partially populate table is probably a better description here.

        That's a reasonable term.

        Looking at the Resolver logs the missing alias table entries appear to correspond to

        said in Unexpected alias behaviour - two ranges:

        IP_set3 table is empty however the log shows the actual 50 IP addresses are added but duplicates of "Adding Action: pf table: IP_set3 host:" but I think all 50 appear.

        Similarly "Adding Action: pf table: IP_set2 host: " shows some duplicates. Not all actual IP addresses appear in the 2000 log entires. I was not able to readily tell if all 512 appear at least once in Adding Action: pf table: IP_set2 host:

        tinfoilmattT 1 Reply Last reply Reply Quote 0
        • tinfoilmattT Offline
          tinfoilmatt @Patch
          last edited by

          @Patch said in Unexpected alias behaviour - two ranges:

          These IP_sets are then combined in Combined_IP alias (nested / hierarchical)

          It's nested.

          1 Reply Last reply Reply Quote 0
          • tinfoilmattT Offline
            tinfoilmatt
            last edited by

            If anybody can distill two posts above this one, I'm happy to test.

            S 1 Reply Last reply Reply Quote 0
            • S Offline
              SteveITS Galactic Empire @tinfoilmatt
              last edited by

              Seems like I've replicated it.

              I created a VM with 2.8.1.
              I used easyrule to allow access on WAN.
              I bypassed the GUI setup wizard.

              I created 4 aliases. IPs were created in Excel, enter the first and drag down 255 cells, then copy/paste into the Import in pfSense to create the alias.

              alias_50_1: 	Host(s) 	10.1.1.1, 10.1.1.2, 10.1.1.3, 10.1.1.4, 10.1.1.5, 10.1.1.6, 10.1.1.7, 10.1.1.8, 10.1.1.9, 10.1.1.10… 	  	(through .50)

alias_50_2: 	Host(s) 	10.2.2.1, 10.2.2.2, 10.2.2.3, 10.2.2.4, 10.2.2.5, 10.2.2.6, 10.2.2.7, 10.2.2.8, 10.2.2.9, 10.2.2.10… 	  	(through .50)

alias_512: 	Host(s) 	10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4, 10.0.0.5, 10.0.0.6, 10.0.0.7, 10.0.0.8, 10.0.0.9, 10.0.0.10… 	  	(through .255 and 10.10.0.1-.255)

              Each of the first 3 ended with a hostname, e.g. pfsense.org.

              alias_all: 	Host(s) 	alias_512, alias_50_1, alias_50_2

              If I click Apply and look at Diag > Tables, alias_512 shows:
              Date of last update of table is unknown. 172 records.

              ...and ends at 10.0.0.170 but has the hostname for alias_512:
              forum.netgate.com. 3 IN A 208.123.73.77

              Matching that, alias_all has 278 records.

              The two "50" aliases do include the FQDN IPs (the third was netgate.com). So they seem correct. The alias_512 is missing most of its list. Which does show correctly if I edit the alias.

              I did not need to reboot.

              I'll make a follow on post momentarily. I can send or upload the config if desired but it seems easy enough.

              Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
              Upvote 👍 helpful posts!

              S 1 Reply Last reply Reply Quote 2
              • stephenw10S Offline
                stephenw10 Netgate Administrator
                last edited by

                If you run filter_reload does it fully populate?

                Mixed mode aliases have been a problem in the past. I've long recommended not mixing IPs and FQDNs but I had thought those issues were resolved. Looks like we have a regression.

                S 2 Replies Last reply Reply Quote 0
                • S Offline
                  SteveITS Galactic Empire @SteveITS
                  last edited by

                  The first time I tried this I had an error in my list for alias_512. I accidentally scrolled two extra rows, leaving this in the import copy/paste:

                  10.10.0.256
                  10.10.0.257

                  Obviously an error. Filterdns (DNS Resolver log) threw an error trying to resolve the "hostnames" since they are not IPs. The result was still the problem above, however, the results/numbers were slightly different and not off by two.

                  Deleting those and clicking Apply again reproduced the issue, hence my above post.

                  I'm not sure what that means but it seems odd that removing the two invalid IPs resulted in 1) several more (more than 2) additional IPs made it into the alias_512 table, and 2) the FQDN forum.netgate.com at the bottom of that list was resolved and its IPs also in that table. Even though 10.0.0.171-.255 and 10.10.0.1-.255 are not. Possibly an out of memory error and the "hostnames" take a bit more RAM than the last few IPs? I did try adding them back in again and the tables did not shrink as I expected.

                  Note also that as @Patch reported, the log shows the missing IPs being added:

                  Nov 7 01:34:37 	filterdns 	55828 	Adding Action: pf table: alias_all host: 10.10.0.253
Nov 7 01:34:37 	filterdns 	55828 	Adding Action: pf table: alias_all host: 10.10.0.254
Nov 7 01:34:37 	filterdns 	55828 	Adding Action: pf table: alias_all host: 10.10.0.255

                  Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
                  Upvote 👍 helpful posts!

                  1 Reply Last reply Reply Quote 0
                  • S Offline
                    SteveITS Galactic Empire @stephenw10
                    last edited by

                    @stephenw10 said in Unexpected alias behaviour - two ranges:

                    If you run filter_reload does it fully populate?

                    no.

                    Initializing
Creating aliases
Creating gateway group item...
Generating Limiter rules
Generating NAT rules
Creating 1:1 rules...
Creating outbound NAT rules
Creating automatic outbound rules
Setting up TFTP helper
Generating filter rules
Creating default rules
Pre-caching Default allow LAN to any rule...
Creating filter rule Default allow LAN to any rule ...
Creating filter rules Default allow LAN to any rule ...
Setting up pass/block rules
Setting up pass/block rules Default allow LAN to any rule
Creating rule Default allow LAN to any rule
Pre-caching Default allow LAN IPv6 to any rule...
Creating filter rule Default allow LAN IPv6 to any rule ...
Creating filter rules Default allow LAN IPv6 to any rule ...
Setting up pass/block rules
Setting up pass/block rules Default allow LAN IPv6 to any rule
Creating rule Default allow LAN IPv6 to any rule
Pre-caching Passed via EasyRule...
Creating filter rule Passed via EasyRule ...
Creating filter rules Passed via EasyRule ...
Setting up pass/block rules
Setting up pass/block rules Passed via EasyRule
Creating rule Passed via EasyRule
Creating IPsec rules...
Generating ALTQ queues
Loading filter rules
Setting up logging information
Setting up SCRUB information
Processing down interface states
Running plugins
Done

                    Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                    When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
                    Upvote 👍 helpful posts!

                    1 Reply Last reply Reply Quote 0
                    • S Offline
                      SteveITS Galactic Empire @stephenw10
                      last edited by

                      @stephenw10 said in Unexpected alias behaviour - two ranges:

                      not mixing IPs and FQDNs

                      If I remove forum.netgate.com from alias_512 then I get 618 records so I think it fully populates.

                      Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                      When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
                      Upvote 👍 helpful posts!

                      S 1 Reply Last reply Reply Quote 0
                      • S Offline
                        SteveITS Galactic Empire @SteveITS
                        last edited by

                        OK, weirder, I set the tunable for https://docs.netgate.com/pfsense/en/latest/troubleshooting/filterdns-thread-errors.html to 4096, just to see. I applied it, and did a Filter Reload.

                        alias_512 now contains only 12 records, scattered through the list plus the last 7+FQDN:

                        10.0.0.138 	
10.10.0.1 	
10.10.0.58 	
10.10.0.249 	
10.10.0.250 	
10.10.0.251 	
10.10.0.252 	
10.10.0.253 	
10.10.0.254 	
10.10.0.255 	
208.123.73.77 	
2610:160:11:11::6

                        However alias_all still contains 618 entries. Which makes me think it either was created successfully, or not updated at all.

                        Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                        When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
                        Upvote 👍 helpful posts!

                        P 1 Reply Last reply Reply Quote 0
                        • P Offline
                          Patch @SteveITS
                          last edited by Patch

                          @SteveITS

                          • In my testing when editing alias, the old table entries are not deleted. But I agree sometimes not fully updated. This is probably why the bug results in latent failure, and the fault is revelled on pfsense restart when all aliases are fully built.
                          • I agree it can be reproduced without restarting, it's just that I found it harder to make sense of the data.
                          • I suspect deleting table data then filter reload would be equivalent.
                          • Configuration save and reload is a belts & braces approach used as I didn't know what part of pfsense was locking up initially.
                          • I get the same behaviour in pfsense 2.7.2 also. I looked as I wondered about a regression or new bug but could not confirm that.

                          @SteveITS said in Unexpected alias behaviour - two ranges:

                          the log shows the missing IPs being added

                          I think included IP's added once but missing IP are added twice.

                          To see this I

                          • set the Resolver log to show 2000 entries
                          • copy the log
                          • paste text into a spreadsheet (such as LibreOffice calc) using space as a delimiter
                          • sort by the description column (D)
                          • scroll to Alias of interest & look for duplicates
                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.