Best Way to import large number of Aliases or rules into pfSense
-
Hi,
I've got a large configuration I'm trying to migrate to pfSense from another firewall vendor.
I've got in excess of 1000 aliases to migrate across, what would be the best mechanism?
I have reformatted the configuration from the existing router to XML format that matches the pfSense alias configuration file. I was then looking to use the Restore command to pull in the alias definitions but I get a PHP fatal Crash:
php fatal error: Maximum function nesting level of 256 reached, aborting! in /etc/inc/util.inc on line 1728
and the restore fails when I get above about 800 aliases. There doesn't seem to be a way to segment the aliases.
The Bulk import only allows one alias with lots of entries from what I can see, I need lots of aliases with a small number of IPs per alias.
Once I've cracked this I'm going to need to port the NAT and Rules ;D
Any ideas?
-
You can use the backup function to download the config.xml from the device. Then edit a local copy of that config.xml and paste in your aliases in the alias section of the config. Then use the Restore in the menus to restore the edited config. The system will reboot and you will be done.
Of course that relies on "manually" ensuring that the alias data you have pasted into config.xml is valid and in the expected XML format. But it sounds like you have been doing that already. If in doubt, make some manual entries of different types of stuff in aliases from the GUI and look in config.xml to confirm the format it is stored in.
-
Phil,
Thank you for the idea, I will give it a go.
-
Hi,
I have tried editing the config.xml file. I started with 10-20 aliases and they were added okay. So I loaded the 800 aliases I currently have and the firewall doesn't respond on the Webgui portal.
On the console I see a stream of error messages:
…. 8.1402 3195984 255. filter_generate_nested_alias() /etc/inc/filter.inc: 66.....alias_get_type() /etc/inc/filter.inc:638..
.
I've not worked out how to access or capture the error messages (pfSense is running on a VM under Hyper-V) so I can only see the end of the message trail. So it is a different error message but still an error seemingly related to the volume of aliases.
The VM has plenty of resources so I've either hit a bug or I'm going over a limit in pfSense (I've been looking but I can't see any published limits).
I'm running latest release with Patch.
-
It looks like you have some aliases contained in other aliases, which is legal. Or at least the code that parses the alias section sees it that way. I am not aware of any bugs in parsing aliases and setting them up in pf. I would guess that the XML you pasted in is missing some tag/closing tag or some other expected syntax.
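
Added example, not part of the thread and not pfSense code: a pre-restore check of an edited config.xml for the two things the last reply raises, malformed XML and aliases contained in other aliases; it also reports duplicate names and nesting loops. The section layout (`<aliases>` holding `<alias>` elements with `<name>` and a space-separated `<address>`) and the name rule are assumptions to confirm against a GUI-created alias, and the sample data is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample; layout is an assumption, compare with a GUI-created alias.
SAMPLE = """<pfsense><aliases>
  <alias><name>web1</name><type>host</type><address>192.0.2.10</address></alias>
  <alias><name>web_farm</name><type>host</type><address>web1 192.0.2.11</address></alias>
  <alias><name>loop_a</name><type>host</type><address>loop_b</address></alias>
  <alias><name>loop_b</name><type>host</type><address>loop_a 192.0.2.12</address></alias>
  <alias><name>web1</name><type>host</type><address>192.0.2.13</address></alias>
  <alias><name>bad-name</name><type>host</type><address>192.0.2.14</address></alias>
</aliases></pfsense>"""

NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")  # assumed rule: letters, digits, underscore

def check_aliases(xml_text):
    """Return a list of findings for the <aliases> section of a config.xml."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # missing or mismatched tag
        return [f"not well-formed: {exc}"]
    findings, members = [], {}
    for alias in root.findall(".//aliases/alias"):
        name = (alias.findtext("name") or "").strip()
        if not NAME_RE.match(name):
            findings.append(f"invalid name: {name!r}")
        if name in members:
            findings.append(f"duplicate name: {name}")
        members[name] = (alias.findtext("address") or "").split()
    # An address entry equal to another alias's name is a nested alias.
    graph = {n: [m for m in ms if m in members] for n, ms in members.items()}
    state = {}  # "open" while on the DFS stack, "done" once fully explored

    def visit(name, path):
        if state.get(name) == "done":
            return
        if state.get(name) == "open":  # reached an ancestor again: a loop
            loop = path[path.index(name):] + [name]
            findings.append("cycle: " + " -> ".join(loop))
            return
        state[name] = "open"
        for child in graph[name]:
            visit(child, path + [name])
        state[name] = "done"

    for name in graph:
        visit(name, [])
    return findings

if __name__ == "__main__":
    print("\n".join(check_aliases(SAMPLE)) or "no findings")
```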