Do not upgrade to Pfsense 2.4.4_1 Firewall rules with aliases are not processed
-
Only one interface I would suggest?
Could also have just renamed the interfaces.
Steve
-
I have exactly the same issue on our core firewalls. @jimp maybe you remember them from the early days :). Everything worked fine until we upgraded to 2.4.4P3 2 weeks ago. Since then we have had many problems with aliases (still happening and reproducible).
I have an alias with many IPs in it. Some of them work and some don't.
So for example I have a rule with a.a.a.a and b.b.b.b in an alias.
a.a.a.a will work but b.b.b.b doesn't. If I put b.b.b.b in a separate rule it will work fine.
All traffic is blocked by the default rule...
-
What version did you upgrade from?
Do you have a mix of IPs and FQDNs?
Do you see any filterdns errors in the logs?
Steve
-
Went from 2.4.4 to 2.4.4 p3.
Only IPs in this particular alias, but we have had the same issue with other aliases.
No problems. If you like you can take a look. It is very easily reproducible.
-
I gave up updating; I continue with version 2.4.4. I almost got fired from my job because of it.
Some time later I had problems with Aliases Hostname Resolution Range. I increased this number; try changing it and see if it works.
-
@dreivi said in Do not upgrade to Pfsense 2.4.4_1 Firewall rules with aliases are not processed:
I gave up updating; I continue with version 2.4.4. I almost got fired from my job because of it.
Be careful: not testing upgrades before deploying could be dangerous for employment.
Not updating at all (true: no testing is needed here) got the better part of us fired.
-
The only outstanding alias issue I'm aware of is this: https://redmine.pfsense.org/issues/9296
I've not replicated that myself but does that explain what you're seeing?
Steve
-
@stephenw10 said in Do not upgrade to Pfsense 2.4.4_1 Firewall rules with aliases are not processed:
The only outstanding alias issue I'm aware of is this: https://redmine.pfsense.org/issues/9296
I've not replicated that myself but does that explain what you're seeing?
Steve
Nope, not the same. These are IP-based aliases.
-
Nested aliases of IPs only then?
I have some huge aliases here and haven't seen any problems but they are not nested.
Steve
-
lol I have worked with pfSense for 10+ years and never knew you could use nested aliases :)
We have tens of pfSenses and only this particular pfSense is having problems...
-
Hmm, interesting. What's special about that then? Some odd character in there maybe that would be disallowed now but passed input validation years ago when it was added?
If you want to open a ticket and send us a status_output file I can look through it. https://go.netgate.com
Steve
-
@stephenw10 said in Do not upgrade to Pfsense 2.4.4_1 Firewall rules with aliases are not processed:
Hmm, interesting. What's special about that then? Some odd character in there maybe that would be disallowed now but passed input validation years ago when it was added?
If you want to open a ticket and send us a status_output file I can look through it. https://go.netgate.com
Steve
done