Can't work out why this firewall rule isn't working
-
@johnpoz said in Can't work out why this firewall rule isn't working:
Did you validate the stuff you put in the alias are actually in the table - under diag, you can view the actual details of a table.
No I didn't. Have just checked that now (Haven't ever had to use that before) and it's missing most of the entries.
Why would that happen when it appears in the list of entries under the alias section?
Is it something I've done wrong or is that a bug or issue? -
Looks like its missing maybe the fqdn, not resolving? These only updates ever 5 minutes.. Maybe there is some issues typo? Or they don't resolve for some reason?
-
To rule any FQDN resolution issues I specifically added in an IP range that included all FQDNs it would have resolved
For some reason though they are not appearing in the diagnostics table view.
-
is filterdns running? Could be related to this?
https://redmine.pfsense.org/issues/9296Could you just put those IPs in via a /cidr rule?
-
Possibly related to that. Two of the entries resolved to the same IP which possibly triggered the bug. I tried restarting filterdns, tried restarting the firewall, tried changing the resolution time to 30s as suggested by someone. Now multiple of my tables are empty including the one I was trying to get to load before
Unfortunately for some of my rules I can't use a CIDR rule as the IP address changes due to the way cloud providers allocate IPs to servers in a cluster coming online and offline and the possibility that it might change to a different network thus rendering the CIDR rule unworkable. AWS seems to be notorious for that from what I can tell.
-
Yeah they can be problematic ;)
-
So it appears to be that bug. As soon as I remove any FQDNs then the table updates correctly. Surely this bug needs to be addressed before 2.5, it seems pretty critical to have the firewall table function as intended.
-
Is there a limit to an alias manually entered size? I have tried creating a CIDR networks alias with 4 entries in it, a /20, a /21 and two /24 but it does not even appear in the list of tables under diagnostics.
Scratch that, it's not letting me create any tables now -
Not sure what your doing, but you can create cidr alias just fine.. Are you wanting it to expand them? Not a good idea with a "host" type alias - just use the network alias type.
Here I have a alias for the cloudflare networks, which is huge amount of space..
As you can see the table contains the networks. They all there - just snipped the screenshot vs having to capture the scroll ;)
Also have a networks alias that contains all of rfc1918 space..
Mixing fqdn and IP or Networks, has never really been a good idea.. It says in the host name alias that when a /cidr is used it will expand that, etc.. Which could be problematic for sure if your using large /8 for example ;)
-
@johnpoz said in Can't work out why this firewall rule isn't working:
Not sure what your doing, but you can create cidr alias just fine.. Are you wanting it to expand them?
I worked out what I was doing wrong!
Because I haven't had to refer to the tables before (including from CLI) because I've never had an issue with 2.3x I was checking for them before applying them to a firewall rule which turns out is the point that they're created, not from after saving and hitting apply in the UI as I had expected.
So no issues with CIDR but unfortunately I am stuck with bug 9296 :(
