Netgate Discussion Forum

    Aliases have driven me crazy

    Firewalling · 9 Posts 3 Posters 651 Views
    • bchan

      In my experience, aliases are the most unreliable part of pfSense.
      Some versions ago, the alias table was not refreshed correctly when the same FQDN appeared more than once.

      Now I am running 2.4.5-RELEASE-p1 community version and Aliases go strange again:

      1. I added an IP to an alias but it was not reflected in the corresponding alias table.
      2. When I created a network alias, 103.20.236.0/22, there was no table created.

      I tried to scan through various logs but there was no clue as to what had gone wrong.
      I studied the pfctl CLI but there is nothing on aliases.

      Besides rebooting pfSense, is there any way to force a rebuild of the alias tables?
      In case of similar errors in the future, where can I find more information on what the culprit was?

      • heper @bchan

        @bchan
        Tables are only created when an alias is added to a firewall rule.
        An alias that isn't used by a rule has no table.

        • bchan @heper

          @heper Thank you for your reply. Maybe I misunderstood. Can I ask: when I embed an alias in another alias, will I get a table when the other alias is referenced in a firewall rule?

          • heper @bchan

            @bchan

            example:
            alias1 = [1.2.3.4]
            alias2 = [5.6.7.8, Alias1]

            If you then create a rule that uses alias2, pfSense will create a table containing 1.2.3.4 & 5.6.7.8.

            • serbus @heper

              @heper

              Hello!

              I added a simple IP Host Alias named tester with an FQDN of google.com. Even though it has not been added to a firewall rule, I still see a table in Diagnostics -> Tables and the following output:

              [2.4.5-RELEASE][admin@pfSense]/root: pfctl -T show -t tester
                 172.217.4.78
                 2607:f8b0:4009:805::200e
              

              I share the concerns of @bchan when it comes to aliases.

              John

              Lex parsimoniae

              • heper @serbus

                @serbus That's because an FQDN has to be resolved to IPs before they can be added to firewall rules.

                I personally wouldn't ever use an FQDN in an alias in that way because of the huge load-balancing pools most cloud providers use... it'll never be accurate because it'll resolve differently every time.

                • serbus

                  Hello!

                  Ahhh...I see.

                  So I created an IP Network Alias that has a mix of FQDN and IP networks. The alias is not in a firewall rule. The table is created immediately, but it only has the resolved FQDN IP in it.

                  After adding the alias to a firewall rule, the IP network portion of the alias is never added into the table. The alias table never has anything other than the resolved FQDN.

                  John

                  Lex parsimoniae

                  • heper @serbus

                    @serbus
                    I can't reproduce your problem.

                    I just created an alias with the following:

                    - 1.2.3.4
                    - google.be
                    - 5.6.7.8
                    - amazon.com

                    When I go to Diagnostics -> Tables it shows:

                    1.2.3.4
                    5.6.7.8
                    54.239.28.85
                    176.32.103.205
                    205.251.242.103
                    216.58.214.3
                    2a00:1450:400e:800::2003

                    So I don't see the problem you experience. It's still a pointless alias because google.com & amazon.com will resolve differently for my clients & thus render the rule useless.

                    • serbus

                      Hello!

                      The same thing happens if the FQDN points to a local device, which is the normal use case for me.

                      The feeling I get from aliases is that they are finicky.

                      The idea that you could set up an alias and get one result, and that I could set up a similar alias (I used a /28 network, not a single host in my test) and get a different result bears this out.

                      I get the same vibe when reading through bugs like https://redmine.pfsense.org/issues/9296
                      There is lots of interesting reading in Redmine about aliases.

                      I hope that aliases are working well for most people, but I do have to agree that at times they have "driven me crazy".

                      John

                      Lex parsimoniae

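An added example, not code from anyone in this thread or from pfSense: a POSIX sh check that compares the static entries an alias is meant to hold against what `pfctl -T show -t <alias_name>` reports as loaded, so the mismatch serbus describes (hosts present, network never loaded) shows up as a concrete list instead of a feeling. The alias name `tester` is taken from serbus's post; both input lists are constructed samples, and the intended-entries list is an assumption you would maintain yourself.

```shell
# Added example (not from this thread or pfSense): compare the entries an
# alias should hold with what pf has loaded in the alias's table. On a live
# box the second input comes from: pfctl -T show -t <alias_name>
# Both inputs below are constructed samples modelled on the posts.

# Normalise a list: strip whitespace, drop blanks, sort uniquely.
norm() { tr -d '\t ' | grep -v '^$' | sort -u; }

# missing_from_table EXPECTED ACTUAL: prints each expected entry pf lacks,
# one per line; exit 0 when the table is complete, 1 when something is missing.
# List only static members (hosts, networks) in EXPECTED: addresses resolved
# from an FQDN change between lookups and cannot be pinned down.
missing_from_table() {
    expected=$(printf '%s\n' "$1" | norm)
    actual=$(printf '%s\n' "$2" | norm)
    rc=0
    for e in $expected; do
        if ! printf '%s\n' "$actual" | grep -qxF -- "$e"; then
            echo "$e"
            rc=1
        fi
    done
    return $rc
}

# Constructed: static members of an alias "tester" (two hosts plus the /22
# network from the first post).
ALIAS_INTENDED='
1.2.3.4
5.6.7.8
103.20.236.0/22
'
# Constructed: pfctl -T show -t tester output for the failure serbus
# describes, where the network part never reached the table.
PF_TABLE_SAMPLE='
   1.2.3.4
   5.6.7.8
'
# check_alias INTENDED ACTUAL: readable wrapper, exit 1 when the table is stale.
# Live use: check_alias "$ALIAS_INTENDED" "$(pfctl -T show -t tester)"
check_alias() {
    if out=$(missing_from_table "$1" "$2"); then
        echo "ok: table holds every static alias entry"
    else
        printf 'stale table, missing from pf:\n%s\n' "$out"
        return 1
    fi
}
check_alias "$ALIAS_INTENDED" "$PF_TABLE_SAMPLE" || :   # ':' keeps the demo going
```

A non-zero exit from `check_alias` is what you would alert on; entries that come from FQDN resolution are deliberately left out of the expected list because they legitimately differ between lookups.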