Netgate Discussion Forum
    Odd situation with alias not being resolved

    Firewalling
    8 Posts 3 Posters 898 Views
    • SipriusPT

      Hello everyone,

      I have a subnet that doesn't have internet access by default. And 2 weeks ago I set up several rules with aliases to allow certain websites. Some aliases have around 40 URL entries.

      While testing those rules now, I noticed that several URLs have stopped working, without any change on the rules or alias side.

      As a test, I tried to use only one URL in an alias and set a rule for it, and put that rule in front of the others, and it worked. So I disabled that new rule and applied it, and even after closing all the states of that PC, that website continues to work.

      I tried to replicate this with other URLs, but with no success.

      It feels like those URL aliases are not being updated, but under System / Advanced / Firewall & NAT, Aliases Hostnames Resolve Interval, I am using the default 300s:

      (screenshot)
      Note: that single IP is the same as the one from the rule that I created with only one URL to test.

      The alias table that is having issues:

      Production_tools_Hosts.txt

      Damn, am I missing something here?!

      1xSG-4860-1U
      1xSG-3100
      2xpfSense Virtual Machines

      • noplan @SipriusPT

        @sipriuspt
        A screenshot of your firewall rules is missing ;)

        • KOM @SipriusPT

          @sipriuspt pfSense resolves aliased hostnames every 5 minutes IIRC. Many websites have multiple IP addresses. It's very possible that they accessed a site based on an IP address that you weren't blocking at that moment.

          • SipriusPT @noplan

            @noplan sorry, here it goes (sorry for the mess, but there are still lots of disabled rules that I need to remove):

            (screenshots)

            • SipriusPT @SipriusPT

              I tried to create a new alias with fewer URLs, and added that for 443 and 80 on top, but with no result:

              (screenshot)

              DNs and sub-DNs are resolved by DNS lookup from the firewall.

              And this is the computer that I am using to test:

              (screenshot)

              In the network settings on that computer I have:

              (screenshot)

              @kom I am using URLs copy-pasted from those aliases into the target computer's browser through VNC.

              • KOM @SipriusPT

                @sipriuspt OK, maybe you're not understanding me. Many large hosts resolve to many IP addresses. pfSense will only use one at a time.

                So, for example, say you block www.netgate.com. When you do a lookup, www.netgate.com resolves to:

                199.60.103.226
                199.60.103.30

                pfSense will only use one of those. If your client then does a lookup and gets the 199.60.103.30 address, then they will be able to get there even though you think you have it blocked.

                • SipriusPT @KOM
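The mismatch KOM describes above (the client resolving an address that is not in the firewall's alias table) can be checked directly. The script below is an added example, not code from the thread or from pfSense: it takes the hostname list of an alias, the current contents of the matching pf table (what `pfctl -t <alias> -T show` prints on the firewall), and the A records the client's resolver returned, and reports every hostname with client-side addresses the table does not cover. All inputs here are constructed sample data so it runs offline.

```python
import ipaddress

# Constructed sample alias hostname list (one entry per line, '#' comments allowed)
ALIAS_FILE = """
# Production_tools_Hosts (constructed sample, not the poster's real file)
tool-a.example.net
cdn.tool-a.example.net
tool-b.example.org
"""

# Constructed sample of what `pfctl -t <alias> -T show` printed on the firewall
PF_TABLE_DUMP = """
   203.0.113.10
   198.51.100.7
"""

# Constructed sample A records the *client's* resolver returned for each host
CLIENT_ANSWERS = {
    "tool-a.example.net": ["203.0.113.10", "203.0.113.11"],
    "cdn.tool-a.example.net": ["198.51.100.7"],
    "tool-b.example.org": ["192.0.2.40", "192.0.2.41"],
}

def parse_hostnames(text):
    """Hostnames from an alias file, skipping blank lines and '#' comments."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def parse_pf_table(text):
    """Addresses/networks in a pfctl table dump (a bare address becomes a /32)."""
    return {ipaddress.ip_network(ln.strip()) for ln in text.splitlines() if ln.strip()}

def uncovered(hostnames, table, answers):
    """hostname -> client-resolved IPs that no entry in the pf table covers.

    A hostname is listed only if at least one of its client-side addresses
    is missing; traffic to such an address will not match an allow rule
    that references the alias, which is the symptom discussed in the thread."""
    result = {}
    for host in hostnames:
        missing = [ip for ip in answers.get(host, [])
                   if not any(ipaddress.ip_address(ip) in net for net in table)]
        if missing:
            result[host] = missing
    return result

if __name__ == "__main__":
    gaps = uncovered(parse_hostnames(ALIAS_FILE), parse_pf_table(PF_TABLE_DUMP), CLIENT_ANSWERS)
    for host, ips in gaps.items():
        print(f"{host}: client may connect to {ips}, not present in pf table")
```

With real data, the table dump comes from the firewall and the client answers from running the lookups on the affected PC; a non-empty result explains which sites will intermittently fail under the allow rule.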

                  @kom Not sure if I am following, but I think that wouldn't be an issue here, because I only allow certain large hosts, so there will be no issue with such rule "leaks".

                  In that alias I have about 40 DNs and sub-DNs, but only one IP (from one URL) was resolved in the entire URL table. I was expecting that using a DN or sub-DN listed there would at least get one IP, but nothing.

                  • noplan @KOM

                    Not getting into much detail because of lack of time.

                    Mention UDP / TCP in your rule settings for your ports.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.