Pfsense 2.4.4 bug firewall



  • I have had my firewall configured for many years now so that only a few IPs can enter ports such as the pfSense administration or rdesktop. For that I created an alias where I put all the IPs that could access, and then I went to the NAT rule and in source I selected single host or alias and selected the name of the alias that I created. This was working a few years ago, but now on every pfSense that I update this option does not work. I think this is a bug.
    Even if I erase it and generate it again, it still doesn't work.


  • Rebel Alliance Global Moderator

    So you created an alias that has public IPs in it that you want to be able to access your port forwards.

    So this alias has what in it exactly, the public IPs, say
    1.2.3.4
    5.6.7.8
    etc..

    And you are using this for source in your port forward.. Ok - did you validate the IPs are still listed in the alias? You can view that from your Diag, Tables menu item and selecting your alias.

    And did you also validate that you're seeing traffic on your WAN from these specific IPs when your forward stops working?

    Can you post up your forwards and WAN rules? Do you have any floating rules? Are you using IPS or say pfBlocker packages? Did you run through the port forwarding troubleshooting guide?
    https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html



  • Thank you johnpoz, I'll post some images now so you can see the bug. Just one thing in advance: the same config is working on 2.4.3, 2.3.x, etc...


  • Rebel Alliance Global Moderator

    Here is the thing - it's not a bug.. Since I do the same thing.. With many IPs and networks... So I know for a fact it works ;)

    0_1540289053655_sourceAliasforward.png



  • 0_1540289382877_pfsense1.PNG
    0_1540289394672_pfsense2.PNG



  • 0_1540289862882_pfsense3.PNG

    It doesn't work for me, John :-(


  • Rebel Alliance Global Moderator

    So let's troubleshoot what is going on.

    So clearly you're blocking at your WAN.. So let's see the WAN rules. Let's look in the actual table for the alias via the Diag, Tables menu item. Do you see that 93.30 IP in there?

    0_1540290848045_tableofalias.png

    Also you have no rules on your floating? You're not using pfBlocker? Which rule actually blocked that - was it the default deny on your WAN?

    You sure that 93.90.x.x is the same IP that is in your alias and not off by 1 or something?

    edit: Guess it's possible that if say your FQDN does not resolve, the whole table doesn't get filled in? This is why you need to validate that you have the correct entries in the table via the Diag, Tables menu item like I showed above.



  • If I put the alias "seguros" it doesn't work for me, if I take it off it does.

    Thanks to your help, I think I know what's going on.

    Before, all this worked; now I see that it does not work in 2.4.4.

    Alias IP range 93.90.x.1-93.90.x.5 does not work in 2.4.4, it is not visible in Diagnostics > Tables.
    Dynamic alias IP put in alias "myhome.business.com" -> xxx.ddns.net is not visible in Diagnostics > Tables, or shows a past IP; it does not renew the IPs of my dynamic IP.

    When I change my alias "seguros" to add or delete hosts, I don't see a refresh in Diagnostics -> Tables. Is that normal???

    How can I force a reload of the alias "seguros" with the new hosts??


  • Netgate Administrator

    If you change the alias I would expect it to update immediately.
    I would guess that one of the FQDNs in that alias is unresolvable and that is causing, at best, a delay until it times out. I would expect some filterdns errors in the system log though.

    Steve


  • Rebel Alliance Global Moderator

    filterdns, which is used for the alias, should auto-update on its own every 5 minutes.. This is how it is started when you create an alias that needs it, i.e. an FQDN in a hosts alias.

    If you're not seeing any IP in the table for your FQDN (that is some dyndns record), are you sure that it resolves at all? When you go to Diag, DNS Lookup and put in the FQDN of this dyndns, does it resolve to the correct IP?

    So you have 5 different FQDNs for this IP range 93.90.x.1-93.90.x.5? Or are you saying that 1 FQDN should return all 5 IPs? Can you PM me this FQDN you're using for your dyndns and I can check to see what it resolves to.
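The checks suggested in this thread (expand the alias the way filterdns would, resolve each FQDN, and compare the result against what Diagnostics > Tables or `pfctl -t NAME -T show` actually lists) can be scripted. The script below is an added example written for this page; it is not pfSense code and not something any poster provided. The alias entries, the fake resolver standing in for filterdns, the table contents and all addresses (documentation ranges) are constructed sample data; a real run would feed it the alias as entered in Firewall > Aliases and the table as copied from Diagnostics > Tables, with the system resolver instead of the fake one.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# A resolver maps an FQDN to its addresses and raises OSError when it does not resolve.
Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Resolve with the OS resolver, the way a real check on the firewall would."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def _normalize(token: str) -> str:
    """Canonical table form: hosts as plain addresses, networks as CIDR (as pfctl prints them)."""
    net = ipaddress.ip_network(token.strip(), strict=False)
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else net.with_prefixlen


def _parse_range(entry: str) -> Optional[Tuple[ipaddress._BaseAddress, ipaddress._BaseAddress]]:
    """Return (lo, hi) for an 'a.b.c.d-a.b.c.e' entry; None for anything else (e.g. a hyphenated FQDN)."""
    lo_s, sep, hi_s = entry.partition("-")
    if not sep:
        return None
    try:
        return ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
    except ValueError:
        return None


def expand_entry(entry: str, resolve: Resolver, max_range: int = 4096) -> Set[str]:
    """Addresses one alias entry should contribute: a host, a CIDR, a lo-hi range, or an FQDN."""
    entry = entry.strip()
    rng = _parse_range(entry)
    if rng is not None:
        lo, hi = rng
        if lo.version != hi.version or int(hi) < int(lo) or int(hi) - int(lo) >= max_range:
            raise ValueError(f"bad range: {entry}")
        return {str(ipaddress.ip_address(n)) for n in range(int(lo), int(hi) + 1)}
    try:
        return {_normalize(entry)}  # single host or CIDR
    except ValueError:
        pass
    # Anything else is an FQDN that filterdns would have to resolve; OSError propagates if it does not.
    return {_normalize(a) for a in resolve(entry)}


def expand_alias(entries: Iterable[str], resolve: Resolver = system_resolver) -> Tuple[Set[str], List[str]]:
    """Expected table contents, plus the entries that could not be expanded (dead FQDNs, bad ranges)."""
    expected: Set[str] = set()
    failed: List[str] = []
    for entry in entries:
        try:
            expected |= expand_entry(entry, resolve)
        except (OSError, ValueError):
            failed.append(entry.strip())
    return expected, failed


def compare_table(expected: Set[str], table_lines: Iterable[str]) -> Dict[str, List[str]]:
    """Diff the expected set against the live table (Diagnostics > Tables or `pfctl -t NAME -T show`)."""
    live = {_normalize(l) for l in table_lines if l.strip() and not l.strip().startswith("#")}
    return {
        "missing": sorted(expected - live),  # allowed sources that the WAN default deny will block
        "stale": sorted(live - expected),    # old dynamic-DNS answers that are still being allowed
    }


# Constructed sample data (not the poster's real alias or addresses).
SAMPLE_ALIAS = ["203.0.113.1-203.0.113.5", "home.example.net", "dead.example.net", "198.51.100.0/24"]
SAMPLE_DNS = {"home.example.net": ["192.0.2.77"]}          # what the dyndns name resolves to today
SAMPLE_TABLE = ["203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4", "203.0.113.5",
                "198.51.100.0/24", "192.0.2.50"]            # 192.0.2.50 is yesterday's dyndns answer


def fake_resolver(name: str) -> List[str]:
    """Stand-in for filterdns/the system resolver so the example runs offline."""
    if name not in SAMPLE_DNS:
        raise OSError(f"NXDOMAIN: {name}")
    return SAMPLE_DNS[name]


def audit_sample() -> Dict[str, List[str]]:
    """Run the full check over the constructed alias and table."""
    expected, failed = expand_alias(SAMPLE_ALIAS, fake_resolver)
    report = compare_table(expected, SAMPLE_TABLE)
    report["unresolved"] = failed
    return report


if __name__ == "__main__":
    for key, values in audit_sample().items():
        print(f"{key}: {values}")
```

On the sample data the report shows the three conditions raised in the thread: an FQDN that does not resolve at all (`unresolved`), a current dynamic-DNS address absent from the table (`missing`, so that source hits the WAN default deny), and a previous dynamic-DNS address still in the table (`stale`, still allowed although it no longer belongs to the alias).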