Nested Aliases not working?

mjs · Dec 19, 2018, 1:32 PM

Running a standard freshly installed copy of 2.4.4-RELEASE-p1 and trying to replicate a similar setup to an older pfSense install on another box before retiring that older box.

I've set up some aliases as per the old box. One of which contains a number of network addresses. Another one which contains two FQDN's relating to an individual IP address. If I create a NAT rule using one or other of these aliases, all works fine for access to the server behind that rule. However, if I create a third alias that includes the two previously created aliases and use that third alias in the NAT rule above, I get no access from any of the aliased hosts/networks (yes, I have reloaded the rules). Am I doing something wrong or are nested aliases no longer working?

jimp · Dec 19, 2018, 1:58 PM

Nested aliases seem to work OK here. Do you have any entries in /var/etc/filterdns.conf for the new alias? What about entries in the Resolver log?

Does it make a difference if you kill filterdns (killall -9 filterdns) followed by a filter reload (Status > Filter Reload, click Reload Filter)?

mjs · Dec 19, 2018, 2:27 PM

Thanks for the response Jim. Have had a look at the contents of filterdns.conf and the hosts/networks I've created aliases for are indeed listed. Though oddly, one of the original aliases isn't listed in it's own right, though the two networks it relates to are included as part of the combined alias (not sure that entirely reads right in my mind, let alone now I've typed it). I've killed the process and reloaded it without any difference.

For example the three aliases I've set up are as follows (obfuscated to protect the innocent):

OFFICE - 5.144.xxx.xxx/28, 217.68.xxx.xxx/27
BRANCH - blah1.blahblahblah.com, blah2.blahblahblah.com
OURTRAFFIC - OFFICE, BRANCH

filterdns.conf contents:

pf blah1.blahblahblah.com OURTRAFFIC
pf blah2.blahblahblah.com OURTRAFFIC
pf 5.144.xxx.xxx/28 OURTRAFFIC
pf 217.68.xxx.xxx/27 OURTRAFFIC
pf blah1.blahblahblah.com BRANCH
pf blah2.blahblahblah.com BRANCH

Not that it would appear to make any difference but shouldn't the OFFICE alias appear in there too?

jimp · Dec 19, 2018, 2:28 PM

I believe it only lists aliases used in rules. So if you have that alias defined but not in a rule directly (only nested) then it wouldn't show up.

mjs · Dec 20, 2018, 12:19 PM

To close this topic off, I came back to the new install today and it's working fine now. No rule changes, no alias changes, just working.

Thanks for the pointers.

jimp · Dec 20, 2018, 1:54 PM

Glad to hear it's working but strange that it fixed itself.

If you get a few moments in the future, try making a few changes (adding a hostname, for example, or making a new nested alias) and see if you can reproduce the original behavior. If you can, note the changes you made and we can try to replicate it here as well.

dalamar · Aug 22, 2019, 8:06 PM

Hi, I know this is an old thread, but just a quick line to confirm the behavior; I am running 2.4.4-RELEASE-p3 with several nested aliases. Only the top aliases (not their children) are used in rules.

For some unknown reason, one of the firewall rules with source= top alias for a pass rule was not allowing the devices in one of the children aliases, the other two children aliases were working ok.

Following the following suggestion by @jimp everything went back to normal.

"Does it make a difference if you kill filterdns (killall -9 filterdns) followed by a filter reload (Status > Filter Reload, click Reload Filter)?"

In case It helps.