Nested Aliases not working?



  • Running a standard freshly installed copy of 2.4.4-RELEASE-p1 and trying to replicate a similar setup to an older pfSense install on another box before retiring that older box.

    I've set up some aliases as per the old box, one of which contains a number of network addresses and another which contains two FQDNs relating to an individual IP address. If I create a NAT rule using one or other of these aliases, all works fine for access to the server behind that rule. However, if I create a third alias that includes the two previously created aliases and use that third alias in the NAT rule above, I get no access from any of the aliased hosts/networks (yes, I have reloaded the rules). Am I doing something wrong or are nested aliases no longer working?


  • Rebel Alliance Developer Netgate

    Nested aliases seem to work OK here. Do you have any entries in /var/etc/filterdns.conf for the new alias? What about entries in the Resolver log?

    Does it make a difference if you kill filterdns (killall -9 filterdns) followed by a filter reload (Status > Filter Reload, click Reload Filter)?



  • Thanks for the response Jim. Have had a look at the contents of filterdns.conf and the hosts/networks I've created aliases for are indeed listed. Though oddly, one of the original aliases isn't listed in its own right, though the two networks it relates to are included as part of the combined alias (not sure that entirely reads right in my mind, let alone now I've typed it). I've killed the process and reloaded it without any difference.

    For example the three aliases I've set up are as follows (obfuscated to protect the innocent):

    OFFICE - 5.144.xxx.xxx/28, 217.68.xxx.xxx/27
    BRANCH - blah1.blahblahblah.com, blah2.blahblahblah.com
    OURTRAFFIC - OFFICE, BRANCH

    filterdns.conf contents:

    pf blah1.blahblahblah.com OURTRAFFIC
    pf blah2.blahblahblah.com OURTRAFFIC
    pf 5.144.xxx.xxx/28 OURTRAFFIC
    pf 217.68.xxx.xxx/27 OURTRAFFIC
    pf blah1.blahblahblah.com BRANCH
    pf blah2.blahblahblah.com BRANCH

    Not that it would appear to make any difference but shouldn't the OFFICE alias appear in there too?


  • Rebel Alliance Developer Netgate

    I believe it only lists aliases used in rules. So if you have that alias defined but not in a rule directly (only nested) then it wouldn't show up.



  • To close this topic off, I came back to the new install today and it's working fine now. No rule changes, no alias changes, just working.

    Thanks for the pointers.


  • Rebel Alliance Developer Netgate

    Glad to hear it's working but strange that it fixed itself.

    If you get a few moments in the future, try making a few changes (adding a hostname, for example, or making a new nested alias) and see if you can reproduce the original behavior. If you can, note the changes you made and we can try to replicate it here as well.
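
Added example, not part of the thread and not pfSense code: a Python check that expands a nested alias to its leaf entries and reports any that are missing from that alias's lines in filterdns.conf, which is the comparison made by eye in the posts above. It assumes the `pf <entry> <alias>` line layout exactly as quoted in the thread; the function names and sample data are constructed for illustration.

```python
# Constructed sample data mirroring the obfuscated aliases quoted in the thread.
ALIASES = {
    "OFFICE": ["5.144.xxx.xxx/28", "217.68.xxx.xxx/27"],
    "BRANCH": ["blah1.blahblahblah.com", "blah2.blahblahblah.com"],
    "OURTRAFFIC": ["OFFICE", "BRANCH"],
}
FILTERDNS_CONF = """\
pf blah1.blahblahblah.com OURTRAFFIC
pf blah2.blahblahblah.com OURTRAFFIC
pf 5.144.xxx.xxx/28 OURTRAFFIC
pf 217.68.xxx.xxx/27 OURTRAFFIC
pf blah1.blahblahblah.com BRANCH
pf blah2.blahblahblah.com BRANCH
"""

def flatten(name, aliases, seen=None):
    """Expand an alias into its leaf hosts/networks, following nested aliases."""
    seen = set() if seen is None else seen
    if name in seen:  # guard against aliases that reference each other
        return []
    seen.add(name)
    leaves = []
    for member in aliases[name]:
        if member in aliases:
            leaves.extend(flatten(member, aliases, seen))
        else:
            leaves.append(member)
    return leaves

def parse_filterdns(text):
    """Return {alias: set(entries)} from 'pf <entry> <alias>' lines (assumed layout)."""
    tables = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "pf":
            tables.setdefault(fields[2], set()).add(fields[1])
    return tables

def missing_entries(alias, aliases, conf_text):
    """Leaf entries the alias should contain but that have no line under that alias."""
    listed = parse_filterdns(conf_text).get(alias, set())
    return sorted(set(flatten(alias, aliases)) - listed)

if __name__ == "__main__":
    for alias in ALIASES:
        print(alias, "missing:", missing_entries(alias, ALIASES, FILTERDNS_CONF))
```

On the sample, OURTRAFFIC and BRANCH report nothing missing, while OFFICE reports both networks because it has no lines of its own in the quoted file.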