Netgate Discussion Forum
    Persistent Alias / Table, dnsmasq managed

    Firewalling
    3 Posts 2 Posters 678 Views
    taliwok
    last edited by taliwok

      Hi,

      Will appreciate any help with this.

      I’m routing traffic for specific domains (which change IP addresses often) through a VPN.

      The cleanest and most accurate way to achieve it is by using the DNS Forwarder / dnsmasq to collect IP addresses of those domains into PF Tables, using the ‘ipset’ directive, and then having a rule for LAN traffic destined to the Alias which is that table, to go through the VPN gateway.

      The first problem is - the table itself, although existing and created correctly (checked in pfctl and also Diagnostics->Tables) isn’t recognized as an Alias - so I defined a dummy alias using the same name - just for PFSense to accept it - and it works - until for whatever reason the filters reload (e.g. because the VPN connection restarted) - then the table gets wiped clean.

      I tried defining the same alias as a URL Table type where it’s persistent (with no entries) - which then has another problem with not accepting the LAN outbound rule saying my alias is not a defined macro.

      Is there some way to make PFSense do one of the following:

      1. Recognize my externally defined PF Table without touching it upon filter reload
      2. Define an Alias which is persistent and is of the Host type
      3. Any other way where I can keep using dynamic dns domain IP list based routing

      Many thanks :)

      Konstanti @taliwok
      last edited by Konstanti

        @taliwok
        Hello
        Unfortunately, you can't avoid deleting the table when you reload the rules. At the moment of reload, the firewall stops for a while and restarts again.
        You can write a script (using pfctl) that will save the table contents to a file and restore the table after reloading the rules.
        Or write a utility using the PF ioctl interface, which will also save and restore the contents of the table.

        https://www.freebsd.org/cgi/man.cgi?query=pf&apropos=0&sektion=4&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html

        DIOCRGETADDRS - to get all the addresses of a table.
        DIOCRADDADDRS - to add one or more addresses to a table

        taliwok @Konstanti
        last edited by taliwok

          @Konstanti said in FW Alias externally managed:

          > @taliwok
          > Hello
          > Unfortunately, you can't avoid deleting the table when you reload the rules. At the moment of reload, the firewall stops for a while and restarts again.

          It must be possible using persistent tables, or any tables that PFSense does not reset (it does reset all that is defined in Firewall->Aliases).

          For example - if I define an Alias that is URL Table (it’s persistent) - and add some entries to the table/alias manually with pfctl, reloading the filters does not cause the table/alias to become empty.

          > You can write a script (using pfctl) that will save the table contents to a file and restore the table after reloading the rules.

          Is there a script that PFSense automatically executes after reloading the rules, that I can modify?

          > Or write a utility using the PF ioctl interface, which will also save and restore the contents of the table.
          >
          > https://www.freebsd.org/cgi/man.cgi?query=pf&apropos=0&sektion=4&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html
          >
          > DIOCRGETADDRS - to get all the addresses of a table.
          > DIOCRADDADDRS - to add one or more addresses to a table

          Thanks but this is way more complicated than I intended - I hope there are simpler solutions.

          For example I saw OPNSense have an Alias type called “External” which sounds just like what I’m looking for. https://docs.opnsense.org/manual/aliases.html

          I wonder if there’s a simple way to achieve the same result in PFSense.

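The save-and-restore script Konstanti suggests, and the "what runs after a reload" question in the reply above, as an added example written for this thread (it is not code from either poster or from the pfSense project). It assumes the table is called vpn_domains, that dnsmasq fills it through a line such as ipset=/example.com/vpn_domains in its configuration (pfSense's dnsmasq writes ipset targets into pf tables, as the first post describes), and that the state file lives under /var/db; change those three to match your setup. Only pfctl is used, so it runs unchanged on the pfSense shell.

```shell
#!/bin/sh
# Added example, not code from the forum thread. Saves the contents of a pf
# table to a file and loads it back after a pfSense filter reload, using only
# pfctl. The table name "vpn_domains" and the state file path are assumptions.

TABLE="${TABLE:-vpn_domains}"                  # assumed table name
STATE="${STATE:-/var/db/pftable-${TABLE}.txt}" # assumed state file

# Reduce "pfctl -t NAME -T show" output (addresses indented by three spaces,
# plus counter lines if -v was used) to bare IPv4/IPv6 addresses or prefixes,
# one per line, deduplicated in byte order. The result is valid input for
# "pfctl -t NAME -T add -f FILE".
normalize_addrs() {
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -E '^!?[0-9A-Fa-f:.]+(/[0-9]{1,3})?$' \
    | LC_ALL=C sort -u
}

# Number of entries in a state file; 0 when the file is missing or empty.
count_entries() {
    if [ -f "$1" ]; then
        grep -c . "$1"
    else
        echo 0
    fi
}

# Dump the live table ($1) to the state file ($2). The write is atomic
# (temp file + mv) so a restore that races with a save never reads a
# half-written file.
save_table() {
    tmp="$2.tmp.$$"
    if pfctl -t "$1" -T show 2>/dev/null | normalize_addrs > "$tmp"; then
        mv "$tmp" "$2"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Re-add the saved addresses to table $1 from file $2. "-T add" creates the
# table if the freshly loaded ruleset did not, and reports entries that are
# already present as "0/N added" instead of failing.
restore_table() {
    [ -s "$2" ] || return 0
    pfctl -t "$1" -T add -f "$2" >/dev/null
    echo "restored $(count_entries "$2") entries into table $1"
}

case "${1:-}" in
    save)    save_table "$TABLE" "$STATE" ;;
    restore) restore_table "$TABLE" "$STATE" ;;
    "")      ;;   # no action given: only define the functions
    *)       echo "usage: $0 save|restore" >&2; exit 2 ;;
esac
```

Run `save` from cron every few minutes and `restore` after each filter reload. pfSense executes the command stored in the afterfilterchangeshellcmd element under system in config.xml at the end of every filter reload, which is the hook for the restore side; that element is not exposed in the GUI and you should confirm it is honoured by your pfSense version before relying on it. Two caveats worth keeping in mind: addresses dnsmasq learned between the last save and the reload are lost, and nothing here ages entries out, so for domains that change IP often the restored table accumulates stale addresses until you clear it.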
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.