Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Persistent Alias / Table, dnsmasq managed

    Firewalling
    2
    3
    114
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      taliwok last edited by taliwok

      Hi,

      Will appreciate any help with this.

      I’m routing traffic for specific domains (which change IP addresses often) through a VPN.

      The cleanest and most accurate way to achieve it is by using the DNS Forwarder / dnsmasq to collect IP addresses of those domains into PF Tables, using the ‘ipset’ directive, and then having a rule for LAN traffic destined to the Alias which is that table, to go through the VPN gateway.

      The first problem is - the table itself, although existing and created corrected (checked in pfctl and also Diagnostics->Tables) isn’t recognized as an Alias - so I defined a dummy alias using the same name - just for PFSense to accept it - and it works - until for whatever reasons the filters reload (Eg because the VPN connection restarted) - then the table gets wiped clean.

      I tried defining the same alias as a URL Table type where it’s persistent (with no entries) - which then has another problem with not accepting the LAN outbound rule saying my alias is not a defined macro.

      Is there some way to make PFSense do one of the following:

      1. Recognize my externally defined PF Table without touching it upon filter reload
      2. Define an Alias which is persistent and is of the Host type
      3. Any other way where I can keep using dynamic dns domain IP list based routing

      Many thanks :)

      K 1 Reply Last reply Reply Quote 0
      • K
        Konstanti @taliwok last edited by Konstanti

        @taliwok
        Hello
        Unfortunately, you can't avoid deleting the table when you reload the rules. At the moment of reload, the firewall stops for a while and restarts again.
        You can write a script (using pfctl) that will save the table contents to a file and restore the table after reloading the rules.
        Or write a utility using the IOCTL interface PF, which will also save and restore the contents of the table.

        https://www.freebsd.org/cgi/man.cgi?query=pf&apropos=0&sektion=4&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html

        DIOCRGETADDRS - to get all the addresses of a table.
        DIOCRADDADDRS - to add one or more addresses to a table

        T 1 Reply Last reply Reply Quote 0
        • T
          taliwok @Konstanti last edited by taliwok

          @Konstanti said in FW Alias externally managed:

          @taliwok
          Hello
          Unfortunately, you can't avoid deleting the table when you reload the rules. At the moment of reload, the firewall stops for a while and restarts again.

          It must be possible using persistent tables, or any tables that PFSense does not reset (it does reset all that is defined in Firewall->Aliases).

          For example - if I define an Alias that is URL Table (it’s persistent) - and add some entries to the table/alias manually with pfctl, reloading the filters does not cause the table/alias to become empty.

          You can write a script (using pfctl) that will save the table contents to a file and restore the table after reloading the rules.
          Is there a script that PFSense automatically executed after reloading the rules, that I can modify?
          Or write a utility using the IOCTL interface PF, which will also save and restore the contents of the table.

          https://www.freebsd.org/cgi/man.cgi?query=pf&apropos=0&sektion=4&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html

          DIOCRGETADDRS - to get all the addresses of a table.
          DIOCRADDADDRS - to add one or more addresses to a table

          Thanks but this is way more complicated than I intended - i hope there are simpler solutions.

          For example I saw OPNSense have an Alias type called “External” which sounds just like what I’m looking for. https://docs.opnsense.org/manual/aliases.html

          I wonder if there’s a simple way to achieve the same result in PFSense.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post

          Products

          • Platform Overview
          • TNSR
          • pfSense
          • Appliances

          Services

          • Training
          • Professional Services

          Support

          • Subscription Plans
          • Contact Support
          • Product Lifecycle
          • Documentation

          News

          • Media Coverage
          • Press
          • Events

          Resources

          • Blog
          • FAQ
          • Find a Partner
          • Resource Library
          • Security Information

          Company

          • About Us
          • Careers
          • Partners
          • Contact Us
          • Legal
          Our Mission

          We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

          Subscribe to our Newsletter

          Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

          © 2021 Rubicon Communications, LLC | Privacy Policy