Persistent Alias / Table, dnsmasq managed
-
Hi,
Will appreciate any help with this.
I’m routing traffic for specific domains (which change IP addresses often) through a VPN.
The cleanest and most accurate way to achieve it is by using the DNS Forwarder / dnsmasq to collect IP addresses of those domains into PF Tables, using the ‘ipset’ directive, and then having a rule for LAN traffic destined to the Alias which is that table, to go through the VPN gateway.
The first problem is - the table itself, although existing and created correctly (checked in pfctl and also Diagnostics->Tables) isn’t recognized as an Alias - so I defined a dummy alias using the same name - just for pfSense to accept it - and it works - until for whatever reason the filters reload (e.g. because the VPN connection restarted) - then the table gets wiped clean.
I tried defining the same alias as a URL Table type where it’s persistent (with no entries) - which then has another problem with not accepting the LAN outbound rule saying my alias is not a defined macro.
Is there some way to make pfSense do one of the following:
- Recognize my externally defined PF Table without touching it upon filter reload
- Define an Alias which is persistent and is of the Host type
- Any other way where I can keep using dynamic dns domain IP list based routing
Many thanks :)
-
@taliwok
Hello
Unfortunately, you can't avoid deleting the table when you reload the rules. At the moment of reload, the firewall stops for a while and restarts again.
You can write a script (using pfctl) that will save the table contents to a file and restore the table after reloading the rules.
Or write a utility using the PF IOCTL interface, which will also save and restore the contents of the table.
https://www.freebsd.org/cgi/man.cgi?query=pf&apropos=0&sektion=4&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html
DIOCRGETADDRS - to get all the addresses of a table.
DIOCRADDADDRS - to add one or more addresses to a table
-
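A save/restore script of the kind suggested in the reply above, added here as an example and not code from either poster. It assumes the dnsmasq ipset table is named `vpn_domains` and keeps its snapshot under `/var/db/pftables` (both names are assumptions; override them via `TABLE` and `STATE_DIR`). It normalises the `pfctl -T show` output before saving and re-adds the entries with `pfctl -T add -f`, which tolerates entries that are already present.

```shell
#!/bin/sh
# Snapshot a pf table before a filter reload and re-populate it afterwards.
# PFCTL can be pointed at a wrapper for testing on a box without pf.
PFCTL="${PFCTL:-pfctl}"
TABLE="${TABLE:-vpn_domains}"            # assumed name of the dnsmasq ipset table
STATE_DIR="${STATE_DIR:-/var/db/pftables}"  # assumed location for the snapshot

# `pfctl -t <table> -T show` prints one indented address per line.
# Strip the indentation, drop blank lines, keep only address/prefix-shaped
# entries and de-duplicate, so the file is safe to feed back with -T add -f.
normalize_dump() {
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -E '^[0-9A-Fa-f.:]+(/[0-9]+)?$' \
        | sort -u
}

# Write the table's current entries to $STATE_DIR/$TABLE.txt and
# return (print) the number of entries saved.
save_table() {
    mkdir -p "$STATE_DIR"
    "$PFCTL" -t "$TABLE" -T show 2>/dev/null \
        | normalize_dump > "$STATE_DIR/$TABLE.txt"
    wc -l < "$STATE_DIR/$TABLE.txt" | tr -d ' '
}

# Re-add the saved entries. Nothing to do if no snapshot exists or it is empty;
# -T add ignores entries that are already in the table, so this is idempotent.
restore_table() {
    f="$STATE_DIR/$TABLE.txt"
    [ -s "$f" ] || return 0
    "$PFCTL" -t "$TABLE" -T add -f "$f" >/dev/null 2>&1
}

# Stand-alone use: `script.sh save` before the reload, `script.sh restore` after.
case "${1:-}" in
    save)    save_table ;;
    restore) restore_table ;;
esac
```

Because dnsmasq only re-adds an address when the domain is looked up again, the restore closes the window between the reload and the next DNS query during which traffic would bypass the VPN rule.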
@Konstanti said in FW Alias externally managed:
> @taliwok
> Hello
> Unfortunately, you can't avoid deleting the table when you reload the rules. At the moment of reload, the firewall stops for a while and restarts again.

It must be possible using persistent tables, or any tables that pfSense does not reset (it does reset all that is defined in Firewall->Aliases).
For example - if I define an Alias that is URL Table (it’s persistent) - and add some entries to the table/alias manually with pfctl, reloading the filters does not cause the table/alias to become empty.

> You can write a script (using pfctl) that will save the table contents to a file and restore the table after reloading the rules.

Is there a script that pfSense automatically executes after reloading the rules, that I can modify?

> Or write a utility using the PF IOCTL interface, which will also save and restore the contents of the table.
> https://www.freebsd.org/cgi/man.cgi?query=pf&apropos=0&sektion=4&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html
> DIOCRGETADDRS - to get all the addresses of a table.
> DIOCRADDADDRS - to add one or more addresses to a table

Thanks but this is way more complicated than I intended - I hope there are simpler solutions.
For example I saw OPNsense has an Alias type called “External” which sounds just like what I’m looking for. https://docs.opnsense.org/manual/aliases.html
I wonder if there’s a simple way to achieve the same result in pfSense.