Aliases have driven me crazy
-
In my experience, aliases are the most unreliable part of pfSense.
Some versions ago, the alias table was not refreshed correctly when the same FQDN appeared more than once. Now I am running 2.4.5-RELEASE-p1 community version and aliases go strange again:
- I added an IP to an alias but it was not reflected in the corresponding alias table.
- When I created a network alias, 103.20.236.0/22, there was no table created.
I tried to scan through various logs but there was no clue what had gone wrong.
I studied the pfctl CLI but there is nothing on aliases. Besides rebooting pfSense, is there any way to force a rebuild of alias tables?
In case of similar errors in future, where can I find more information on what was the culprit?
-
@bchan
Tables are only created when an alias is added to a firewall rule.
An alias that isn't used by a rule has no table.
-
@heper Thank you for your reply. Maybe I misunderstood. Can I ask: when I embed an alias in another alias, will I get a table when the other alias is referenced in a firewall rule?
-
example:
alias1 = [1.2.3.4]
alias2 = [5.6.7.8, alias1]
If you then create a rule that uses alias2, then pfSense will create a table containing 1.2.3.4 & 5.6.7.8.
-
Hello!
I added a simple IP Host Alias named tester with a FQDN of google.com. Even though it has not been added to a firewall rule, I still see a table in Diagnostics -> Table and the following output:
[2.4.5-RELEASE][admin@pfSense]/root: pfctl -T show -t tester
172.217.4.78
2607:f8b0:4009:805::200e
I share the concerns of @bchan when it comes to aliases.
John
-
@serbus That's because a FQDN has to be resolved to IPs before it can be added to firewall rules.
I personally wouldn't ever use a FQDN in an alias in that way because of the huge load-balancing pools most cloud providers use... it'll never be accurate because it'll resolve differently every time.
-
Hello!
Ahhh...I see.
So I created an IP Network Alias that has a mix of FQDNs and IP networks. The alias is not in a firewall rule. The table is created immediately, but it only has the resolved FQDN IP in it.
After adding the alias to a firewall rule, the IP network portion of the alias is never added to the table. The alias table never has anything other than the resolved FQDN.
John
-
@serbus
I can't reproduce your problem. I just created an alias with the following:
- 1.2.3.4
- google.be
- 5.6.7.8
- amazon.com
When I go to Diagnostics -> Tables it shows:
1.2.3.4
5.6.7.8
54.239.28.85
176.32.103.205
205.251.242.103
216.58.214.3
2a00:1450:400e:800::2003
So I don't see the problem you experience. It's still a pointless alias because google.com & amazon.com will resolve differently for my clients & thus render the rule useless.
-
Hello!
The same thing happens if the fqdn points to a local device, which is the normal use case for me.
The feeling I get from aliases is that they are finicky.
The idea that you could set up an alias and get one result, and that I could set up a similar alias (I used a /28 network, not a single host, in my test) and get a different result bears this out.
I get the same vibe when reading through bugs like https://redmine.pfsense.org/issues/9296
There is lots of interesting reading in redmine about aliases. I hope that aliases are working well for most people, but I do have to agree that at times they have "driven me crazy".
John
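-
An added check that is not part of the thread and not pfSense's own code: it puts heper's nesting rule (alias2 = [5.6.7.8, alias1] yields one table holding both addresses) and the `pfctl -T show` inspection serbus and heper used into a script that flattens alias definitions, parses a pasted table dump, and reports which entries the table is missing or has extra, which is the kind of evidence bchan was asking for. The alias names, the DNS answers and the sample pfctl output are constructed for the example; `live_diff` is the only part that touches a real system and assumes `pfctl` is on the path and the script runs as root.

```python
"""Compare a pfSense alias definition with the pf table that should back it (added example)."""
import ipaddress
import subprocess

# Constructed alias definitions for the example; they mirror the nesting heper describes.
# Values may be hosts, CIDR networks, FQDNs or the name of another alias.
ALIASES = {
    "alias1": ["1.2.3.4"],
    "alias2": ["5.6.7.8", "alias1"],
    "mixed": ["103.20.236.0/22", "alias2", "www.example.com"],
}

# Constructed stand-in for DNS so the script runs offline; a real run would resolve these.
RESOLVED = {"www.example.com": ["192.0.2.10", "2001:DB8:0:0:0:0:0:10"]}

# Constructed sample of `pfctl -t mixed -T show` for a table that only received the resolved
# FQDN addresses, i.e. the symptom serbus reports (pfctl indents entries with three spaces).
SAMPLE_SHOW = "   192.0.2.10\n   2001:db8::10\n"

# Constructed sample of `pfctl -s Tables`: one table name per line.
SAMPLE_TABLES = "bogons\nbogonsv6\nmixed\n"


def normalize(entry):
    """Canonical text for one table member so both sides compare equal (e.g. IPv6 compression)."""
    if "/" in entry:
        return str(ipaddress.ip_network(entry, strict=False))
    return str(ipaddress.ip_address(entry))


def flatten_alias(name, aliases=ALIASES, resolved=RESOLVED, _stack=()):
    """Set of entries the pf table for `name` should contain.

    Nested aliases are recursed into, FQDNs are replaced by their resolved addresses, and
    hosts/networks are normalized. A reference cycle raises instead of recursing forever.
    """
    if name in _stack:
        raise ValueError("alias cycle: " + " -> ".join(_stack + (name,)))
    members = set()
    for item in aliases[name]:
        if item in aliases:
            members |= flatten_alias(item, aliases, resolved, _stack + (name,))
        elif item in resolved:
            members.update(normalize(a) for a in resolved[item])
        else:
            members.add(normalize(item))
    return members


def parse_pfctl_show(output):
    """Entries from `pfctl -t NAME -T show` output; lines that are not addresses are skipped."""
    entries = set()
    for line in output.splitlines():
        token = line.strip().split()[0] if line.strip() else ""
        try:
            entries.add(normalize(token.lstrip("!")))
        except ValueError:
            continue  # blank lines, statistics lines from -v, kernel warnings
    return entries


def table_exists(name, tables_output):
    """True if `pfctl -s Tables` output lists the table (heper: no rule using the alias, no table)."""
    return name in {t.strip() for t in tables_output.splitlines()}


def diff_table(name, show_output, aliases=ALIASES, resolved=RESOLVED):
    """(missing, extra): entries the alias implies but the table lacks, and table entries the
    alias does not account for. Both lists empty means the table matches the definition."""
    expected = flatten_alias(name, aliases, resolved)
    actual = parse_pfctl_show(show_output)
    return sorted(expected - actual), sorted(actual - expected)


def live_diff(name):
    """Run the check against the running pf on this host (needs pfctl on the path and root)."""
    tables = subprocess.run(["pfctl", "-s", "Tables"], capture_output=True, text=True, check=True).stdout
    if not table_exists(name, tables):
        return None  # no table at all: most likely no firewall rule references the alias
    show = subprocess.run(["pfctl", "-t", name, "-T", "show"], capture_output=True, text=True, check=True).stdout
    return diff_table(name, show)


if __name__ == "__main__":
    print("alias2 expands to:", sorted(flatten_alias("alias2")))
    missing, extra = diff_table("mixed", SAMPLE_SHOW)
    print("mixed: table exists:", table_exists("mixed", SAMPLE_TABLES))
    print("mixed: missing from table:", missing)
    print("mixed: extra in table:", extra)
```

On the constructed sample the script reports the network 103.20.236.0/22 and the two nested hosts as missing, which is exactly the evidence to attach to a bug report. An entry list can be pushed into a table by hand with `pfctl -t NAME -T replace -f FILE` (one entry per line), but that only lasts until pfSense next reloads the ruleset and regenerates its tables from the saved configuration, so treat it as a diagnostic rather than a fix.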