Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Traffic from an Alias host FQDN starts being blocked after some time

    Firewalling
    3
    9
    244
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      alirz
      last edited by

      I have an alias /32 FQDN hostname defined in pfsense e.g "ABC.mydomain.net", the host does have a static IP. When i add that alias, traffic from that host is allowed and i can reach the resources inside the LAN from that host.
      However after a day or two the traffic starts being blocked by pfsense. firewall rule show "blockced by DEFAULT block rule" Note the host source IP is the same.
      At this point if i reboot pfsense it starts working again for sometime but the problem eventually comes bac. I only have a total of 5 aliases defined in pfsense so its not even an extensive list, all are /32

      S 1 Reply Last reply Reply Quote 0
      • S
        SteveITS Rebel Alliance @alirz
        last edited by

        @alirz Can Diagnostics/DNS Lookup resolve it? Perhaps, after it stops working?

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        A 1 Reply Last reply Reply Quote 0
        • A
          alirz @SteveITS
          last edited by

          @SteveITS i have not tried that yet however the last time it stopped working i did do a nslookup for that host from the pfsense CLI and it returned the correct IP but it still wasnt working.
          As i write this post, the issue had been occurring for the past hour. Few minutes ago i just went in the Alias tab, edited the Aliases, but then came out without saving and now realize traffic is being allowed again.
          confused lol

          S 1 Reply Last reply Reply Quote 0
          • S
            SteveITS Rebel Alliance @alirz
            last edited by

            @alirz Alias hostnames are resolved every 5 minutes by default so it’s still likely some sort of DNS error. Maybe on the server end?
            https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html#using-hostnames-in-aliases
            Brainstorming, write a batch file to do that DNS lookup every few minutes?

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            JonathanLeeJ A 2 Replies Last reply Reply Quote 0
            • JonathanLeeJ
              JonathanLee @SteveITS
              last edited by

              @SteveITS I remember we use to be able to change the resolve time in the past. Is that not the case anymore?

              Make sure to upvote

              S 1 Reply Last reply Reply Quote 0
              • S
                SteveITS Rebel Alliance @JonathanLee
                last edited by

                @JonathanLee Per that doc page
                "The default interval is 300 seconds (5 minutes), and can be changed by adjusting the value of Aliases Hostnames Resolve Interval on System > Advanced, Firewall & NAT tab. "
                :)

                Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                Upvote 👍 helpful posts!

                JonathanLeeJ 1 Reply Last reply Reply Quote 1
                • JonathanLeeJ
                  JonathanLee @SteveITS
                  last edited by

                  @SteveITS

                  Thanks I thought it use to be under system tuneables.

                  Screenshot 2023-06-14 at 11.40.57 AM.png

                  Make sure to upvote

                  1 Reply Last reply Reply Quote 0
                  • A
                    alirz @SteveITS
                    last edited by

                    @SteveITS but even if the dns lookup failed for some reason,does pfsense not remember the previously resolved iP address for that Alias? It’s a static iP so isn’t really changing.

                    S 1 Reply Last reply Reply Quote 0
                    • S
                      SteveITS Rebel Alliance @alirz
                      last edited by

                      @alirz Not sure, but the alias should be in Diagnostics/Tables.

                      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                      Upvote 👍 helpful posts!

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post