Netgate Discussion Forum

    Host(s) type aliases now missing from list within Firewall / pfBlockerNG / IP / IPv4

    • farrina

      It would appear that Host(s) type aliases are no longer allowed, only Network(s) - this seems to have been a recent change in behaviour.

      General Setup

      Using pfSense version 2.7.2 (Community Edition)
      pfBlockerNG-devel 3.2.0_7
      pfBlockerNG is set via CRON to update daily (IP & DNSBL)
      Firewall Auto Rule Order is set to pfB_Pass/Match/Block/Reject | All otherRules (Default format)

      I use the IP blocking capabilities within pfBlockerNG to bar access to locations by way of their ASN numbers. This has worked seamlessly for a number of years, but I have recently encountered a problem that I believe to have occurred following a recent upgrade of pfSense from 2.7.0 to 2.7.2.

      I say upgrade, but in reality my normal practice is to undertake a bare metal reinstall of the latest version of pfSense and then restore the immediately preceding pfSense configuration via full backup restore.

      Basic Problem

      Under Firewall / pfBlockerNG / IP / IPv4
      Advanced Outbound Firewall Rule Settings
      Custom Source
      Text Field (to right of enable and invert check boxes)

      Expected behaviour

      Typing the name of an existing alias into the field should automatically filter/display the list of existing configured aliases (both Hosts and Network) to enable easy selection and addition.

      Previously I have selected Host(s) based aliases

      Actual behaviour

      Only Network aliases are now displayed - all existing Host(s) aliases are missing

      For existing configured Advanced Outbound Firewall Rule Settings previously using a Hosts alias field, the field is now blank, and the net effect of rule implementation is to block all outbound LAN connections to the Microsoft ASN and ignore the previously configured permitted Host(s) IP list.

      Mitigations

      Uninstall pfBlockerNG (retain existing settings - would be a major ball ache to reconfigure from scratch)
      Reboot pfSense (cold)
      Reinstall pfBlockerNG

      Creating new Host aliases and new IPv4 block lists does not circumvent the problem, i.e. it appears broken for new items as well as existing host aliases.

      Workaround

      Within Firewall / Aliases / IP, convert all existing Host(s) type aliases to Network type, e.g.

      Individual Host IP of 192.168.123.50 -> Network of 192.168.123.50/32

      (Note this can be done in bulk by changing the alias type from Host(s) to Network(s), which automatically appends /32 to each individual host IP address listed - if you have a large number of entries, this saves having to individually change/re-add them.)

      Result

      Under Firewall / pfBlockerNG / IP / IPv4
      Advanced Outbound Firewall Rule Settings
      Custom Source
      Text Field (to right of enable and invert check boxes)
      The converted Host(s) aliases (now Network aliases) are listed and can be selected from the list

      Expected behaviour restored (albeit Host aliases are no longer eligible for selection)

      Question

      Has the option to select Host(s) type aliases been removed from pfBlockerNG-devel 3.2.0_7? It still seems to be operative on one of my older pfSense boxes, thus:

      pfSense 2.7.0
      pfBlockerNG-devel 3.2.0_6

      Cheers

      Alan
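
An added example, not part of the original post and not pfSense or pfBlockerNG code: a Python script that lists the Host(s) aliases in a config.xml backup together with the /32 form the workaround above produces, so the result can be reviewed before the alias type is changed. The XML layout, alias names and addresses are constructed assumptions; it goes beyond the post by giving IPv6 entries /128 and by flagging entries that are not IP literals.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of the <aliases> section of a pfSense config.xml backup.
# Assumed layout: each <alias> has <name>, <type> and a space-separated <address>.
SAMPLE_CONFIG = """<pfsense>
  <aliases>
    <alias>
      <name>Permitted_Hosts</name>
      <type>host</type>
      <address>192.168.123.50 192.168.123.51 fd00::50 updates.example.test</address>
    </alias>
    <alias>
      <name>Lab_Nets</name>
      <type>network</type>
      <address>10.10.0.0/24</address>
    </alias>
  </aliases>
</pfsense>"""


def host_aliases_as_networks(config_xml):
    """Map each host-type alias name to its network-form entries.

    IP entries get a full-length prefix (/32 for IPv4, /128 for IPv6).
    Entries that are not IP literals (e.g. hostnames) go to "review".
    """
    report = {}
    root = ET.fromstring(config_xml)
    for alias in root.iterfind("./aliases/alias"):
        if (alias.findtext("type") or "").strip() != "host":
            continue  # only Host(s) aliases are affected by the workaround
        networks, review = [], []
        for entry in (alias.findtext("address") or "").split():
            try:
                ip = ipaddress.ip_address(entry)
            except ValueError:
                review.append(entry)  # cannot be given a prefix mechanically
                continue
            networks.append(f"{ip}/{ip.max_prefixlen}")
        report[alias.findtext("name")] = {"networks": networks, "review": review}
    return report


if __name__ == "__main__":
    for name, result in host_aliases_as_networks(SAMPLE_CONFIG).items():
        print(name, "->", " ".join(result["networks"]))
        for entry in result["review"]:
            print("  not an IP literal, check by hand:", entry)
```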

      • SteveITS Galactic Empire @farrina

        @farrina I am low on coffee, but as I recall there was a one-character typo bug fix in _7 and I don’t think it’s in the devel version. You could just switch to non-devel… in theory they are supposed to be the same.

        https://docs.netgate.com/pfsense/en/latest/releases/23-01.html
        “The pfBlockerNG package has been updated to match pfBlockerNG-devel. After upgrade it is safe to uninstall pfBlockerNG-devel (keeping settings) and install pfBlockerNG instead.”

        I seem to recall running into a similar problem a while back and using network/32 was my answer also. I don’t remember if it was pfBlocker though.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • farrina @SteveITS

          @SteveITS

          Thanks Steve - I was in auto mode and had not clocked that Devel and normal were now at the same revision. Likewise, with me running the Community Edition, I had not read the Plus release notes.

          Certainly looks promising - I shall revert my Host -> Network changes, install the normal package and report back in a day or so.

          Appreciate you taking the time to respond (seems rather quiet hereabouts lately - my next destination was going to be pfBlockerNG on Reddit!)

          Hope you found the coffee 😀

          Cheers

          Alan

          • farrina

            Further to my last, an update.

            I reverted my workaround changes (back from Network to Host) and reloaded pfBlockerNG but the issue did not return. I wonder if converting the type (described above) from Host to Network and back has reset something?

            Followed your suggestion of installing the non Dev version of pfBlocker and reloaded. All seems normal and operational using Host again.

            If I come across any subsequent "funnies" I shall report back, but for now I think I'll leave this post as is, in case anyone else runs into a similar issue.

            Cheers again for your help.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.