OPNsense Forum

English Forums => General Discussion => Topic started by: RoamingJay on March 07, 2023, 02:34:15 am

Title: Host range in alias doesn't seem to work
Post by: RoamingJay on March 07, 2023, 02:34:15 am
So I'm trying to use an alias that includes 192.168.1.180-190.
The setup page accepted it without error,
but if I create a rule with that alias the rule will have no effect (the firewall just skips that rule and goes to the next as if that alias didn't hit 192.168.1.181 for example).

Looks like there had been an old report about this issue:
https://github.com/opnsense/core/issues/1738
Any update on this?

If I just enter 10 individual addresses for that alias, the rule will work.
From the above old and closed report, perhaps I should just go with the type Network instead of host?

Thanks

=====
edited:
never mind, from that commit it turns out 192.168.1.180-192.168.1.190 will work but not 192.168.1.180-190 ::)
Could perhaps be a future polishing job if any dev bothers to spend time on this.
=====
edited 2:
the 192.168.1.180-192.168.1.190 format seems to work just fine for rules, but the alias's content doesn't show up correctly under the Diagnostic page. Missing some addresses, having random network mask numbers, etc. It's just very strange even though rules are working as expected. ::)
Title: Re: Host range in alias doesn't seem to work
Post by: Fright on March 07, 2023, 04:12:59 pm
Quote
but the alias's content doesn't show up correctly under the Diagnostic page. Missing some addresses, having random network mask numbers, etc
are you sure about 'missing' addresses?
Firewall: Diagnostics: Aliases shows aliases from the pf point of view (the actual pf table)
Title: Re: Host range in alias doesn't seem to work
Post by: RoamingJay on March 07, 2023, 06:53:13 pm
Definitely fewer entries than the total number of individual addresses,
though from memory they all have 1 or more lines with a network mask attached; didn't pay extra attention previously, perhaps multiple individual addresses were "shortened" into 1 entry.
Will have another look, and update later today.
Title: Re: Host range in alias doesn't seem to work
Post by: Fright on March 07, 2023, 09:15:39 pm
Quote
Definitely fewer entries than the total number of individual addresses
sure.. OPNsense summarizes IP ranges to subnets when parsing aliases
https://github.com/opnsense/core/blob/3af487bcf65a4d8a32ea999f16f1a932620e80e7/src/opnsense/scripts/filter/lib/alias/base.py#L68-L74
Title: Re: Host range in alias doesn't seem to work
Post by: RoamingJay on March 08, 2023, 03:01:15 am
So it's working as expected even though a somewhat awkward representation for human eyes.
Under the Diagnostic page for Aliases,
let's say an alias containing 192.168.1.200-192.168.1.209
The Diagnostic page will show two lines

192.168.1.200/29
192.168.1.208/31

3 digits (000 to 111) to represent the 200 to 207
similarly on the 2nd line for the last bit change.

I somehow was expecting something like 10 individual lines; coupled with the rare implementation of the "-" which tempted my brain to think something weird was happening.
*it accepts both 192.168.1.200-209 and 192.168.1.200-192.168.1.209 for adding an alias, but rules will only work with the latter.
*if I enter the 192.168.1.200/29 as Type host the firewall will return with error  :-\  Type network likely works then.

It makes sense now, just somewhat awkward for the brain.
The "Find reference" also works perfectly, pretty much mystery solved now  :-X

Thanks for all the quick tips
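
The range-to-subnet summarization discussed in this thread, as an added example that is not part of the original posts and is not OPNsense's own code: it uses Python's standard `ipaddress` module, rejects the short `192.168.1.200-209` form outright, and checks that a table listing covers exactly the intended addresses. The function names are hypothetical.

```python
import ipaddress


def summarize_range(entry):
    """Collapse 'first-last' (both ends full addresses) into a minimal CIDR list."""
    first_s, sep, last_s = entry.strip().partition("-")
    if not sep:
        raise ValueError(f"not a range: {entry!r}")
    try:
        first = ipaddress.ip_address(first_s.strip())
        last = ipaddress.ip_address(last_s.strip())
    except ValueError:
        # e.g. '192.168.1.200-209': the right-hand side is not a full address,
        # so fail loudly instead of producing an alias that matches nothing
        raise ValueError(f"both ends must be full addresses: {entry!r}") from None
    if first.version != last.version or first > last:
        raise ValueError(f"invalid range bounds: {entry!r}")
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def covered_addresses(cidrs):
    """Expand table entries (as listed under Diagnostics) back to single addresses."""
    addresses = set()
    for cidr in cidrs:
        addresses.update(str(ip) for ip in ipaddress.ip_network(cidr))
    return addresses


def table_matches_range(entry, table_cidrs):
    """True if the listed table entries cover exactly the intended range."""
    return covered_addresses(summarize_range(entry)) == covered_addresses(table_cidrs)


if __name__ == "__main__":
    # Constructed sample inputs taken from the ranges mentioned in the thread
    for sample in ("192.168.1.200-192.168.1.209", "192.168.1.180-192.168.1.190"):
        cidrs = summarize_range(sample)
        print(sample, "->", cidrs, f"({len(covered_addresses(cidrs))} addresses)")
    try:
        summarize_range("192.168.1.200-209")
    except ValueError as exc:
        print("rejected:", exc)
```

Comparing the expanded set against the intended range is a quick way to confirm that a short table listing still matches every address the rule is supposed to cover, and nothing beyond it.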
Title: Re: Host range in alias doesn't seem to work
Post by: Fright on March 08, 2023, 06:38:06 am
Quote
pretty much mystery solved now
:)
Title: Re: Host range in alias doesn't seem to work
Post by: kd.gundermann on July 25, 2023, 05:55:21 pm
*it accepts both 192.168.1.200-209 and 192.168.1.200-192.168.1.209 for adding an alias, but rules will only work with the latter.

So is the first notation a valid one??
So it would be nice if there is some help text in the GUI which describes valid notations.