In other firewall software, when creating a list of IPs in an alias, I could use a comment to note what the IP was, by entering data into a simple text field like this:
103.10.5.131#asus
35.241.133.48#dtube
There seems to be no way to comment each IP in OPNsense? Without an ability to comment each alias IP, I'm left with large lists of IPs and no idea what each IP is referencing without doing a lookup or keeping a separate list. Am I missing something?
Not to mention that the UI control for adding IPs to an alias is really awkward for anything more than a few entries...
Thanks!
Isn't the name of the alias supposed to document what the IP address is for?
I use alias names like "Host4_Minecraft" - I don't see what I would want to put into an additional comment.
This alias is of type "Hosts" and will have about 50 or so IPs in it...
For example, I could create the alias "FRIENDS_IPS", to contain the IP addresses of 50 of my friends' Minecraft servers. How would I know which friend owned which IP when looking at the list? In the past in other systems, I've used a format like:
for alias FRIENDS_IPS
x.x.x.x#John
x.x.x.x#George
x.x.x.x#Paul
I hear you... but in OPNsense you can create a master Alias which contains the individual aliases.
Alias: Allowed_oVPN_out
That master Alias contains a lot of single Aliases:
Alias: John
Alias: Mary_iPad
Alias: Mary_laptop
Etc... so you can do this today.
Thanks! It's messier, but that looks like the best option.
Sadly, this will require far too many clicks in the UI.
So ultimately, this is negatively impacting use of OPNsense. I'm not sure why the entry field for alias "content" is using a "label" type field but it's not working well at all for managing alias entries, and is hard to read when there are many IPs.
As a workaround, I can see possibly using Ansible to manage my aliases, as I could at least know what the IPs are for that I'm adding. I could also set up a URL IP list served by a web server. Not a great set of options really for something that should be really simple.
If none of these have public FQDN available, you could add them as host overrides in Unbound and then use those overrides in your alias.
Not sure if that really ends up cleaner or not. Perhaps convince everyone to invest in some dynamic DNS accounts?
To solve this problem, I use the IP Table option in the alias.
In my IIS, I have the aliases as a text file, where I can document them.
I create a file named FRIENDS_IPS.txt, that can be downloaded from https://x.x.x.x/FRIENDS_IPS.txt (using an internal IIS)
In that file the alias is defined:
x.x.x.x,#John
x.x.x.x,#George
x.x.x.x,#Paul
In OPNsense, I create an alias of type IP Table, with the link https://x.x.x.x/FRIENDS_IPS.txt.
I define the refresh frequency as 0 days, 0.02 Hours (about every minute).
This way I can use properly documented Alias files.
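Added example, not part of the original post: a Python check that could run before publishing a file like FRIENDS_IPS.txt, since the firewall will load whatever that URL serves. It assumes the "address,#owner" layout shown above (and also accepts "address#owner"); the function name lint_alias_file, the prefix-length limits and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the "address,#owner" layout (documentation-range
# addresses, not real hosts). Lines 3, 5, 6 and 7 are deliberately faulty.
SAMPLE = """\
192.0.2.10,#John
192.0.2.11,#George
192.0.2.11,#Paul
198.51.100.0/24,#Ringo office
203.0.113.300,#typo
0.0.0.0/0,#oops
192.0.2.12
"""

def lint_alias_file(text, min_prefix4=24, min_prefix6=64):
    """Return (entries, problems) for an annotated alias list.

    entries:  (network, owner) pairs that passed every check.
    problems: (line_number, message) pairs for rejected lines.
    min_prefix4/min_prefix6 are an assumed policy: wider networks are rejected.
    """
    entries, problems, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or whole-line comment
        addr, _, owner = line.partition("#")
        addr, owner = addr.strip().rstrip(",").strip(), owner.strip()
        try:
            net = ipaddress.ip_network(addr)  # strict: host bits must be zero
        except ValueError:
            problems.append((lineno, f"invalid address {addr!r}"))
            continue
        limit = min_prefix4 if net.version == 4 else min_prefix6
        if net.prefixlen < limit:
            problems.append((lineno, f"{net} is wider than /{limit}"))
        elif not owner:
            problems.append((lineno, f"{net} has no owner comment"))
        elif net in seen:
            problems.append((lineno, f"{net} duplicates line {seen[net]}"))
        else:
            seen[net] = lineno
            entries.append((str(net), owner))
    return entries, problems

if __name__ == "__main__":
    ok, bad = lint_alias_file(SAMPLE)
    for lineno, msg in bad:
        print(f"line {lineno}: {msg}")
    print(f"{len(ok)} entries accepted, {len(bad)} rejected")
```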
Quote from: Patrick M. Hausen on September 05, 2023, 10:56:52 PM
Isn't the name of the alias supposed to document what the IP address is for?
I use alias names like "Host4_Minecraft" - I don't see what I would want to put into an additional comment.
That means that you have to create 51 aliases to properly document the 1 alias you really need.
So, not really an option.