Hi,
I am running out of ideas what to check with the following issue:
I have two instances of OPNSense, running on 25.1.7_4. One is within a proxmox VM and works fine. The other is my edge router (bare metal) and this is unable to handle new aliases.
What I did to exercise the problem:
1. Create new Alias "PC" (Host, 1 IPv4 LAN). Yes, clicked "Apply"!
2. Create a rule on LAN (Source "PC", Protocol enabled), pass. Yes, clicked "Apply"!
3. Trigger some traffic, nothing in the LiveView Log
4. Updated the rule using the verbatim IP address.
5. LiveView is showing a lot of traffic from the protocol rule.
Observations:
- In the alias section in firewall, the "last updated" column remains empty for "PC", load count is 0
- In the alias section in diagnostics, PC shows up as selectable item but shows no contents.
- Global configuration in /conf/config.xml contains the alias definition
- Checked /var/db/aliastables, no entry for "PC" - the filesystem has plenty of space left and permissions seem ok
- Checked backend log: Nothing of a warning or higher severity, nothing relevant (from my perspective) in less severe levels.
- Checked firewall log: No warning or higher, nothing about alias (had to search for the term "alias")
- Cloudflare, Spamhaus DROP and GeoIP seem to regenerate as usual, timestamp of /var/db/aliastables matches log entries
The only "interesting" part about this machine is that I replaced the SSD 4 weeks ago, ran a full install and reloaded the last known config / backup. Updated to 24.1.7_4 in the process afterwards.
I know I can stick to hard coded IP addresses for now - and I will not reboot until the next weekend at least, so testing it is currently not possible. My second instance on Proxmox does not have this issue and updates everything as required.
EDIT: (See reply below for more) running configctl filter refresh_aliases returned no output other than an empty line.
Are there any other locations I might have a look for diagnostics or trigger an alias re-generation from the shell?
Thanks.
EDIT2/Resolution: flock was blocking forever on a lock existing for more than 21 days. I'd expect however the firewall to not silently do nothing in such a case.
Quote- In the alias section in firewall, the "last updated" column remains empty for "PC", load count is 0
Seems to be the root of all. The alias is not being populated. Why? This depends on what are you using for "Content". If is an ip address, can you ping it for instance from this firewall?
Yes, I can ping the IP address.
Had the chance to run configctl filter refresh_aliases
On the proxmox machine with no issues:
{"status": "ok"}
On the barematel machine with issues:
Are you running them as a HA setup with CARP and pfsync enabled?
Quote from: cookiemonster on June 02, 2025, 04:19:24 PMAre you running them as a HA setup with CARP and pfsync enabled?
No, I don't.
I don't know then with the limited info available for two firewalls and their setup.
Quote from: cookiemonster on June 02, 2025, 05:46:07 PMI don't know then with the limited info available for two firewalls and their setup.
Sorry for being unclear: Both instances were not running in HA mode or anyhow connected. One is the network's edge router the other one acts as a DevOps testing protection gateway. The only common thing they had: Same software version. But different behaviour.