Hi,
I would like to query for some background information about the __optX_network and __optX_address objects/aliases/thingies. They are either inconsistently handled in the Web UI or I am missing something in my limited knowledge.
Here is what I know:
- It looks like they are implicitly created with putting an IP address on an Interface in Interfaces > Interface.
- __optX_network seems to contain the proper network/prefix object that can be used to cover the IP address range on the Interface
- __optX_address looks like it is designed to contain the IP address of the OPNsense machine.
- The object name is one of the few places where the internal identifier of the Interface seems exposed to the user, which is a major source of confusion since the number in optX usually neither matches the physical interface name nor the VLAN id. It's just another incremented number that one cannot seem to be able to influence but has to grok in rules.
- It seems to be possible to use both variants directly in the Source/Destination field of a Firewall Rule (old interface) by scrolling down aaaaaaaaaalll the way to "Networks" and searching for the "Description" of the Interface, not the identifier.
- __optX_network shows up in Firewall > Aliases as "Internal(Automatic)" with the Interface Description as "Description". The Content doesn't show, but I can also see them in Firewall > Diagnostics > Aliases and I can build network groups from them. In the "Edit Alias" dialog, I can add them to a network list, but I need to do so by searching for the __optX_network string and not for the description.
- __optX_address does not show up in Aliases at all, neither in the Alias list, nor in Firewall > Diagnostics > Aliases, nor can I add those objects to a host or network list.
- I also cannot see which addresses __optX_address expands to. What happens to that object when I have multiple IP addresses and/or virtual IP addresses on the Interface? Can I rely on that object always being correct?
I would appreciate it if someone could elaborate on this or maybe even lead me towards existing documentation, or maybe even issues (in the case that I am correct and that OPNsense indeed handles this suboptimally).
In the current state of me not understanding and not finding documentation, those automatic network objects add confusion while being of quite limited usefulness for me.
Greetings
Marc
Quote from: Zugschlus on Today at 01:29:19 PM
> I also cannot see which addresses __optX_address expands to. What happens to that object when I have multiple IP addresses and/or virtual IP addresses on the Interface? Can I rely on that object always being correct?
The firewall alias "FOO address" resolves to *all* addresses assigned to interface FOO.
For general manageability you are supposed to use the "LAN address", "LAN network", "FOO address" etc. aliases not the internal __opt_something ones. I don't know why they are even exposed other than "historical artefact".
HTH,
Patrick
When used in firewall rules, OPNsense itself doesn't expand these _network / _address aliases at all.
Have a look at Firewall: Diagnostics: Statistics: rules. If you selected an _address or _network alias in a firewall rule, it turns into something like vtnet1:2 or vtnet0:network:1 in the resulting pf rules.
Cheers
Maurice
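To turn Patrick's and Maurice's answers into a check you can run on the box, here is an added example that is not from the thread: it lists every IPv4 address on the interface (the set "FOO address" is said to resolve to, VIPs included) and picks out the pf rules that use a runtime interface token rather than a literal address. The ifconfig and pfctl text below is constructed sample output shaped after the tokens Maurice quotes, and the interface name vtnet1 is taken from his post.

```shell
# Constructed sample of `ifconfig vtnet1`: one primary address plus one
# virtual IP (VIP) alias. Replace with real output on the firewall.
SAMPLE_IFCONFIG='vtnet1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
	inet 192.0.2.2 netmask 0xffffffff broadcast 192.0.2.2
	inet6 fe80::1%vtnet1 prefixlen 64 scopeid 0x2'

# Constructed sample of `pfctl -sr` lines: the first two use the runtime
# interface tokens the thread mentions, the third hard-codes an address.
SAMPLE_RULES='pass in quick on vtnet1 inet from (vtnet1:network:1) to (vtnet1:2) flags S/SA keep state label "lan to firewall"
pass in quick on vtnet1 inet from any to (vtnet1:2) flags S/SA keep state label "any to firewall"
pass in quick on vtnet1 inet from 192.0.2.1 to any flags S/SA keep state label "literal address"'

# Every IPv4 address assigned to the interface, one per line: the set
# "FOO address" is described as covering, VIPs included.
iface_v4_addrs() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | awk '$1 == "inet" { print $2 }'
}

# Number of IPv4 addresses on the interface, to compare with the :N that
# pfctl shows after the interface token.
iface_v4_count() {
    iface_v4_addrs | wc -l | tr -d ' '
}

# Labels of rules whose source or destination is a runtime token for $1;
# these follow address changes on the interface automatically.
dynamic_rule_labels() {
    printf '%s\n' "$SAMPLE_RULES" \
        | grep -E "\($1(:network)?:[0-9]+\)" \
        | sed -n 's/.*label "\([^"]*\)".*/\1/p'
}

# Labels of rules that mention one of the interface addresses literally;
# these silently miss a new VIP or a changed address.
literal_rule_labels() {
    for a in $(iface_v4_addrs); do
        printf '%s\n' "$SAMPLE_RULES" | grep -F " $a " \
            | sed -n 's/.*label "\([^"]*\)".*/\1/p'
    done
}
```

On a real OPNsense box, feed `ifconfig vtnet1` and `pfctl -sr` into the two variables instead of the constructed samples.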