OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: tuxlemmi on May 25, 2022, 01:57:16 pm

Title: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: tuxlemmi on May 25, 2022, 01:57:16 pm
I have a couple of IPsec site2site tunnels running on my OPNsense.
Each LAN on the remote sites has an alias. I use these aliases to define rules that pass all traffic/protocols to the remote site.
ssh, http, https will pass; every other traffic is blocked since the update to 22.1.8, as I can see in the live log, by the default block rule.

This was not expected.

Just to try, I added an ANY-2-ANY rule and it works again - but this is just for testing.


Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: vOoPtNa on May 25, 2022, 03:37:45 pm
I've seen a similar behavior. After upgrading to 22.1.8 some rules stopped working...
Had no time to troubleshoot this further and reverted back to 22.1.7.

Will try to reproduce it later and report here.
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: Com DAC on May 25, 2022, 03:54:18 pm
After the upgrade my rules weren't working either. After reading this post I opened my aliases and edited and re-saved each alias and they all started working.
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: neis on May 25, 2022, 07:00:30 pm
I experience the same as others.  Post update all LAN traffic was ignoring any rules with aliases attached and was instead matching the floating default deny rule.  A quick edit and save with no changes did not work for me but disabling/enabling the alias resolved the issue.
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: CGrisamore on May 25, 2022, 07:28:14 pm
Thanks for the heads up. I did the upgrade this morning and all seemed fine, but after reading this post I tested my Wireguard connection (used for remote access to my home network) and it wasn't working. I use an alias for a rule specific to Wireguard VPN clients and after disabling, saving and re-enabling it's now working properly.
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: vOoPtNa on May 25, 2022, 09:03:58 pm
Seems to be some kind of bug.
Under Firewall->Diagnostics->Aliases some aliases don't show results (see attached screenshots).
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: mannp on May 25, 2022, 09:06:08 pm
Became slack with the previous faultless releases, but this one borked me for sure.....downloading 22.1.7 now....
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: db7 on May 25, 2022, 09:11:40 pm
Quote
After the upgrade my rules weren't working either. After reading this post I opened my aliases and edited and re-saved each alias and they all started working.

Just sharing that a revert to 22.1.7_1 is the only durable fix for this I've found.  I tried the disable/enable alias trick as well.  It works, but after a reboot the aliases return to not working correctly, and of course neither will the rules that depend on them.
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: mannp on May 25, 2022, 09:34:07 pm
Quote
After the upgrade my rules weren't working either. After reading this post I opened my aliases and edited and re-saved each alias and they all started working.

Just sharing that a revert to 22.1.7_1 is the only durable fix for this I've found.  I tried the disable/enable alias trick as well.  It works, but after a reboot the aliases return to not working correctly, and of course neither will the rules that depend on them.

Did you use opnsense-revert to get to 22.1.7_1? Struggling to find the process...thx
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: gpb on May 25, 2022, 09:44:22 pm
edit: deleted.
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: db7 on May 25, 2022, 09:51:29 pm
Quote
After the upgrade my rules weren't working either. After reading this post I opened my aliases and edited and re-saved each alias and they all started working.

Just sharing that a revert to 22.1.7_1 is the only durable fix for this I've found.  I tried the disable/enable alias trick as well.  It works, but after a reboot the aliases return to not working correctly, and of course neither will the rules that depend on them.

Did you use opnsense-revert to get to 22.1.7_1? Struggling to find the process...thx

Yes, that's correct.  You'll want to run this:

Code:
opnsense-revert -r 22.1.7_1 opnsense
Then reboot, everything should come back up as it was.  If you can't reboot after install, you can probably do the disable/enable on aliases to bring them up for the current session, and then the reverted opnsense package will handle loading them correctly on the next reboot.
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: abulafia on May 25, 2022, 10:11:12 pm
Have you reported this as a bug on GitHub? If not please do - sounds like a bug and that will get resolved earlier if a GitHub report is made.
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: vOoPtNa on May 25, 2022, 10:20:01 pm
Quote
Have you reported this as a bug on GitHub? If not please do - sounds like a bug and that will get resolved earlier if a GitHub report is made.

issue on github already reported:
https://github.com/opnsense/core/issues/5788
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: mannp on May 25, 2022, 10:21:11 pm
Quote
Yes, that's correct.  You'll want to run this:

Code:
opnsense-revert -r 22.1.7_1 opnsense
Then reboot, everything should come back up as it was.  If you can't reboot after install, you can probably do the disable/enable on aliases to bring them up for the current session, and then the reverted opnsense package will handle loading them correctly on the next reboot.

Thanks for confirming :) I was about to 'engage' and you confirmed, so thanks.

Restored my config back after the downgrade to be sure.....seems back...
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: meyergru on May 25, 2022, 11:22:46 pm
Confirming the bug as well. In my case, only one alias was affected, namely a network alias.

Reverting to 22.1.7_1...
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: RedVortex on May 26, 2022, 12:25:35 am
I have about 30 aliases and even though I haven't tested them all, I tested at least half of them without issue. But since I use them a lot, I'm watching this issue very closely as it would affect my setup a lot.

I have a few questions:

1 - Does this happen to every type of alias? (Hosts, networks, ports)
2 - How many items do you have in the alias content that fails? (3 IP addresses or 1 network or 4 ports, for instance)
3 - If you have only one entry in the alias, can you add a second item to the content (even if bogus) just to see if this happens only on aliases that have only 1 entry? (All my aliases seem to work but they all have more than 1 entry.)
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: DavidGA on May 26, 2022, 07:07:40 am
This was broken for me too, and it broke a lot of stuff. There were a bunch of new aliases in the aliases view that started with an underscore that I'd never seen before. I wish I'd taken a screenshot, sorry. I reverted to 22.1.7_1 and rebooted and it's fine again. All the new aliases have disappeared.
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: DavidGA on May 26, 2022, 07:20:01 am
It turns out I had an old stale browser tab open from before I did the downgrade so I was able to snag this screenshot.

All the aliases that start with an underscore I had never seen before. They look like internal stuff that wasn't supposed to be visible?
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: Marin BERNARD on May 26, 2022, 09:43:17 am
This is just awful. For some months now, every couple of updates brings some kind of bug. This, added to the lack of proper release notifications (no mailing list, no GitHub releases, just a forum thread which cancels your subscription on any new release), makes OPNsense quite unusable in demanding environments.

We deployed it to power schools and care centers; we've got tens of instances dispatched in many small sites on a wide area. I can't imagine losing access to all those distant sites because someone did not take the time to test the changes to such a critical feature as aliases.

I'm sure someone will soon answer me that we've got no right to complain since this is a free product, that quality assurance has a cost, and we should pay for professional support. OK, seems fair. But giving us nightmares every 2 months is not the best way to engage new customers. Since OPNsense is a free product, we do expect some bugs. We are prepared to handle proxy failures, unbound config errors (only a few weeks ago; another sweet memory), API bugs, et al. But certainly not empty aliases making 80+ instances unreachable in the middle of a week off.
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: mannp on May 26, 2022, 09:53:46 am
Quote
This was broken for me too, and it broke a lot of stuff. There were a bunch of new aliases in the aliases view that started with an underscore that I'd never seen before. I wish I'd taken a screenshot, sorry. I reverted to 22.1.7_1 and rebooted and it's fine again. All the new aliases have disappeared.

The same situation for me… I have circa 100 aliases, and it was hard to tell which were broken and which were okay.

It appears a lot was broken though, no internet on the few vlans I tried, and editing and saving aliases didn't work for me, although I did only try a dozen of what I thought were the key ones....with no change.

I, too, had the additional ones with underscores.

Got to say, my updates have been flawless for many months, but this certainly got me to document the recovery plan better :)
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: AdSchellevis on May 26, 2022, 11:28:08 am
Quote
...This, added to the lack of proper release notifications


Quote
...We deployed it to power schools and care centers; we've...

Which is a very good reason why you should at least test our development versions before they're being merged; they're available at every release, included in the exact same version as you're installing now.... The alias additions have been in there for a couple of cycles now.  (https://docs.opnsense.org/manual/firmware.html#settings)

Quote
I'm sure someone will soon answer me that we've got no right to complain since this is a free product...

Sure you do, it just doesn't bring much to the table when not thinking about how to help out from your end as well.

Quote
...started with an underscore that I'd never seen before

It's a new feature collecting the networks attached to an interface so we can reuse these later in the "xxx_network" rules. This increases visibility and also offers the possibility to "nest" and combine these into derivatives.

A full list of added features is in this merged pull request https://github.com/opnsense/core/pull/5668.



Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: abulafia on May 26, 2022, 11:59:39 am
Only issue I noticed is that the crowdsec aliases remain empty. That may be a crowdsec issue of course.
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: marin on May 26, 2022, 12:19:55 pm
Quote
...This, added to the lack of proper release notifications

  • https://docs.opnsense.org/releases/CE_22.1.html#may-25-2022
  • https://forum.opnsense.org/index.php?topic=28492.0
  • https://twitter.com/opnsense/status/1529391333852471297

Yes, I know detailed release notes are published with every release; I routinely read them, but often after the instances were updated (by cron). My point was about release notifications, i.e. being notified when a new version is released, via GitHub, a mailing list, or anything. I suppose Twitter is fine for many people, but I don't use it.

Quote
...We deployed it to power schools and care centers; we've...

Which is a very good reason why you should at least test our development versions before they're being merged; they're available at every release, included in the exact same version as you're installing now.... The alias additions have been in there for a couple of cycles now.  (https://docs.opnsense.org/manual/firmware.html#settings)

Yes, this is something I'm considering, and/or maintaining a private update mirror and only pushing upgrades after they've been tested.

Quote
I'm sure someone will soon answer me that we've got no right to complain since this is a free product...

Sure you do, it just doesn't bring much to the table when not thinking about how to help out from your end as well.

Of course not... Sorry for the rant.

Quote
...started with an underscore that I'd never seen before

It's a new feature collecting the networks attached to an interface so we can reuse these later in the "xxx_network" rules. This increases visibility and also offers the possibility to "nest" and combine these into derivatives.

A full list of added features is in this merged pull request https://github.com/opnsense/core/pull/5668.

Are those internal aliases excluded from the JSON import/export feature ? We use it internally (via the API) to propagate alias changes to sets of nodes, and we don't want to overwrite those internal aliases on remote nodes  :-\
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: chemlud on May 26, 2022, 01:13:28 pm
Quote
This was broken for me too, and it broke a lot of stuff. There were a bunch of new aliases in the aliases view that started with an underscore that I'd never seen before. I wish I'd taken a screenshot, sorry. I reverted to 22.1.7_1 and rebooted and it's fine again. All the new aliases have disappeared.

I can help you out with a screenshot of 22.1.8, the underscore aliases are the internal networks, type is shown as "Internal (automatic)", appears to be benign...
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: AdSchellevis on May 26, 2022, 01:35:52 pm
Quote
Are those internal aliases excluded from the JSON import/export feature ? We use it internally (via the API) to propagate alias changes to sets of nodes, and we don't want to overwrite those internal aliases on remote nodes  :-\

They are in the export, but I don't mind omitting them in a future version. I don't expect much will happen when you do import them anyway to be honest.
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: myksto on May 26, 2022, 04:07:07 pm
I can confirm the same problem with some aliases. Especially I did have problems with network aliases (e.g. 192.168.20.0/24). Everything started working again after reverting to version 22.1.7_1.
I hope the developer team can solve it in newer versions.

Have a nice day,
Michele.
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: RedVortex on May 26, 2022, 04:14:32 pm
Do you guys have any error when you run this ? (Make sure you are on 22.1.8, not a previous version...)

Code:
/usr/local/opnsense/scripts/filter/update_tables.py
I'm still trying to figure out why I'm not affected by this and so many others are.
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: muchacha_grande on May 26, 2022, 08:40:43 pm
Apparently I'm not affected by this problem. As @RedVortex.
Running update_tables.py returns {"status": "ok"}
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: diekos on May 26, 2022, 09:10:35 pm
I'm also affected by this bug.
It seems to be only with network and port aliases; host aliases are not affected and still return the valid results under Diagnose > Aliases.

The Geo aliases are still filled with networks, so those seem to work as well.
The Spamhaus aliases are also still filled so remote aliases seem to work.

Port aliases don't even show up under Diagnose > Aliases.

Running the update_tables.py gives the result "Ok" but no changes in the aliases.
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: franco on May 26, 2022, 09:13:33 pm
The hotfix was published now. Took a bit longer due to national holiday getting in the way.


Cheers,
Franco
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: diekos on May 26, 2022, 09:39:47 pm
I just installed the hotfix and my aliases return the correct networks under Diagnose > Aliases.
My firewall rules are working as expected again!

Thank you for the quick response!
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: RedVortex on May 26, 2022, 10:36:45 pm
Quote
The hotfix was published now. Took a bit longer due to national holiday getting in the way.

Thanks a lot for the quick hotfix franco !

I'm still puzzled though as to why it wasn't affecting me even though I use ports, networks, hosts (about all types) of aliases and it affected others...

Was this happening when someone had, let's say an alias with nothing in it or something like that ?

Is this the only patch that was done to handle this ?

https://github.com/opnsense/core/commit/021786612cae12fe7557bf1627773f4f71cff50d

If that's the case, maybe I simply did not have any blank lines when the commands ran in my case... I wonder how blank lines could happen then ?
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: RedVortex on May 26, 2022, 10:45:37 pm
Just curious...

Was it that it couldn't split and/or strip when there was only one line in the alias or something like that ?
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: AdSchellevis on May 27, 2022, 09:09:04 am
The split returned a single empty string, which led to [''] in some cases instead of []. Because this doesn't always happen (and likely only when there's a single host/network entry in the list), we didn't notice on our end.
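An added illustration of the parsing behaviour described in the reply above; it is written for this thread and is not taken from OPNsense's update_tables.py or from the hotfix commit. Modelling alias content as newline-separated text is an assumption here, as are the function names. It shows how a plain split yields [''] for an empty alias (and a trailing '' for a single entry followed by a newline), a hardened parse that never emits an empty entry, and a check that flags empty entries before they would reach a firewall table loader.

```python
# Added example, not OPNsense's own code. Assumption: alias content is
# stored as newline-separated text (a hypothetical model of the format).


def naive_entries(content: str) -> list:
    """Plain split, reproducing the behaviour described in the thread:
    ''.split('\\n') returns [''] rather than [], and a single entry with a
    trailing newline returns ['entry', '']."""
    return content.split("\n")


def alias_entries(content: str) -> list:
    """Hardened parse: strip each line and drop empty strings, so neither an
    empty alias nor a trailing newline produces a '' entry."""
    return [line.strip() for line in content.split("\n") if line.strip()]


def check_entries(entries: list) -> list:
    """Return human-readable problems for a parsed entry list. An empty
    string entry is exactly the defect the thread describes; a table loader
    handed '' cannot build a usable table from it."""
    problems = []
    for idx, item in enumerate(entries):
        if item == "":
            problems.append(f"entry {idx} is an empty string")
        elif item != item.strip():
            problems.append(f"entry {idx} has surrounding whitespace: {item!r}")
    return problems


def compare(content: str) -> dict:
    """Side-by-side view of both parsers for one alias body."""
    naive = naive_entries(content)
    hardened = alias_entries(content)
    return {
        "naive": naive,
        "naive_problems": check_entries(naive),
        "hardened": hardened,
        "hardened_problems": check_entries(hardened),
    }


# Constructed sample alias bodies (not from any real configuration).
SAMPLES = {
    "single_network_trailing_newline": "192.168.20.0/24\n",
    "empty_alias": "",
    "multi_entry": "10.0.0.0/8\n172.16.0.0/12\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, compare(body))
```

Running it prints, for each constructed body, the naive list with its '' entry flagged and the hardened list with no problems; the single-entry case is the one the thread singles out, where the trailing '' is easy to miss because the real entry is still present.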
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: tuxlemmi on May 27, 2022, 12:09:50 pm
Thanx for the hotfix. It is working as before.
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: DanVsTheUniverse on May 27, 2022, 12:25:16 pm
Thank you for resolving this quickly.

Thought I was missing something when an update and reboot fully broke remote access over an IPSec VPN. Got remote access via TeamViewer and just tried recreating rules using named subnets instead of aliases, that fixed it. The bug was preventing firewall ACL permitting traffic, so everything was hitting the default deny.

Then woke up today to some failed off-site backups since there are some PBR rules redirecting certain traffic, which weren't working of course (using alias).

Updated and all seems to be working now :)
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: RedVortex on May 27, 2022, 05:48:23 pm
Quote
The split returned a single empty string, which led to [''] in some cases instead of []. Because this doesn't always happen (and likely only when there's a single host/network entry in the list), we didn't notice on our end.

Thanks a lot for taking the time to explain it, I appreciate it.
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: jaoteay on June 05, 2022, 10:58:01 am
I'm not sure if this is related but since I upgraded to 22.1.8 - my VLANs have been basically broken.

Setup (pretty much)
- Main network -> NordVPN Gateway - all good
- IOT Network -> WAN/NordVPN Gateway -> Stops working.
- Direct Out Network (no VPN) -> Stops working

My main network works fine, wired and wireless. But the IOT network, VLAN works for about 10 minutes after resetting everything and then will fail and I can't get an IP Address.

If I look in the firewall live view,
the main WAN network starts failing all over the place and only the NordVPN gateway works.
My WAN is essentially just failing with "Default deny / state violation rule"

I tried to revert back to the 22.1.4 but it said it couldn't find the opnsense.txz. Couldn't find it for 22.1.7_1 either.

Anyone have any ideas on what to do or where to start looking? When I try to connect to the IOT Network.

and if I look at the DHCPv4: Log File

Code:
2022-06-05T02:47:07-06:00 Informational dhcpd DHCPNAK on 192.168.20.35 to XX:XX:XX:XX:XX:0d via igb0
2022-06-05T02:47:07-06:00 Informational dhcpd DHCPREQUEST for 192.168.20.35 from XX:XX:XX:XX:XX:0d via igb0: wrong network.
2022-06-05T02:47:05-06:00 Informational dhcpd DHCPNAK on 192.168.20.35 to XX:XX:XX:XX:XX:0d via igb0
2022-06-05T02:47:05-06:00 Informational dhcpd DHCPREQUEST for 192.168.20.35 from XX:XX:XX:XX:XX:0d via igb0: wrong network.

But my phone and every other device can't connect to it.

I apologize if this doesn't make sense - been a long night fighting with this again and not even sure what the problem is...

Thank you for your time reading this.
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: Morgennebel on June 05, 2022, 02:00:02 pm
Quote
The hotfix was published now. Took a bit longer due to national holiday getting in the way.

I have the hotfix installed, but still Aliases are not working correctly compared to 21.7.1.

I am missing all Port and Port Group aliases within Firewall >> Diagnostics >> Aliases.
When modifying a Port Alias "Last Updated" in Firewall >> Aliases is not updated.
When renaming a Port Alias and changing the rule as well Alias shows as not loaded in Firewall >> Aliases.

Unfortunately opnsense-revert to 21.7.1 did not work either. So I am stuck with a partially working firewall.

Thanks, -MN
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: franco on June 05, 2022, 02:28:39 pm
21.7.1 is highly specific and off target for a 22.1.7/22.1.8 comparison. Which version did you mean?


Cheers,
Franco
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: Morgennebel on June 05, 2022, 02:59:50 pm
Thank you for your quick reply.

I am currently at OPNsense 22.1.8_1-amd64, I can see the hotfix from github.com discussed earlier in this thread applied to /usr/local/opnsense/scripts/filter/update_tables.py.

But still my Aliases for Ports and Port Groups do not work correctly. Some of them work, new ones are not used in firewall rules, do not show being loaded nor updated.

This Alias & rule worked fine with 22.1.7 (edited). Cannot attach screenshots, as they are too large as PNG.

Thanks, -MN
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: Morgennebel on June 05, 2022, 03:24:51 pm
The attached Alias is used as Port Group (PG_) in a firewall rule. The rule is not working, in Live View I do get

Code:
5_LAN       2022-06-04T16:03:09 192.168.1.133:64658 185.90.196.130:443  tcp Default deny / state violation rule
5_LAN       2022-06-04T16:03:09 192.168.1.133:64642 185.90.196.130:443  tcp Default deny / state violation rule

errors. You see in the screenshot that the PG_ Alias has no timestamp for Last Updated, but I created and updated it today few times. Also it's not loaded - but referenced by a firewall Allow rule.

Thanks, -MN
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: meyergru on June 05, 2022, 04:26:28 pm
I also have a problem with port aliases: They do not work correctly in port forwarding rules with NAT reflection, see https://forum.opnsense.org/index.php?topic=28639.0 (problem #1).

Alas, I have not verified if this turned up with 22.1.8 only...
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: Morgennebel on June 06, 2022, 12:36:31 pm
Quote
I am currently at OPNsense 22.1.8_1-amd64, I can see the hotfix from github.com discussed earlier in this thread applied to /usr/local/opnsense/scripts/filter/update_tables.py.
...
This Alias & rule worked fine with 22.1.7 (edited). Cannot attach screenshots, as they are too large as PNG.

I reverted to 22.1.7: everything worked again for like 5-10 minutes. Then Aliases stopped working.
Reverted to 22.1.6: nothing worked after a reboot.

I assume my installation is now a little bit messed up and will reinstall.

Ciao, -MN
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: franco on June 07, 2022, 08:20:12 am
Thanks for digging. Seems to be inconclusive so far from the testing points you gave. We are looking at similar reports and already fixed some other oddities that occur in the new code, e.g. https://github.com/opnsense/core/commit/84b6d0755883


Cheers,
Franco
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: shermant on June 09, 2022, 03:43:20 pm
Quote
After the upgrade my rules weren't working either. After reading this post I opened my aliases and edited and re-saved each alias and they all started working.

Just sharing that a revert to 22.1.7_1 is the only durable fix for this I've found.  I tried the disable/enable alias trick as well.  It works, but after a reboot the aliases return to not working correctly, and of course neither will the rules that depend on them.

Did you use opnsense-revert to get to 22.1.7_1? Struggling to find the process...thx

Yes, that's correct.  You'll want to run this:

Code:
opnsense-revert -r 22.1.7_1 opnsense
Then reboot, everything should come back up as it was.  If you can't reboot after install, you can probably do the disable/enable on aliases to bring them up for the current session, and then the reverted opnsense package will handle loading them correctly on the next reboot.

I've tried to revert to 22.1.7_1 using the code snippet above from the CLI, and it appears that there isn't a 22.1.7_1 release - at least I don't see that folder on any of the mirrors I've checked.  Can someone please confirm if that release is correct, or is it just 22.1.7 ? (that folder exists)

I'm still having trouble even with 22.1.8_1, and just need things to work - no time to troubleshoot these days.  If someone could please advise which is the best release to revert to, I'd appreciate it.

Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: franco on June 09, 2022, 03:49:44 pm
Hotfix directories are merged into a single release after subsequent releases to avoid people catching unpatched releases; best never to use the hotfix annotation with opnsense-revert.


Cheers,
Franco
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: shermant on June 10, 2022, 03:47:28 am
Quote
Hotfix directories are merged into a single release after subsequent releases to avoid people catching unpatched releases; best never to use the hotfix annotation with opnsense-revert.


Cheers,
Franco

Awesome - thanks for confirming that.  Appreciated!
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: Mbl on June 13, 2022, 10:50:11 am
Looks like I have the same issue on the business edition 22.4.1

I have some nested groups with FQDNs inside allowing other Linux servers to update from the internet. Running apt upgrade failed for some of the FQDNs even if they existed in the group. The apt log showed the IP address it tried to connect to for the corresponding FQDN. Checking on OPNsense > Firewall > Diagnostics > Aliases I could find all of the failing IP addresses inside the alias.
So it looks like the alias was provisioned with the correct IP addresses but the rules did not catch up. After opening the alias and saving it, the rules were correctly passing the traffic...

Assuming the previously mentioned hotfix was just merged into the community release, how will this be addressed in the business edition?

Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: franco on June 13, 2022, 10:53:32 am
The alias code in question hasn't been issued to opnsense-business just yet so it's a separate issue or the initial report here is convoluted.


Cheers,
Franco
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: Mbl on June 13, 2022, 07:43:43 pm
Not sure if I got you right @franco.

Are you asking me to open a separate thread for the business edition, or is it something you are going to adapt anyway to the business edition? If so, is there any planned release date?
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: warren_peace on January 09, 2023, 12:28:59 am
For others that find this when having an issue it is still present in 22.7.10 as of 8Jan2023.... <---almost did the 2022 thing. too early in the year.

I created an "approved_ips" alias in my firewall and all IPs are failing the check. Like one of the users suggested that there could be something broken in the system, when I go to Firewall > Diagnostics > Aliases and view the statistics, all of them are 0s. Even if I create a pass rule with a /8 network, it always comes back 0.   I've rebooted and enabled / disabled / enabled aliases, firewall rules, moved the order around and modified rdr rules with no effect. IT'S BROKEN.

EDIT: found a weird solution, but this still needs to be addressed. As mentioned 2-3 pages ago on this forum, if you were to navigate to Firewall > Diagnostics > Aliases and select the alias you are working with, you will see zero packets, 0 bytes and just completely useless. If you add the IP address you want to use and click the "+" quick add, which is supposed to add the address to the alias, it will start working. If you navigate back to Firewall > Aliases you will not see the added entries in that alias.

Core problem at hand, I think, is that when you enter data into the actual alias page, it's not really being added as it should. Next I'm going to try different browsers and facing my computer different directions.

Furthermore when you view the entry under Firewall > Aliases, my alias now says 4 entries, but when I click on it there are only 2. When I go into Firewall > Diagnostics and select the alias, it has the 4 entries I put on there in that page earlier.   FYI this is 22.7.10 despite the forum being for version 22.1.7. So this has been a problem for a while.
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: AdSchellevis on January 09, 2023, 04:13:10 am
When in doubt about the functionality, best execute an update from the console first using:

Code:
/usr/local/opnsense/scripts/filter/update_tables.py
If that doesn’t exit normally, there’s something to look at.

Best regards,
Ad
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: z1p on January 31, 2023, 07:45:46 pm
Running OPNsense 22.7.11_1-amd64.
Trying to get aliases to work but they're not populating hosts (e.g. twitch.tv).
Ran update_tables.py and got the output:

Code:
root@opnsense:~ # python3 /usr/local/opnsense/scripts/filter/update_tables.py
Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/filter/update_tables.py", line 130, in <module>
    geoip.download_geolite()
  File "/usr/local/opnsense/scripts/filter/lib/geoip.py", line 71, in download_geolite
    with zipfile.ZipFile(tmp_stream, mode='r', compression=zipfile.ZIP_DEFLATED) as zf:
  File "/usr/local/lib/python3.9/zipfile.py", line 1266, in __init__
    self._RealGetContents()
  File "/usr/local/lib/python3.9/zipfile.py", line 1333, in _RealGetContents
    raise BadZipFile("File is not a zip file")
zipfile.BadZipFile: File is not a zip file

Any help is appreciated.
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: AdSchellevis on January 31, 2023, 09:58:04 pm
Likely the file downloaded for geoip in Firewall->Aliases->Geoip settings isn't a valid database. If you remove the Url or change it for a valid geoip target, the error should go away.

I will push a patch for future versions to send the message to the log and prevent a crash in these cases.

Best regards,

Ad
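An added sketch of the defensive handling described in the reply above; it is neither Ad's patch nor OPNsense's geoip.py, and the function names and the sample archive contents are constructed for this example. It validates the downloaded blob before handing it to zipfile and returns a loggable message instead of raising BadZipFile, which is the failure the traceback in this thread shows.

```python
import io
import zipfile

# Added example, not OPNsense's geoip.py. Function names are hypothetical.


def open_geoip_archive(blob: bytes):
    """Return (ZipFile, 'ok') for a valid archive, or (None, message)
    describing why the download cannot be used. Never raises on bad input,
    so the caller can log the message and keep the rest of the alias update
    running."""
    if not blob:
        return None, "download returned no data"
    stream = io.BytesIO(blob)
    # is_zipfile() looks for the end-of-central-directory record rather than
    # trusting the URL or a Content-Type header; an HTML error page fails here.
    if not zipfile.is_zipfile(stream):
        return None, "downloaded file is not a zip file"
    stream.seek(0)
    try:
        return zipfile.ZipFile(stream, mode="r"), "ok"
    except zipfile.BadZipFile as exc:
        return None, f"zip file is corrupt: {exc}"


def geoip_download_status(blob: bytes) -> str:
    """The line an updater would write to its log for a given download."""
    zf, message = open_geoip_archive(blob)
    if zf is None:
        return "error: " + message
    with zf:
        names = sorted(zf.namelist())
    return "ok: " + ", ".join(names)


def build_zip(files: dict) -> bytes:
    """Constructed stand-in for a real GeoLite archive download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, mode="w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed inputs: an HTML error page as served by a misconfigured URL,
# and a tiny archive shaped like a GeoLite CSV bundle (file name invented).
HTML_ERROR_PAGE = b"<html><body>404 Not Found</body></html>"
SAMPLE_ARCHIVE = build_zip({
    "GeoLite2-Country-Blocks-IPv4.csv": "network,geoname_id\n203.0.113.0/24,0\n",
})

if __name__ == "__main__":
    print(geoip_download_status(HTML_ERROR_PAGE))
    print(geoip_download_status(SAMPLE_ARCHIVE))
```

The check is cheap and catches the common misconfiguration case (a URL that returns an error page or a login page instead of the database); a corrupt but zip-shaped download is still caught by the try/except, so the updater degrades to a logged error in both cases rather than a traceback that aborts every other alias.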
Title: Re: Alias based firewall rules doesn't work after upgrade to 22.1.8
Post by: z1p on February 01, 2023, 12:27:43 am
Quote
Likely the file downloaded for geoip in Firewall->Aliases->Geoip settings isn't a valid database. If you remove the Url or change it for a valid geoip target, the error should go away.

I will push a patch for future versions to send the message to the log and prevent a crash in these cases.

Best regards,

Ad

Thanks for the tip. It's fixed now.