OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: kwag on February 01, 2017, 01:56:52 am

Title: Firewall:Aliases:View
Post by: kwag on February 01, 2017, 01:56:52 am
Hi all,

Can anyone explain the alias section, where you can enter multiple IP addresses for a single alias?
How does this work?
If I add one alias called "MyWebServers", and then I add four different IPs for 4 internal web servers, and then I create a firewall (NAT) rule, for example port 80 on WAN to internal LAN alias MyWebServers.

What happens here when someone enters www-our.site-com via WAN address? Does it do round robin to all four aliased servers? Does it do failover, or what?

As far as I know, an alias would be one-to-one to an IP address, but not to multiple IPs.

Title: Re: Firewall:Aliases:View
Post by: Carl E. Thompson on February 02, 2017, 01:57:02 am
To answer your question: Yes. It should round robin through all of the servers in the alias when you use an alias as a NAT destination. (Disclaimer: That's what I've read but I haven't used that feature myself.)

However I don't think that's the most important use for aliases. Aliases in general help keep your firewall rules maintainable as your rule set grows. I have firewalls that protect hundreds of servers with hundreds of rules that apply to many different groups and individual servers. If I typed the IP address that a rule should apply to into each rule then things become a mess. For example if I did that and one server's IP address changes then I'd have to manually search through hundreds of rules and modify any rules that pertain to that server. This is error-prone and can cause the firewall to be in an inconsistent intermediate state if a rule is missed before clicking Apply.

To avoid this I strongly recommend never typing an IP address, hostname or port number directly into any rule. Always take the time to create an alias for these things first and then use the aliases in all of your rules. That way if for example a server's IP changes then all you have to do is change one alias and all of the rules that apply to that server are automatically (and consistently) modified. It makes things more mistake-proof. That's the true power of aliases.

Pro tip: If you have rules that act upon a group of servers then create a group for them (as you have). However, do not type the individual IP addresses directly into the group (as you did). Instead take the time to create individual aliases for each member of the group and put those aliases you created into the group alias. Yep, OPNsense lets you nest aliases like that. That way each server's IP is defined in exactly one alias only and you don't have to change multiple aliases if the IP changes.
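The two points above (a multi-address alias as a round-robin NAT target, and nesting one alias per server inside a group alias) modelled as an added example; this is constructed illustration code, not OPNsense's own generator, and the alias names, addresses and the interface name em0 are made up:

```python
# Constructed model (not OPNsense's own code) of how nested aliases are
# flattened into one pf(4) table and used as a round-robin NAT target.
# Alias names, addresses and the interface name are made up.

# A member is either an address or the name of another alias (nesting);
# each server's address lives in exactly one leaf alias.
ALIASES = {
    "web1": ["192.0.2.11"],
    "web2": ["192.0.2.12"],
    "web3": ["192.0.2.13"],
    "web4": ["192.0.2.14"],
    "MyWebServers": ["web1", "web2", "web3", "web4"],
}


def resolve(name, aliases, seen=frozenset()):
    """Flatten an alias recursively into an ordered, de-duplicated address list.

    pf tables cannot nest, so a group alias has to be expanded before it can be
    loaded. A reference cycle (A contains B contains A) is a configuration
    error and is reported instead of recursing forever.
    """
    if name in seen:
        raise ValueError(f"alias cycle through {name!r}")
    result = []
    for member in aliases[name]:
        expanded = resolve(member, aliases, seen | {name}) if member in aliases else [member]
        for addr in expanded:
            if addr not in result:
                result.append(addr)
    return result


def pf_fragment(alias, aliases, wan="em0", port=80):
    """Emit a pf.conf table plus a port forward that spreads connections over it.

    'round-robin' is the pool option that makes pf rotate through the addresses
    when the rdr target table holds more than one entry.
    """
    table = f"table <{alias}> {{ {' '.join(resolve(alias, aliases))} }}"
    rdr = (f"rdr pass on {wan} proto tcp from any to ({wan}) port {port} "
           f"-> <{alias}> port {port} round-robin")
    return table + "\n" + rdr


if __name__ == "__main__":
    print(pf_fragment("MyWebServers", ALIASES))
    ALIASES["web2"] = ["192.0.2.22"]   # one server moves: edit one leaf alias
    print(pf_fragment("MyWebServers", ALIASES))  # the group follows automatically
```

Running it prints the flattened table and the rdr rule twice; only the one changed address differs in the second output, which is the maintainability point of nesting.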