OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: marijn on July 27, 2017, 10:19:32 am

Title: Scripting Aliases to OPNsense
Post by: marijn on July 27, 2017, 10:19:32 am
Hi All,

I have the feeling this question is already asked 100 times, but I cannot find a final fitting answer to my question.

We have a lot of Aliases, and with our current firewall solutions I use a script to generate them in the firewall, so I was looking for a possibility to create Aliases in the command line, in that way I can automate it (as data sources we are using our DNS servers for example).

I know you guys are working on an awesome API, but for now, I like to make a temporary solution.

So what I basically like to know:

1. Is it possible to create/edit aliases using the Shell (SSH)
2. What are the syntaxes
3. Are there major downside's regarding this idea?

If it's possible I will create a script (most likely PowerShell), and if people are interested I'm happy to share the script on this forum.

If this question is already answered please let me know

Thanks a lot!
Title: Re: Scripting Aliases to OPNsense
Post by: Beeblebrox on July 27, 2017, 10:56:01 am
1 & 2. Yes,
Code: [Select]
ifconfig <nic> alias 192.168.x.y/subnetRemove:
Code: [Select]
ifconfig <nic> -alias 192.168.x.y
3. You might want to expand on what the aliases are used for - what purpose do they serve? The subnet selection is relevant here. If subnetting is done sanely, NAT & PF would take care of the rest.

Normally in PF you would pre-define certain values, ex: 
Code: [Select]
dns="", and write rules using syntax $dns. IDK how it's handled in OPNs.
Title: Re: Scripting Aliases to OPNsense
Post by: marijn on July 27, 2017, 12:22:06 pm
Thanks for the quick answer, but I'm not sure if this is where im looking for.

Example command I used:

Code: [Select]
ifconfig em0 alias
The line is accepted but I cannot find the alias in the GUI. besides that, I didn't have an option to give the object a name (or at least; I don't understand how)

I have the feeling this is an alias for the network interface or something like that.

This line is now extra placed in ifconfig:

Code: [Select]
inet netmask 0xf000000 broadcast
The aliases I talking about can be found in the GUI -> Firewall -> Aliases. so are we talking about the same aliases?

Thanks anyway.
Title: Re: Scripting Aliases to OPNsense
Post by: Beeblebrox on July 27, 2017, 01:05:58 pm
ifconfig is used for network card (NIC) aliasing.
Firewall (PF) aliasing is something else (but you did not specify than in OP)
So we were talking about different things.

Why are you aliasing the google DNS in the Firewall? Place it in the DNS resolver instead?
I really don't understand what you're trying to do, sorry.
Title: Re: Scripting Aliases to OPNsense
Post by: marijn on July 27, 2017, 01:56:18 pm
OK, I will try to clarify myself a little bit better: ;)

What do I want to achieve:

I like to create aliases (host /network-object called by other major Firewalling/network brand  ::)) for all servers we have.

For example:

hostname, ipv4, ipv6
TST-WEB-001,, 2001:10::1

(Note: I know I cannot use the "-" mark in aliases at the moment, I have already a feature request created for this)

Since we have hundreds and hundreds of servers I like to script this, for example by talking to our DNS servers (they know IP address and hostnames of course).

In this way I can use the aliases to create access rules in the firewall (manually), due to the thousands of required access rules we have it's quite important to use hostnames instead of IP-addresses, that is the reason I like to create the aliases for each IP address we have.

So what I like to know:

Is it possible to create aliases from the Shell, in that way I can build a script and feed OPNsense with information I already own.

The thing about the google DNS; it was just an example, I don't want to have an alias for the google DNS.

I hope this makes it a little bit more clear.


Title: Re: Scripting Aliases to OPNsense
Post by: marijn on August 02, 2017, 11:21:49 am
I like to bump this forum post ones more;

Because I really don't get it; is what I try to achieve so strange, are there better ways to do this?

Let's make to scope otherwise a little different:

What is the best practice to build a lot of firewall rules using specific internal servers (web, app, enz servers) I cannot imagine that everyone is creating aliases by hand or only use IP addresses in the rules.

So maybe I just don't know the best practice is. So that could be the reason that my question is sounds a little bit strange for the OpnSense Experts on this forum.

I'm open for all kind of feedback because I'm really interested in the OpnSense technology and how to use it in the most efficient way.