17.1 Legacy Series / Re: Firewall:Aliases:View
« on: February 02, 2017, 01:57:02 am »
To answer your question: Yes. It should round robin through all of the servers in the alias when you use an alias as a NAT destination. (Disclaimer: That's what I've read but I haven't used that feature myself.)
However I don't think that's the most important use for aliases. Aliases in general help keep your firewall rules maintainable as your rule set grows. I have firewalls that protect hundreds of servers with hundreds of rules that apply to many different groups and individual servers. If I typed the IP address that a rule should apply to into each rule then things become a mess. For example if I did that and one server's IP address changes then I'd have to manually search through hundreds of rules and modify any rules that pertain to that server. This is error-prone and can cause the firewall to be in an inconsistent intermediate state if a rule is missed before clicking Apply.
To avoid this I strongly recommend never to type an IP address, hostname or port number directly into any rule. Always take the time to create an alias for these things first and then use the aliases in all of your rules. That way if for example a server's IP changes then all you have to do is change one alias and all of the rules that apply to that server are automatically (and consistently) modified. It makes things more mistake-proof. That's the true power of aliases.
Pro tip: If you have rules that act upon a group of servers then create a group for them (as you have). However, do not type the individual IP addresses directly into the group (as you did). Instead take the time to create individual aliases for each member of the group and put those aliases you created into the group alias. Yep, OPNsense lets you nest aliases like that. That way each server's IP is defined in exactly one alias only and you don't have to change multiple aliases if the IP changes.
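As an added example (not code from the post or from OPNsense), a small Python model of the nested-alias layout described above: it expands a group alias through its nested host aliases and flags rules that still carry literal addresses, as well as IPs typed directly into more than one alias. The alias table, the rule list and their format are constructed assumptions and are not OPNsense's configuration format.

```python
import ipaddress

# Constructed alias table: host aliases nested into group aliases.
# Each entry is either a literal address/network or another alias name.
ALIASES = {
    "srv_web1": ["192.0.2.10"],
    "srv_web2": ["192.0.2.11"],
    "srv_db1": ["192.0.2.20"],
    "grp_web": ["srv_web1", "srv_web2"],
    "grp_all": ["grp_web", "srv_db1"],
}
# Constructed rules as (description, source, destination).
RULES = [
    ("allow web", "any", "grp_web"),
    ("allow db from web", "grp_web", "srv_db1"),
    ("legacy hard-coded", "any", "192.0.2.20"),  # the pattern the post warns against
]

def is_literal(entry):
    """True if entry is an IP address or network rather than an alias name."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False

def resolve(alias, aliases=ALIASES, seen=()):
    """Recursively expand an alias into a sorted list of literal entries;
    raises ValueError if nested aliases form a cycle."""
    if alias in seen:
        raise ValueError(f"alias cycle through {alias}")
    out = set()
    for entry in aliases[alias]:
        if is_literal(entry):
            out.add(entry)
        else:
            out.update(resolve(entry, aliases, seen + (alias,)))
    return sorted(out)

def hardcoded_rules(rules=RULES):
    """Descriptions of rules whose source or destination is a literal
    address instead of an alias name (the maintenance hazard above)."""
    return [d for d, src, dst in rules if is_literal(src) or is_literal(dst)]

def multiply_defined(aliases=ALIASES):
    """Literal entries typed directly into more than one alias, i.e. IPs
    that would have to be changed in several places when they move."""
    owners = {}
    for name, entries in aliases.items():
        for e in entries:
            if is_literal(e):
                owners.setdefault(e, []).append(name)
    return {ip: names for ip, names in owners.items() if len(names) > 1}
```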