Aliases from local hostnames

[ulysses]

Hi, all!

I am a new OPNSense user transitioning from Zyxel land, and I ran into the following scenario.
I am using static DHCP leases for hosts with fixed IP addresses on my network, which all get assigned unique hostnames. I would like to create an alias for a group of hosts to apply NAT and firewall rules to this group.

Naturally, as a developer, I like to avoid repeating myself, so using IP addresses in the alias is not ideal for me, since these are set in the DHCP configuration for the interface, and if changed there, the changes should propagate across the system. I can see that I can also use the FQDN, but, again, the local domain name is set separately, and I would like to keep things modular, so that if I change the domain name at some point, I would not have to then go back and update every single alias that contains a local host. Ideally, I would just like to use the hostnames in the alias, but this does not seem to work. Is there another way to go about this? Perhaps a hidden environment variable that I can substitute for the domain part of the alias record, like myhost1.${mydomain} where mydomain is set in the global system preferences? Is there another way to go about this? Is the concept of objects present in OPNSense outside of the Firewall? I can see that I can re-use some things, like gateways and networks. Is there a way to configure a host once and reference it elsewhere? I am not married to the idea of assigning IP addresses and hostnames in the DHCP configuration, if this can be done at a higher level and re-used in DHCP and elsewhere.

I am open to suggestions. Thanks in advance!

[rainerle]

Hi,

since you assign specific IPs to a set of host - how about assigning IPs within a bespoke subnet of your LAN net and use that subnet in your rule?

Like you have a LAN net of
10.20.30.0/24

You give your hosts IPs from
10.20.30.17 to
10.20.30.30

And then create an Alias with a network of
10.20.30.16/28
and use that Alias in your rule.

Best regards
Rainer

[ulysses]

Thanks for the suggestion!

However, I do not see how that would resolve my problem, which could be expressed as the more general question of "can I/how do I assign numbers/hostnames/networks in one place only, and refer to them by some unique identifier throughout the system, in whatever area of the configuration needs to know about them (not just the firewall, but DHCP, DNS, etc.)?"

The subnet approach would still require knowledge of the subnet address in two different places, which is what I am trying to avoid. What I would like to do is set up the subnet in one place, then refer to it by some name, so that I can freely change its address later without having to change anything else that should know about the subnet.

On a Zyxel ZyWall USG, for example, this is all accomplished by creating Objects, which can be hosts, networks, FQDNs, hostnames, etc. The objects can then be referenced in any part of the appliance configuration, so that if you want to change the IP of a host, for example, you just have to do it in the host definition and nowhere else, which makes the configuration easily maintainable. I see similarities between this approach and Aliases in OPNSense, but it does not seem to be quite a 1:1 mapping, and some "objects" are created behind the scenes, such as gateway addresses, which can be referenced without explicitly specifying the IPs, which is nice, but seems incomplete. Maybe I am thinking about this backwards, but I don't see a way to use an alias within the DHCP configuration, such that the IP address is only defined in the alias and then referenced in the DHCP config. Either way you look at it, entering the same IP address or FQDN in more than one place just seems wrong to me, and only leads to headaches later on in my experience. For example, while I am setting up this appliance, I am working in a lab environment behind my current production firewall, so I defined a temporary domain, etc.. Once I am ready to replace the current firewall with the new OPNSense appliance, I would like the experience to be as drop-in as possible: ideally, I would just change the domain to the real domain, and get rid of any temporary rules related to the "fake" WAN, but it looks like it will have to be more complex than that, unless I am missing something, which I probably am.

[rainerle]

The global "Aliases" are not available in the DHCP services for lease definitions.

You could create a feature request here:
https://github.com/opnsense/core/issues

[Fright]

ulysses, is domain in System-General matches your lan domain and what dns-servers your opnsense use ?
if yes and opnsense use internal DNSes:
just tested: "Host(s)" Alias type accepts hosts names without domain and correctly resolves it to IP when prepares table. is that what you want?

[ulysses]

Fright, the domain in System-General matches the domain of the hosts I want to configure. I can resolve them from a machine on the LAN by the FQDN simply by setting the hostname in the DHCP configuration in OPNSense, when OPNSense is used as the DNS server for the local machine. I am not sure what you mean by "opnsense uses internal DNSes," because I am using Unbound DNS in OPNSense, but I also have upstream DNS servers configured, and a forwarding server for my current production domain (that sits between the OPNSense appliance and the WAN).

[Edit] I just tested using only the hostname for the alias, and this time it worked, and resolved correctly. Not sure what I changed to get here, but previously I received an error every time I tried to do this.

[Fright]

" I am not sure what you mean by "opnsense uses internal DNSes," because I am using Unbound DNS in OPNSens"
the idea is that opnsense can resolve the hostname from Alias without the domain suffix.
in that case you can make Alias without domain part at all. just host part. eg ("Engineers" {host1,host2,host3})
Then you can change your local domain name whenever you want and no alias edit needed.
or I didn't understand the task

[ulysses]

Thanks! That was my original idea as well, but for some reason it would not let me just enter the hostname part before. It all seems to be working now, though.

[Fright]

glad it works )