[SOLVED in 25.7.3_3] Internal firewall aliases always empty in diagnostics?

Started by jangw, September 09, 2025, 10:32:28 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
September 09, 2025, 10:32:28 PM Last Edit: September 10, 2025, 12:32:15 PM by jangw
Hi,

is it normal that automatically generated firewall aliases (LAN, WAN, loopback, etc.) always show up as empty in Firewall -> Diagnostics -> Aliases? See attachment screenshots for an example. Other aliases (e.g. bogons) show up with content as expected.

No errors appear in the backend log, just the normal notices. The generated aliases are functioning in firewall rules (hence they cannot be empty).
September 10, 2025, 12:43:10 AM #1
After updating to 25.7.3 today, I also had problems with empty aliases.

In my case, manually created aliases were also empty in the diagnostics.

For this reason, none of my rules matched and I had to restore to 25.7.1. Now everything is working again.
[OPNsense 25.7] CWWK N100 4xi226 16Gb Ram (as a VM on Proxmox)
[OPNsense 25.7] Hetzner Cloud CPX11 (POC)
September 10, 2025, 02:53:56 AM #2
Same here.
September 10, 2025, 03:01:36 AM #3 Last Edit: September 10, 2025, 03:05:52 AM by hharry
same here, upgraded from 25.7.2 to 25.7.3 and now all the automatically generated firewall aliases (LAN, WAN, loopback, etc.) always show up as empty in Firewall -> Diagnostics -> Aliases.

In earlier version 25.7.2, did not have this issue, seems like a clear regression.

Luckily i'd only upgraded pre-production LAB testing staging OPNsense and run into this issue, 25.7.3 won't be going into production....
OPNsense 25.7.2-amd64 running on ESXi 6.7 U2 VM, 4Gbytes RAM, 2 x vCPU
frr OSPF + eBGP, IDS, AdGuard Home, sftp-backup plugins. limited kea DHCP server deployment.
September 10, 2025, 03:22:35 AM #4
I was able to downgrade the opnsense package to 25.7.1 to fix my issue until a fix comes out.
September 10, 2025, 08:42:13 AM #5
Looking into it now, thanks for the report!
September 10, 2025, 12:19:18 PM #6
This was hotfixed in 25.7.3_3.


Cheers,
Franco
September 10, 2025, 12:31:04 PM #7
Great, thanks a lot for the quick reaction franco!

I can confirm that in 25.7.3_3 all these internal pf tables are populated again on my system.


September 10, 2025, 03:59:13 PM #8
Franco I applied the hot fix and rebooted and still have empty alias tables.
September 10, 2025, 04:01:48 PM #9
Quote from: Burthouse4563 on September 10, 2025, 03:59:13 PMFranco I applied the hot fix and rebooted and still have empty alias tables.
same problem
September 10, 2025, 04:42:53 PM #10
Quote from: nbca2 on September 10, 2025, 04:01:48 PM
Quote from: Burthouse4563 on September 10, 2025, 03:59:13 PMFranco I applied the hot fix and rebooted and still have empty alias tables.
same problem
September 10, 2025, 04:43:38 PM #11 Last Edit: September 10, 2025, 04:45:57 PM by Burthouse4563
Quote from: nbca2 on September 10, 2025, 04:01:48 PM
Quote from: Burthouse4563 on September 10, 2025, 03:59:13 PMFranco I applied the hot fix and rebooted and still have empty alias tables.
same problem

I think I found part of the problem. I had an alias with URLs in it that were failing to resolve because they didn't have https in front of them. This previously didn't cause an issue on older versions. But disalbing that alias allowed other aliases to populate. So there's an issue if an alias can't populate that it stops updating ones further down the list.

Example error message.

error fetching alias url us.archive.ubuntu.com (Invalid URL 'us.archive.ubuntu.com': No scheme supplied. Perhaps you meant https://us.archive.ubuntu.com?)
September 10, 2025, 04:54:13 PM #12 Last Edit: September 10, 2025, 04:57:42 PM by nbca2
Quote from: Burthouse4563 on September 10, 2025, 04:43:38 PM
Quote from: nbca2 on September 10, 2025, 04:01:48 PM
Quote from: Burthouse4563 on September 10, 2025, 03:59:13 PMFranco I applied the hot fix and rebooted and still have empty alias tables.
same problem

I think I found part of the problem. I had an alias with URLs in it that were failing to resolve because they didn't have https in front of them. This previously didn't cause an issue on older versions. But disalbing that alias allowed other aliases to populate. So there's an issue if an alias can't populate that it stops updating ones further down the list.

Example error message.

error fetching alias url us.archive.ubuntu.com (Invalid URL 'us.archive.ubuntu.com': No scheme supplied. Perhaps you meant https://us.archive.ubuntu.com?)

you're right, i resolved modifing the type from "url" to "Host/s" in the alias that in Content has "archive.ubuntu.com"

now the command /usr/local/opnsense/scripts/filter/update_tables.py --> {"status": "ok"}
aliases are populated now
September 10, 2025, 05:02:05 PM #13
Quote from: nbca2 on September 10, 2025, 04:54:13 PM
Quote from: Burthouse4563 on September 10, 2025, 04:43:38 PM
Quote from: nbca2 on September 10, 2025, 04:01:48 PM
Quote from: Burthouse4563 on September 10, 2025, 03:59:13 PMFranco I applied the hot fix and rebooted and still have empty alias tables.
same problem

I think I found part of the problem. I had an alias with URLs in it that were failing to resolve because they didn't have https in front of them. This previously didn't cause an issue on older versions. But disalbing that alias allowed other aliases to populate. So there's an issue if an alias can't populate that it stops updating ones further down the list.

Example error message.

error fetching alias url us.archive.ubuntu.com (Invalid URL 'us.archive.ubuntu.com': No scheme supplied. Perhaps you meant https://us.archive.ubuntu.com?)

you're right, i resolved modifing the type from "url" to "Host/s" in the alias that in Content has "archive.ubuntu.com"

now the command /usr/local/opnsense/scripts/filter/update_tables.py --> {"status": "ok"}
aliases are populated now

I made that change as well and it also fixed the alias problem.
Print
Go Up Pages1
User actions