Host vs Network Aliases

Alphabet Soup · April 18, 2017, 04:04:06 AM

In one OPNsense 17.1.4 install I have some firewall rules that reference a Host alias which is populated with IP addresses, e.g. 192.168.5.8, 192.168.99.54, etc.

Now I have a need to apply these same rules to a network, e.g. 10.35.0.0/16.

I can of course create a new Network alias and create copies of all the relevant firewall rules, changing these copies to reference my new Network alias.

My question is whether that is the best way to do it? Is there a performance impact from having more rules? If instead I moved all the Hosts into the Network alias, is there a performance impact from having hosts in a network alias? Do I lose or gain some functionality either way?

franco · April 18, 2017, 07:21:41 AM

Hi there,

You can nest aliases, so create a wrapper for either two explicit aliases or a new alias with the network that includes the former alias.

Cheers,
Franco

Alphabet Soup · April 18, 2017, 02:56:34 PM

Nesting sure keeps the Rules simpler. Is there any (significant) performance impact that you're aware of?

franco · April 18, 2017, 03:17:11 PM

No, they are expanded prior to being written to the ruleset, so you end up with the same speed as when typed explicitly multiple times.

Host vs Network Aliases

Alphabet Soup

April 18, 2017, 04:04:06 AM

franco

April 18, 2017, 07:21:41 AM #1

Alphabet Soup

April 18, 2017, 02:56:34 PM #2

franco

April 18, 2017, 03:17:11 PM #3