Alias-based firewall rules don't work after upgrade to 22.1.8

Started by tuxlemmi, May 25, 2022, 01:57:16 PM

I just installed the hotfix and my aliases return the correct networks under Diagnose > Aliases.
My firewall rules are working as expected again!

Thank you for the quick response!

Quote from: franco on May 26, 2022, 09:13:33 PM
The hotfix was published now. Took a bit longer due to national holiday getting in the way.

Thanks a lot for the quick hotfix, franco!

I'm still puzzled though as to why it wasn't affecting me even though I use ports, networks, hosts (about all types) of aliases and it affected others...

Was this happening when someone had, let's say, an alias with nothing in it or something like that?

Is this the only patch that was done to handle this?

https://github.com/opnsense/core/commit/021786612cae12fe7557bf1627773f4f71cff50d

If that's the case, maybe I simply did not have any blank lines when the commands ran in my case... I wonder how blank lines could happen then?

Just curious...

Was it that it couldn't split and/or strip when there was only one line in the alias, or something like that?

The split returned a single empty string, which led to [''] in some cases instead of []. Because this doesn't always happen (and likely only when there's a single host/network entry in the list), we didn't notice on our end.
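The pitfall described in the post above, as an added example that is not OPNsense code and not taken from update_tables.py: Python's str.split() on empty content returns [''] rather than [], and a trailing newline leaves a trailing '' entry, so a loader that feeds the list straight into a table gets a bogus empty entry. The alias contents below are constructed samples; the function names are this example's own.

```python
"""Parsing newline-separated alias content into a clean list of entries.

Added example (not OPNsense's update_tables.py): it reproduces the class of
mistake the thread describes, str.split() yielding [''] instead of [], and
shows the guard that avoids it. Alias contents are constructed samples.
"""


def naive_entries(content: str) -> list:
    """Plain split: returns [''] for empty input and keeps whitespace-only
    lines, which is the shape of bug discussed in the thread."""
    return content.split("\n")


def alias_entries(content: str) -> list:
    """Split alias content into entries, dropping empty and whitespace-only
    lines and trimming each remaining entry. An empty string is never a valid
    host, network or port, so it must not reach the table loader."""
    return [line.strip() for line in content.splitlines() if line.strip()]


def has_empty_entry(entries: list) -> bool:
    """Sanity check a loader can run before applying a table: any entry that
    is empty after stripping indicates the parser let a blank line through."""
    return any(not entry.strip() for entry in entries)


# Constructed samples covering the cases an alias loader may see.
SAMPLES = {
    "empty": "",
    "single": "192.168.1.0/24",
    "single_trailing_newline": "192.168.1.0/24\n",
    "multi": "10.0.0.0/8\n172.16.0.0/12\n\n  192.168.0.0/16  \n",
}


def compare(content: str) -> tuple:
    """Return (naive, robust) parse results so the difference is visible."""
    return naive_entries(content), alias_entries(content)


if __name__ == "__main__":
    for name, content in SAMPLES.items():
        naive, robust = compare(content)
        flag = "EMPTY ENTRY" if has_empty_entry(naive) else "ok"
        print(f"{name:24s} naive={naive!r} [{flag}] robust={robust!r}")
```

The single-entry case is the one that matters here: with one host or network and a trailing newline, the naive split produces a valid entry plus an empty one, while the empty alias produces only the empty one; both slip past a check that only asks whether the list is non-empty.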


Thank you for resolving this quickly.

Thought I was missing something when an update and reboot fully broke remote access over an IPsec VPN. Got remote access via TeamViewer and just tried recreating rules using named subnets instead of aliases; that fixed it. The bug was preventing the firewall ACL from permitting traffic, so everything was hitting the default deny.

Then woke up today to some failed off-site backups since there are some PBR rules redirecting certain traffic, which weren't working of course (using alias).

Updated and all seems to be working now :)

Quote from: AdSchellevis on May 27, 2022, 09:09:04 AM
The split returned a single empty string, which led to [''] in some cases instead of []. Because this doesn't always happen (and likely only when there's a single host/network entry in the list), we didn't notice on our end.

Thanks a lot for taking the time to explain it, I appreciate it.

I'm not sure if this is related, but since I upgraded to 22.1.8 my VLANs have been basically broken.

Setup (pretty much)
- Main network -> NordVPN Gateway - all good
- IOT Network -> WAN/NordVPN Gateway -> Stops working.
- Direct Out Network (no VPN) -> Stops working

My main network works fine, wired and wireless. But the IoT network VLAN works for about 10 minutes after resetting everything and then fails, and I can't get an IP address.

If I look in the firewall live view, the main WAN network starts failing all over the place and only the NordVPN gateway works.
My WAN is essentially just failing with "Default deny / state violation rule".

I tried to revert back to the 22.1.4 but it said it couldn't find the opnsense.txz. Couldn't find it for 22.1.7_1 either.

Anyone have any ideas on what to do or where to start looking when I try to connect to the IoT network?

And if I look at the DHCPv4 log file:

2022-06-05T02:47:07-06:00 Informational dhcpd DHCPNAK on 192.168.20.35 to XX:XX:XX:XX:XX:0d via igb0
2022-06-05T02:47:07-06:00 Informational dhcpd DHCPREQUEST for 192.168.20.35 from XX:XX:XX:XX:XX:0d via igb0: wrong network.
2022-06-05T02:47:05-06:00 Informational dhcpd DHCPNAK on 192.168.20.35 to XX:XX:XX:XX:XX:0d via igb0
2022-06-05T02:47:05-06:00 Informational dhcpd DHCPREQUEST for 192.168.20.35 from XX:XX:XX:XX:XX:0d via igb0: wrong network.
But my phone and every other device can't connect to it.

I apologize if this doesn't make sense; it's been a long night fighting with this again and I'm not even sure what the problem is...

Thank you for your time reading this.

Quote from: franco on May 26, 2022, 09:13:33 PM
The hotfix was published now. Took a bit longer due to national holiday getting in the way.

I have the hotfix installed, but Aliases are still not working correctly compared to 21.7.1.

I am missing all Port and Port Group aliases within Firewall >> Diagnostics >> Aliases.
When modifying a Port Alias, "Last Updated" in Firewall >> Aliases is not updated.
When renaming a Port Alias and changing the rule as well, the Alias shows as not loaded in Firewall >> Aliases.

Unfortunately opnsense-revert to 21.7.1 did not work either. So I am stuck with a partially working firewall.

Thanks, -MN

21.7.1 is highly specific and off target for a 22.1.7/22.1.8 comparison. Which version did you mean?


Cheers,
Franco

Thank you for your quick reply.

I am currently at OPNsense 22.1.8_1-amd64, I can see the hotfix from github.com discussed earlier in this thread applied to /usr/local/opnsense/scripts/filter/update_tables.py.

But still my Aliases for Ports and Port Groups do not work correctly. Some of them work; new ones are not used in firewall rules and do not show as loaded or updated.

This Alias & rule worked fine with 22.1.7 (edited). Cannot attach screenshots, as they are too large as PNG.

Thanks, -MN

The attached Alias is used as a Port Group (PG_) in a firewall rule. The rule is not working; in Live View I get

5_LAN       2022-06-04T16:03:09 192.168.1.133:64658 185.90.196.130:443  tcp Default deny / state violation rule
5_LAN       2022-06-04T16:03:09 192.168.1.133:64642 185.90.196.130:443  tcp Default deny / state violation rule

errors. You see in the screenshot that the PG_ Alias has no timestamp for Last Updated, but I created and updated it a few times today. Also it's not loaded, but it is referenced by a firewall Allow rule.

Thanks, -MN

I also have a problem with port aliases: they do not work correctly in port forwarding rules with NAT reflection, see https://forum.opnsense.org/index.php?topic=28639.0 (problem #1).

Alas, I have not verified if this turned up with 22.1.8 only...
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

Quote from: Morgennebel on June 05, 2022, 02:59:50 PM
I am currently at OPNsense 22.1.8_1-amd64, I can see the hotfix from github.com discussed earlier in this thread applied to /usr/local/opnsense/scripts/filter/update_tables.py.
...
This Alias & rule worked fine with 22.1.7 (edited). Cannot attach screenshots, as they are too large as PNG.

I reverted to 22.1.7: everything worked again for 5-10 minutes. Then Aliases stopped working.
Reverted to 22.1.6: nothing worked after a reboot.

I assume my installation is now a little bit messed up and will reinstall.

Ciao, -MN

Thanks for digging. Seems to be inconclusive so far from the testing points you gave. We are looking at similar reports and have already fixed some other oddities that occur in the new code, e.g. https://github.com/opnsense/core/commit/84b6d0755883


Cheers,
Franco