Alias-based firewall rules don't work after upgrade to 22.1.8

Started by tuxlemmi, May 25, 2022, 01:57:16 PM

I have a couple of IPsec site2site tunnels running on my OPNsense.
Each LAN on the remote sites has an alias. I use these aliases to define rules that pass every traffic/protocol to the remote site.
ssh, http, https will pass, every other traffic will be blocked since the update to 22.1.8 as I can see in the live log by the default block rule.

This was not expected.

Just to try, I added an ANY-2-ANY rule and it works again - but this is just for testing.



I've seen a similar behavior. After upgrading to 22.1.8 some rules stopped working...
Had no time to troubleshoot this further and reverted back to 22.1.7.

Will try to reproduce it later and report here.

After the upgrade my rules weren't working either. After reading this post I opened my aliases and edited and re-saved each alias and they all started working.

I experience the same as others.  Post update all LAN traffic was ignoring any rules with aliases attached and was instead matching the floating default deny rule.  A quick edit and save with no changes did not work for me but disabling/enabling the alias resolved the issue.

Thanks for the heads up. I did the upgrade this morning and all seemed fine but after reading this post I tested my Wireguard connection (used for remote access to my home network) and it wasn't working. I use an alias for a rule specific to Wireguard VPN clients and after disabling, saving and re-enabling, it's now working properly.

Seems to be some kind of bug.
Under Firewall->Diagnostics->Aliases some aliases don't show results (see attached screenshots)
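
A shell check for the symptom reported above, as an added example that is not part of any post in this thread. It assumes host and network aliases are loaded into pf as tables and uses the stock `pfctl -s Tables` and `pfctl -t <table> -T show` commands; the `PFCTL` override and the function name are hypothetical, and tables that are meant to be empty are listed too.

```shell
#!/bin/sh
# Added example: list pf tables that currently hold no addresses.
# Assumption: host/network aliases are loaded into pf as tables of the same
# name, so an alias that failed to load shows up here as an empty table.
# Tables that are intentionally empty are reported too; review the list.

# PFCTL is a hypothetical override so the function can be pointed at a stub.
PFCTL="${PFCTL:-pfctl}"

list_empty_tables() {
    "$PFCTL" -s Tables 2>/dev/null | while read -r table; do
        [ -n "$table" ] || continue
        # Count non-blank lines; each line of "-T show" is one table entry.
        count=$("$PFCTL" -t "$table" -T show 2>/dev/null |
            awk 'NF { n++ } END { print n + 0 }')
        if [ "$count" -eq 0 ]; then
            echo "$table"
        fi
    done
}

# Run the check only where pfctl exists (needs root on the firewall).
if command -v "$PFCTL" >/dev/null 2>&1; then
    empty=$(list_empty_tables)
    if [ -n "$empty" ]; then
        echo "pf tables with no entries:"
        echo "$empty"
    else
        echo "every pf table has at least one entry"
    fi
fi
```

Running it once after the upgrade and again after a reboot shows whether an alias that was repaired by a disable/enable cycle has dropped out of pf again.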

Became slack with the previous faultless releases, but this one borked me for sure.....downloading 22.1.7 now....

Quote from: Com DAC on May 25, 2022, 03:54:18 PM
After the upgrade my rules weren't working either. After reading this post I opened my aliases and edited and re-saved each alias and they all started working.

Just sharing that a revert to 22.1.7_1 is the only durable fix for this I've found.  I tried the disable/enable alias trick as well.  It works, but after a reboot the aliases return to not working correctly, and of course neither will the rules that depend on them.

Quote from: db7 on May 25, 2022, 09:11:40 PM
Quote from: Com DAC on May 25, 2022, 03:54:18 PM
After the upgrade my rules weren't working either. After reading this post I opened my aliases and edited and re-saved each alias and they all started working.

Just sharing that a revert to 22.1.7_1 is the only durable fix for this I've found.  I tried the disable/enable alias trick as well.  It works, but after a reboot the aliases return to not working correctly, and of course neither will the rules that depend on them.

Did you use opnsense-revert to get to 22.1.7_1? Struggling to find the process...thx

edit: deleted.
HP T730/AMD  RX-427BB/8GB/500GB SSD
HP NC365T 4-PORT

Quote from: mannp on May 25, 2022, 09:34:07 PM
Quote from: db7 on May 25, 2022, 09:11:40 PM
Quote from: Com DAC on May 25, 2022, 03:54:18 PM
After the upgrade my rules weren't working either. After reading this post I opened my aliases and edited and re-saved each alias and they all started working.

Just sharing that a revert to 22.1.7_1 is the only durable fix for this I've found.  I tried the disable/enable alias trick as well.  It works, but after a reboot the aliases return to not working correctly, and of course neither will the rules that depend on them.

Did you use opnsense-revert to get to 22.1.7_1? Struggling to find the process...thx

Yes, that's correct.  You'll want to run this:

opnsense-revert -r 22.1.7_1 opnsense

Then reboot, everything should come back up as it was.  If you can't reboot after install, you can probably do the disable/enable on aliases to bring them up for the current session, and then the reverted opnsense package will handle loading them correctly on the next reboot.

Have you reported this as a bug on GitHub? If not please do - sounds like a bug and that will get resolved earlier if a GitHub report is made.

Quote from: abulafia on May 25, 2022, 10:11:12 PM
Have you reported this as a bug on GitHub? If not please do - sounds like a bug and that will get resolved earlier if a GitHub report is made.

issue on github already reported:
https://github.com/opnsense/core/issues/5788

Quote: Yes, that's correct.  You'll want to run this:

opnsense-revert -r 22.1.7_1 opnsense

Then reboot, everything should come back up as it was.  If you can't reboot after install, you can probably do the disable/enable on aliases to bring them up for the current session, and then the reverted opnsense package will handle loading them correctly on the next reboot.

Thanks for confirming :) I was about to 'engage' and you confirmed, so thanks.

Restored my config back after the downgrade to be sure.....seems back...

Confirming the bug as well. In my case, only one alias was affected, namely a network alias.

Reverting to 22.1.7_1...
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A