* net aliases autogenerated by OPNsense not working as intended (or at all)

Started by Siarap, May 05, 2025, 02:00:51 AM

Adding a block rule with the built-in (autogenerated) alias "vlan net" as destination has no effect at all; the destination can still be pinged from LAN net. Same in the reverse direction, with LAN net blocked as destination.

When I set my own alias with the 192.168.3.1/24 network (the vlan net IP range) and block it as destination, it works as intended: the destination cannot be pinged (the whole address pool).

I know the proper rule order in OPNsense. It doesn't even work when only one rule is present on the LAN interface, allowing access to everything from any address but with !vlan net as destination (inverted destination). With this rule, IP addresses in vlan net can be pinged without any restriction.

For example, this rule won't block access to the tv net (VLAN): IPv4 *    LAN net    *    ! tv net    *    *    *  (pass rule)

Only aliases set by me worked, not any of the * net aliases autogenerated by OPNsense.

I'm a newbie, so I may not understand something.

You can go to FW > Diagnostics > Aliases to see the content of the alias.
For the interface corresponding to your alias, you'll likely find: 192.168.3.0/24

You might want to use something other than ping to test this.
Because ping is connectionless, I believe the FW "state" is time-based. ~15 secs?
So if traffic is allowed, then you enable the block and retest before the state times out or is deleted manually, traffic will still go through.

Tested with built-in net aliases...
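As an added example (not code from this thread or from OPNsense itself), here is a small sh script for the two checks the reply above suggests: confirm that the hand-made alias and the autogenerated one describe the same network (192.168.3.1/24 is a host address and normalizes to 192.168.3.0/24, the value FW > Diagnostics > Aliases shows for the interface), and kill the existing pf states between the two networks with pfctl so the block rule is exercised by fresh traffic rather than by a state created while the traffic was still allowed. The LAN network 192.168.1.0/24 is an assumption; the thread only names 192.168.3.0/24.

```sh
#!/bin/sh
# Added example for this thread, not code from the original post or from OPNsense.
# Two checks to run before concluding that an autogenerated "<interface> net"
# alias is broken:
#   1. does the hand-made alias cover the same network as the autogenerated one?
#      192.168.3.1/24 is a host address; pf normalizes it to 192.168.3.0/24.
#   2. were existing pf states letting the ping through?  A block rule only
#      applies to new states, so flush the states between the two networks and
#      retest with a fresh connection instead of a ping that is already running.

# normalize_cidr A.B.C.D/N -> network address with the same prefix length,
# e.g. 192.168.3.1/24 -> 192.168.3.0/24
normalize_cidr() {
    addr=${1%/*}
    bits=${1#*/}
    IFS=. read -r o1 o2 o3 o4 <<EOF
$addr
EOF
    ip=$(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$bits"
}

# same_network CIDR1 CIDR2 -> exit status 0 when both describe the same network
same_network() {
    [ "$(normalize_cidr "$1")" = "$(normalize_cidr "$2")" ]
}

# flush_states_between CIDR1 CIDR2: kill pf states in both directions so the
# next packet is matched against the ruleset again.  pfctl only exists on the
# OPNsense (FreeBSD) box; elsewhere the commands are only shown.
flush_states_between() {
    src=$(normalize_cidr "$1")
    dst=$(normalize_cidr "$2")
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -k "$src" -k "$dst"
        pfctl -k "$dst" -k "$src"
    else
        printf 'would run: pfctl -k %s -k %s; pfctl -k %s -k %s\n' \
            "$src" "$dst" "$dst" "$src"
    fi
}

# Constructed example: the hand-made alias from the thread versus the value
# shown under FW > Diagnostics > Aliases for the VLAN interface.
if same_network 192.168.3.1/24 192.168.3.0/24; then
    echo "hand-made alias and autogenerated alias cover the same network"
fi
# LAN net assumed to be 192.168.1.0/24 (not stated in the thread).
flush_states_between 192.168.1.0/24 192.168.3.0/24
```

Run it from the OPNsense shell, where pfctl is available; the GUI equivalent of the flush is Firewall > Diagnostics > States Reset. ICMP echo traffic gets a pf state just like TCP does, so a ping that was started while the traffic was allowed keeps matching that state; after the flush, retest with a new connection and check Firewall > Log Files > Live View to see which rule it hits.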

OK. Thanks for the explanation. Probably there was some unwanted traffic between the subnets, which is why the rule didn't start working immediately. That's why I separated the IPTV decoder made in China (from my ISP) from the other machines. Nobody knows what that device is doing on the internal side of the firewall.