Alias database [resolved]

Started by Saarbremer, June 02, 2025, 03:27:21 PM

June 02, 2025, 03:27:21 PM Last Edit: June 02, 2025, 04:15:43 PM by Saarbremer Reason: Added additional information
Hi,

I am running out of ideas what to check with the following issue:

I have two instances of OPNSense, running on 25.1.7_4. One is within a proxmox VM and works fine. The other is my edge router (bare metal) and this is unable to handle new aliases.

What I did to exercise the problem:
1. Create new Alias "PC" (Host, 1 IPv4 LAN). Yes, clicked "Apply"!
2. Create a rule on LAN (Source "PC", Protocol enabled), pass. Yes, clicked "Apply"!
3. Trigger some traffic, nothing in the LiveView Log
4. Updated the rule using the verbatim IP address.
5. LiveView is showing a lot of traffic from the protocol rule.

Observations:
- In the alias section in firewall, the "last updated" column remains empty for "PC", load count is 0
- In the alias section in diagnostics, PC shows up as selectable item but shows no contents.
- Global configuration in /conf/config.xml contains the alias definition
- Checked /var/db/aliastables, no entry for "PC" - the filesystem has plenty of space left and permissions seem ok
- Checked backend log: Nothing of a warning or higher severity, nothing relevant (from my perspective) in less severe levels.
- Checked firewall log: No warning or higher, nothing about alias (had to search for the term "alias")
- Cloudflare, Spamhaus DROP and GeoIP seem to regenerate as usual, timestamp of /var/db/aliastables matches log entries

The only "interesting" part about this machine is that I replaced the SSD 4 weeks ago, ran a full install and reloaded the last known config / backup. Updated to 24.1.7_4 in the process afterwards.

I know I can stick to hard coded IP addresses for now - and I will not reboot until the next weekend at least, so testing it is currently not possible. My second instance on Proxmox does not have this issue and updates everything as required.

EDIT (see reply below for more): running configctl filter refresh_aliases returned no output other than an empty line.

Are there any other locations I might have a look for diagnostics or trigger an alias re-generation from the shell?

Thanks.

EDIT2/Resolution: flock was blocking forever on a lock that had existed for more than 21 days. I'd expect, however, that the firewall would not silently do nothing in such a case.

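The resolution above describes a refresh that hangs indefinitely on a stale flock() and gives no error at all. The following is an added example, not code from the thread and not OPNsense's own alias-refresh code: it takes the lock with LOCK_NB and a deadline, so a held lock produces a report (including how old the lock file is) instead of a silent hang, and it reproduces the failure mode in-process by holding the lock from a second open file description. The lock file name "refresh_aliases.lock" is a placeholder assumption; the real lock path on the firewall is not named in the thread.

```python
"""Added example (not from the forum thread or OPNsense's own code): a
non-blocking flock() acquisition with a timeout that reports a stale lock
instead of hanging forever, which is the failure mode the thread resolved.
The lock file path used below is a placeholder assumption."""
import errno
import fcntl
import os
import tempfile
import time


def try_lock(path, timeout=5.0, poll=0.1):
    """Try to take an exclusive flock() on `path` for at most `timeout` seconds.

    Returns (fd, None) on success: the caller owns the lock until it closes fd.
    Returns (None, report) if another open file description still holds the
    lock when the deadline passes. `report` carries the lock file's age, which
    is a quick stale-lock hint: a lock file last touched weeks ago, as in the
    thread, is almost certainly not protecting a live alias refresh.
    """
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o644)
    deadline = time.monotonic() + timeout
    while True:
        try:
            fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)  # never block
            return fd, None
        except OSError as exc:
            if exc.errno not in (errno.EAGAIN, errno.EWOULDBLOCK):
                os.close(fd)
                raise
            if time.monotonic() >= deadline:
                os.close(fd)
                st = os.stat(path)
                return None, {
                    "path": path,
                    "age_s": time.time() - st.st_mtime,
                    "timeout_s": timeout,
                }
            time.sleep(poll)


def demo(lock_path=None):
    """Reproduce the hang with a held lock, then show acquisition succeed once
    the holder releases. flock() locks belong to the open file description,
    so a second os.open() in this process is enough to act as a foreign
    holder; no second process is needed."""
    if lock_path is None:
        # Assumed lock file name; the real path on the firewall is not given.
        lock_path = os.path.join(tempfile.mkdtemp(), "refresh_aliases.lock")
    holder = os.open(lock_path, os.O_RDWR | os.O_CREAT, 0o644)
    fcntl.flock(holder, fcntl.LOCK_EX)  # stands in for the stale holder

    fd, report = try_lock(lock_path, timeout=0.5)
    blocked = fd is None  # a plain blocking LOCK_EX here would hang forever

    fcntl.flock(holder, fcntl.LOCK_UN)
    os.close(holder)

    fd2, _ = try_lock(lock_path, timeout=0.5)
    acquired = fd2 is not None
    if fd2 is not None:
        fcntl.flock(fd2, fcntl.LOCK_UN)
        os.close(fd2)
    return {
        "blocked_while_held": blocked,
        "acquired_after_release": acquired,
        "report": report,
    }


if __name__ == "__main__":
    result = demo()
    if result["blocked_while_held"]:
        r = result["report"]
        print(f"lock {r['path']} still held after {r['timeout_s']}s; "
              f"lock file age {r['age_s']:.0f}s; refusing to wait silently")
    print("acquired after release:", result["acquired_after_release"])
```

The file age is only a hint: flock() is advisory and is released when the holding process exits, so a lock that survives for weeks means some process (or a leaked descriptor in a long-running daemon) is still alive and holding it. The next step on a real box is to find that holder, for example with fstat(1) or procstat(1) on FreeBSD or lsof/fuser on Linux, rather than deleting the lock file, which does nothing to the lock itself.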

Quote: - In the alias section in firewall, the "last updated" column remains empty for "PC", load count is 0
Seems to be the root of it all. The alias is not being populated. Why? This depends on what you are using for "Content". If it is an IP address, can you ping it, for instance from this firewall?

Yes, I can ping the IP address.

Had the chance to run configctl filter refresh_aliases
On the proxmox machine with no issues:
{"status": "ok"}
On the bare metal machine with issues:

(yes, just an empty line)


Are you running them as an HA setup with CARP and pfsync enabled?

Quote from: cookiemonster on June 02, 2025, 04:19:24 PM: Are you running them as an HA setup with CARP and pfsync enabled?

No, I don't.

I don't know then, with the limited info available about the two firewalls and their setup.