"Aliases" in Dnsmasq are not the same as "aliases" in the firewall config

Started by ItsHarper, June 12, 2025, 06:50:38 PM

At first, I didn't realize that Dnsmasq and the firewall config had separate "alias" concepts. I wasted a decent amount of time trying to figure out why my NAT rule that referenced a particular alias wasn't working when I assigned that alias to a host in Dnsmasq.

I think the help text for assigning aliases in Dnsmasq should clarify what exactly an alias is in this context, and that it's separate from firewall aliases.

What I would really like to see is the feature that I thought existed. I want to be able to add devices to a firewall Hosts alias from the same place that I configure everything else about the device.

That would be significantly more than just a convenience feature. Especially as it can provide both DHCP and DNS, Dnsmasq should be able to be the Source of Truth about each physical device's hostname and IP address. If I want to change a device's IP address, I should not have to update all of its firewall rules or alias assignments manually.

Right now, if I want to create a firewall rule for a particular device, I have to either reference it by IP address or manually create a Hosts alias that references the IP address. With this feature, I could create an alias for the device that would automatically follow whatever IP address Dnsmasq is giving the device.

Ultimately, it would be ideal if there was some kind of universal alias feature (maybe with a different name) that could be used not only for firewall rules, but also Unbound access lists and anywhere else where you'd need to refer to a particular IP address.

Overall, Dnsmasq has been great, thanks for all of your hard work.

Quote from: ItsHarper on June 12, 2025, 06:50:38 PM
If I want to change a device's IP address, I should not have to update all of its firewall rules or alias assignments manually.

You don't need to use IP addresses in firewall aliases.  You can also use FQDN in the "Host" alias type, or the MAC address in the "MAC" alias type.  Either of those will track the current IP address(es) of the client, including any auto-configured IPs such as from IPv6 SLAAC (in my experience, at least).  I think there may just be a short delay between IP changes for the alias to update, but I'm not sure how long.  I haven't noticed an issue in practice.

EDIT: I found a setting in Firewall->Settings->Advanced that seems to control the update interval.  Default is 300s.

"The power of the People is greater than the people in power." - Wael Ghonim

Site 1 | N5105 | 8GB | 256GB | 4x 2.5GbE
Site 2 |  J4125 | 8GB | 256GB | 4x 1GbE

Hmm, I thought FQDN would resolve all of the IPs but it looks like it doesn't pick up IPv6 auto-generated addresses, at least in my current setup with Kea+Unbound.

MAC aliases seem reliable, though.

This has always been misnamed and maybe that can be addressed by renaming the Dnsmasq field.

But then again maybe firewall alias support is coming to Dnsmasq... https://github.com/opnsense/core/pull/8791 making this even more complicated. ;)


Cheers,
Franco

FQDN is definitely better than nothing, though it doesn't help with grouping devices.

Quote from: franco on June 13, 2025, 06:57:29 AM
This has always been misnamed and maybe that can be addressed by renaming the Dnsmasq field.

But then again maybe firewall alias support is coming to Dnsmasq... https://github.com/opnsense/core/pull/8791 making this even more complicated. ;)


Cheers,
Franco

Was that PR made in response to this feature request, or was this already about to happen? Either way, that's exciting!

Unfortunately, the limitation of IP addresses staying in the alias forever would kill the usefulness of this feature for me. To me, the whole point of doing it this way is so that I can create groups of devices, and change rules for the whole group at once, without having to worry about things like changing IP addresses.

If I get rid of a particular device, and another one that shouldn't be in the group gets assigned the old one's IP address, rules that shouldn't be applied will be. To me, that's just a ticking time bomb.

Interestingly, dnsmasq's add_to_ipset() function has a parameter to make it remove entries rather than add them, but it's always set to 0. I wonder how much work it would be to make it auto-remove expired entries.
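The two behaviours discussed in this thread, an alias that is rebuilt from current leases on each refresh interval (the MAC/Host alias tracking described in the earlier reply, default 300 s) versus an ipset that is only ever added to and keeps stale addresses forever, can be compared with a small simulation. The following is an added example and not OPNsense or dnsmasq code; the lease records, MAC addresses, hostnames, timings and the function names are all constructed for illustration.

```python
"""Simulate how a firewall alias tracks devices from DHCP leases.

Added example, not OPNsense or dnsmasq code. All lease records, MACs,
hostnames and timings below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str
    start: datetime
    end: datetime  # lease expiry

    def active(self, now: datetime) -> bool:
        return self.start <= now < self.end


T0 = datetime(2025, 6, 12, 18, 0)
HOUR = timedelta(hours=1)
REFRESH = timedelta(seconds=300)  # alias refresh interval from the thread

# Constructed lease history: a trusted laptop holds 10.0.0.50 for two hours,
# then an unrelated guest device receives the same address after that lease
# has lapsed, while the laptop comes back on a different address.
LEASES = [
    Lease("aa:bb:cc:00:00:01", "10.0.0.50", "laptop", T0, T0 + 2 * HOUR),
    Lease("aa:bb:cc:00:00:02", "10.0.0.50", "guest-phone", T0 + 3 * HOUR, T0 + 5 * HOUR),
    Lease("aa:bb:cc:00:00:01", "10.0.0.51", "laptop", T0 + 3 * HOUR, T0 + 5 * HOUR),
]

TRUSTED_MACS = {"aa:bb:cc:00:00:01"}  # the MAC-type alias definition


def resolve_mac_alias(leases, macs, now):
    """Members of a MAC-type alias: IPs of currently active leases for those MACs."""
    return {lease.ip for lease in leases if lease.mac in macs and lease.active(now)}


def resolve_host_alias(leases, hostnames, now):
    """Members of a Host-type alias given by hostname (stand-in for an FQDN lookup)."""
    return {lease.ip for lease in leases if lease.hostname in hostnames and lease.active(now)}


class AddOnlyIpset:
    """Models a set that is only ever added to and never pruned (stale IPs persist)."""

    def __init__(self):
        self.members = set()

    def refresh(self, ips):
        self.members |= set(ips)


class RebuiltAlias:
    """Models an alias table rebuilt from the current leases on every refresh."""

    def __init__(self):
        self.members = set()

    def refresh(self, ips):
        self.members = set(ips)


def simulate(table, leases, macs, start, hours, interval=REFRESH):
    """Refresh `table` every `interval` from `start` for `hours` hours; return its members."""
    now = start
    end = start + hours * HOUR
    while now <= end:
        table.refresh(resolve_mac_alias(leases, macs, now))
        now += interval
    return table.members


def rule_allows(alias_members, src_ip):
    """A firewall rule whose source is the alias matches iff the IP is a member."""
    return src_ip in alias_members


if __name__ == "__main__":
    stale = simulate(AddOnlyIpset(), LEASES, TRUSTED_MACS, T0, 4)
    fresh = simulate(RebuiltAlias(), LEASES, TRUSTED_MACS, T0, 4)
    print("add-only ipset after 4h:", sorted(stale))
    print("rebuilt alias after 4h: ", sorted(fresh))
    print("guest-phone on 10.0.0.50 matches trusted rule (add-only):", rule_allows(stale, "10.0.0.50"))
    print("guest-phone on 10.0.0.50 matches trusted rule (rebuilt): ", rule_allows(fresh, "10.0.0.50"))
```

After four simulated hours the add-only set still contains 10.0.0.50, so the guest phone that inherited that address matches a rule meant for the laptop; the rebuilt alias only contains 10.0.0.51. Honouring lease expiry on each refresh is what removes the reuse problem described above.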

Quote from: OPNenthu on June 12, 2025, 11:29:59 PM
Hmm, I thought FQDN would resolve all of the IPs but it looks like it doesn't pick up IPv6 auto-generated addresses, at least in my current setup with Kea+Unbound.

MAC aliases seem reliable, though.

It works with MAC in aliases. Then it will track IPv6 too.