25.7.3_3 - Filtering by source ip on a wireguard interface doesn't work

Started by rarcel, September 10, 2025, 02:45:13 PM

Previous topic - Next topic
Print
Go Down Pages1 2
User actions
September 10, 2025, 02:45:13 PM
Hi,

I have a strange issue since the upgrade to 25.7.3_3.

On a wireguard interface, an existing rule with an alias in the source address field doesn't work anymore. If I put "Any" instead of the alias, the rule works again (even if it's not what I want ^^ ).

Do I miss a breaking change ?

September 10, 2025, 02:59:16 PM #1
Hi,

If you had 25.7.3 and grabbed 25.7.3 did you also hit "apply" under firewall: aliases?

And which alias type would that be exactly that doesn't work?


Cheers,
Franco
September 10, 2025, 03:18:57 PM #2
 Hi,

I just did it, and unfortunately, it still doesn't work.

Aliases types are all "Hosts" in my case.
September 10, 2025, 03:19:43 PM #3
And a packet trace or firewall log shows that the packets in question really match the source address in the alias?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
September 10, 2025, 03:23:36 PM #4
Yes it matches the alias, sorry I should mention it
September 10, 2025, 03:27:42 PM #5
Here is the content of the capture (nc -v 192.168.1.8 22 from 192.168.21.4 ) :

length 64: (tos 0x0, ttl 64, id 19606, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.21.4.60366 > 192.168.1.8.22: Flags , cksum 0x5721 (correct), seq 840528611, win 65424, options [mss 1392,sackOK,TS val 3660705569 ecr 0,nop,wscale 7], length 0
September 10, 2025, 03:39:30 PM #6
Ok, then please show the rule definition.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
September 10, 2025, 03:39:42 PM #7
I think I see why it doesn't work, in Diagnotistics/ Aliases, the alias I try to use is empty, whatever I do (I tried to change the content, Hit the apply button), the table is still empty
September 10, 2025, 03:40:54 PM #8
Then show the alias definition in the UI.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
September 10, 2025, 03:42:13 PM #9
I don't know if it's a coincidence, but it seems that all my aliases that contains two underscore in the name are empty. Others seems to be fine.
September 10, 2025, 03:44:02 PM #10
Finally it seems to be random ( I have more than 100 aliases )
September 10, 2025, 03:44:36 PM #11
> don't know if it's a coincidence, but it seems that all my aliases that contains two underscore in the name are empty.

This is odd, because 25.7.3_3 fixes exactly this.


Cheers,
Franco
September 10, 2025, 03:46:04 PM #12
Searching in the logs, I found this :

[ba512d3a-0fe9-4e3b-8872-24a007932bed] Script action failed with Command '/usr/local/bin/flock -n -E 0 -o /tmp/filter_update_tables.lock /usr/local/opnsense/scripts/filter/update_tables.py ' returned non-zero exit status 1. at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/actions/script_output.py", line 78, in execute subprocess.run(script_command, env=self.config_environment, shell=True, File "/usr/local/lib/python3.11/subprocess.py", line 571, in run raise CalledProcessError(retcode, process.args, subprocess.CalledProcessError: Command '/usr/local/bin/flock -n -E 0 -o /tmp/filter_update_tables.lock /usr/local/opnsense/scripts/filter/update_tables.py ' returned non-zero exit status 1.
September 10, 2025, 03:57:11 PM #13
Ok, what happens when you manually run "/usr/local/opnsense/scripts/filter/update_tables.py" then?
September 10, 2025, 04:02:06 PM #14
this appens:

Print
Go Up Pages1 2
User actions