Visibility of aliases

Started by keeka, September 15, 2025, 11:07:59 AM

September 15, 2025, 11:07:59 AM Last Edit: September 15, 2025, 11:10:50 AM by keeka
I think it would streamline configuration for the user if aliases were expanded and exposed in more sections of the OPNsense web interface.
Host interface aliases, for example, would make it possible to configure DHCP and VPN without hardcoding a firewall IP address. Maybe I am overlooking something, but I have found myself looking for interface aliases and either not finding them in the dropdown or no aliases are offered/supported.

Aliases are a special way in pf(4) packet firewall format pf.conf(5) to hold immensely large lists of content. Mapping them to third party components like DHCP or similar would reduce their utility or lead to users complaining of interoperability challenges in the same subsystem, because the separation is not clear and never will be.

There's also no way to clamp down on specific network aliases... could be hosts, networks, etc. Most services expect one or the other, adding more wrenches to the system leading to slightly modified copies and further UX problems for "someone" to solve.


Cheers,
Franco

I was thinking solely of the visibility of the firewall interface address aliases. But I see the scope for problems.
Thanks for the comprehensive answer.

I see. Virtual IPs have tried to fill this gap, but it wasn't overly successful and straightforward. The biggest caveat of virtual IPs is that the primary interface IP addresses are not visible to virtual IPs, so you cannot select them in some services, which work around this by also offering an interface selection or alias/CARP address. Historically we also scrapped most virtual IP selectors in code and bind to all primary and virtual IP addresses of a selected interface, which offers a more robust user experience, although it has its limits when micromanaging addresses is required.

If the interface code were all MVC (especially model-based) we could try to structure this better but that's likely 3-5 years away from being usable out of the box if we committed to this now. It's probably going to happen, but I also think the interface code is the last bit to be moved to MVC (and we're 80% done with that conversion after 10 years of work).


Cheers,
Franco