NAT, port aliases, redirect not working after upgrade

Started by ssachse, January 30, 2018, 12:36:46 PM

Quote
Under Firewall: Settings: Advanced, is "Verify HTTPS certificates when downloading alias URLs" checked or unchecked? Are you using a proxy server in your network doing HTTPS MITM?
In my situation also:
The setting is unchecked and I'm not using a proxy server that intercepts HTTPS.

After the update to 18.1.1 the "IDS rule update problem" seems to be solved.
Unfortunately the alias problem still exists - aliases aren't working, e.g. hosts  :(
Same outputs as posted before...

NAT / port forwarding is not working correctly even in 18.1.1.

Only if I disable the port forwarding rule to the proxy 127.0.0.1 (https) and disable the blocking https rule do I get a 100% working connection!

On 17.7.12 this all works without any problems.

My no SSL bump list is the same as in version 17.7.12.



OK, I've found the "bug" with aliases (hosts) not working.
In my case I have an alias list with hosts that are used by MS for data collection.
One of them can't be resolved anymore, so this entry should be skipped (in my opinion), but in that case it ended up with an error -> table generation (all) will be aborted -> aliases in that case will not work.

One deceased entry in an alias list is enough to stop the whole table generation  :o
This behavior should be changed to skip such entries.

After updating to 18.1.1 it runs again. Obviously there were some more issues.
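
The skip-instead-of-abort behaviour asked for in the post above about one unresolvable host entry stopping table generation, as an added example that is not part of the original thread and is not OPNsense's code. The function names, the `strict` switch and the sample hostnames are assumptions made for illustration; skipped entries are returned so they can be logged rather than dropped silently.

```python
import ipaddress
import socket

def resolve_host(name):
    """Default resolver: all A/AAAA addresses for a hostname."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def build_alias_table(entries, resolver=resolve_host, strict=False):
    """Expand a host alias into table addresses (hypothetical helper).

    strict=True : one unresolvable entry aborts the whole table.
    strict=False: the entry is skipped and reported, the rest is loaded.
    Returns (sorted address list, [(entry, reason), ...]).
    """
    addresses, skipped = set(), []
    for entry in entries:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            # IP literals and CIDR networks need no DNS lookup.
            addresses.add(str(ipaddress.ip_network(entry, strict=False)))
            continue
        except ValueError:
            pass  # not an address, treat it as a hostname
        try:
            resolved = resolver(entry)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            if strict:
                raise
            skipped.append((entry, str(exc)))
            continue
        addresses.update(str(ipaddress.ip_network(a)) for a in resolved)
    return sorted(addresses), skipped

# Constructed sample data: made-up hostnames, documentation-range addresses.
FAKE_DNS = {"telemetry.example.test": {"198.51.100.7", "198.51.100.8"}}
SAMPLE_ALIAS = ["telemetry.example.test", "gone.example.test",
                "192.0.2.10", "203.0.113.0/24"]

def fake_resolver(name):
    """Offline stand-in for DNS; unknown names fail like a dead host."""
    if name not in FAKE_DNS:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return FAKE_DNS[name]

if __name__ == "__main__":
    table, skipped = build_alias_table(SAMPLE_ALIAS, resolver=fake_resolver)
    print("table:", table)
    print("skipped:", skipped)
```
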

Tried reinstalling with 18.1 and updated to 18.1.2_2.
Still the same issue, geoip alias is empty..
Executed refresh_aliases and also deleted the tables and retried, still empty..
Same on test VM.


Quote from: franco on February 13, 2018, 05:32:47 PM
Another patch to try... https://github.com/opnsense/core/commit/b514992

# opnsense-patch b514992


Cheers,
Franco
Applied patch, retried the previous steps, still empty :(

How are you populating the alias?  Sorry if you mentioned it, but I don't want to dig through the entire thread.

Quote from: Dominian on February 13, 2018, 05:43:00 PM
How are you populating the alias?  Sorry if you mentioned it, but I don't want to dig through the entire thread.
I open an alias and save it, apply the changes and check the pfTables result for the GeoIP alias.

Since it's still empty, I try these mentioned commands:

# rm /var/db/aliastables/CH*
# configctl filter refresh_aliases

And still empty.

What is your configuration on the Alias itself?

Can you post a screenshot of the config?

Quote from: Dominian on February 13, 2018, 05:53:58 PM
What is your configuration on the Alias itself?

Can you post a screenshot of the config?
Only one country checked, even tried another one, same result..

So, I just tested a brand new alias, using this: https://iplists.firehol.org/files/firehol_level1.netset

Set the alias to URL Table (IPs), set the expiration to 1 day 0 hours (so it will refresh daily) and submitted; pfTables immediately shows them.

I've attached what the alias config looks like.  Can you screenshot YOUR alias similar to how I did mine so I can see what you're doing exactly.

@Evil_Sense it's not for populating aliases, it's for repairing alias usage in the outbound rules. Run this before retesting:

# configctl filter reload


Cheers,
Franco

February 13, 2018, 06:33:11 PM #74 Last Edit: February 13, 2018, 06:35:16 PM by Evil_Sense
Quote from: Dominian on February 13, 2018, 06:03:19 PM
So, I just tested a brand new alias, using this: https://iplists.firehol.org/files/firehol_level1.netset

Set the alias to URL Table (IPs), set the expiration to 1 day 0 hours (so it will refresh daily) and submitted; pfTables immediately shows them.

I've attached what the alias config looks like.  Can you screenshot YOUR alias similar to how I did mine so I can see what you're doing exactly.
That's how I configured the GeoIP alias..

Edit: IP and port aliases are working and also populated