Topic: Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore

Offline ggzengel

After the upgrade the ports are closed.

Diagnostic->Ping is working.
I saved the alias again to force a DNS lookup.
Still unchecked (never enabled before): Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall
I use DNS Forwarder.
After changing the alias to an IP it's working, but that's not preferred.

Code:
<alias>
<name>smtp_server</name>
<type>host</type>
<address>smtp.domain.local</address>
<descr><![CDATA[SMTP Server]]></descr>
<detail><![CDATA[Entry added Fri, 14 Sep 2012 13:58:06 +0000]]></detail>
</alias>

Code:
<rule>
<id></id>
<type>pass</type>
<interface>opt2</interface>
<tag></tag>
<tagged></tagged>
<max></max>
<max-src-nodes></max-src-nodes>
<max-src-conn></max-src-conn>
<max-src-states></max-src-states>
<statetimeout></statetimeout>
<statetype><![CDATA[keep state]]></statetype>
<os></os>
<protocol>tcp</protocol>
<source>
<any></any>
</source>
<destination>
<address>smtp_server</address>
<port>25</port>
</destination>
<descr><![CDATA[SMTP Server]]></descr>
<tracker>1460899172</tracker>
</rule>


Offline pauby

Re: Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore
« Reply #1 on: October 17, 2017, 06:40:44 am »
I have EXACTLY the same issue although I'm using DNS Resolver and not DNS Forwarder. As many many of my rules rely on aliases (and names) it's broken the best part of my network.

Offline ggzengel

Re: Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore
« Reply #2 on: October 17, 2017, 07:25:21 am »

Offline johnpoz

Re: Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore
« Reply #3 on: October 17, 2017, 07:40:23 am »
You opened a bug report with ZERO info to suggest it is..

So you have an alias for smtp.domain.local as a fqdn in it..

Does this resolve?  A simple query to pfSense for that FQDN should show you if pfSense can resolve it.  Or a simple DNS lookup under Diag.

What does the table for your alias show, also under Diag?  As the comment in the bug you created states, they cannot duplicate your problem, nor can I..

Where should smtp.domain.local resolve?  Is this a host override on pfSense?  A reservation in DHCP that you have registered in the forwarder/resolver?  Is it some downstream DNS that should resolve that?  If so, do you have a domain override in place so pfSense knows where to go ask for smtp.domain.local?
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline ggzengel

Re: Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore
« Reply #4 on: October 17, 2017, 07:53:59 am »
Can you read?

> Diagnostic->Ping is working.

And it worked before update!

Offline pauby

Re: Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore
« Reply #5 on: October 17, 2017, 07:57:05 am »
Information requested below:

Code:
Alias:
IP_Syncthing_Clients - Type: Hosts - Entries: (contains many local computer names all registered in DNS by pfSense DHCP Server) my-desktop
IP_NAS - Type: Hosts - Entries: nas.fqdn.private
Port_Syncthing_Server_TCP- Type: Ports - Entries: 22000

Looking at the table alias for IP_Syncthing_Clients confirms that the IP address for my-desktop is in there.
The table alias for IP_NAS says there are no entries in the table. I have tried amending the description and adding a new host name to prompt it to refresh, but it still reports there are no entries in the table.
Port_Syncthing_Server_TCP doesn't appear in the tables list (I'm assuming only IP ones will?).

Code:
DNS Resolver Settings:
General:
Enable: Ticked
Port: Default (53)
Network Interfaces: selected the correct interfaces (LAN and the network the NAS is on)
Outgoing Interfaces: WAN
System Domain Local Zone Type: Transparent (default)
Enable Forwarding Mode: Ticked
Register the DHCP Leases in the DNS Resolver: Ticked
Register DHCP static mappings in the DNS Resolver: Ticked
No Domain Overrides

Advanced:
Hide Identity: Ticked
Hide Version: Ticked
Everything else either unticked or left at defaults

Access Lists: Empty

Code:
Rule:
Action: Pass
Interface: LAN
Address Family: IPv4
Protocol: TCP
Source: Single Host or Alias: IP_Syncthing_Clients
Destination: Single Host or Alias: IP_NAS
Destination Port Range: (other): Port_Syncthing_Server_TCP: (other): Port_Syncthing_Server_TCP
Log packets handled by this rule: Ticked
Everything else left as default

Packets destined to port 22000 on nas.fqdn.local from my-desktop are blocked. If I change the rule and replace IP_NAS with the IP address of NAS it works fine.

So it looks like if the table entries are missing it won't resolve. It looks like the upgrade is hosing some of the alias tables (as there are a lot of empty ones), which begs the question of how to recreate the alias tables without starting from scratch.

These rules have been in place since 19/2/16 without issue. There are also other rules I have with the same problems. This is just one.
« Last Edit: October 17, 2017, 08:16:01 am by blueivy »

Offline ggzengel

Re: Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore
« Reply #6 on: October 17, 2017, 08:16:47 am »
Are you using Domain Overrides and query them in your alias table?

Offline pauby

Re: Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore
« Reply #7 on: October 17, 2017, 08:20:05 am »
> Are you using Domain Overrides and query them in your alias table?

No. As I said above there are no Domain Overrides in the DNS Resolver.

Just to be clear as well the nas.fqdn.private and my-desktop both resolve to the correct IP when using Diagnostics -> Ping.

Offline johnpoz

Re: Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore
« Reply #8 on: October 17, 2017, 08:49:10 am »
Dude, post up screenshots of your alias and your diagnostic table... How in the hell is pfSense going to resolve smtp.domain.local since that is not a public..

So you're saying that is a reservation in your DHCP that you register in your forwarder?  Or you're just registering DHCP clients?  If you're not doing an override

If you're saying pfSense can resolve it, then it would be in the TABLE.. If it's not in the table then no, your alias would not work.

Cannot duplicate this.. Plain and simple.. If pfSense can resolve a FQDN, then it shows up in the table.. Be it a local entry or a public entry..
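The check johnpoz describes (if pfSense can resolve the FQDN, its address must appear in the alias's table) can be scripted so every host alias is compared at once. This is an added example, not code from the thread or from pfSense; it assumes aliases are read from the firewall's config.xml and table contents from `pfctl -t <alias> -T show` output, and the sample config, table output and DNS answers below are constructed.

```python
import re
import socket
import xml.etree.ElementTree as ET

# Constructed sample of host aliases as pfSense stores them in config.xml
# (the <address> field is space separated); the alias names come from the thread.
SAMPLE_CONFIG = """<pfsense><aliases>
<alias><name>smtp_server</name><type>host</type><address>smtp.domain.local</address></alias>
<alias><name>IP_NAS</name><type>host</type><address>nas.fqdn.private 10.9.9.9</address></alias>
</aliases></pfsense>"""
# Constructed `pfctl -t <alias> -T show` output. smtp_server shows the symptom
# from the thread: the name resolves, but the pf table behind the alias is empty.
SAMPLE_TABLES = {"smtp_server": "", "IP_NAS": "   10.9.9.9\n   192.168.10.20\n"}
# Constructed resolver answers, standing in for what Diagnostics -> Ping sees.
SAMPLE_DNS = {"smtp.domain.local": ["10.0.0.25"], "nas.fqdn.private": ["192.168.10.20"]}
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")


def parse_host_aliases(config_xml):
    """Return {alias_name: [entries]} for host and network aliases only."""
    out = {}
    for alias in ET.fromstring(config_xml).iter("alias"):
        if alias.findtext("type") in ("host", "network"):
            out[alias.findtext("name")] = (alias.findtext("address") or "").split()
    return out


def resolve_with_socket(fqdn):
    """Live A-record lookup through the firewall's own resolver; [] on failure."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def check_aliases(config_xml, tables, resolver=resolve_with_socket):
    """Compare DNS answers for each FQDN entry with the alias's pf table; {alias: [problems]}."""
    report = {}
    for name, entries in parse_host_aliases(config_xml).items():
        table = {l.strip() for l in tables.get(name, "").splitlines() if l.strip()}
        problems = []
        for entry in entries:
            if IP_RE.match(entry):
                continue  # literal IP/CIDR entries are loaded without a lookup
            ips = resolver(entry)
            if not ips:
                problems.append(f"{entry}: does not resolve")
            elif not table:
                problems.append(f"{entry}: resolves to {ips} but table is empty")
            elif any(ip not in table for ip in ips):
                problems.append(f"{entry}: {ips} not all in table {sorted(table)}")
        report[name] = problems
    return report
```

On a firewall, feed it the real config.xml and the live pfctl output for each alias and keep the default resolver; an alias listed with "table is empty" is exactly the state both posters describe.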

Offline pauby

Re: Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore
« Reply #9 on: October 17, 2017, 08:51:44 am »
> Dude, post up screenshots of your alias and your diagnostic table... How in the hell is pfSense going to resolve smtp.domain.local since that is not a public..

As you're replying to ggzengel (as he has smtp.domain.local) I will let him answer. If you're referring to me then let me know.

Offline ggzengel

Re: Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore
« Reply #10 on: October 17, 2017, 08:57:25 am »
Strange:
Since the update on Friday until yesterday the firewall was blocking the SMTP port.
Yesterday I saved this table entry again in the hope it would work, but it always blocked this port.
Only changing to an IP resolved this problem.
Today, after trying multiple entries with Google, it's working again.
Now I have a FQDN entry and the firewall is open again. WTF?

Offline pauby

Re: Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore
« Reply #11 on: October 17, 2017, 09:12:29 am »
> Strange:
> Since the update on Friday until yesterday the firewall was blocking the SMTP port.
> Yesterday I saved this table entry again in the hope it would work, but it always blocked this port.
> Only changing to an IP resolved this problem.
> Today, after trying multiple entries with Google, it's working again.
> Now I have a FQDN entry and the firewall is open again. WTF?

Glad you got yours sorted. I only upgraded yesterday so hopefully I don't need to wait 4 days before it starts working again!

I have a mixture of internal and external addresses that are in the aliases. All resolve through Diagnostics -> Ping so pfSense knows how to resolve them. But their tables are empty.
« Last Edit: October 17, 2017, 09:18:27 am by pauby »

Offline ggzengel

Re: Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore
« Reply #12 on: October 17, 2017, 09:21:51 am »
This is an externally located perimeter firewall and is connected to the core network over OpenVPN.
The SMTP and DNS servers are in the core network. The domain.local TLD is forwarded with a Domain Override.
This solution (OpenVPN, DNS forward, FQDN alias) has been working for years.

I don't know what happened after the update that disturbed this solution so much.
Normally the tables should be reloaded on interface changes and everything should be alright.

1. guess: It didn't refresh the alias table, even on saving old entries.
2. guess: It looks like there was a negative DNS cache entry for the alias tables which didn't expire as long as it was always used. While booting, the FQDN couldn't be resolved.

Perhaps tonight I can reboot the pfSense and will see what happens.

Offline ggzengel

Re: Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore
« Reply #13 on: October 17, 2017, 09:28:55 am »
Can you test a FQDN you never used before?
Only to see if it's a caching problem.

Offline pauby

Re: Upgrade 2.4.0: firewall rule with alias and FQDN not working anymore
« Reply #14 on: October 17, 2017, 09:32:16 am »
You mean just to ping?

I just tried to Diagnostics -> Ping 'hello.fqdn.private' and just 'hello' and both failed as you'd expect.

UPDATED: Also tried this from the console itself with the same error (again as you'd expect). I rebooted pfSense earlier today and also about 15 minutes ago (in case the aliases 'spring' to life after a reboot - I can but hope).
« Last Edit: October 17, 2017, 09:37:07 am by pauby »