[Feature] Global Aliases
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- [x] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
- [x] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue
Is your feature request related to a problem? Please describe.
Feature request is not related to a "problem"
Describe the solution you like
I would like to see the firewall aliases available in other sections of the OPNsense firewall, or more likely, a global alias system that could be used in multiple services. For example, a global alias for an internal IP that could be used in Unbound, DHCP, and the firewall section. This benefits users who may run virtual workloads that often change their IP (think VIP-based load balancers): if the VIP of a load balancer changes, there are multiple locations in OPNsense where this may need to change. I see this global alias being mostly useful in DNS, firewall and DHCP functions.
Describe alternatives you considered
I do not believe there are any.
Additional context
Below I pasted some pictures of some sample alias uses.
Unbound:
DHCP:
Looked at this from various angles in the past, but the service in question has no way of knowing anything underneath has changed and has no way of coping with the flexibility the alias system has to offer. In practice this would mean any update to the alias system has the possible effect of restarting all consumers of these aliases (which causes unexpected service interruption).
Not to mention the heavy restrictions that each user of the alias would impose on the alias being used (lower number of entries, stricter format, etc).
I just now configured VPN->IPsec->Connection->Pools and came across exactly that idea. One pool for IPv6, one for IPv4, selecting two pools in the connection... And "Local Nets" like that is not maintainable: I have over 8 lines of tooltip full of IP network garbage when hovering with the mouse over it, when it is just three entries in the "Alias"...
The alias system regarding networks/hosts is great; you should make it available in the other networking sections to get rid of those possible errors when maintaining IP networks/addresses over the various services.
If the service allows a reload instead of a restart, just reload when the alias changes. Services with only restart -> no alias functionality. Start with IPsec please and then move on to OpenVPN!
Related: https://github.com/opnsense/core/issues/7464
I feel like having a standard display of what services support aliases would be a good idea:
- Services that work well with the concept, like ones that can reload with no downtime, would say something like 'fully supported'.
- Services that require restarts to use aliases could have an explicit checkbox saying the service can be restarted for alias changes, and a warning to the user asking if they really want to enable aliases, and say 'partially supported, downtime on alias update'.
I feel like allowing the user to choose if they're OK with downtime might be the only solution to this issue that covers most cases.
In most cases you can bind the service to a loopback address and use an rdr (port forward) to offer the flexibility, which is a best practice anyway. Bindings (such as static DHCP addresses and DNS hosts) are different, but also cause less duplication when properly used.
This issue has been automatically timed-out (after 180 days of inactivity).
For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.
If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.