browningluke / terraform-provider-opnsense

OPNsense Terraform Provider
https://registry.terraform.io/providers/browningluke/opnsense/latest
MIT License

Problems with os-firewall #28

Closed achetronic closed 11 months ago

achetronic commented 1 year ago

Hello there :)

I have found several errors when dealing with firewall resources (os-firewall installed)

Let me expose them here:

1. Firewall NAT rules seem to be created but are not shown anywhere:

example of resource:

resource "opnsense_firewall_nat" "test_http_forwarding_rule" {
  interface = "wan"
  protocol  = "TCP"

  source = {
    net = "any"
    invert = false
  }

  destination = {
    net  = "wanip"
    port = 8080
  }

  target = {
    ip = "heimdal"
    port = 80
  }

  description = "[TEST] Forward HTTP traffic to Nginx Gateway"
}

Error 1: Description length should handle a max of 255 chars, but it fails with this long one. It doesn't fail with "Forward HTTP traffic".

Error 2:

Screenshot from 2023-09-06 11-56-03

test

2. Firewall aliases are correctly created but crash after it:

example resource:

resource "opnsense_firewall_alias" "kubernetes_lb_wireguard" {
  name = "test_kubernetes_lb_wireguard"

  type    = "host"
  content = [
    "192.168.2.63"
  ]

  stats       = true
  description = "[TEST] Custom name for Kubernetes' LoadBalancer exposing Wireguard"
}

First apply is fine, and the resource is created fine, but in the second apply:

Screenshot from 2023-09-06 11-47-42

browningluke commented 1 year ago

Hi @achetronic, thank you for flagging these! I'll get these fixed as soon as I can.

achetronic commented 1 year ago

> Hi @achetronic, thank you for flagging these! I'll get these fixed as soon as I can.

No problem! 😄

browningluke commented 11 months ago

Hey @achetronic

Thanks again for flagging this. I've finally got around to fixing them in the most recent release (v0.7.0).

For the first issue you flagged, the bug was a bit weird. The standard OPNsense firewall rules let you put special characters in the description, but the os-firewall plugin doesn't, so since you had [TEST] it was failing on the OPNsense end, but TF thought the resource was created. I've added validations now to prevent special characters in the description, so it should work correctly now.

For the second issue, it was a weird issue where the OPNsense API returned an empty array rather than an empty object, so the code failed to parse it. This should also be handled now.

Just a note, these resources use the os-firewall plugin, which puts the resources in a different place (i.e. not the regular places you find the rules in OPNsense), see below. Just thought I'd mention it since the first image you included is of the regular OPNsense firewall, rather than the os-firewall.

image

Firewall > Automation > Filter / Source NAT is where you can find the resources
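As an added illustration of the two fixes described in this comment (not code from the provider itself), the Go snippet below shows the shape of both: a client-side description check that rejects values the os-firewall backend would silently drop, so a bad value fails at plan time instead of leaving a resource in state that the API never stored, and a JSON decoder that accepts an empty array where an object is expected. The names (`ValidateDescription`, `FlexibleMap`, `AliasResponse`, `ParseAlias`), the exact allowed character set, and the sample responses are assumptions for the example; the 255-character limit comes from the issue report.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"regexp"
)

// descriptionRe is an assumed character set: the comment above says os-firewall
// rejects "special characters", so this allows letters, digits, space and ._-.
var descriptionRe = regexp.MustCompile(`^[A-Za-z0-9 ._-]*$`)

// ValidateDescription runs before any API call. Failing here surfaces the
// problem to the user instead of producing a "created" resource that OPNsense
// actually rejected (the first bug in this issue).
func ValidateDescription(desc string) error {
	if len(desc) > 255 { // limit mentioned by the reporter
		return fmt.Errorf("description is %d bytes, max is 255", len(desc))
	}
	if !descriptionRe.MatchString(desc) {
		return fmt.Errorf("description %q contains characters not accepted by os-firewall", desc)
	}
	return nil
}

// FlexibleMap decodes a JSON object into a map but also tolerates "[]" (an
// empty array), which the API returned instead of "{}" (the second bug).
type FlexibleMap map[string]string

func (m *FlexibleMap) UnmarshalJSON(data []byte) error {
	trimmed := bytes.TrimSpace(data)
	switch {
	case bytes.Equal(trimmed, []byte("[]")), bytes.Equal(trimmed, []byte("null")):
		*m = FlexibleMap{} // treat empty array / null as an empty object
		return nil
	}
	var raw map[string]string
	if err := json.Unmarshal(trimmed, &raw); err != nil {
		return err
	}
	*m = FlexibleMap(raw)
	return nil
}

// AliasResponse is a hypothetical response shape for an alias lookup.
type AliasResponse struct {
	Name    string      `json:"name"`
	Content FlexibleMap `json:"content"`
}

// ParseAlias decodes one alias response body.
func ParseAlias(body []byte) (AliasResponse, error) {
	var r AliasResponse
	err := json.Unmarshal(body, &r)
	return r, err
}

func main() {
	// Constructed sample inputs; not captured from a real OPNsense instance.
	fmt.Println(ValidateDescription("Forward HTTP traffic to Nginx Gateway")) // <nil>
	fmt.Println(ValidateDescription("[TEST] Forward HTTP traffic"))           // error

	for _, body := range []string{
		`{"name":"a","content":{"192.168.2.63":"192.168.2.63"}}`,
		`{"name":"b","content":[]}`, // would fail with a plain map field
	} {
		r, err := ParseAlias([]byte(body))
		fmt.Printf("%+v err=%v\n", r, err)
	}
}
```

With a plain `map[string]string` field, the second body fails with "cannot unmarshal array into Go struct field"; the custom `UnmarshalJSON` is what makes the refresh after the first apply succeed.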

browningluke commented 11 months ago

I'll close this issue now, but feel free to comment if you still run into these issues and I'll reopen it and investigate further.

achetronic commented 11 months ago

Oh, thank you! @browningluke I will test this ASAP and give you feedback for both this one and this other one: https://github.com/browningluke/terraform-provider-opnsense/issues/27#issuecomment-1763256160