Question regarding multiple group assignments for same clients

tauceti · June 9, 2020, 11:07am

Hi,

I am using Pihole 5 and when adding multiple clients e.g.
192.168.0.0/24 and assigning them to groups then what happens if I then add e.g.
192.168.0.33 to other (and/or overlapping) groups?
Which groups will be selected for 192.168.0.3? Only those defined explicitly for that client or also the groups from the 192.168.0.0./24 entry?

Thanks

jfb · June 9, 2020, 11:28am

Both assignments should apply.

yubiuser · June 9, 2020, 12:09pm

At the moment ~~both~~ the first matching will be assigned, but this behavior will change in v5.1

github.com/pi-hole/FTL

Always chose best (= maximum match) subnet for clients

pi-hole:development ← pi-hole:tweak/best_subnet

opened 06:32PM - 11 May 20 UTC

DL6ER

+70 -34

**By submitting this pull request, I confirm the following:** - [X] I have re…ad and understood the [contributors guide](https://github.com/pi-hole/pi-hole/blob/master/CONTRIBUTING.md). - [X] I have checked that [another pull request](https://github.com/pi-hole/FTL/pulls) for this purpose does not exist. - [X] I have considered, and confirmed that this submission will be valuable to others. - [X] I accept that this submission may not be used, and the pull request closed at the will of the maintainer. - [X] I give this submission freely, and claim no ownership to its content. **How familiar are you with the codebase?:** ## 10 --- This allows to configure specific settings for a whole range of devices but still exclude others. Complain softly (no error) if multiple configured subnets match with the same number of relevant bits. We log in case there are multiple groups defined matching equally which one FTL chose. It will deterministic chose the most matching *last added one*. ![Screenshot at 2020-05-11 20-25-22](https://user-images.githubusercontent.com/16748619/81597148-8e180280-93c5-11ea-9a23-8d834d38fd4d.png) resulting in the following log line (only the last line is logged in non-DEBUG mode, I kept all for illustrative proposes here): ```plain [2020-05-11 20:26:55.425 18858] SQL: Comparing 127.0.0.1 vs. 127.0.0.0/8 (subnet 255.0.0.0) - !! MATCH !! [2020-05-11 20:26:55.425 18858] SQL: Comparing 127.0.0.1 vs. 127.0.0.0/8 (subnet 255.0.0.0) - !! MATCH !! [2020-05-11 20:26:55.425 18858] SQL: Comparing 127.0.0.1 vs. 127.0.0.1/8 (subnet 255.0.0.0) - !! MATCH !! [2020-05-11 20:26:55.425 18858] SQL: Comparing 127.0.0.1 vs. 127.0.0.1/8 (subnet 255.0.0.0) - !! MATCH !! [2020-05-11 20:26:55.425 18858] SQL: Comparing 127.0.0.1 vs. 127.0.0.1/8 (subnet 255.0.0.0) - !! MATCH !! [2020-05-11 20:26:55.425 18858] SUBNET WARNING: Client 127.0.0.1 is managed by 2 groups (IDs 1,37), all describing /8 subnets. FTL chose the most recent entry 127.0.0.1/8 (ID 37) for this client. ``` This will also show up on the dashboard when the new Pi-hole diagnostics system has been merged: ![Screenshot_2020-05-11 Pi-hole - ubuntu-server(1)](https://user-images.githubusercontent.com/16748619/81597737-78570d00-93c6-11ea-9072-d5a772ec0509.png)

tauceti · June 9, 2020, 12:29pm

ok thanks understood! So in 5.1 it will use the last added entry then. It would be nice to change the order in that table on the admin page so you can easily adapt it and it will chose lets say the first match found in that list instead of the last added one.
When is 5.1 released?

yubiuser · June 9, 2020, 12:32pm

It will choose the best fit (eg. /32 over /24) but for same subnet it will prefer the last added one.

Roughly scheduled for the next weeks.

Dorkster · June 9, 2020, 3:05pm

So does that mean if I have my network like 10.0.0.0/16 and I assign the subnet 10.0.2.0/24 to group 'IoT' and than have an IP from the same range explicitly assigned to group 'Xiaomi' only the rules from group 'Xiaomi' will apply?

yubiuser · June 9, 2020, 3:59pm

Yes, that's how I think it should work.

[2020-06-09 19:23:23.446 7022] Querying gravity database for client with IP 10.0.10.136...
[2020-06-09 19:23:23.446 7022] SQL: Comparing 10.0.10.136 vs. 10.0.1.0/16 (subnet 255.255.0.0) - !! MATCH !!
[2020-06-09 19:23:23.446 7022] SQL: Comparing 10.0.10.136 vs. 10.0.1.0/16 (subnet 255.255.0.0) - !! MATCH !!
[2020-06-09 19:23:23.447 7022] SQL: Comparing 10.0.10.136 vs. 10.0.10.0/24 (subnet 255.255.255.0) - !! MATCH !!
[2020-06-09 19:23:23.447 7022] SQL: Comparing 10.0.10.136 vs. 10.0.10.0/24 (subnet 255.255.255.0) - !! MATCH !!
[2020-06-09 19:23:23.447 7022] SQL: Comparing 10.0.10.136 vs. 10.0.10.136 (subnet 255.255.255.255) - !! MATCH !!
[2020-06-09 19:23:23.447 7022] SQL: Comparing 10.0.10.136 vs. 10.0.10.136 (subnet 255.255.255.255) - !! MATCH !!
[2020-06-09 19:23:23.447 7022] SQL: Comparing 10.0.10.136 vs. 10.0.10.136 (subnet 255.255.255.255) - !! MATCH !!
[2020-06-09 19:23:23.447 7022] --> Found record for 10.0.10.136 in the client (ID 6)
[2020-06-09 19:23:23.447 7022] Querying gravity database for client 10.0.10.136 (getting groups)
[2020-06-09 19:23:23.447 7022] Gravity database: Client 10.0.10.136 found. Using groups [7].

Group ID 7 is associated with /32.

rossc719 · June 10, 2020, 11:35pm

Hiya.

Just wanted to clarify something, because I think I am seeing something other than what is described here.

I have 192.168.2.0/24 in groups Default and Group1
And 192.168.2.1 is in group Group2

Default has a blacklist entry for foo.com.
Group2 has a whitelist entry for foo.com.

But 192.168.2.1 gets blocked when going to foo.com.

When you say:

Both assignments should apply.

Does this mean that 192.168.2.1 should be a member of all three groups?
Shouldn't the whitelist win?

There is no change in behavior if I change 192.168.2.1 to be in all three groups.
(This is presumably what I would do in v5.1?)

In v5.0 It seems to be acting as though it is finding the 192.168.2.0/24 client mapping first, and stopping there, ignoring the 192.168.2.1 entry completely.

If I add 192.168.2.0/24 to Group2, so that it is a member of all three, then the whitelist takes effect for 192.168.2.1.

Is there a good way to debug what's happening?

tauceti · June 11, 2020, 5:51am

I observe the same behavior. For me it also seems that the /24 assignment which I defined first is used instead of my more specific client IP setting 192.169.0.30 later on.

yubiuser · June 11, 2020, 8:14am

You're right.

Carefully reading the other topic I linked above revealed that only the first matching client mapping applies.

You can add DEBUG_DATABASE=true to /etc/pihole/pihole-FTL.conf and restart pihole. You should see in /var/log/pihole-FTL.log

[2020-06-11 10:05:15.352 28624] SQL: Comparing 127.0.0.1 vs. 10.0.1.0/16 (subnet 255.255.0.0) - NO MATCH
[2020-06-11 10:05:15.352 28624] SQL: Comparing 127.0.0.1 vs. 10.0.10.1/24 (subnet 255.255.255.0) - NO MATCH
[2020-06-11 10:05:15.353 28624] Querying gravity database for client 10.0.20.198 (getting best match)
[2020-06-11 10:05:15.353 28624] SQL: Comparing 10.0.20.198 vs. 10.0.1.0/16 (subnet 255.255.0.0) - !! MATCH !!
[2020-06-11 10:05:15.353 28624] SQL: Comparing 10.0.20.198 vs. 10.0.1.0/16 (subnet 255.255.0.0) - !! MATCH !!
[2020-06-11 10:05:15.353 28624] SQL: Comparing 10.0.20.198 vs. 10.0.10.1/24 (subnet 255.255.255.0) - NO MATCH
[2020-06-11 10:05:15.353 28624] SQL: Comparing 10.0.20.198 vs. 10.0.1.0/16 (subnet 255.255.0.0) - !! MATCH !!
[2020-06-11 10:05:15.353 28624] Querying gravity database for client 10.0.20.198 (getting groups)
[2020-06-11 10:05:15.354 28624] Querying gravity database for client 10.0.10.182 (getting best match)
[2020-06-11 10:05:15.354 28624] SQL: Comparing 10.0.10.182 vs. 10.0.1.0/16 (subnet 255.255.0.0) - !! MATCH !!
[2020-06-11 10:05:15.354 28624] SQL: Comparing 10.0.10.182 vs. 10.0.1.0/16 (subnet 255.255.0.0) - !! MATCH !!
[2020-06-11 10:05:15.354 28624] SQL: Comparing 10.0.10.182 vs. 10.0.10.1/24 (subnet 255.255.255.0) - !! MATCH !!
[2020-06-11 10:05:15.354 28624] SQL: Comparing 10.0.10.182 vs. 10.0.10.1/24 (subnet 255.255.255.0) - !! MATCH !!
[2020-06-11 10:05:15.355 28624] SQL: Comparing 10.0.10.182 vs. 10.0.10.1/24 (subnet 255.255.255.0) - !! MATCH !!
[2020-06-11 10:05:15.355 28624] Querying gravity database for client 10.0.10.182 (getting groups)
[2020-06-11 10:05:15.355 28624] Querying gravity database for client 10.0.1.3 (getting best match)
[2020-06-11 10:05:15.356 28624] SQL: Comparing 10.0.1.3 vs. 10.0.1.0/16 (subnet 255.255.0.0) - !! MATCH !!
[2020-06-11 10:05:15.356 28624] SQL: Comparing 10.0.1.3 vs. 10.0.1.0/16 (subnet 255.255.0.0) - !! MATCH !!
[2020-06-11 10:05:15.356 28624] SQL: Comparing 10.0.1.3 vs. 10.0.10.1/24 (subnet 255.255.255.0) - NO MATCH
[2020-06-11 10:05:15.356 28624] SQL: Comparing 10.0.1.3 vs. 10.0.1.0/16 (subnet 255.255.0.0) - !! MATCH !!
[2020-06-11 10:05:15.356 28624] Querying gravity database for client 10.0.1.3 (getting groups)
[2020-06-11 10:05:15.357 28624] Querying gravity database for client 10.0.1.4 (getting best match)
[2020-06-11 10:05:15.357 28624] SQL: Comparing 10.0.1.4 vs. 10.0.1.0/16 (subnet 255.255.0.0) - !! MATCH !!
[2020-06-11 10:05:15.357 28624] SQL: Comparing 10.0.1.4 vs. 10.0.1.0/16 (subnet 255.255.0.0) - !! MATCH !!
[2020-06-11 10:05:15.357 28624] SQL: Comparing 10.0.1.4 vs. 10.0.10.1/24 (subnet 255.255.255.0) - NO MATCH
[2020-06-11 10:05:15.357 28624] SQL: Comparing 10.0.1.4 vs. 10.0.1.0/16 (subnet 255.255.0.0) - !! MATCH !!
[2020-06-11 10:05:15.357 28624] Querying gravity database for client 10.0.1.4 (getting groups)

Unfortunately it will not tell you which group was assigned in the end. That's why I wrote in the other topic

Note: There is an PR which greatly enhances the possible client definitions which has a debug output which client got which group ID. But the commit has not been backported.

Yes it will win if it is assigned to the client. That's the reason

workes.

As a crude workaround you could try to delete 192.168.2.0/24 as a client and re-add it so that the client ID is greater than for 192.168.2.1 and pihole will assign the right group for it.

If it doesn't work and you don't want to wait for v5.1 you could checkout the development branch of ftl which should fix the subnet assignments. But be aware that this code is still under development und could fail in other circumstances.

rossc719 · June 11, 2020, 11:15pm

Excellent, thanks!

Now that I understand the behavior of v5.0, I am happy to workaround it until v5.1, which I understand is coming very soon.

Adding 192.168.2.0/24 to Group2 is fine for now. It just ends up whitelisting a site for more clients than I need. But it is relatively harmless.

system · July 2, 2020, 11:15pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.