Netgate Discussion Forum
    Virtual IP using different subnet

    HA/CARP/VIPs
    • jonspeegle

      I've searched for days without any luck on my issue, so I figured I would reach out to see if anybody can help. I am looking to move from Cisco ASA to pfSense and am testing configurations in my lab. My ISP has assigned me a /30 block where 1 IP is the WAN of my firewall and the other is on their end (my gateway). They also assigned a /28 block for me to use that routes to my WAN IP. On my test lab I have a WAN IP of 192.168.15.2 and a LAN IP of 10.14.1.254. I have set up a Virtual IP (IP Alias) to map 192.168.16.65 to 10.14.1.1. (Firewall rules are set to allow all IPv4 traffic on all interfaces, so I don't have to mess with that right now.) The only way I was able to get the Virtual IP to work is if I changed it to 192.168.15.65 (an IP in the same subnet as my WAN IP). I need to be able to get a virtual IP that is not in the same subnet as my WAN IP to work. Any ideas? Thanks in advance for any help.

      • Derelict (LAYER 8 Netgate)

        Try type proxy arp instead of ip alias.

        ETA: Actually, you might want "Other"

        "Other" VIPs allow you to define additional IP addresses for use when ARP replies for the IP address are not required. The only function of adding an Other VIP is making that address available in the NAT configuration screens. This is useful when you have a public IP block routed to your WAN IP address, IP Alias, or a CARP VIP.”

        Excerpt From: Jim Pingle. “pfSense-2.1-book.epub.”

        If you are not going to NAT these and want, instead, to place server NICs on the routed subnet, you probably want to assign the routed block to a LAN interface. You'd probably have more flexibility with Other VIPs and 1:1 NAT, but then you're NATting.

        What do you want to do with the addresses in the routed subnet?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • jonspeegle

          Sorry, forgot to mention that I already tried Proxy ARP and Other. My configuration really doesn't allow for me to assign one of the IPs in the block to the LAN interface. According to the quote you posted, it should work. Not sure why it isn't.

          • Derelict (LAYER 8 Netgate)

            What are you trying to do with the VIP?


            • jonspeegle

              1:1 NAT it to an internal private IP. Basically I am trying to create virtual IPs for a subnet that is not assigned to any interfaces. I can do this with the Cisco ASA (just have to set up 1:1 NAT, then create a firewall rule to allow traffic, and the ASA does the rest).

              • dotdash

                If the provider is routing the secondary block through the /30, an alias or a proxy-arp should work fine. My hunch is that the fault lies in your lab configuration. Do an after-hours test and see if it works in the production environment.

                • jonspeegle

                  Ok, my method for testing whether the Virtual IP is working was not thorough enough. It looks like it is working after plugging into the WAN side network of my pfSense with a laptop and pinging the virtual IPs. Don't ask me why, but I have a pfSense as an OpenVPN server on the inside network of this pfSense box and another pfSense box as the OpenVPN client on the WAN network. For some reason the WAN side pfSense cannot ping the virtual IP but my laptop can on the WAN side. Not sure why this is the case, but since my real world implementation will not have the OpenVPN client on the WAN subnet, I am going to put a plain (non-NAT) router between the OpenVPN client box and the pfSense box I am doing the virtual IP on and see if it works. Will update once I have tested.

                  • Derelict (LAYER 8 Netgate)

                    As I understand it, the type of VIP you choose depends on what you want the behavior to be.

                    Personally, I would not use an IP Alias unless I needed to bind services on pfSense itself to the VIP.

                    That leaves Proxy ARP, Other and CARP. I believe if you use Proxy ARP, pfSense will ARP and respond to pings until you put the 1:1 NAT through; then it will pass the pings to the inside host. Other will not ARP nor respond to pings. In your situation, I would probably choose Other.


                    • dotdash

                      An IP Alias will respond to pings. I generally use Alias IPs when I need to add CARP VIPs on a secondary subnet.
                      CARP VIPs will respond to pings. They must be within the interface subnet (or an Alias IP subnet).
                      Proxy arp and Other VIPs will not respond to pings.

                      • cmb

                        You want type "Other" in that scenario since it's routed to you, and you'll have to configure the routing in your lab accordingly so you actually do have an equivalent routed subnet.

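As an added worked example (not code from the thread, from Netgate or from pfSense), the two checks behind the advice in this thread in Python: Derelict's rule for picking a VIP type from where the address lives relative to the WAN subnet, and cmb's point that a routed block only works when something on the WAN side actually routes it to the firewall's WAN IP. The addresses come from the post; the lab WAN mask (/24 is assumed, the post does not say), the two test-host routing tables, and all function names are assumptions made for the example.

```python
"""Two checks behind the thread's advice: which pfSense VIP type matches
where an address lives, and what a WAN-side host's routing table does
with a VIP in a block that is routed (not on-link) to the firewall's WAN IP.

Added example, not from the forum thread or from pfSense. All addresses
and routes are constructed from the lab described in the post; the lab
WAN mask is not given there, so /24 is assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed lab figures from the post (the /24 WAN mask is an assumption).
WAN_IF = ipaddress.ip_interface("192.168.15.2/24")
ROUTED_BLOCK = ipaddress.ip_network("192.168.16.64/28")  # routed to the WAN IP


def vip_mode(wan_if: ipaddress.IPv4Interface, vip: str,
             routed_blocks: Iterable[ipaddress.IPv4Network],
             bind_local_service: bool = False) -> str:
    """Map a VIP to the VIP type whose ARP behaviour fits it.

    Rule taken from the thread: an address on the WAN's own subnet will
    be ARPed for by the upstream router, so pfSense must answer ARP
    (IP Alias if pfSense itself binds a service to it, otherwise Proxy
    ARP).  An address in a block routed to the WAN IP arrives by
    next-hop forwarding, no ARP reply is ever needed, and "Other"
    (usable only in the NAT screens) is the right fit.  Anything else
    is not an address of ours and is rejected instead of guessed at.
    """
    addr = ipaddress.ip_address(vip)
    if addr in wan_if.network:
        return "ipalias" if bind_local_service else "proxyarp"
    if any(addr in block for block in routed_blocks):
        return "other"
    raise ValueError(f"{vip} is neither on the WAN subnet nor in a routed block")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address


def lookup(routes: Iterable[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over a host or router table, as a kernel does it."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def next_hop(routes: Iterable[Route], dst: str) -> Optional[str]:
    """Gateway a host with this table hands the packet to, or None if unroutable."""
    r = lookup(routes, dst)
    return str(r.gateway) if r else None


def routed_to_firewall(routes: Iterable[Route], vip: str, wan_ip: str) -> bool:
    """True when the test host's table delivers the VIP to pfSense's WAN IP,
    which is the only way an "Other" VIP (no ARP) ever sees a packet."""
    return next_hop(routes, vip) == wan_ip


def _route(prefix: str, via: str) -> Route:
    return Route(ipaddress.ip_network(prefix), ipaddress.ip_address(via))


# Constructed tables for a WAN-side test host, following the post's description:
# default via .15.1 plus the static route for the routed block via pfSense.
LAB_ROUTES = [_route("0.0.0.0/0", "192.168.15.1"),
              _route("192.168.16.0/24", "192.168.15.2")]
# A host with only the default route sends the VIP to .15.1 instead; it then
# reaches pfSense only if that router itself routes the block back to .15.2.
DEFAULT_ONLY = LAB_ROUTES[:1]

if __name__ == "__main__":
    for vip in ("192.168.15.65", "192.168.16.65"):
        print(vip, "->", vip_mode(WAN_IF, vip, [ROUTED_BLOCK]))
    for name, table in (("lab", LAB_ROUTES), ("default-only", DEFAULT_ONLY)):
        print(name, "next hop for 192.168.16.65:", next_hop(table, "192.168.16.65"),
              "reaches pfSense:",
              routed_to_firewall(table, "192.168.16.65", "192.168.15.2"))
```

Running it prints the VIP type for the on-subnet and routed addresses and the next hop each test host picks for 192.168.16.65. Because an "Other" VIP never answers ARP, a test host whose table does not hand the packet to 192.168.15.2 cannot reach the VIP no matter how the firewall is configured, so the route lookup is the first thing to check before suspecting the VIP or the 1:1 NAT.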
                        • jonspeegle

                          I put a basic Cisco IOS router between the WAN of the pfSense box I am doing the VIP on and the WAN of the pfSense that is the OpenVPN client. Also took out the routes that pointed the networks in the right direction and just made the Cisco the default gateway (had a Clear modem set up on the VIP box's WAN side to provide Internet). Now everything works. Will remove the Cisco to see which it was and let y'all know. Thanks for all the responses.

                          • jonspeegle

                            Well, looks like the problem had to do with the pfSense routing. I had 192.168.15.1 as the default gateway on both boxes and had a route set up on the OpenVPN client to route 192.168.16.0/24 to 192.168.15.2. That does not seem to work and I had to make 192.168.15.2 the default gateway. What I need works, so I will move on; just a possible bug I guess.

                            • cmb

                              I'm not entirely clear on what IPs/subnets are where, but it's certainly not a bug, sounds like you had a general routing issue of some sort. If the default gateway is now set the same as it will be in production, it's likely not worth tracking down where your routing issue was.

                              • karanik @jonspeegle

                                @jonspeegle Finally, after many years? How did you solve it?

                                • Derelict (LAYER 8 Netgate)

                                  You probably want to start a new thread. Locking this moldy one.


                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.