Netgate Discussion Forum

    Virtual IP using different subnet

Category: HA/CARP/VIPs
    15 Posts 5 Posters 9.1k Views
jonspeegle:

Sorry, forgot to mention that I already tried Proxy ARP and Other. My configuration really doesn't allow for me to assign one of the IPs in the block to the LAN interface. According to the quote you posted, it should work. Not sure why it isn't.
Derelict (Netgate):

What are you trying to do with the VIP?

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
jonspeegle:

1:1 NAT it to an internal private IP. Basically I am trying to create virtual IPs for a subnet that is not assigned to any interfaces. Can do this with the Cisco ASA (just have to set up 1:1 NAT then create a firewall rule to allow traffic and the ASA does the rest).
dotdash:

If the provider is routing the secondary block through the /30, an alias or a proxy-arp should work fine. My hunch is that the fault lies in your lab configuration. Do an after-hours test and see if it works in the production environment.
jonspeegle:

Ok, my method for testing if the Virtual IP is working was not thorough enough. It looks like it is working after plugging into the WAN side network of my pfSense with a laptop and pinging the virtual IPs. Don't ask me why, but I have a pfSense as an OpenVPN server on the inside network of this pfSense box and another pfSense box as the OpenVPN client on the WAN network. For some reason the WAN side pfSense cannot ping the virtual IP but my laptop can on the WAN side. Not sure why this is the case, but since my real world implementation will not have the OpenVPN client on the WAN subnet, I am going to put a plain (non-NAT) router between the OpenVPN client box and the pfSense box I am doing the virtual IP on and see if it works. Will update once I have tested.
Derelict (Netgate):

As I understand it, the type of VIP you choose depends on what you want the behavior to be.

Personally, I would not use an IP Alias unless I needed to bind services on pfSense itself to the VIP.

That leaves Proxy ARP, Other and CARP. I believe if you use Proxy ARP, pfSense will ARP and respond to pings until you put the 1:1 NAT through, then it will pass the pings to the inside host. Other will not ARP nor respond to pings. In your situation, I would probably choose Other.
dotdash:

An IP Alias will respond to pings. I generally use Alias IPs when I need to add CARP VIPs on a secondary subnet.
CARP VIPs will respond to pings. They must be within the interface subnet (or an Alias IP subnet).
Proxy ARP and Other VIPs will not respond to pings.
cmb:

You want type "Other" in that scenario since it's routed to you, and you'll have to configure the routing in your lab accordingly so you actually do have an equivalent routed subnet.
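The posts above settle on an "Other" VIP fronting a 1:1 NAT mapping. The part the ASA comparison glosses over is the firewall rule: pf translates before it filters, so a WAN rule for a 1:1 NAT target has to name the internal (translated) address as its destination, and a rule written against the VIP itself never matches. The script below is an added example, not code from this thread or from pfSense. It parses constructed text written in the style of `pfctl -sn` and `pfctl -sr` output (the interface name em0, the 203.0.113.0/24 VIP block, the 192.168.16.x hosts and the rule labels are all assumptions for illustration) and reports, per VIP, which pass rules actually reach the inside host and which ones are aimed at the wrong address.

```python
"""Audit what pfSense 1:1 NAT (pf 'binat') mappings expose, and whether the
WAN pass rules are written against the translated (internal) address.

Added example for the forum thread; not code from the posts or from pfSense.
The samples below are constructed in the style of `pfctl -sn` / `pfctl -sr`
output. Interface name, VIP block, internal hosts and labels are assumptions.
"""
import ipaddress
import re

# Constructed sample in the style of `pfctl -sn` (not captured from a real box).
SAMPLE_NAT = """\
nat on em0 inet from 192.168.16.0/24 to any -> (em0) port 1024:65535
binat on em0 inet from 192.168.16.10 to any -> 203.0.113.10
binat on em0 inet from 192.168.16.11 to any -> 203.0.113.11
"""

# Constructed sample in the style of `pfctl -sr` for the WAN interface.
SAMPLE_FILTER = """\
block drop in log quick on em0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
pass in quick on em0 reply-to (em0 192.168.15.1) inet proto tcp from any to 192.168.16.10 port = 443 flags S/SA keep state label "USER_RULE: HTTPS to web01"
pass in quick on em0 reply-to (em0 192.168.15.1) inet proto tcp from any to 203.0.113.11 port = 22 flags S/SA keep state label "USER_RULE: SSH to web02 (aimed at the VIP)"
"""

BINAT_RE = re.compile(
    r"^binat on (?P<iface>\S+) inet from (?P<internal>\S+) to any -> (?P<external>\S+)$"
)
PASS_RE = re.compile(
    r'^pass in quick on (?P<iface>\S+)(?: reply-to \([^)]*\))? inet'
    r'(?: proto (?P<proto>\S+))? from (?P<src>\S+) to (?P<dst>\S+)'
    r'(?: port = (?P<port>\S+))?.*label "(?P<label>[^"]*)"'
)


def parse_binat(text):
    """Map each external VIP to (interface, internal address) from binat lines."""
    mappings = {}
    for line in text.splitlines():
        m = BINAT_RE.match(line.strip())
        if m:
            mappings[m["external"]] = (m["iface"], m["internal"])
    return mappings


def parse_pass_rules(text):
    """Return inbound pass rules as dicts keyed by the regex group names."""
    return [m.groupdict() for line in text.splitlines()
            if (m := PASS_RE.match(line.strip()))]


def audit(nat_text, filter_text):
    """For each 1:1 mapping, list the pass rules that reach the internal host
    and flag pass rules whose destination is the VIP (dead after translation)."""
    rules = parse_pass_rules(filter_text)
    report = {}
    for external, (iface, internal) in parse_binat(nat_text).items():
        on_iface = [r for r in rules if r["iface"] == iface]
        report[external] = {
            "internal": internal,
            # 1:1 NAT is meant to front a private host; a public internal
            # address usually means the mapping is backwards.
            "internal_is_private": ipaddress.ip_address(internal).is_private,
            # Rules that match after translation: destination is the inside
            # host (or "any"); port/proto "any" when the rule left them open.
            "allowed": [(r["proto"] or "any", r["port"] or "any")
                        for r in on_iface if r["dst"] in (internal, "any")],
            # Rules written against the VIP never see inbound traffic.
            "misaimed": [r["label"] for r in on_iface if r["dst"] == external],
        }
    return report


if __name__ == "__main__":
    for vip, info in audit(SAMPLE_NAT, SAMPLE_FILTER).items():
        print(f"{vip} -> {info['internal']} allowed={info['allowed']} "
              f"misaimed={info['misaimed']}")
```

On a real box the two inputs would be the output of `pfctl -sn` and `pfctl -sr`; a VIP with an empty `allowed` list and a non-empty `misaimed` list is the classic "1:1 NAT is in but nothing gets through" symptom.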
jonspeegle:

I put a basic Cisco IOS router between the WAN of the pfSense box I am doing the VIP on and the WAN of the pfSense that is the OpenVPN client. Also took out the routes that pointed the networks in the right direction and just made the Cisco the default gateway (had a Clear modem set up on the VIP box WAN side to provide Internet). Now everything works. Will remove the Cisco to see which it was and let y'all know. Thanks for all the responses.
jonspeegle:

Well, looks like the problem had to do with the pfSense routing. I had 192.168.15.1 as the default gateway on both boxes and had a route set up on the OpenVPN client to route 192.168.16.0/24 to 192.168.15.2. That does not seem to work and I had to make 192.168.15.2 the default gateway. What I need works so I will move on; just a possible bug I guess.
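The post above describes a host with 192.168.15.1 as default gateway and a static route for 192.168.16.0/24 via 192.168.15.2. A static route only carries the prefix it names; anything outside it, such as a VIP in a block that is not 192.168.16.0/24, follows the default route. The script below is an added example, not code from the thread or from pfSense, and it shows the general rule rather than a confirmed diagnosis of that lab. It models the client's two routing tables from the post; the VIP address 203.0.113.10, the modem's table and the VIP box's table are assumptions, since the thread never names the VIP block.

```python
"""Longest-prefix-match route lookup and a hop-by-hop trace, to show where a
host sends traffic for an address that no static route covers.

Added example, not code from the thread or from pfSense. Client tables follow
the post (default 192.168.15.1 plus 192.168.16.0/24 via 192.168.15.2, versus
default 192.168.15.2). The VIP block 203.0.113.8/29, the modem table and the
VIP box table are assumptions for illustration.
"""
import ipaddress

# Each table is a list of (prefix, next hop). A next hop of None means the
# prefix is directly connected; "local" means the host itself owns the
# address (here: the VIP box answering for its VIP block).
CLIENT_BEFORE = [
    ("192.168.15.0/24", None),              # on-link WAN segment (assumed)
    ("192.168.16.0/24", "192.168.15.2"),    # static route from the post
    ("0.0.0.0/0", "192.168.15.1"),          # default gateway from the post
]
CLIENT_AFTER = [
    ("192.168.15.0/24", None),
    ("0.0.0.0/0", "192.168.15.2"),          # VIP box made the default gateway
]
MODEM = [                                   # assumed: knows nothing of the VIP block
    ("192.168.15.0/24", None),
    ("0.0.0.0/0", "ISP"),
]
VIP_BOX = [                                 # assumed: owns the VIP block
    ("192.168.15.0/24", None),
    ("192.168.16.0/24", None),
    ("203.0.113.8/29", "local"),
]
HOSTS_BEFORE = {"ovpn-client": CLIENT_BEFORE, "192.168.15.1": MODEM,
                "192.168.15.2": VIP_BOX}
HOSTS_AFTER = {**HOSTS_BEFORE, "ovpn-client": CLIENT_AFTER}


def next_hop(dst, table):
    """Longest-prefix match: the most specific prefix containing dst wins.
    Returns the gateway, "on-link" for connected routes, "local" for owned
    addresses, or None when no route matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return "on-link" if best[1] is None else best[1]


def trace(dst, start, hosts, max_hops=8):
    """Follow next hops from host `start` until the packet is delivered
    on-link, terminates locally, leaves for a host we do not model, or is
    unroutable. Returns the list of hops."""
    path = [start]
    host = start
    for _ in range(max_hops):
        hop = next_hop(dst, hosts[host])
        if hop is None:
            path.append("unroutable")
            break
        path.append(hop)
        if hop in ("on-link", "local") or hop not in hosts:
            break
        host = hop
    return path


if __name__ == "__main__":
    for label, hosts in (("static route only", HOSTS_BEFORE),
                         ("VIP box as default", HOSTS_AFTER)):
        print(label, "->", " > ".join(trace("203.0.113.10", "ovpn-client", hosts)))
```

With the static route only, traffic for the VIP leaves via the modem toward the ISP and never reaches the VIP box; with 192.168.15.2 as the default gateway it terminates there, which matches what the post observed. The durable fix in production is a route for the VIP block itself (or, as the provider does, routing the block to the firewall), not a default-gateway change.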
cmb:

I'm not entirely clear on what IPs/subnets are where, but it's certainly not a bug, sounds like you had a general routing issue of some sort. If the default gateway is now set the same as it will be in production, it's likely not worth tracking down where your routing issue was.
karanik (replying to jonspeegle):

@jonspeegle Finally, after many years? How did you solve it?
Derelict (Netgate):

You probably want to start a new thread. Locking this moldy one.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.