Virtual IP using different subnet
-
Sorry, forgot to mention that I already tried Proxy ARP and Other. My configuration really doesn't allow for me to assign one of the IPs in the block to the LAN interface. According to the quote you posted, it should work. Not sure why it isn't.
-
What are you trying to do with the VIP?
-
1:1 NAT it to an internal private IP. Basically I am trying to create virtual IPs for a subnet that is not assigned to any interface. Can do this with the Cisco ASA (just have to set up 1:1 NAT, then create a firewall rule to allow traffic and the ASA does the rest).
-
If the provider is routing the secondary block through the /30, an alias or a proxy-arp should work fine. My hunch is that the fault lies in your lab configuration. Do an after-hours test and see if it works in the production environment.
-
OK, my method for testing whether the Virtual IP is working was not thorough enough. It looks like it is working after plugging a laptop into the WAN-side network of my pfSense and pinging the virtual IPs. Don't ask me why, but I have a pfSense as an OpenVPN server on the inside network of this pfSense box and another pfSense box as the OpenVPN client on the WAN network. For some reason the WAN-side pfSense cannot ping the virtual IP but my laptop on the WAN side can. Not sure why this is the case, but since my real-world implementation will not have the OpenVPN client on the WAN subnet, I am going to put a plain (non-NAT) router between the OpenVPN client box and the pfSense box I am doing the virtual IP on and see if it works. Will update once I have tested.
-
As I understand it, the type of VIP you choose depends on what you want the behavior to be.
Personally, I would not use an IP Alias unless I needed to bind services on pfSense itself to the VIP.
That leaves Proxy ARP, Other and CARP. I believe if you use Proxy ARP, pfSense will ARP and respond to pings until you put the 1:1 NAT through; then it will pass the pings to the inside host. Other will not ARP nor respond to pings. In your situation, I would probably choose Other.
-
An IP Alias will respond to pings. I generally use Alias IPs when I need to add CARP VIPs on a secondary subnet.
CARP VIPs will respond to pings. They must be within the interface subnet (or an Alias IP subnet).
Proxy ARP and Other VIPs will not respond to pings.
-
You want type "Other" in that scenario since it's routed to you, and you'll have to configure the routing in your lab accordingly so you actually do have an equivalent routed subnet.
-
I put a basic Cisco IOS router between the WAN of the pfSense box I am doing the VIP on and the WAN of the pfSense that is the OpenVPN client. Also took out the routes that pointed the networks in the right direction and just made the Cisco the default gateway (had a Clear modem set up on the VIP box's WAN side to provide Internet). Now everything works. Will remove the Cisco to see which it was and let y'all know. Thanks for all the responses.
-
Well, looks like the problem had to do with the pfSense routing. I had 192.168.15.1 as the default gateway on both boxes and had a route set up on the OpenVPN client to route 192.168.16.0/24 to 192.168.15.2. That does not seem to work and I had to make 192.168.15.2 the default gateway. What I need works so I will move on, just a possible bug I guess.
-
I'm not entirely clear on what IPs/subnets are where, but it's certainly not a bug, sounds like you had a general routing issue of some sort. If the default gateway is now set the same as it will be in production, it's likely not worth tracking down where your routing issue was.
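As an added illustration of the route-selection point in the two posts above (example code written for this thread, not code from pfSense or from any poster): a longest-prefix-match lookup over the addresses quoted in the thread. The layout around them is an assumption: the Cisco at 192.168.15.1, the VIP box's WAN at 192.168.15.2, 192.168.16.0/24 as the LAN behind the VIP box, and 192.168.16.10 as a constructed inside host. It shows that a /24 static route via 192.168.15.2 and a default route via 192.168.15.2 select the same next hop for a 192.168.16.0/24 destination, so on the route tables alone the two configurations forward identically; that is why the symptom points at something in the lab other than route selection.

```python
import ipaddress
from typing import Dict, List, Optional


class Route:
    """One routing-table entry: a prefix plus either a next hop or 'directly connected'."""

    def __init__(self, prefix: str, next_hop: Optional[str] = None, iface: str = ""):
        self.prefix = ipaddress.ip_network(prefix)
        # next_hop is None for a connected subnet (deliver on the interface itself)
        self.next_hop = ipaddress.ip_address(next_hop) if next_hop else None
        self.iface = iface


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins,
    regardless of the order the entries were added in."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Next-hop IP as a string, 'direct' for a connected subnet, None if unroutable."""
    route = select_route(table, dst)
    if route is None:
        return None
    return str(route.next_hop) if route.next_hop is not None else "direct"


def forward_path(boxes: Dict[str, List[Route]], owners: Dict[str, str],
                 start: str, dst: str) -> List[str]:
    """Follow next hops box by box until the packet is delivered on a connected
    subnet or leaves the modelled topology. owners maps a next-hop IP to the
    box that holds that address."""
    hops: List[str] = []
    current = start
    for _ in range(16):  # loop guard
        hop = next_hop(boxes[current], dst)
        hops.append(hop if hop is not None else "unroutable")
        if hop in (None, "direct") or hop not in owners:
            break
        current = owners[hop]
    return hops


# Constructed topology (assumption) built from the addresses quoted in the thread:
#   192.168.15.0/24  link shared by the two pfSense WANs and the Cisco
#   192.168.15.1     Cisco, default gateway on both boxes as originally configured
#   192.168.15.2     WAN of the pfSense doing the VIP / 1:1 NAT
#   192.168.16.0/24  LAN behind the VIP box, assumed to hold the 1:1 NAT targets
VIP_BOX = [
    Route("192.168.15.0/24", iface="wan"),
    Route("192.168.16.0/24", iface="lan"),
    Route("0.0.0.0/0", "192.168.15.1", "wan"),
]

# OpenVPN-client box as first described: default via .1, static /24 via .2
CLIENT_WITH_STATIC = [
    Route("192.168.15.0/24", iface="wan"),
    Route("0.0.0.0/0", "192.168.15.1", "wan"),
    Route("192.168.16.0/24", "192.168.15.2", "wan"),
]

# OpenVPN-client box after the fix: everything via .2
CLIENT_DEFAULT_VIA_VIP_BOX = [
    Route("192.168.15.0/24", iface="wan"),
    Route("0.0.0.0/0", "192.168.15.2", "wan"),
]

OWNERS = {"192.168.15.2": "vip_box"}


def compare_configs() -> Dict[str, List[str]]:
    """Forward path from the client box to a 1:1 NAT target under both configurations."""
    target = "192.168.16.10"  # constructed inside host
    return {
        "static_route": forward_path(
            {"client": CLIENT_WITH_STATIC, "vip_box": VIP_BOX}, OWNERS, "client", target),
        "default_via_vip_box": forward_path(
            {"client": CLIENT_DEFAULT_VIA_VIP_BOX, "vip_box": VIP_BOX}, OWNERS, "client", target),
    }


if __name__ == "__main__":
    for name, hops in compare_configs().items():
        print(f"{name:22} -> {' -> '.join(hops)}")
```

Both configurations yield the path 192.168.15.2 then direct delivery on the VIP box's LAN; only Internet-bound traffic differs (via .1 with the static route, via .2 after the fix). Checking the return path from the inside host with the same tables is the usual next step when a forward path looks right but pings still fail.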
-
@jonspeegle Finally, after many years? How did you solve it?
-
You probably want to start a new thread. Locking this moldy one.