CARP IP address /31
-
Hi,
We have an issue with the graphical interface when we set /31 as the subnet mask of a CARP IP address, although it's the correct subnet mask (ISP link).
I have tested modifying the configuration file directly with the /31 netmask and it works fine.
Is it possible to correct this bug? Restoring the configuration is not very easy in production ;-)
Thanks in advance,
Olivier GUENET
-
Can you provide a bit more detail about your specific WAN IP address and CARP IP address configuration?
It's possible the input validation needs to be relaxed in the special /31 case. Support for /31 masks is still relatively recent in FreeBSD (and pfSense) so there are bound to be some areas that were overlooked.
-
Yes, for example I provide a 185.X.X.X/31 IP address, with an interface IP address of 10.1.1.254/31 and 10.1.1.255/31 on the second pfSense.
The graphical interface rejects the CARP configuration, because it seems to be a bad netmask.
Thanks,
-
Have you tried editing the code on the virtual IP configuration page to remove that input validation? If the input validation is removed and it actually works, then it's a very easy fix.
-
Hi,
Yes, I have edited firewall_virtual_ip_edit.php:
    /* ipalias and carp should not use network or broadcast address */
    if ($_POST['mode'] == "ipalias" || $_POST['mode'] == "carp") {
        /* /32 and /31 are skipped here, so no network/broadcast address is computed for them */
        if (is_ipaddrv4($_POST['subnet']) && $_POST['subnet_bits'] != "32" && $_POST['subnet_bits'] != "31") {
            $network_addr = gen_subnet($_POST['subnet'], $_POST['subnet_bits']);
            $broadcast_addr = gen_subnet_max($_POST['subnet'], $_POST['subnet_bits']);
        } else if (is_ipaddrv6($_POST['subnet']) && $_POST['subnet_bits'] != "128") {
            $network_addr = gen_subnetv6($_POST['subnet'], $_POST['subnet_bits']);
            $broadcast_addr = gen_subnetv6_max($_POST['subnet'], $_POST['subnet_bits']);
        }

        if (isset($network_addr) && $_POST['subnet'] == $network_addr)
            $input_errors[] = gettext("You cannot use the network address for this VIP");
        else if (isset($broadcast_addr) && $_POST['subnet'] == $broadcast_addr)
            $input_errors[] = gettext("You cannot use the broadcast address for this VIP");
    }

Is it possible to integrate this modification for the newer releases please?
Thanks,
Olivier
-
You can submit it as a pull request on GitHub, and/or open an entry on https://redmine.pfsense.org/ stating that the input validation needs to be corrected.
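-
Added example, not part of the thread and not pfSense code: a standalone PHP sketch of the network/broadcast check discussed above, showing why both 10.1.1.254/31 and 10.1.1.255/31 fail when only /32 is exempt and pass once /31 is exempt too. The helper names and the `$allow31` switch are hypothetical, the sample addresses are constructed, and a 64-bit PHP 7.1+ build is assumed.

```php
<?php
// Added illustration; subnet_bounds_v4() and vip_address_error_v4() are
// hypothetical helpers, not functions from pfSense.

/** Lowest and highest address of the subnet containing $ip/$bits, as integers. */
function subnet_bounds_v4(string $ip, int $bits): array
{
    $addr = ip2long($ip);
    if ($addr === false || $bits < 0 || $bits > 32) {
        throw new InvalidArgumentException("invalid IPv4 address or prefix: $ip/$bits");
    }
    // Assumes 64-bit integers, so the shifted mask can be trimmed to 32 bits.
    $mask = (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    $low  = $addr & $mask;
    $high = $low | (~$mask & 0xFFFFFFFF);
    return [$low, $high];
}

/**
 * Returns the reason $ip may not be used as a VIP inside $ip/$bits, or null.
 * /32 is always exempt. /31 (RFC 3021 point-to-point link) is exempt only when
 * $allow31 is true; false models a check that exempts /32 alone (assumption
 * about the behaviour before the edit posted in the thread).
 */
function vip_address_error_v4(string $ip, int $bits, bool $allow31 = true): ?string
{
    [$low, $high] = subnet_bounds_v4($ip, $bits);
    if ($bits === 32 || ($allow31 && $bits === 31)) {
        return null; // no network or broadcast address to protect
    }
    $addr = ip2long($ip);
    if ($addr === $low) {
        return 'network address';
    }
    return $addr === $high ? 'broadcast address' : null;
}

// Constructed sample inputs: the two /31 peers from the thread plus /24 and /32 controls.
$cases = [
    ['10.1.1.254', 31], ['10.1.1.255', 31],
    ['10.1.1.0', 24], ['10.1.1.255', 24], ['10.1.1.10', 24], ['10.1.1.1', 32],
];
foreach ($cases as [$ip, $bits]) {
    $strict  = vip_address_error_v4($ip, $bits, false) ?? 'ok';
    $relaxed = vip_address_error_v4($ip, $bits, true) ?? 'ok';
    printf("%-11s/%-2d  only /32 exempt: %-17s  /31+/32 exempt: %s\n", $ip, $bits, $strict, $relaxed);
}
```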