Loopback VIP type that is not synced
-
I need to use unique per-router loopback addresses on both members of a cluster. I have tried using IP Alias on lo0, but if I enable VIP sync the slave loses its VIP. Is there any VIP type I can use on lo0 that will not get synced?
For context, I use this VIP to ensure the members are reachable over multiple interfaces using a single IP, so it needs to show up in the routing table.
Based on jimp's comments in the following threads I suspect this is not currently possible, although I would like to understand if there is a fundamental limitation or just a design choice. Coming from an ISP world, where all routers are addressed and managed using lo0 addresses, it seems odd this use case is not fully supported.
-
https://forum.pfsense.org/index.php?topic=77540.msg422764#msg422764
-
https://forum.pfsense.org/index.php?topic=65243.msg355069#msg355069
-
-
You answered your own question.
I need to use unique per-router loopback addresses on both members of a cluster. I have tried using IP Alias on lo0, but if I enable VIP sync the slave loses its VIP.
Either do not sync, or configure both VIPs on lo0 on both nodes. VIPs are not meant to act like interface addresses in the way you are attempting to use them.
In all likelihood, anything you could do with a per-host VIP on lo0 could be done by using the individual LAN IP addresses directly.
-
Thanks for the reply, Jim.
In all likelihood, anything you could do with a per-host VIP on lo0 could be done by using the individual LAN IP addresses directly.
The problem with this approach is that a LAN interface is not nailed up, but I need an IP address that is always available. As the routers are reachable via multiple interfaces, I don't want a single interface state to influence the availability of services over other interfaces.
Either do not sync, or configure both VIPs on lo0 on both nodes. VIPs are not meant to act like interface addresses in the way you are attempting to use them.
I need to sync VIPs to ensure CARP VIP IDs are consistent on master and slave (as the CARP VIP IDs are referenced elsewhere in the config). What official options are available to have a nailed up IP address that is not synced from master to slave? Configuring all VIPs on all routers will not work as the IPs need to be unique to the router.
-
Reach it from where? A VPN?
Even when the LAN is unplugged, the firewall itself will respond to pings to the LAN IP address from other interfaces.
-
Reach it from where? A VPN?
Mostly physical interfaces, but VPNs are also an option.
Even when the LAN is unplugged, the firewall itself will respond to pings to the LAN IP address from other interfaces.
I wasn't aware of this feature, though I think it could suit my use case. Are there any docs on this behavior? Checking the routing table it seems the interface IP is bound to "lo0", which I find a bit counter-intuitive, so I'd like to read a bit more before proceeding.
Is the "LAN" interface treated specially in this way, or does this apply to any optional interface? Would "LAN" ingress rules apply to traffic destined to an IP or VIP configured on the LAN interface that ingresses via a different interface?
-
That sort of documentation would be from FreeBSD; the OS/interfaces/routing behavior at that level is all determined by how FreeBSD handles it.
That behavior isn't special or unique to LAN. All interface addresses behave that way.
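The reply above says every interface address stays reachable from other interfaces because FreeBSD installs it as a host route via lo0, which is what the earlier post noticed in the routing table. The following shell snippet is an added example, not code from the thread or from pfSense: it parses a constructed FreeBSD "netstat -rn" style sample (addresses from RFC 5737 documentation ranges, em0/em1 are assumed interface names) and lists the addresses the firewall will answer for itself regardless of link state, so an operator can confirm which IPs are safe to use as "always up" management targets before relying on the behavior.

```shell
#!/bin/sh
# Added example (not from the thread): list the addresses a FreeBSD host
# delivers to itself via lo0, i.e. host routes (flag H) with Netif lo0.
# These are the interface addresses that remain reachable from other
# interfaces even when their own link is unplugged.

# Constructed sample in the FreeBSD "netstat -rn" IPv4 layout. Interface
# names em0/em1 and the RFC 5737 addresses are assumptions for the demo.
SAMPLE_NETSTAT='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         em0
127.0.0.1          link#3             UH          lo0
192.0.2.0/24       link#1             U           em0
192.0.2.10         link#1             UHS         lo0
198.51.100.0/24    link#2             U           em1
198.51.100.10      link#2             UHS         lo0'

# Read a routing table on stdin and print each destination that is a host
# route ("H" in the Flags column) whose outgoing interface is lo0.
lo0_bound_addrs() {
    awk '$4 == "lo0" && $3 ~ /H/ { print $1 }'
}

# Number of lo0-bound host addresses in the sample (lo0 itself included).
count_lo0_addrs() {
    printf '%s\n' "$SAMPLE_NETSTAT" | lo0_bound_addrs | awk 'END { print NR }'
}

# Exit 0 if the given address is one the host answers for itself,
# 1 otherwise. Uses exact-line matching so 192.0.2.1 does not match
# 192.0.2.10.
is_local_addr() {
    printf '%s\n' "$SAMPLE_NETSTAT" | lo0_bound_addrs | grep -qx "$1"
}

# Stand-alone usage: print the list, then check a management address.
printf '%s\n' "$SAMPLE_NETSTAT" | lo0_bound_addrs
if is_local_addr 192.0.2.10; then
    echo "192.0.2.10 is answered locally via lo0"
fi
```

On a real node the same filter can be fed with the live output of netstat -rn; network routes (no "H" flag) and the default route are deliberately excluded, since those are forwarded, not terminated on the host.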