Virtual IP Consistently Loses Connection
-
Good Evening Sirs/Mas,
There is a dedicated pfSense firewall here, and servers behind it consistently lose connection. The ISP provided a /29 block of IP addresses (155.70.7.55/29) and said the first usable IP would typically be the gateway.
Hence 155.70.7.56/24 was set up as a virtual IP (IP Alias type). The remainder, save the broadcast, were used by various services. A static route 155.70.7.0/24 was set up too using 155.70.7.56 as the gateway; needless to say, 155.70.7.56 is also configured as a gateway for the interface
that all servers are connected to. The same IP, 155.70.7.56, was entered as the alternative IP at the same interface, which uses DHCP as the IPv4 Configuration type.
The entire setup works beautifully well and ISP raised no report of misconfiguration so far. The problem is that the servers all go down at the same time.
The problem has been traced to the VIP. When servers are down, the only fix is to (1) change the VIP subnet mask from /24 to /32 and apply changes (2) change back to /24 and apply changes. At this time, the Internet access for other devices on another interface with DHCP is never affected. Users would continue surfing - outbound connections fine - only the servers are not accessible to the public across the globe.
Firewall configs are fine - rules, NAT, redirect, etc. - but for the VIP. All services are operational.
I have tried writing a script to restart routing, networking, netif etc. when the firewall cannot ping the servers at 155.70.7.[57-62] (which also means servers are not reaching the firewall/gateway), but none worked. If netif for all interfaces is restarted, pfSense goes down. And restarting only the interface for the servers would not work.
This entire setup has worked for years - not 2 or 3 years. The VIP may not go down for days, and sometimes it goes down four or more times in a day. Firewall rules & VPN block access to the IP outside our network.
Kindly advise on how to fix this problem.
-
@lamia
Your setup is pretty unclear. Could you provide some more details of your interface and network configuration?
The ISP provided a /29 block of IP addresses (155.70.7.55/29) and said the first usable IP would typically be the gateway.
Are you using this /29 block inside your network on your machines behind pfSense?
If so, it's solely on you which IP to use as gateway.
Hence 155.70.7.56/24 was set up as a virtual IP (IP Alias type).
Why a /24? If the above is true, why an IP Alias?
-
@viragomann Thank you for your input.
I have thoroughly played with the software. No other subnet mask would work.
ISP public IP visible when services are accessed is 155.70.3.15
ISP static IP as frame route: 155.70.7.55/29
pfSense runs on 4-port hardware
WAN interface using DHCP was configured to use 155.70.3.15 as Alias IPv4 Address
LAN1 is using static IP 192.168.1.1 (web access, SSH etc. to pfSense)
LAN2 is using DHCP with 155.70.7.56 as Alias IPv4 Address.
Gateway 1 (as default) autogenerated for using DHCP on WAN
Gateway 2 on LAN2 is 155.70.7.56 with static route 155.70.7.0/24 using it (Again sticking to the block from ISP - 155.70.7.55/29 fails)
Virtual IP (IP Alias type) on LAN2 is 155.70.7.56/24 (Again, subnet mask /29 here fails, i.e. servers inaccessible)
Network connection (i.e. access to servers across the globe and clients/users surfing the Internet) runs well enough for a few hours or days before access to the servers alone fails. Then we need to cycle the VIP subnet mask to get the servers back online.
I hope this information paints a better picture.
Many thanks.
-
@viragomann said in Virtual IP Consistently Loses Connection:
Are you using this /29 block inside your network on your machines behind pfSense?
If so, it's solely on you which IP to use as gateway.
Indeed, most devices were configured to use /29. For instance, a BSD server uses ifconfig eth0 inet 155.70.7.57 netmask 255.255.255.248.
-
@viragomann said in Virtual IP Consistently Loses Connection:
If so, it's solely on you which IP to use as gateway.
I concur. We just stick with the first usable once and for all. In fact, I am exploring the possibility of using all 8 IP addresses (i.e. including the network and broadcast addresses). That would be the task after resolving the current one. I think Proxy-ARP could do the trick.
And perhaps I could stop using any of the static IPs as gateway. The same static IP is also currently used in the BSD server as the default router in rc.conf. If we could use the 192.168.1.1 generated by pfSense during setup based on its wizard, that would be lovely.
@viragomann said in Virtual IP Consistently Loses Connection:
Why a /24? If the above is true, why an IP Alias?
We have tried deleting the IP Alias. Servers went down at that time.
-
@lamia
So you use the public network behind pfSense.
However, some of your settings seem pretty weird to me.
LAN2 is using DHCP with 155.70.7.56 as Alias IPv4 Address.
Gateway 1 (as default) autogenerated for using DHCP on WAN
Virtual IP (IP Alias type) on LAN2 is 155.70.7.56/24 (Again subnet mask /29 here fails i.e. servers inaccessible)
The IP 155.70.7.56 can be set as the primary LAN2 address in the interface settings for gateway usage. Why add it as an IP Alias?
Gateway 2 on LAN2 is 155.70.7.56 with static route 155.70.7.0/24 using it (Again sticking to the block from ISP - 155.70.7.55/29 fails)
Which gateway? There must be no gateway defined in the interface settings! And there is no static route needed for that subnet at all!
Did you read the relevant chapter for your setup in the docs:
Routing Public IP Addresses
Follow these steps exactly first. I guess this will resolve your issue.
-
@viragomann Thank you Sir.
As I looked over the documentation, I saw that the ISP WAN is 198.51.100.64/30 there, yielding two usable IP addresses. The .65 was set as the upstream gateway. In our case, our ISP sent us 155.70.3.15, which is presumably one IP at /32.
We requested additional IP addresses for our various services; hence the 155.70.7.55/29 frame route was sent to us.
Would you agree that we use 155.70.3.15 as the upstream gateway and LAN1/OPT2 as 155.70.7.56?
It is amazing that the current setup works. We never used the documentation, yet most of the information there was already used in our setup. We were using Manual Outbound NAT (Advanced Outbound NAT).
The static route and Virtual IP would now be deleted. Yet we think this current setup provides a double wall of protection. We're also using NAT, Redirect, and Pass/Block rules in the servers. For every new service introduced in the servers, we always have to come and make corresponding changes - NAT & Rules - at the firewall.
Another thing is that there are several private IP blocks in use in the offices over various Access Points. The static routes set up for those private IPs - e.g. 192.168.100.0/24, 10.0.8.0/24 etc. - had helped. Kindly advise on this too.
Thanks.
-
@lamia said in Virtual IP Consistently Loses Connection:
155.70.7.55/29
uhm the gateway for that network should be 155.70.7.48?
Network Address: 155.70.7.48
Usable Host IP Range: 155.70.7.49 - 155.70.7.54
Broadcast Address: 155.70.7.55
Total Number of Hosts: 8
Number of Usable Hosts: 6
-
@kiokoman Thank you Sir. You're correct.
I can see from here - https://www.calculator.net/ip-subnet-calculator.html?cclass=any&csubnet=29&cip=155.70.7.55&ctype=ipv4&printit=0&x=109&y=13 -
that the first usable is 155.70.7.49, which will be the ISP router (pfSense default gateway) set on the WAN interface. Can I rather use 155.70.7.48, the network address, in a bid not to waste IP addresses?
Invariably, is this how to reuse IPs (network and broadcast addresses)?
Pardon me, it was indeed 155.70.7.56/29. And sorry, I'm trying to learn the IP addresses by heart. In this case, can I use 155.70.7.56 on the WAN as against 155.70.7.57, the first usable IP? I'm trying to maximize the IP addresses.
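The subnet arithmetic behind kiokoman's calculator output and lamia's follow-up question, as an added Python example that is not part of the thread: it works out network, broadcast and usable range for both /29 prefixes quoted above, classifies each address against the corrected block (in 155.70.7.56/29, .56 is the network address and .57-.62 are the usable hosts), and counts how many extra addresses a host configured with a /24 mask treats as on-link compared with the /29 the ISP actually assigned. Only the standard library is used; the addresses are those given in the thread.

```python
import ipaddress


def describe_block(cidr: str) -> dict:
    """Return network, broadcast and usable range for a CIDR string.

    strict=False accepts a host address such as 155.70.7.55/29 and
    zeroes the host bits, as the online calculator in the thread does.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "usable_count": len(hosts),
        "total": net.num_addresses,
    }


def classify_address(addr: str, cidr: str) -> str:
    """Classify addr relative to the block: network, broadcast, host or outside."""
    net = ipaddress.ip_network(cidr, strict=False)
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        return "outside"
    if ip == net.network_address:
        return "network"
    if ip == net.broadcast_address:
        return "broadcast"
    return "host"


def extra_onlink_addresses(addr: str, host_prefix: int, block_prefix: int) -> int:
    """How many more addresses a host using host_prefix treats as directly
    reachable than the ISP block (block_prefix) actually contains."""
    wide = ipaddress.ip_network(f"{addr}/{host_prefix}", strict=False)
    narrow = ipaddress.ip_network(f"{addr}/{block_prefix}", strict=False)
    return wide.num_addresses - narrow.num_addresses


if __name__ == "__main__":
    for block in ("155.70.7.55/29", "155.70.7.56/29"):
        print(block, describe_block(block))
    for ip in ("155.70.7.56", "155.70.7.57", "155.70.7.62", "155.70.7.63"):
        print(ip, classify_address(ip, "155.70.7.56/29"))
    print("extra on-link addresses with /24 vs /29:",
          extra_onlink_addresses("155.70.7.56", 24, 29))
```

A mismatch of 248 addresses means a /24-configured host will ARP for anything in 155.70.7.0/24 instead of sending it to its gateway, which is worth checking whenever a VIP mask and the ISP prefix disagree as they do here.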