Unable to bind services on virtual ip



  • I'm having a hard time making my virtual IPs available to be used by a service like openvpn or haproxy.
    I have just a single PPPoE WAN with a /29 subnet. On the interface itself I got a .97/32 assigned.
    In the past the virtual IPs (.98 - .102) were added as PROXY ARP, working perfectly for NAT.
    However, they are not listed as an interface option in e.g. openvpn or haproxy. Switched to IP alias, same story. Then I found some hints suggesting that for PPPoE the additional IPs should be assigned to the localhost interface instead of WAN, but that didn't help either.
    https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses has nice info, but I couldn't resolve the issue with it.
    It might have something to do with PPPoE WAN. How can I make a service run on an additional IP different from the default assigned WAN IP?



  • @wickeren:

    I'm having a hard time making my virtual IPs available to be used by a service like openvpn or haproxy.
    I have just a single PPPoE WAN with a /29 subnet. On the interface itself I got a .97/32 assigned.
    In the past the virtual IPs (.98 - .102) were added as PROXY ARP, working perfectly for NAT.
    However, they are not listed as an interface option in e.g. openvpn or haproxy. Switched to IP alias, same story. Then I found some hints suggesting that for PPPoE the additional IPs should be assigned to the localhost interface instead of WAN, but that didn't help either.
    https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses has nice info, but I couldn't resolve the issue with it.
    It might have something to do with PPPoE WAN. How can I make a service run on an additional IP different from the default assigned WAN IP?

    I do it this way:

    WAN = pppoe on say igb0
    WANNIC = igb0

    • WAN will get itself an address via DHCP as now
    • Set the IP for WANNIC and your PPPoE modem's "internal" address, for example a Draytek 120/130 will default to something like 192.168.2.1/24 so put 192.168.2.11/24 on WANNIC
    • Put an outbound NAT on WANNIC to the modem, assuming the modem has no default gateway. You should be able to access its web interface from LAN now.
    • Add the IP aliases or CARP addresses to WANNIC for .98-.102
    • The extra IPs will appear at the end of the lists for things like IPSEC, OpenVPN etc
    • Inbound rules go on WAN and not WANNIC
    • Outbound NAT rules happen on WAN and not WANNIC, apart from the one I mentioned if there is a web interface on the modem
    • WANNIC should not have any firewall rules apart from a reject/block rule with logging

    You can put the IP aliases on localhost, but creating the extra WANNIC interface allows access to the modem and makes life a lot easier when there is more than one WAN to deal with.
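
Once the aliases exist and the services are configured, it is worth confirming that each one listens only on its intended alias address rather than on every interface. The following is an added example, not part of the thread: it audits `sockstat -4 -l` output from the firewall against a policy. The addresses (documentation range 203.0.113.0/24), the ports and the `EXPECTED` mapping are assumptions; the sample output is constructed.

```python
# Constructed sample of FreeBSD `sockstat -4 -l` output; addresses come from
# the 203.0.113.0/24 documentation range, not from the thread.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    4121  6  udp4   203.0.113.98:1194     *:*
root     haproxy    5230  5  tcp4   *:443                 *:*
root     sshd       812   4  tcp4   192.168.1.1:22        *:*
"""

# Hypothetical policy: service -> (proto, port, alias IP it must bind to).
EXPECTED = {
    "openvpn": ("udp4", 1194, "203.0.113.98"),
    "haproxy": ("tcp4", 443, "203.0.113.99"),
}

def parse_sockstat(text):
    """Yield (command, proto, address, port) for each listening socket."""
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        addr, _, port = fields[5].rpartition(":")
        if port.isdigit():                      # ignore "*:*" style entries
            yield fields[1], fields[4], addr, int(port)

def audit(text, expected):
    """Return {service: status} comparing live listeners with the policy."""
    seen = {}
    for cmd, proto, addr, port in parse_sockstat(text):
        seen.setdefault((cmd, proto, port), set()).add(addr)
    report = {}
    for svc, (proto, port, want) in expected.items():
        addrs = seen.get((svc, proto, port))
        if not addrs:
            report[svc] = "not-listening"
        elif "*" in addrs:
            report[svc] = "wildcard"            # reachable on every address
        elif addrs == {want}:
            report[svc] = "ok"
        else:
            report[svc] = "wrong-address"
    return report

if __name__ == "__main__":
    for svc, status in audit(SAMPLE, EXPECTED).items():
        print(f"{svc}: {status}")
```

A `wildcard` result means the service answers on every configured address, including the primary WAN IP, so the firewall rules are the only thing restricting where it is reachable.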

