Netgate Discussion Forum
    Second Lan network same interface

    General pfSense Questions

    • Derelict LAYER 8 Netgate

      No idea what you are showing us there. That is em0 and bge0.

      A parent interface of a VLAN will show like that if it is not assigned to an interface and numbered.

      igb1 is not assigned in interfaces > assignments:

      igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
          options=500bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO>
          ether 00:08:a2:0a:59:42
          hwaddr 00:08:a2:0a:59:42
          inet6 fe80::208:a2ff:fe0a:5942%igb1 prefixlen 64 scopeid 0x2
          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
          media: Ethernet autoselect (1000baseT <full-duplex>)
          status: active

      VLAN 223 is…

      igb1_vlan223: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
          options=3<RXCSUM,TXCSUM>
          ether 00:08:a2:0a:59:42
          inet 192.168.223.1 netmask 0xffffff00 broadcast 192.168.223.255
          inet6 2600:dead:beef:cafe:208:a2ff:fe0a:5942 prefixlen 64
          inet6 fe80::1:1%igb1_vlan223 prefixlen 64 scopeid 0xb
          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
          media: Ethernet autoselect (1000baseT <full-duplex>)
          status: active
          vlan: 223 vlanpcp: 0 parent interface: igb1

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • JKnott

        I was showing the LAN4 interface, which doesn't appear to have a MAC address, though it does in ifconfig.  I also don't know why it shows opvpns1 on it.
        Curious.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • Derelict LAYER 8 Netgate

          Because it is assigned to an OpenVPN instance. Look in Interfaces > (assign).

          • JKnott

            Openvpn was assigned, but I have absolutely no idea how that wound up on there.  I deleted that assignment and created a new one as em0 and it came up.

            • JKnott

              I just came across something curious.  I've set up the new interface for LAN4 and enabled both IPv4 and IPv6.  The IPv6 prefix is within my /56.  When I ping my desktop computer, on its global IPv6 address, it's successful.  When I try on its ULA, I get a "Destination unreachable: No route" error.  Traceroute shows the path ending at 2607:f798:10:10ac:0:690:6325:5193.  I have no idea where that is, but it's certainly not on my network.  Host lookup doesn't provide a host name.  Why is pfSense trying to route a ULA off my network?  Neither "Block private networks and loopback addresses" nor "Block bogon networks" are selected for this interface or main LAN, but both are on the WAN interface.

              • Derelict LAYER 8 Netgate

                Does pfSense know that interface has that ULA subnet on it? In other words, is that ULA subnet in the routing table with a destination of that interface?

                Neither "Block private networks and loopback addresses" nor "Block bogon networks" are selected for this interface or main LAN, but both are on the WAN interface.

                Those block inbound connections, not outbound. You have to specifically block RFC1918 and ULA from egressing outbound using floating rules on WAN out. At least that's how I like to do it.

                • JKnott

                  @Derelict:

                  Does pfSense know that interface has that ULA subnet on it? In other words, is that ULA subnet in the routing table with a destination of that interface?

                  Does it require a specific route to be added?  In Cisco & Linux routers, the interface networks are added automatically, so it's not necessary to specify the route.  The prefix is correct in RA subnets and the computer gets the correct address.

                  Netstat -r doesn't show the ULA route for the LAN or LAN4.  However, the first column, showing networks, is truncated, so the full address is not shown for all networks, but I think all interfaces show the global address routes.

                  • johnpoz LAYER 8 Global Moderator

                    You wouldn't need to add a route for anything directly connected via pfsense.  But pfsense has to have a ULA address in that prefix on the interface connected to the network you're using the ULA on.

                    If you just set up the RA to hand out the ULA prefix, pfsense wouldn't have to have an actual ULA address on that interface.. So yeah it would try routing it out its default IPv6 gateway..

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    • JKnott

                      I tried adding a virtual IPv6 address to the LAN interface and it shows in ifconfig.  I can ping it from the pfSense command shell, but not from another computer.  The RAs advertise the ULA network, but not the pfSense interface address.

                      • JKnott

                        I tried setting up a static route, but the only choices for gateway were the WAN or loopback interfaces.  I couldn't select the actual interface.  When I select the loopback ::1, traceroute shows multiple lines of the firewall address.

                        Is it not possible to get pfSense to route ULA networks?  If not, that is a serious fault, as ULAs are just like RFC1918 IPv4 addresses, in that they can be routed, but not onto the Internet.  I have no problem routing IPv4 RFC1918 addresses properly.

                        • JKnott

                          I set up the LAN interface as a gateway for the ULA address.  I can ping the interface ULA from my notebook, but pinging the desktop ULA displays "Time Exceeded: Hop limit" and traceroute6 shows the firewall repeatedly and not going beyond it.

                          • Derelict LAYER 8 Netgate

                            Just assign an interface address to the interface. It will be connected and therefore in the routing table. No gateways or static routes necessary. pfSense doesn't care if it is routable or ULA. It's just a subnet.

                            • JKnott

                              @Derelict:

                              Just assign an interface address to the interface. It will be connected and therefore in the routing table. No gateways or static routes necessary. pfSense doesn't care if it is routable or ULA. It's just a subnet.

                              The LAN interface has both global and ULA addresses on it.  Global addresses work fine.  How do I assign a 2nd address?  I created the subnet on the RA page and even created an alias on the Virtual IPs page.  Ifconfig shows the virtual IP and I can ping it from the pfSense computer, but not from the desktop computer, which has both global and ULA addresses.  The virtual address on the pfSense computer is fd48:1a37:2160::1 and the desktop has fd48:1a37:2160:0:61af:b555:ad10:3fd2

                              When I ping from pfSense to the desktop, this is what I see.
                              ping6 fd48:1a37:2160:0:61af:b555:ad10:3fd2
                              PING6(56=40+8+8 bytes) fd48:1a37:2160::1 --> fd48:1a37:2160:0:61af:b555:ad10:3fd2

                              There is no response from the desktop.  If I have a static route configured, traceroute keeps cycling through the pfSense computer.  If I don't have a static route configured, it tries to go out to the 'net.

                              Also, Wireshark does not show any pings, in either direction.  However, the RA contains "ICMPv6 Option (Prefix information : fd48:1a37:2160::1/128)" and "ICMPv6 Option (Prefix information : fd48:1a37:2160::/64)" , so the router ULA address is being advertised.

                              Either I'm missing something, or ULA routing isn't working properly.  As I mentioned, IPv4 RFC1918 addresses route properly.

                              The desktop system is running openSUSE 42.3.

                              • JKnott

                                Just to update, I have 3 interfaces as follows
                                LAN global and ULA
                                VLAN3 ULA only
                                LAN4 global only.

                                From the pfSense computer or a computer on LAN4, I cannot ping the ULA on the desktop on either LAN or VLAN3.  On the pfSense computer, I can ping its own ULA on both LAN and VLAN3.

                                • JKnott

                                  Assigning a virtual IP on the LAN interface caused it to lose the global address.  There's definitely something wrong with the way pfSense handles ULA.

                                  • Derelict LAYER 8 Netgate

                                    IDK, man. I just did it and it worked fine.

                                    DHCP WAN, Track Interface LAN, ULA IP Alias VIP /64 on LAN, Added ULA /64 as a subnet for RA on LAN, firewall rule passing all traffic from ULA::/64 on LAN, booted test VM:

                                    pfSense LAN:
                                    re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                                        options=80098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
                                        ether fe:e0:54:6e:79:49
                                        hwaddr fe:e0:54:6e:79:49
                                        inet 172.25.233.1 netmask 0xffffff00 broadcast 172.25.233.255
                                        inet6 2001:dead:beef:fd01:fce0:54ff:fe6e:7949 prefixlen 64
                                        inet6 fe80::1:1%re0 prefixlen 64 scopeid 0x1
                                        inet6 fd08:1e26:8fea:525b::1 prefixlen 64
                                        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                                        media: Ethernet autoselect (100baseTX <full-duplex>)
                                        status: active

                                    Test host interface:
                                    derelict@Host-B1:~$ ifconfig
                                    eth0      Link encap:Ethernet  HWaddr 9a:b3:de:87:fa:4b 
                                              inet addr:172.25.233.100  Bcast:172.25.233.255  Mask:255.255.255.0
                                              inet6 addr: fd08:1e26:8fea:525b:98b3:deff:fe87:fa4b/64 Scope:Global
                                              inet6 addr: fe80::98b3:deff:fe87:fa4b/64 Scope:Link
                                              inet6 addr: 2001:dead:beef:fd01:98b3:deff:fe87:fa4b/64 Scope:Global
                                              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                                              RX packets:205 errors:0 dropped:0 overruns:0 frame:0
                                              TX packets:122 errors:0 dropped:0 overruns:0 carrier:0
                                              collisions:0 txqueuelen:1000
                                              RX bytes:34081 (34.0 KB)  TX bytes:15844 (15.8 KB)

                                    To pfSense LAN VIP:
                                    derelict@Host-B1:~$ ping6 -c 3 -I fd08:1e26:8fea:525b:98b3:deff:fe87:fa4b fd08:1e26:8fea:525b::1
                                    PING fd08:1e26:8fea:525b::1(fd08:1e26:8fea:525b::1) from fd08:1e26:8fea:525b:98b3:deff:fe87:fa4b : 56 data bytes
                                    64 bytes from fd08:1e26:8fea:525b::1: icmp_seq=1 ttl=64 time=0.518 ms
                                    64 bytes from fd08:1e26:8fea:525b::1: icmp_seq=2 ttl=64 time=0.294 ms
                                    64 bytes from fd08:1e26:8fea:525b::1: icmp_seq=3 ttl=64 time=0.684 ms

                                    --- fd08:1e26:8fea:525b::1 ping statistics ---
                                    3 packets transmitted, 3 received, 0% packet loss, time 1998ms
                                    rtt min/avg/max/mdev = 0.294/0.498/0.684/0.161 ms

                                    To the WAN address of upstream pfSense:
                                    derelict@Host-B1:~$ ping6 -c 3 -I fd08:1e26:8fea:525b:98b3:deff:fe87:fa4b 2001:dead:beef:7fff::ed96:eec5
                                    PING 2001:dead:beef:7fff::ed96:eec5(2001:dead:beef:7fff::ed96:eec5) from fd08:1e26:8fea:525b:98b3:deff:fe87:fa4b : 56 data bytes
                                    64 bytes from 2001:dead:beef:7fff::ed96:eec5: icmp_seq=1 ttl=64 time=0.524 ms
                                    64 bytes from 2001:dead:beef:7fff::ed96:eec5: icmp_seq=2 ttl=64 time=0.287 ms
                                    64 bytes from 2001:dead:beef:7fff::ed96:eec5: icmp_seq=3 ttl=64 time=0.320 ms

                                    --- 2001:dead:beef:7fff::ed96:eec5 ping statistics ---
                                    3 packets transmitted, 3 received, 0% packet loss, time 2000ms
                                    rtt min/avg/max/mdev = 0.287/0.377/0.524/0.104 ms

                                    I don't have routing for that ULA from anything else.

                                    Note this is a recent 2.4-RC since that's what my test environment is currently running.

                                      • Derelict LAYER 8 Netgate

                                      And with NPt to an unused /64 on pfSense WAN:
                                      derelict@Host-B1:~$ ping6 -n -c 3 -I fd08:1e26:8fea:525b:98b3:deff:fe87:fa4b www.google.com
                                      PING www.google.com(2607:f8b0:400e:c05::63) from fd08:1e26:8fea:525b:98b3:deff:fe87:fa4b : 56 data bytes
                                      64 bytes from 2607:f8b0:400e:c05::63: icmp_seq=1 ttl=46 time=59.6 ms
                                      64 bytes from 2607:f8b0:400e:c05::63: icmp_seq=2 ttl=46 time=83.8 ms
                                      64 bytes from 2607:f8b0:400e:c05::63: icmp_seq=3 ttl=46 time=58.7 ms

                                      --- www.google.com ping statistics ---
                                      3 packets transmitted, 3 received, 0% packet loss, time 2003ms
                                      rtt min/avg/max/mdev = 58.704/67.398/83.847/11.640 ms

                                        • JKnott

                                        I'll have to go through the stuff you provided, however I made some changes and did some more testing.  At the moment, the configuration is as follows:

                                        LAN global & ULA
                                        LAN4 ULA only
                                        VLAN3 ULA only

                                        The desktop computer has both LAN and VLAN3 configured and the notebook is on LAN4 only.

                                        If I ping the laptop by forcing ping over VLAN3, it works.  However, when via LAN, no response.  Wireshark on the notebook shows both request and reply, but on the desktop, only the request.  From the pfSense computer, I can ping the notebook and the VLAN3 address of the desktop, but not the LAN address.  Wireshark does not show any ping requests from pfSense to the LAN interface.  So, there is still something about the LAN interface that's causing problems.

                                        I see you have a ULA address fd08:1e26:8fea:525b::1 on the LAN interface.  How did you put it there?  I do not have one.  I used a virtual IP last night, but this morning, the virtual IP was there, but the global address was gone.

                                        The network ULA addresses are as follows:
                                        LAN  fd48:1a37:2160:0::
                                        VLAN3  fd48:1a37:2160:3::
                                        LAN4  fd48:1a37:2160:4::

                                        Netstat -r on pfSense shows:

                                        fd48:1a37:2160:3:: link#8            U      bge0_vla
                                        fd48:1a37:2160:3:: link#8            UHS        lo0
                                        fd48:1a37:2160:4:: link#2            U          em0
                                        fd48:1a37:2160:4:: link#2            UHS        lo0

                                        Note there is no line for fd48:1a37:2160:0::.

                                        There is also this on the WAN interface:

                                        fd07:f798:3:16e::  link#3            U          re0
                                        fd07:f798:3:4172:: link#3            U          re0

                                        There are no other ULA addresses listed.  So, pfSense doesn't have a route to fd48:1a37:2160:0::.

                                          • JKnott

                                          I think I found it.  I had to set the VIP prefix to /64.  Also, curious that the pfSense graphical admin doesn't show the 2nd address on either the dashboard or interface status.  Netstat -r does though.

                                            • johnpoz LAYER 8 Global Moderator

                                            "I had to set the VIP prefix to /64"

                                            what else would you have set it to?

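To make Derelict's diagnostic question ("is that ULA subnet in the routing table with a destination of that interface?") and the /64 VIP fix found above checkable, here is an added Python example that is not from this thread and not part of pfSense. It parses FreeBSD-style ifconfig output, works out which destinations sit on a connected network (what the kernel derives from interface addresses without any static route), and flags a ULA VIP configured as /128, the misconfiguration that made the rest of the prefix fall through to the default IPv6 gateway. Interface names and addresses in the sample are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the FreeBSD ifconfig output quoted in this
# thread; the LAN ULA VIP is deliberately a /128 to reproduce the misconfiguration.
SAMPLE_IFCONFIG = """\
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 2001:db8:10:ac00::1 prefixlen 64
        inet6 fe80::1:1%igb0 prefixlen 64 scopeid 0x1
        inet6 fd48:1a37:2160::1 prefixlen 128
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 fe80::1:1%em0 prefixlen 64 scopeid 0x2
        inet6 fd48:1a37:2160:4::1 prefixlen 64
bge0_vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 fd48:1a37:2160:3::1 prefixlen 64
"""

IFACE_LINE = re.compile(r"^(\S+):\s+flags=")
IPV6_LINE = re.compile(r"^\s+inet6\s+(\S+)\s+prefixlen\s+(\d+)")
ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local addresses


def parse_ifconfig(text):
    """Return [(ifname, IPv6Interface)] for every inet6 line in the output.
    The zone suffix (e.g. %igb0) on link-local addresses is stripped so that
    the ipaddress module can parse them."""
    result, ifname = [], None
    for line in text.splitlines():
        m = IFACE_LINE.match(line)
        if m:
            ifname = m.group(1)
            continue
        m = IPV6_LINE.match(line)
        if m and ifname:
            addr = m.group(1).split("%", 1)[0]
            result.append((ifname, ipaddress.ip_interface(f"{addr}/{m.group(2)}")))
    return result


def connected_route(addrs, dest):
    """Longest-prefix match of dest against the connected networks only.
    Returns (ifname, IPv6Network) or None if no interface covers dest."""
    dest = ipaddress.ip_address(dest)
    best = None
    for ifname, iface in addrs:
        net = iface.network
        if dest in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (ifname, net)
    return best


def classify(addrs, dest):
    """Explain where the router would send a packet for dest."""
    hit = connected_route(addrs, dest)
    if hit:
        return f"connected via {hit[0]} ({hit[1]})"
    if ipaddress.ip_address(dest) in ULA:
        return "no connected route: ULA would follow the default route to the WAN gateway"
    return "no connected route: forwarded via default route"


def find_host_only_ula(addrs):
    """ULA addresses configured with prefixlen 128 (a VIP without its /64):
    the kernel installs only a host route, so the rest of the /64 is not
    treated as on-link and hosts in it are unreachable from the router."""
    return [(ifname, str(iface.ip)) for ifname, iface in addrs
            if iface.ip in ULA and iface.network.prefixlen == 128]


if __name__ == "__main__":
    addrs = parse_ifconfig(SAMPLE_IFCONFIG)
    for dest in ("fd48:1a37:2160:0:61af:b555:ad10:3fd2", "fd48:1a37:2160:4::50"):
        print(dest, "->", classify(addrs, dest))
    for ifname, ip in find_host_only_ula(addrs):
        print(f"warning: {ip} on {ifname} is /128; set the VIP prefix to /64")
```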
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.