Assigning uplinks to VIPs



  • I've been playing all day with the network doing some experiments with uplinks, and messing stuff up a little, but before going too deep (I made a huge, huge mess last week), I'd like to clear up whether it would be possible to map uplinks (PPPoE /32 IPv4, or maybe even OpenVPN interfaces) to Virtual IP addresses as if they were local gateways.

    What I want to do is something like assigning ISP1's random address to 172.22.22.22/32 and ISP2's address to 172.22.22.23/32, then creating a new interface on some unused VLAN but without assigning it any address, like when OpenVPN or GIF tunnels are made into interfaces. And lastly--here's where I got lost coming up with this insanity--"drop" the VIPs--somehow--into the interface without an address. Since there wouldn't be any DHCP service and the interfaces are singles, I figured there'd be no problem.

    I don't know exactly how I would drop the VIPs into the "blank" interface--or if they would respond as gateways. It's like I closed my eyes and I'm feeling my way through it, really. Maybe static routes?

    I made some doodles, hopefully you understand the mess I'm trying to come up with. If I do succeed I'm adding another layer somewhere. 😌

    0_1539370427930_Note Oct 12, 2018 11_21_46 AM 2.png
    This, uhm, "masterpiece" took me over an hour. 😂

    Can I assign such an interface? I'd be adding an any-to-any fw rule. I really, really, really think it should work because, except for floating rules, rules are there to greenlight traffic and the router's supposed to route all immediately attached interfaces, but I'm not sure if an interface with no address is ignored--how does it "grab" it?

    I think I'm stuck in ethernet vs it's-not-ethernet all over again.



  • I have a /28 from our ISP. I assign 13 IP Alias VIPs, one for each public IP. I can use any of them as gateways. I do NOT have an interface per VIP -- just the one WAN. VIPs are not interfaces, just IP masqs.



  • Oh I get it, so there's no chance? I actually never have tried this and didn't quite perfectly fit but I've time to kill--and so do routers, it seems. When you're doing 1:1 like in your case--which I'm envious of, BTW--can you still single out an address from the lot and masquerade it? Or do all have to be 1:1?

    You just pulled in a completely different direction. I'm coming up with search terms and mentally correcting them already. Thanks!



  • @umademelosemyusernamepfsense said in Assigning uplinks to VIPs:

    can you still single out an address from the lot and masquerade it? Or do all have to be 1:1?

    I'm not sure I understand your question.

    Like I said earlier, I have 13 VIPs. One of them is our gateway. I could specify any of the others as gateways. I use NAT port forwards to connect some of those VIPs to internal servers such as our web server, Nextcloud server etc. I used to also run mail and DNS via NATs but I've scaled back lately and just have the one gateway and two web servers.

    Maybe if you described the Big Picture of what you really want to accomplish from a high-level view. A lot of times, we get people who have dreamed up a half-baked solution and then they want specific help with each step when the better course would have been to ask for guidance about the project as a whole. I'm an intermediate-level brain here so maybe one of the bigger brains can see what you're trying to do.