IPv4 VTI tunnel - set network mask



  • Prior to upgrading to 2.4.5 I was able to select the size of the VTI local and remote networks in the interface.

    I used this to set /31 networks for my links. They are point-to-point, and it makes numbering them a little easier for me. (Using (10.0.0.0,10.0.0.1), (10.0.0.2,10.0.0.3) as pairs is easier to remember than (10.0.0.1,10.0.0.2), (10.0.0.5,10.0.0.6).)

    In 2.4.5 the option to change this is not available, see screenshot (VTI.png).

    Is this intended behaviour of the new version? I am worried that this will force me to renumber all my links, as next time I update I will not be able to set the correct network size, and they will default to a /30.


  • Rebel Alliance Developer Netgate

    It is intended to assume /30 there since it's point-to-point. Though I could see how /31 might work for some.

    We recently did fix a bug here, https://redmine.pfsense.org/issues/10418, but that was after 2.4.5 was created.

    In 2.4.5 you could change the mode to tunnel, change the type to network, then fix the mask, then switch back to VTI and save.

    We might have to revisit https://redmine.pfsense.org/issues/10418 before the next release yet.



  • @jimp said in IPv4 VTI tunnel - set network mask:

    > It is intended to assume /30 there since it's point-to-point. Though I could see how /31 might work for some.
    >
    > We recently did fix a bug here, https://redmine.pfsense.org/issues/10418, but that was after 2.4.5 was created.

    Ok, then I know why.

    > In 2.4.5 you could change the mode to tunnel, change the type to network, then fix the mask, then switch back to VTI and save.
    >
    > We might have to revisit https://redmine.pfsense.org/issues/10418 before the next release yet.

    The work-around works. I can live with that for now. Thanks for the hint.
    Edit: the assigned interface does not seem to come up.

    I changed this particular tunnel to be a /30 to check. The interface does not show up when calling "ifconfig" from the command line. It can be assigned under "Interfaces / Interface Assignments". The IPsec tunnel shows as up in the IPsec status tab. -> New thread for this issue as I see it with a separate tunnel as well: https://forum.netgate.com/topic/152246/interface-ipsec6000-not-being-added-for-vti-tunnel

