pfsense Virtual IP as LAN clients host default gateway
-
Hello!
We have been migrating a number of network thingies (switches, firewalls) to a virtualized pfSense. It's working great so far; we'll probably be buying some Netgate hardware in the future. So far during the transition (which took almost a year, yeah, there's that) we've kept the older gear and did some asymmetric routing to avoid downtime. Soon we will be shutting down all the older gear. My question is: if I add the older gear's IP to the pfSense as a VIP, will the routing work as if it was a "native" IP on the relevant interface?
As far as I understand, a VIP works more or less the same way as keepalived works on a Linux stack, answering the ARP requests for that IP the same way it answers ARP requests for the "native" IP on the interfaces.
All the routing/firewall/network rules do work, but I'm wondering how to not just drop the older network gear IPs (that would require even more work). I could just add them as VIPs and leave the clients' config based on those addresses unchanged.
-
Yes it will route traffic arriving on that VIP IP. You will need to add rules to cover that traffic, it's not in the LANnet system alias for example.
It's obviously better to avoid that if you can, but as a temporary workaround it can work.
Steve
-
@stephenw10 thanks, thought so.
To be on the safe side I was thinking about a DNAT, rewriting the destination IP address to the LANNet address for all the packets with the VIP as destination IP.
I'm not quite certain about the order in which this NAT would be applied though; if it's applied before evaluating routing/fw rules it should work, or maybe everything gets re-evaluated again after the NAT is applied?
-
It's NAT then firewall rules for incoming traffic.
https://docs.netgate.com/pfsense/en/latest/nat/process-order.html
You could forward that traffic but you would need the VIP to respond to ARP requests anyway.
Steve
-
@stephenw10 thanks, it should definitely work as I was envisioning.
Yes, I'd still have the VIP answering ARP requests for that IP, and it will use the MAC address of the interface where it was created to do so; then the destination IP field on those packets will be rewritten, then the rules will be applied and packets routed according to the routing table.
I will then use tcpdump to identify all the hosts that are still using those IPs I assigned as VIPs and modify the config on the fly little by little.
By the way, netmap is amazing; the BSD network stack and what you guys built on top of it is absolutely stunning. I have some small feedback on the UI, but overall pfSense is definitely comparable to the major players' firewall solutions out there; for sure you beat SonicWall and Fortinet in my mind, and I'm pushing to buy the actual Netgate hardware because of that.
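As an added example (not part of the thread), a small Python helper for the tcpdump step above: because the VIP shares the interface MAC, routed traffic alone cannot tell which gateway a client uses, so it looks for hosts that still ARP for the legacy IPs or send packets addressed directly to them. The addresses and capture lines are constructed, not real.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -i <lan_if> arp or ip` output (not a real capture).
# 192.168.1.254 and .253 are the legacy gateway IPs now configured as pfSense VIPs;
# 192.168.1.1 is the native LAN address.
SAMPLE = """\
14:03:01.100000 ARP, Request who-has 192.168.1.254 tell 192.168.1.10, length 28
14:03:01.100500 ARP, Reply 192.168.1.254 is-at 00:11:22:33:44:55, length 28
14:03:02.200000 IP 192.168.1.10.40000 > 192.168.1.254.53: 12345+ A? example.com. (29)
14:03:03.300000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
14:03:04.400000 IP 192.168.1.30.51000 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
14:03:05.500000 IP 192.168.1.40 > 192.168.1.253: ICMP echo request, id 7, seq 1, length 64
14:03:06.600000 ARP, Request who-has 192.168.1.253 tell 192.168.1.40, length 28
"""

# "ARP, Request who-has <target> tell <sender>" lines reveal which gateway a host resolves.
ARP_REQ = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
# "IP <src>[.port] > <dst>[.port]:" lines catch traffic aimed at the legacy IP itself (DNS, ping).
IP_PKT = re.compile(r" IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")


def hosts_still_using(legacy_ips, dump_text):
    """Map each legacy IP (now a VIP) to the sorted list of client IPs that still
    ARP for it or send packets directly to it. Hosts only using the native
    interface IP, or only routing through it, do not appear."""
    legacy = set(legacy_ips)
    found = defaultdict(set)
    for line in dump_text.splitlines():
        m = ARP_REQ.search(line)
        if m and m.group(1) in legacy:
            found[m.group(1)].add(m.group(2))
            continue
        m = IP_PKT.search(line)
        if m and m.group(2) in legacy:
            found[m.group(2)].add(m.group(1))
    return {ip: sorted(hosts) for ip, hosts in found.items()}


if __name__ == "__main__":
    report = hosts_still_using(["192.168.1.254", "192.168.1.253"], SAMPLE)
    for vip, hosts in sorted(report.items()):
        print(f"{vip}: still referenced by {', '.join(hosts)}")
```

Feed it a saved capture (`tcpdump -n -i <lan_if> arp or ip > lan.txt`) instead of SAMPLE to build the list of clients whose gateway or DNS settings still need updating before the VIPs are removed.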