Virtual Interface

Simon 3 · May 20, 2024, 3:47 PM

Hi, i would like to know if anyone can tell me how to create a second temporary virtual interface which Zyxel defines as Virtual Interface, on the LAN which allows me to simulate a second gateway.
Example I have the LAN on 192.168.5.0/24 with pfsense with IP 192.168.5.254/32, I would like to have a second IP to assign as Gateway on 192.168.3.1/32 but I don't understand how to do it.
I tried to create it with the Virtual IP as Alias but I can't make it work.
If anyone can give me a hand I thank them in advance.

viragomann · May 20, 2024, 6:08 PM

@Simon-3 said in Virtual Interface:

Example I have the LAN on 192.168.5.0/24 with pfsense with IP 192.168.5.254/32

The mask of the interface IP has to be /24 as well, otherwise it would not be able to communicate with any other device in this subnet.

I would like to have a second IP to assign as Gateway on 192.168.3.1/32

Same here

I tried to create it with the Virtual IP as Alias but I can't make it work.

Yes, that's the way to achieve this, however, even if such set up is not recommended.
Don't you have another free interface on pfSense?

Simon 3 · May 23, 2024, 8:20 AM

@viragomann said in Virtual Interface:

do per raggiungere questo obiettivo, anche se tale impostazione non è consigliata.
Non hai un'altra interfaccia gratuita su pfSense?

I don't have a second free interface, at least it's not usable, it's just a temporary configuration; I assigned a Virtual IP /24 but I still have the problem that the virtual network does not appear on the internet.
login-to-view

viragomann · May 23, 2024, 10:07 AM

@Simon-3 said in Virtual Interface:

I assigned a Virtual IP /24 but I still have the problem that the virtual network does not appear on the internet.

What do you mean? A device in this subnet has no internet access?

Check the firewall rules. Ensure access from the additional subnet is allowed on LAN.
If so, I expect, that you can ping the virtual IP from a connected device.

If it has still no internet access check if pfSense has added an outbound NAT rule if the outbound NAT is in automatic mode. Maybe you have to switch into hybrid mode and add a proper rule manually.

Simon 3 · May 23, 2024, 10:28 AM

@viragomann

login-to-view

I allowed the subnet on the firewall on the LAN but unfortunately it doesn't allow me to ping, it was only allowed when the single address was set in the virtual IP configuration i.e. /32 while with the entire subnet /24 it doesn't allow me to ping.

viragomann · May 23, 2024, 10:43 AM

@Simon-3 said in Virtual Interface:

I allowed the subnet on the firewall on the LAN but unfortunately it doesn't allow me to ping

To ping what?

The pass rule is showing traffic and states, so obviously some traffic matches it.
login-to-view

Simon 3 · May 23, 2024, 10:50 AM

@viragomann

If from a device on the virtual subnet with manually set IP address 192.168.3.x and gateway 192.168.3.1, I try to ping 192.168.3.1, it gives me an expired request, and I don't understand why.

viragomann · May 23, 2024, 11:15 AM

@Simon-3
Did you set the network mask correctly on the device?

This is straight forward. If the network is configured properly the device and you ping the interface IP, the device requests the belonging MAC address, adds it to its ARP table and then send the request packet.

Can you see the gateway in its ARP table? I suspect, you can't due to a layer 2 failure.

On pfSense you can sniff the ARP traffic. But I assume, there is nothing to see due to a misconfiguration.

Simon 3 · May 23, 2024, 11:42 AM

@viragomann
The network card configuration is correct, what surprised me is that only towards Virtual IP 192.168.3.1/24 I had the problem. If I create another one like 192.168.88.1/24 the problem doesn't exist, I solved it simply by running a reboot of pfsense. But I still don't understand why this happened. Thank you very much for helping