VIP alias without NAT
-
Hi All ,
this is my first post , anyway …
im setting a simple FW , with a network that looks like this (i will not put my IPs , but any public IPs ) :LAN em0 -> 1.2.3.34/28
WAN em1 -> 1.2.3.51/28
PUB em2 -> 1.2.3.28/28
SYNC em3 -> 10.1.1.1/29 (later will be for CARP sync)all works good so far , including openvpn and all .
now i come to a point where i need to add another subnet to PUB interface ( alias IP )
1.2.3.0/28
i come from the land of Linux so basiclly i would do it via ifconfig <int>: <number>ip/subnet .
reading posts on this forum , and trying to figure it out my self
http://forum.pfsense.org/index.php?topic=14654.0
i know i need to use "Proxy ARP" type of Virtual IP because its different subnet then the PUB interface .
but i have 2 problems . 1st is that its not working , i set up the virtual ip , set up firewall rules from WAN and PUB (enable that net to go out)
but what ever i did , i could not get to the servers behing that subnet . i also try setting static route with no help .
the 2nd problem is that when i come to the point where i will need to set and enable CARP , i will loose this network as failover .
is there anything i can do to make it work ? i cannot use the SYNC interface for that because the alias subnet
is part of my load-balancer ips , and there are no interfaces left on the load-balancer to use .
i have only 4 interfaces on my pfsense server .</number></int> -
There is a PDF linked on the doc wiki that shows how to add an IP alias to an interface.
However, if you choose to go that route, it will not work with CARP on that interface, since the aliases are not supported in the GUI, only by manually "hacking" them into the configuration, so it won't allow you to add CARP IPs for that subnet in the GUI later on.
After adding the IP alias, you will also need to add firewall rules and manual outbound NAT rules, but that is also covered in the PDF.
-
Well , i must say its a strange way of setting things :-
anyway i followed this manual , but it dowsnt seams to work . as i was saying i do not use NAT at all ,
all my IPs are WAN ip's ( the reason is VOIP problems ) so i do not need NAT .
i have set the
<shellcmd>ifconfig em2 inet 1.2.3.1 netmask 255.255.255.240 alias</shellcmd>
and loaded the configuration , but i dont seams to work only if do it manually# ifconfig em2 em2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 08:00:27:45:da:53 inet 1.2.3.28 netmask 0xfffffff0 broadcast 1.2.3.31 inet6 fe80::a00:27ff:fe45:da53%em2 prefixlen 64 scopeid 0x3 media: Ethernet autoselect (1000baseTX <full-duplex>) status: active # netstat -rn Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 1.2.3.62 UGS 0 326 em1 10.1.1.0/29 link#4 UC 0 0 em3 127.0.0.1 127.0.0.1 UH 0 0 lo0 1.2.3.16/28 link#3 UC 0 1 em2 1.2.3.20 08:00:27:db:51:56 UHLW 1 5 em2 160 1.2.3.32/28 link#1 UC 0 0 em0 1.2.3.48/28 link#2 UC 0 0 em1 1.2.3.62 00:1c:c0:7a:ed:91 UHLW 2 1547 em1 1180</full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast>when i set manually , all is working , but i need it across boot
so im back to where i was in the first place .# ifconfig em2 inet 1.2.3.14 netmask 255.255.255.240 alias # ifconfig em2 em2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 08:00:27:45:da:53 inet 1.2.3.28 netmask 0xfffffff0 broadcast 1.2.3.31 inet6 fe80::a00:27ff:fe45:da53%em2 prefixlen 64 scopeid 0x3 inet 1.2.3.14 netmask 0xfffffff0 broadcast 1.2.3.15 media: Ethernet autoselect (1000baseTX <full-duplex>) status: active # netstat -nr Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 1.2.3.62 UGS 0 391 em1 10.1.1.0/29 link#4 UC 0 0 em3 127.0.0.1 127.0.0.1 UH 0 0 lo0 1.2.3.0/28 link#3 UC 0 1 em2 1.2.3.1 08:00:27:37:e5:23 UHLW 1 22 em2 1110 1.2.3.16/28 link#3 UC 0 1 em2 1.2.3.32/28 link#1 UC 0 0 em0 1.2.3.48/28 link#2 UC 0 0 em1 1.2.3.62 00:1c:c0:7a:ed:91 UHLW 2 2148 em1 598</full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast>and the solution for that , created a script /usr/local/etc/rc.d/alias-ips.sh
and put ifconfig command , after reboot , all works
i do hope this will be fixed on future release -
It's a non-issue on 2.0, where IP aliases are handled in the GUI as a type of Virtual IP.
