4. VIP alias without NAT

VIP alias without NAT

  • V

    Hi All ,
    this is my first post , anyway …
    im setting a simple FW , with a network that looks like this (i will not put my IPs , but any public IPs ) :

    LAN em0  -> 1.2.3.34/28
    WAN em1  -> 1.2.3.51/28
    PUB  em2  -> 1.2.3.28/28
    SYNC em3 -> 10.1.1.1/29  (later will be for CARP sync)

    all works good so far , including openvpn and all .
    now i come to a point where i need to add another subnet to PUB interface ( alias IP )
    1.2.3.0/28
    i come from the land of Linux so basiclly i would do it via ifconfig <int>: <number>ip/subnet .
    reading posts on this forum , and trying to figure it out my self
    http://forum.pfsense.org/index.php?topic=14654.0
    i know i need to use "Proxy ARP" type of Virtual IP because its different subnet then the PUB interface .
    but i have 2 problems . 1st is that its not working , i set up the virtual ip , set up firewall rules from WAN and PUB (enable that net to go out)
    but what ever i did , i could not get to the servers behing that subnet . i also try setting static route with no help .
    the 2nd problem is that when i come to the point where i will need to set and enable CARP , i will loose this network as failover .
    is there anything i can do to make it work ? i cannot use the SYNC interface for that because the alias subnet
    is part of my load-balancer ips , and there are no interfaces left on the load-balancer to use .
    i have only 4 interfaces on my pfsense server .</number></int>

    0
  • Rebel Alliance Developer Netgate

    There is a PDF linked on the doc wiki that shows how to add an IP alias to an interface.

    However, if you choose to go that route, it will not work with CARP on that interface, since the aliases are not supported in the GUI, only by manually "hacking" them into the configuration, so it won't allow you to add CARP IPs for that subnet in the GUI later on.

    After adding the IP alias, you will also need to add firewall rules and manual outbound NAT rules, but that is also covered in the PDF.

    0
  • V

    Well , i must say its a strange way of setting things  :-
    anyway i followed this manual , but it dowsnt seams to work . as i was saying i do not use NAT at all ,
    all my IPs are WAN ip's ( the reason is VOIP problems ) so i do not need NAT .
    i have set the
    <shellcmd>ifconfig em2 inet 1.2.3.1 netmask 255.255.255.240 alias</shellcmd>
    and loaded the configuration , but i dont seams to work only if do it manually

    # ifconfig em2
em2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
	options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 08:00:27:45:da:53
	inet 1.2.3.28 netmask 0xfffffff0 broadcast 1.2.3.31
	inet6 fe80::a00:27ff:fe45:da53%em2 prefixlen 64 scopeid 0x3 
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active

# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            1.2.3.62     UGS         0      326    em1
10.1.1.0/29        link#4             UC          0        0    em3
127.0.0.1          127.0.0.1          UH          0        0    lo0
1.2.3.16/28  link#3             UC          0        1    em2
1.2.3.20     08:00:27:db:51:56  UHLW        1        5    em2    160
1.2.3.32/28  link#1             UC          0        0    em0
1.2.3.48/28  link#2             UC          0        0    em1
1.2.3.62     00:1c:c0:7a:ed:91  UHLW        2     1547    em1   1180</full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast>

    when i set manually , all is working , but i need it across boot
    so im back to where i was in the first place .

    # ifconfig em2 inet 1.2.3.14 netmask 255.255.255.240 alias
# ifconfig em2
em2: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
	options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 08:00:27:45:da:53
	inet 1.2.3.28 netmask 0xfffffff0 broadcast 1.2.3.31
	inet6 fe80::a00:27ff:fe45:da53%em2 prefixlen 64 scopeid 0x3 
	inet 1.2.3.14 netmask 0xfffffff0 broadcast 1.2.3.15
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active

# netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            1.2.3.62     UGS         0      391    em1
10.1.1.0/29        link#4             UC          0        0    em3
127.0.0.1          127.0.0.1          UH          0        0    lo0
1.2.3.0/28   link#3             UC          0        1    em2
1.2.3.1      08:00:27:37:e5:23  UHLW        1       22    em2   1110
1.2.3.16/28  link#3             UC          0        1    em2
1.2.3.32/28  link#1             UC          0        0    em0
1.2.3.48/28  link#2             UC          0        0    em1
1.2.3.62     00:1c:c0:7a:ed:91  UHLW        2     2148    em1    598</full-duplex></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast>

    and the solution for that , created a script /usr/local/etc/rc.d/alias-ips.sh
    and put ifconfig command , after reboot , all works
    i do hope this will be fixed on future release

    0
  • Rebel Alliance Developer Netgate

    It's a non-issue on 2.0, where IP aliases are handled in the GUI as a type of Virtual IP.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy