Netgate Discussion Forum

Multiple subnets

Category: HA/CARP/VIPs
MadDog2K (Nov 2, 2006, 1:12 PM):

Hello,

I'm currently looking into pfSense, to replace our 2 FreeBSD 6.1 firewalls (fail-over).
The setup is however not straightforward:

I have a WAN interface and a LAN interface.
The WAN interface currently has multiple subnets routed to its IP. (VIP from CARP, but doesn't matter).
The LAN interface has various IP aliases (CARP interfaces actually - for fail-over) with always 1 IP from the routed subnets configured to act as gateway for the machines behind it.

How can I accomplish this with pfSense?
Cause I can only find a way to assign one subnet to an interface…
I guess I could create various OPT interfaces and put every subnet in a different VLAN, but that's not very useful I think.
hoba (Nov 2, 2006, 1:23 PM):

Have a look at interfaces>virtual IPs. Also the CARP tutorial should be helpful: http://pfsense.com/mirror.php?section=tutorials/carp/carp-cluster-new.htm
MadDog2K (Nov 2, 2006, 3:38 PM):

@hoba:

    Have a look at interfaces>virtual IPs. Also the CARP tutorial should be helpful: http://pfsense.com/mirror.php?section=tutorials/carp/carp-cluster-new.htm

Thx, but I already tried that :>
For the first subnet, this works ok.

However, since I need more subnets, I need to add another one.
This gives me the following error:

    Firewall: Virtual IP Address: Edit

    The following input errors were detected:

    Sorry, we could not locate an interface with a matching subnet for 1.2.2.1/29. Please add an ip in this subnet on a real interface.

That is technically correct, since I don't have an IP from 1.2.2.x/29 configured yet on an interface. And CARP depends on this.
I just cannot find a method to add this 2nd subnet to my LAN interface.

The problem is thus that I need multiple subnets on my LAN interface, so eventually I can add more CARP interfaces.
But CARP is just step 2.

I've noticed after some reading that 'IP Aliases' will be implemented in pfSense 1.1 … would this fix my problem? (Running 1.0.1)
Is there a method to do this manually (and save on reboot :>)
hoba (Nov 2, 2006, 3:44 PM):

You could try to add this using hidden config.xml commands (see http://faq.pfsense.com/index.php?action=artikel&cat=10&id=38&artlang=en&highlight=hidden ) but this still wouldn't let you save the CARP IPs that are on the 2nd subnet as the webgui doesn't know about it. However, if you edit the config.xml manually and enter the CARP IPs for the second subnet and upload it, it might work. However, this of course is unsupported.
MadDog2K (Nov 2, 2006, 3:50 PM):

Many thanks! :>

Do you happen to have any idea if pfSense 1.1 will have support for what I need?
MadDog2K (Nov 2, 2006, 3:54 PM):

@hoba:

    You could try to add this using hidden config.xml commands (see http://faq.pfsense.com/index.php?action=artikel&cat=10&id=38&artlang=en&highlight=hidden ) but this still wouldn't let you save the CARP IPs that are on the 2nd subnet as the webgui doesn't know about it. However, if you edit the config.xml manually and enter the CARP IPs for the second subnet and upload it, it might work. However, this of course is unsupported.

The link on that page gives me a forbidden … when I look higher in the repository, there is no conf.default/ directory.
hoba (Nov 2, 2006, 6:50 PM):

I was talking about downloading the config.xml from diagnostics>backup/restore, then editing it to add the custom options that you can't create with the webgui and adding the interface alias commands as shellcommand or maybe even filter reload items. Then upload the customized config.xml again at diagnostics>backup/restore.
MadDog2K (Nov 2, 2006, 7:03 PM):

@hoba:

    I was talking about downloading the config.xml from diagnostics>backup/restore, then editing it to add the custom options that you can't create with the webgui and adding the interface alias commands as shellcommand or maybe even filter reload items. Then upload the customized config.xml again at diagnostics>backup/restore.

Ah, ok. Thanks, I will try this.
Owen (Nov 13, 2006, 8:46 AM):

MadDog2k,

Have you had any success with this suggestion, or found an alternate workaround?
MadDog2K (Nov 13, 2006, 6:16 PM):

Have not been able to try this yet.

Hope to do so this week :)
tetard (Nov 25, 2006, 1:38 PM):

Here's how I solved this problem for our office (migrating a legacy 4.9 firewall with ipfw to pfSense).

The first thing I noticed is the lack of support for alias IPs (in the traditional definition of the concept, i.e. "ifconfig xxx0 1.2.3.4/27 alias").

So I went around the forums, and didn't find a good solution that wouldn't confuse CARP or require sticking a custom startup script in /usr/local/etc/rc.d/

One solution I did come up with, and that I have used before with success in NAT-before-tunnel IPSEC encapsulations, is as follows:

1. create a Virtual IP of type "proxy arp" on the inside interface (Firewall -> Virtual IPs), for example "172.31.31.1/32" (what we use)
2. create an advanced outbound NAT rule of the type: nat on EXT_IF inet from 172.31.31.0/24 to any -> (EXT_IF) round-robin
3. the tricky bit: route add 172.31.31.0/24 -iface INT_IF

Now the last part is tricky because the forms don't support -iface sis0 (the inside IF). Looking in the CVS code:

http://cvstrac.pfsense.com/chngview?cn=10696
http://cvstrac.pfsense.com/rlog?f=pfSense/usr/local/www/system_routes.php

… this was introduced, then rolled back:

http://cvstrac.pfsense.com/chngview?cn=10869

Scott's explanation:

"Remove interface gateway option. It doesnt do what I wanted, and the same can be achieved by plugging in the next hop gateway."

Well, it would have done what I wanted :) Additionally, I am missing an example for the scenario described in the above commit message -- I am doubting about the correct way to go about doing this kind of forwarding with PF, through the pfSense interface...

So in the meantime I have an rc.d script doing "route add 172.31.31.0/24 -iface sis0" and everybody's happy. Hope the input helps, and hope real IP aliases will be introduced sometime in the future.

Phil
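Added example, not code from this thread or from the pfSense project: a small script that does the config.xml editing hoba describes (interface alias commands added as shell commands to a downloaded backup) and also covers tetard's `route add ... -iface` workaround, with a pre-upload check that imitates the webgui's "no interface with a matching subnet" test that rejected the second-subnet VIP. It assumes a `<shellcmd>` element under `<system>` is the hidden option the FAQ link refers to; the interface names, addresses and the minimal config.xml are constructed. As hoba notes, the webgui still does not learn about an alias added this way, so CARP VIPs in the second subnet have to be entered in the XML by hand as well; the overlap check is there so a hand edit cannot silently put the same network on two interfaces.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed, minimal config.xml in the shape of a pfSense 1.x backup.
# A real backup carries many more sections; only <system> and <interfaces>
# are read or written here. Interface names and addresses are made up.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system><hostname>fw1</hostname></system>
  <interfaces>
    <wan><if>sis1</if><ipaddr>203.0.113.2</ipaddr><subnet>30</subnet></wan>
    <lan><if>sis0</if><ipaddr>192.0.2.1</ipaddr><subnet>29</subnet></lan>
  </interfaces>
</pfsense>
"""


def load_config(text):
    """Parse a config.xml backup; returns the <pfsense> root element."""
    return ET.fromstring(text)


def configured_networks(root):
    """Map of network -> OS interface name, covering every interface's primary
    address plus any 'ifconfig ... alias' <shellcmd> already present."""
    nets = {}
    for iface in root.find("interfaces"):
        addr, mask = iface.findtext("ipaddr"), iface.findtext("subnet")
        if addr and mask and mask.isdigit():  # skips dhcp/pppoe style values
            nets[ipaddress.ip_interface(f"{addr}/{mask}").network] = iface.findtext("if")
    for cmd in root.iter("shellcmd"):
        parts = (cmd.text or "").split()
        if len(parts) == 4 and parts[0] == "ifconfig" and parts[3] == "alias":
            nets[ipaddress.ip_interface(parts[2]).network] = parts[1]
    return nets


def add_lan_alias(root, osname, cidr):
    """Append 'ifconfig <osname> <cidr> alias' as a <shellcmd> (assumed hidden
    option under <system>), refusing an alias that overlaps a network already
    configured on any interface. Returns the command text."""
    new_if = ipaddress.ip_interface(cidr)
    for net, ifname in configured_networks(root).items():
        if new_if.network.overlaps(net):
            raise ValueError(f"{cidr} overlaps {net} already on {ifname}")
    cmd = ET.SubElement(root.find("system"), "shellcmd")
    cmd.text = f"ifconfig {osname} {new_if.with_prefixlen} alias"
    return cmd.text


def add_iface_route(root, osname, cidr):
    """tetard's variant: pin a whole network to the inside interface with
    'route add <net> -iface <osname>' instead of adding an alias address."""
    net = ipaddress.ip_network(cidr, strict=True)
    cmd = ET.SubElement(root.find("system"), "shellcmd")
    cmd.text = f"route add {net} -iface {osname}"
    return cmd.text


def vip_interface(root, vip_addr):
    """Imitate the webgui check that rejected the second-subnet VIP: return the
    interface whose subnet contains vip_addr, or None if no interface matches."""
    ip = ipaddress.ip_address(vip_addr)
    for net, ifname in configured_networks(root).items():
        if ip in net:
            return ifname
    return None


def shellcmds(root):
    """All <shellcmd> entries in document order, i.e. what will run at boot."""
    return [c.text for c in root.iter("shellcmd")]


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print(vip_interface(cfg, "198.51.100.1"))   # None: no interface in that subnet yet
    add_lan_alias(cfg, "sis0", "198.51.100.1/29")
    print(vip_interface(cfg, "198.51.100.1"))   # sis0
    add_iface_route(cfg, "sis0", "172.31.31.0/24")
    print(ET.tostring(cfg, encoding="unicode"))  # the edited config.xml to upload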
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.