Are Virtual Interfaces possible



  • Hi, I might be looking for this using incorrect terms, so if I am, please enlighten me.

    I'm wondering if it's possible to create "virtual" interfaces in pfSense.  What I mean by a virtual interface is that you could assign more than one interface to a particular NIC.  From what I read, I understand you could accomplish this with VLANs, but a VLAN would require that the switch the NIC is connected to also understands VLANs, and I'm wondering if it's possible to do this without a switch that understands VLANs.

    Here is the scenario of what the goal is.
    pfSense firewall with two nics, one for the WAN and one for the LAN.
    The Regular LAN uses a private IP space of 192.168.0.0/24
    The pfSense IP address for the LAN is 192.168.0.1

    A secondary private IP space is setup with 192.168.1.0/24
    Assign a new "interface" to pfSense with 192.168.1.1 which would "regulate" the traffic between 192.168.1.0 and 192.168.0.1 using the rules, so only specified traffic would be shared between both IP spaces.

    I'm aware that this setup is less than ideal.  The separation is only at the logical level, and it offers minimal security enhancement, as ANY machine could easily just switch IP space, but current cabling infrastructure doesn't allow for anything else at the present time.

    I know that if I stick pfSense inside a XenServer I could add as many virtual nics as my heart desires, but my question is if I can accomplish this with pfSense without the need to virtualize it.

    Thanks,

    -Art


  • Netgate Administrator

    Perhaps this page will enlighten you.
    Only thing similar to this I've tried is having both real WAN IP and a local IP on my WAN/PPPoE NIC in order to talk to my modem. Works fine.

    Steve



  • Thank you, that's one place I looked, but I must not be getting the full understanding of Virtual IPs.  I have set one up on the LAN, and it won't even answer a ping.

    I'm trying on a 1.2.2 which is the one I had already installed.

    I set up
    192.168.3.5/32 [Proxy ARP]
    and
    192.168.4.5/17 [Proxy ARP]

    Neither replies to ping.
    And my LAN rule is
    Pass * * * * * *
    So if I understand this, it should reply to pings.

    The LAN interface is set up as:
    192.168.0.1 / 17

    @stephenw10:

    Perhaps this page will enlighten you.
    Only thing similar to this I've tried is having both real WAN IP and a local IP on my WAN/PPPoE NIC in order to talk to my modem. Works fine.

    Steve



  • Try to update.
    1.2.2 is really really old.

    You should read the page stephen posted a bit more carefully

    Proxy ARP
       * Can not be used by the firewall itself but can be forwarded
       * Generates Layer2 traffic for the VIP
       * The VIP can be in a different subnet than the real interface's IP
       * Will not respond to ICMP ping.

    Do you have your pfSense as default gateway?
    Your second VIP is conflicting with everything.
    You actually create a /17 block of IPs (32768 addresses) (see the note on the page where you create VIPs: This is a CIDR block of proxy ARP addresses.)
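The /17 mix-up above is easy to catch before saving the entry. This added example (not from the thread or from pfSense itself) expands what a proxy ARP VIP entry really covers, treating the prefix as a CIDR block as the page notes, and reports overlap with the interface's own subnet; the input values are the ones the poster listed.

```python
"""Sanity-check proposed proxy ARP VIP entries against the interface subnet."""
import ipaddress


def check_proxy_arp_vip(iface_cidr, vip_cidr):
    """Describe what a proxy ARP VIP entry really covers.

    pfSense treats the VIP's prefix as a CIDR *block* of addresses to answer
    ARP for, not as a subnet mask, so 192.168.4.5/17 means 32768 addresses.
    A proxy ARP VIP is never bound to the firewall itself, so it will not
    answer ping regardless of the firewall rules.
    """
    iface_net = ipaddress.ip_network(iface_cidr, strict=False)
    vip_net = ipaddress.ip_network(vip_cidr, strict=False)
    return {
        "iface_net": str(iface_net),
        "block": str(vip_net),
        "addresses": vip_net.num_addresses,
        "single_host": vip_net.num_addresses == 1,
        "overlaps_interface": vip_net.overlaps(iface_net),
    }


def vip_warnings(iface_cidr, vip_cidrs):
    """Return human-readable warnings for a list of proposed proxy ARP VIPs."""
    warnings = []
    for vip in vip_cidrs:
        info = check_proxy_arp_vip(iface_cidr, vip)
        if not info["single_host"]:
            warnings.append(
                f"{vip}: answers ARP for {info['addresses']} addresses ({info['block']})"
            )
        if info["overlaps_interface"]:
            warnings.append(f"{vip}: overlaps the interface subnet {info['iface_net']}")
    return warnings


if __name__ == "__main__":
    # The poster's LAN is 192.168.0.1/17, so both VIPs fall inside it.
    for w in vip_warnings("192.168.0.1/17", ["192.168.3.5/32", "192.168.4.5/17"]):
        print(w)
```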



  • @GruensFroeschli:

    Try to update.
    1.2.2 is really really old.

    Thanks, I'll do that.

    @GruensFroeschli:

    You should read the page stephen posted a bit more carefully

    Geez, no kidding, I saw the last line that said: Will respond to ICMP ping if allowed by firewall rules. and totally missed the fact that A) it does not apply to Proxy ARP, B) it's available in the 2.x release.

    I apologize for my lack of paying attention.

    @GruensFroeschli:

    Do you have your pfSense as default gateway?
    Your second VIP is conflicting with everything.
    You actually create a /17 block of IPs (32768 addresses) (see the note on the page where you create VIPs: This is a CIDR block of proxy ARP addresses.)

    Thanks, yeah, that was not my original setup, I was just so blinded by the fact that it didn't reply to pings that I tried everything I could throw at it, trying to get it to reply to a single ping.  I tried everything except being careful when I read the post.  :-[

    Thank you.

    Is 2.0RC-1 stable enough to use in production, or should I stick with the 1.2.3?



  • Yes according to the blog
    http://blog.pfsense.org/?p=585
    it is ready for production.

    If you create, let's say, a CARP type VIP, and you create firewall rules that allow ICMP pings, then yes it should respond to pings.
    If you did try that, maybe you've set up your firewall rule wrong.
    Could you show a screenshot of the rule you used?



  • Thanks,

    I did not try to use a CARP type because I wanted it to be on a different subnet.  Basically act like it was a whole new interface.

    If I understand things correctly, the correct solution would be to use an IP Alias, but that page does not state if it has to be in the same subnet.

    Thanks again for the help.

    @GruensFroeschli:

    Yes according to the blog
    http://blog.pfsense.org/?p=585
    it is ready for production.

    If you create, let's say, a CARP type VIP, and you create firewall rules that allow ICMP pings, then yes it should respond to pings.
    If you did try that, maybe you've set up your firewall rule wrong.
    Could you show a screenshot of the rule you used?



  • Yes IP Alias would work for that.
    You can use a different subnet.

    (actually this was possible before with 1.2.3 but just not via the webgui)


  • Rebel Alliance Developer Netgate

    @artgug:

    Assign a new "interface" to pfSense with 192.168.1.1 which would "regulate" the traffic between 192.168.1.0 and 192.168.0.1 using the rules, so only specified traffic would be shared between both IP spaces.

    FYI that will never work the way you want. Anyone could simply change their IP into the other subnet and bypass the rules.

    You also can't do DHCP for two subnets on one interface this way.

    To do this properly, and securely, you either need another NIC and another switch, or a proper switch that supports VLANs.
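Since the two subnets above share one broadcast domain, the cheapest check for a host hopping between them is the firewall's own ARP table. This added example (not from the thread or from pfSense) parses constructed FreeBSD `arp -an` output and flags MAC addresses seen with addresses in more than one of the configured subnets on the LAN interface; the interface name `em1` and the sample lines are assumptions.

```python
"""Flag hosts that straddle the two logical subnets on one pfSense LAN segment."""
import ipaddress
import re
from collections import defaultdict

# FreeBSD "arp -an" line format, e.g.
# ? (192.168.0.50) at 00:11:22:33:44:55 on em1 expires in 1188 seconds [ethernet]
ARP_LINE = re.compile(
    r"\? \((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<iface>\S+)",
    re.IGNORECASE,
)

# Constructed sample output, not a real capture. The ...:55 host shows up in
# both subnets; ...:66 only in the regular LAN; ...:77 only in the second one.
SAMPLE_ARP = """\
? (192.168.0.50) at 00:11:22:33:44:55 on em1 expires in 1188 seconds [ethernet]
? (192.168.1.20) at 00:11:22:33:44:55 on em1 expires in 1050 seconds [ethernet]
? (192.168.0.51) at 00:11:22:33:44:66 on em1 expires in 900 seconds [ethernet]
? (192.168.1.21) at 00:11:22:33:44:77 on em1 expires in 1190 seconds [ethernet]
? (203.0.113.1) at 00:aa:bb:cc:dd:ee on em0 expires in 1100 seconds [ethernet]
"""


def find_straddling_hosts(arp_output, iface, subnets):
    """Return {mac: sorted ips} for MACs on `iface` seen in more than one subnet.

    The ARP table is only a snapshot of recently active neighbours, so a host
    that changed address after its old entry expired will not show up here;
    run this periodically and keep the history to catch those.
    """
    nets = [ipaddress.ip_network(s) for s in subnets]
    seen = defaultdict(set)   # mac -> indexes of subnets it was seen in
    ips = defaultdict(set)    # mac -> addresses it was seen with
    for line in arp_output.splitlines():
        m = ARP_LINE.search(line)
        if not m or m["iface"] != iface:
            continue
        addr = ipaddress.ip_address(m["ip"])
        mac = m["mac"].lower()
        for idx, net in enumerate(nets):
            if addr in net:
                seen[mac].add(idx)
                ips[mac].add(str(addr))
    return {mac: sorted(ips[mac]) for mac, idxs in seen.items() if len(idxs) > 1}


if __name__ == "__main__":
    print(find_straddling_hosts(SAMPLE_ARP, "em1", ["192.168.0.0/24", "192.168.1.0/24"]))
```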

