Multihoming the LAN (not WAN) not possible?
-
We have seen two types of posts - those saying pfsense 1.2.3 does support multiple LAN subnets on a single nic, and those which say it does not.
VLANS are not necessarily subnets.
If we consider a pfsense box with 2 nics, a WAN and a LAN nic. Easy.
The LAN nic is plugged into a single switch.
On this switch are two servers, one with an ip of say 192.168.1.1/24 and one with say 10.10.10.1/24. These could be VLAN tagged to keep the traffic separate, or not. We have not, to try and keep it simple.
Now there seems to be no way to assign two IPs to a single interface in the pfsense 1.2.3 GUI. You CAN assign VLAN IDs, but this is something completely different, and there is no option to assign an IP range to a VLAN that we can see.
Also, when we simply added a VLAN to an existing working interface, we lost all VPN connectivity to the pfsense box, and had to go to the DC to fix. We don't know why adding a "new" VLAN to an interface should screw up a working system so badly but it did. It appears to have had the side effect of enabling VLAN tagging on the existing un-VLANed interface or similar, which the switch did not like (the switch is configured so that everything is in an untagged VLAN of 10).
So the question is, does the pfsense 1.2.3 GUI support multiple subnets on one interface, aka multihoming?
We actually have a spare NIC in the box. We could in theory attach this to a couple of spare ports in the switch and VLAN them, but we can't risk doing this in our prod env as it is likely to bring down the network again.
-
What you're describing is a form of multihoming, but more specifically, IP aliasing. It is not simpler than vlans, but potentially more complicated, particularly if you already have a vlan switch.
I don't believe it is doable in the GUI in 1.2.3, but I'm sure I've seen the option in 2.0. To accomplish it in either version of pfsense you could add a shell command tag to your config like this:
ifconfig em0 inet 10.10.10.1 netmask 255.255.255.0 alias
-
Nice, thanks for the reply.
I assume that VLANS can't have different IP ranges, i.e. you cant do "ip aliasing" with VLANs using the 1.2.3 GUI?
When you say add a shell command tag, do you mean open a ssh session, and simply enter that command at the prompt? I'm assuming that it will be lost after reboot unless we put it in the BSD equiv. of rc2.d script. (I know zero about BSD, unfortunately, but enough about Solaris & some CentOS). If we add the multihoming, we would have to add it to the master and carp backup no?
-
@ace:
Nice, thanks for the reply.
I assume that VLANS can't have different IP ranges, i.e. you cant do "ip aliasing" with VLANs using the 1.2.3 GUI?
vlans are a layer 2 construct, while IP addresses and subnetting are layer 3. Once you create a vlan interface you can then configure that virtual interface with an IP address and subnet mask, exactly as you would a physical NIC.
When you say add a shell command tag, do you mean open a ssh session, and simply enter that command at the prompt? I'm assuming that it will be lost after reboot unless we put it in the BSD equiv. of rc2.d script.
Correct. If you paste that command into a terminal it will take effect until a reboot. Don't use an rc script with pfsense, just place the command between tags in your config file at the correct place and restore it. Better yet, install the shell command package (I assume it's available for 1.2.3) and just paste the command in there and let it do the work for you.
If we add the multihoming, we would have to add it to the master and carp backup no?
I have no experience with carp, but my understanding is that both systems need to be configured the same with the exception of their pfsync bits.
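Added example, not from any post in this thread: the FreeBSD ifconfig commands behind the two approaches discussed here, the IP alias on the LAN NIC versus a tagged VLAN interface that then gets its address like a physical NIC. The NIC name em0, the VLAN ID 10 and the addresses are taken from the thread; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread). Shows the ifconfig commands for an IP alias
# and for a VLAN interface on FreeBSD/pfSense. Assumes NIC em0 and VLAN tag 10.
# Prints the commands by default; APPLY=1 runs them (as root, on the firewall).
# The pfSense GUI normally manages interfaces itself; this is the shell view only.

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# IP alias: a second subnet on the same physical NIC. Both subnets share one
# broadcast domain, so any host on that switch can claim an address in either.
add_alias() {
    nic=$1; addr=$2; mask=$3
    run ifconfig "$nic" inet "$addr" netmask "$mask" alias
}

# VLAN: a layer-2 virtual interface (vlanNN, tag NN) on top of the NIC. The IP
# is assigned to the VLAN interface exactly as it would be to a physical NIC.
# The switch port facing the NIC must carry tag NN or nothing will pass; an
# untagged-only port (as described in the first post) drops the tagged frames.
add_vlan() {
    nic=$1; tag=$2; addr=$3; mask=$4
    run ifconfig "vlan$tag" create
    run ifconfig "vlan$tag" vlan "$tag" vlandev "$nic"
    run ifconfig "vlan$tag" inet "$addr" netmask "$mask"
}

add_alias em0 10.10.10.1 255.255.255.0
add_vlan  em0 10 10.10.10.1 255.255.255.0
```

Neither form survives a reboot on its own; on pfSense the alias line is what the thread suggests placing in a shell command tag or the shellcmd package, and the VLAN is better created through the GUI so it lands in the config.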
-
You can't do CARP on alias subnets in 1.2.3. You must use 2.0.
If you have the capability of using VLANs, use VLANs. Adding multiple subnets to the same NIC is in no way the same thing. With aliases, both subnets are still part of the same broadcast domain on the switches. Hopping between networks is as easy as hardcoding an IP in the other subnet on your client NIC. You also can't have DHCP in more than one subnet (not in the way most people expect it to work).
With VLANs it's completely segregated. From a broadcast point of view as well as a security view. You can't just hop from one network to another, and you don't have all of the broadcast/multicast traffic from both subnets getting mixed together.
On 2.0 you can do CARP in IP Alias subnets, but you still have the same requirements as the main interface. You have to add a different IP alias to each box inside the new subnet, and then set up a CARP VIP in that subnet.
-
Thanks for all the advice. Adding a VLAN to the LAN interface would be the way forward, but every time we do it, it kills the firewall's built-in openvpn access, and we have to send someone to the datacenter, restore a config, reboot it, then it works.
Agreed, multihoming is not the answer.
So we thought of another solution: to connect the spare interface (opt-2) to a separate (VLANed) network. We have done this, but the machine on this new network (another pfsense box) can't even ping the main pfsense box. What magic has to be done in pfsense to make opt-2 behave like the LAN, not a WAN? When you go into the LAN interface settings in pfsense, you can just set the ip (and optionally bridge).
When you go into opt-2, you have a lot of WAN type settings which I don't think we need. I set the address to static, bridge:none, ip is 10.10.10.1/24.
Now I connect another pfsense box on this network (i.e. connected to the same switch, with both ports in the same VLAN), give it 10.10.10.2 for its WAN, try and ping 10.10.10.1 and it can't see it. Do I have to bridge anything?
The reason there are two pfsense boxes is that the first one is the datacenter main perimeter box, and the second one is a staging environment meant to act the same as the production environment, so we want to be able to play with a staging copy of the production fws etc.
Any ideas?