Netgate Discussion Forum
    Can not create inet alias in webconfigurator, workaround or alternatives?

    HA/CARP/VIPs
    CHFO wrote:

      Hi
      Background:
      The company has control over two distinct external /24 nets.
      Today we have two firewalls running OpenBSD 4.6 (old!) and pf, with configuration files handcrafted by some other guys. Now there are strange errors occurring with these machines (possibly hardware related). They are out of warranty now and two new ones have been ordered. In preparation I started setting up the network environment on a few desktops with pfSense instead of OpenBSD+pf.
      The firewalls (and the two replacing them) route general traffic from desktop machines but also for a lot of DMZ servers where there is 1:1 IP mapping.

      The thing is that the current firewalls have 4 real interfaces: WAN, LAN, DMZ and pfsync. The WAN interface is simple and uses CARP, only on one external network. But the DMZ has a "physical" IP in the external net we can call 'X' and a virtual IP in the other external net 'Y', i.e. /etc/hostname.bnx0 includes a second line "inet alias …".
      The way the guys have managed to set it up is that /etc/hostname.carp0 (which uses bnx0) has a normal IP in the X net and also a virtual IP in the Y net. No physical interface has a normal IP in the Y net.

      On the test machine, under Firewall \ Virtual IPs in the webConfigurator, I have set up the 3 normal CARPs (WAN, DMZ, LAN) and an IF alias (the image icon says IF) for the Y net IP on the DMZ interface.

      So that's how it's set up. I don't know pf/CARP best practices, so I don't know if it strays far from good practice.
      I read in the pfSense documentation about the CARP virtual IP type: "The VIP has to be in the same subnet as the real interface's IP."

      The thing is that it seems to work with OpenBSD+pf. Is it some problem with doing this in FreeBSD+pf, or is it a too-tight restriction of the pfSense webConfigurator?
      When I try to create an IP alias using the CARP interface I run into trouble and get this error:
      "Sorry, we could not locate an interface with a matching subnet for a.b.c.d/25. Please add an IP alias in this subnet on this interface." (censored IP).
      Googling the last sentence gave me a few hits in this forum, which I read, and some web view of the source code, which seems to look only at physical interfaces (as the error suggests).

      What are my options? The most time-effective option (in cost and time spent) seems to be to get another network card, so I have 5 in total, where one has a presence in the X net and another in the Y net. Sounds reasonable? The test machines are maxed out with 4 network cards (incl. internal) and I don't have any dual/quad port cards available.

      Edit:
      I noticed that after I created the virtual IP for the real interface (not CARP) I had no trouble creating another CARP VIP in the Y net. When thinking about it, I cannot see any reason not to use several CARP interfaces instead of trying to use several alias (virtual) IPs inside one CARP interface. The rules from the current pf.conf that I will add to pfSense might require some modification, but that's okay.
      If no one thinks this is bad, I guess this thread can be seen as "resolved".

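The subnet rule the post runs into, and the workaround described in the edit (add an IP alias on the real interface first, then the CARP VIP in the Y net), can be modelled as a small validation check. This is an added example, not pfSense's own code; the interface name, the 198.51.100.0/24 "X" net and the 203.0.113.0/24 "Y" net are constructed documentation-range values, and the matching rule (VIP address inside the subnet of the parent's address or of an IP alias on it) is an assumption about the webConfigurator's behaviour.

```python
import ipaddress

DMZ_IFACE = "em1"  # hypothetical interface name, not from the post


def usable_subnets(iface_addr, ip_aliases=()):
    """Subnets on which a CARP VIP may be placed for a parent interface:
    the subnet of its real address plus the subnet of every IP alias
    already bound to it (assumed rule, modelled after the error text)."""
    nets = [ipaddress.ip_interface(iface_addr).network]
    nets += [ipaddress.ip_interface(a).network for a in ip_aliases]
    return nets


def check_carp_vip(vip, iface_addr, ip_aliases=()):
    """Return (ok, message) for a proposed CARP VIP on the parent interface."""
    vip_if = ipaddress.ip_interface(vip)
    for net in usable_subnets(iface_addr, ip_aliases):
        if vip_if.ip in net:
            return True, f"{vip} fits subnet {net} on {DMZ_IFACE}"
    return False, (f"Sorry, we could not locate an interface with a matching "
                   f"subnet for {vip}. Please add an IP alias in this subnet "
                   f"on this interface.")


def walk_through():
    """Replay the poster's situation: X-net VIP works, Y-net VIP fails until
    an IP alias in the Y net exists on the same parent interface."""
    real = "198.51.100.2/24"            # DMZ real address in the X net
    steps = [
        ("carp in X net", check_carp_vip("198.51.100.1/24", real)),
        ("carp in Y net, no alias", check_carp_vip("203.0.113.1/24", real)),
        ("carp in Y net, after alias",
         check_carp_vip("203.0.113.1/24", real, ["203.0.113.2/24"])),
    ]
    return steps


if __name__ == "__main__":
    for label, (ok, msg) in walk_through():
        print(f"{label:30} {'OK ' if ok else 'ERR'} {msg}")
```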
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.