Version 1.2.3 and Virtual IP on LAN

  • I cannot get my head wrapped around VIPs and I have searched and "think" I have this figured out. BUT, I am just asking for confirmation that what I think I should do to add a VIP to my LAN is what I should in fact do. In Googling and searching there is a lot out there, but nothing definitive… yet.

    I have a wireless LAN, eth2, with captive portal and DHCP. The WLAN doles out IPs in the range of - .250. I have several access points that have web admin IPs of - .10.

    Step One, add an "Other VIP" of, or would it be CARP or the other one?
    Step Two, add a rule to the WLAN firewall rules allowing all traffic to this IP range. Not certain this is necesary.
    Step Three, add a NAT setting, which I am not certain about how to go about.

    Is this it? And is an "Other VIP" correct? Don't need to ping it, but from another LAN, eth1, I should be able to access the web admin AP addresses.

    Please advise and any and all help is appreciated. And thanks!


  • What is your subnet mask on these networks?

  • Virtual:


    I guess I could do a virtual mask of /27 (



  • Is my subnetting not correct for the real IP?

    Should both IP's subnets allow both IP ranges (and everything in between)?

    Can this be done with pfSense?



  • If you setup a CARP VIP in, pfSense should be able to route if you have setup the firewall rules and NAT to account for that additional subnet.

  • Thank-you so much for the reply!

    When ever I try adding a CARP VIP I get the following error:

    The following input errors were detected:
    Sorry, we could not locate an interface with a matching subnet for Please add an ip in this subnet on a real interface.

    Do I need to subnet my real 55.1 IP to something like (

    Thanks again. Not certain what I am doing wrong as this should be pretty simple.


  • One DOES have to set the real IP Net Mask with appropriate subnetting. SO I set it to: (

    And was able to create the CARP VIP.

    Set up a simple firewall rule, and could not ping anything.

    Using straight IP, no natting should be needed or warranted as all I would 'like' to do is access the webgui of the wireless access points. Just allow the IP in and out of the OptLAN.

    So… back to square one. Maybe I should try and figure out how to add a virtual Interface.


  • Okay so if you have that setup go to advanced setup and set the option to bypass firewall rules if destination is on the same interface. If you only want to access the mgmt of the wifi why are they on a seperate subnet.

  • Podialrius,

    Thanks so much for your time and help.

    The APs were set up there some time ago and not certain why things changed but they did. One good thing, guests can't try and hack the APs when they can't see the webgui or their IP. We can access them but just a heck of a lot easier if it was simpler.

    I did not see in the 1.2.3  advanced page anything about bypassing firewall rules. Still need them and NAT for everything else this box is doing.

    Will probably move the net back to 50.X. Less hassle other than an occasional attack against one of the APs.


Log in to reply