How to map to 3 alias static ips on same FreeBSD server NIC?



  • Need to static map from pfsense gateway (192.168.34.1) to four LAN static ips on the same server NIC.

    Was running main server under static dhcp, but now that I have 3 aliases, pfsense does not allow for static dhcp to the same MAC address. Tried without DHCP enabled on LAN, no go.

    Server has 3 jails assigned static ips of 192.168.34.51, 52, 53 as aliases to same NIC as main static ip (192.168.34.50).

    rc.conf (FreeBSD server 192.168.34.50):

    ```
    ifconfig_em1="192.168.34.50/24"
    ifconfig_em1_alias0="192.168.34.51/24"
    ifconfig_em1_alias1="192.168.34.52/24"
    ifconfig_em1_alias2="192.168.34.53/24"
    defaultrouter="192.168.34.1"
    ```

    The FreeBSD server (192.168.34.50) can ping the pfsense 2.0.2 gateway (192.168.34.1) and outside. But cannot ping from pfsense to 192.168.34.50, ssh to 192.168.34.50, and NAT rules do not work to access webserver in jail J0.

    I've read the PFSense book sections numerous times, gone over all my settings, retested, searched, …, but no avail.

    It has to be something simple.  Any ideas or solutions?

    Thanks,
    Peter



  • @PSprague:

    But can not ping from pfsense to 192.168.34.50, ssh to 192.168.34.50,

    Please post the command and system response. That is almost always more informative than "cannot ping".

    @PSprague:

    and NAT rules do not work to access webserver in jail J0.

    Access from where? From the internet? From your local network 192.168.34.x/24? What NAT rule? Did you mean your port forward? If you mean access from your pfSense box or from the internet then the web access is probably not going to work until you get the ping issue sorted out and that might not be sufficient.



  • In a nutshell, my focus is for my pfsense box to communicate with my jails on the FreeBSD server. All jails are aliases on the same NIC MAC as the main ip of the server.

    @PSprague:

    But can not ping from pfsense to 192.168.34.50, ssh to 192.168.34.50,

    @wallabybob:

    Please post the command and system response. That is almost always more informative than "cannot ping".

    Ping output (from pfsense ping panel):

    ```
    PING 192.168.34.50 (192.168.34.50) from 192.168.34.1: 56 data bytes

    --- 192.168.34.50 ping statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss
    ```

    @PSprague:

    and NAT rules do not work to access webserver in jail J0.

    @wallabybob:

    Access from where? From the internet?

    From internet, though this is the least of my worries at the moment.  First need to have pfsense be able to communicate internally with the jails.
    @wallabybob:

    From your local network 192.168.34.x/24? What NAT rule? Did you mean your port forward?

    Port Forwarding is a component of NAT from my understanding. This is not my focus at this step. Just mentioned it because the end point is to have access to J0 webserver from internet. Once it's reachable internally, my NAT/Firewall rules will likely work. Did prior when not using jails.
    @wallabybob:

    If you mean access from your pfSense box or from the internet then the web access is probably not going to work until you get the ping issue sorted out and that might not be sufficient.

    Yup, I understand that.  See above about end point.

    What I don't understand is that I thought this should be automatic through ARP, and I don't even need to declare any static dhcp mappings.



  • @PSprague:

    What I don't understand is that I thought this should be automatic through ARP

    Yes it should be automatic.

    1. Is the FreeBSD interface in the running state with the alias addresses listed? (Please post the output of the FreeBSD shell command `ifconfig`.)

    2. With a ping running on pfSense, does a packet capture on the FreeBSD system show the ARP requests? Does it show responses?


  • Fixed/Solved.

    Was a comedy of errors.

    Had to use a console on FreeBSD server, a console on pfsense, and web access to pfsense.

    1. In pfsense, shut off DHCP server.
    2. While there, also removed static DHCP to 192.168.34.50 with bogus MAC to act as a placeholder.
       This was first error. ARP picked up address and showed in ARP table, but obviously it was linked to the wrong MAC address.
    3. Cleaned out the ARP cache or reboot on pfsense.
    4. arp -a on FreeBSD shows pfsense gateway.
    5. Ping to pfsense works.
    6. arp on pfsense now shows 192.168.34.50 mapped to correct MAC address!!
    7. Ping to FreeBSD still not working?
    8. FreeBSD firewall rule drops (blocks) packets instead of reject. Hence no ping. Duh! Sort of error #2 (mental error?)
       Adjust firewall rules for testing. Reset.
    9. OK, now what about ssh into FreeBSD from pfsense console? Nope - reject. So it's getting a response of sorts.
    10. Error #3 - FreeBSD ssh config was set to only listen on old address of server, not 192.168.34.50. Fixed.
    11. Now have ssh access from pfsense console to FreeBSD server.
    12. Now what about original endpoint - WAN access to webserver 192.168.34.51? Yup.

    Thanks for pointing to arp to help trouble-shoot this.

    Peter
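Added example, not code from this thread or from the pfSense or FreeBSD projects: a POSIX shell script that runs offline against constructed sample command output and checks the three things the thread turned on, namely that the alias addresses are actually present on the interface (the `ifconfig` check asked for above), that the gateway's ARP entry for the server carries the NIC's real MAC rather than a stale placeholder (error #1 in the fix post), and that sshd's ListenAddress covers the server's current address (error #3). The interface names, the MAC addresses, the old address 192.168.34.20 and all three sample outputs are assumptions constructed for the example; on a real system the same functions would be fed the live output of `ifconfig em1` on the server, `arp -an` from the pfSense shell, and `/etc/ssh/sshd_config`.

```sh
#!/bin/sh
# Added example, not from the thread. Offline consistency checks for a FreeBSD
# server with alias IPs behind a pfSense gateway, run on constructed samples.

# Constructed sample of `ifconfig em1` on the FreeBSD server (MAC is made up).
# The 192.168.34.53 alias is deliberately absent to show a failing check.
IFCONFIG_SAMPLE='em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:55
        inet 192.168.34.50 netmask 0xffffff00 broadcast 192.168.34.255
        inet 192.168.34.51 netmask 0xffffff00 broadcast 192.168.34.255
        inet 192.168.34.52 netmask 0xffffff00 broadcast 192.168.34.255
        status: active'

# Constructed sample of `arp -an` on pfSense: the .50 entry still carries a
# bogus placeholder MAC (the stale static-DHCP situation from the thread).
ARP_SAMPLE='? (192.168.34.50) at 00:de:ad:be:ef:01 on em0 expires in 1100 seconds [ethernet]
? (192.168.34.51) at 00:11:22:33:44:55 on em0 expires in 1190 seconds [ethernet]'

# Constructed sshd_config fragment: still bound to an assumed old address.
SSHD_SAMPLE='Port 22
ListenAddress 192.168.34.20
PasswordAuthentication no'

# check_aliases "<ifconfig output>" ip...: print each expected address that is
# not configured on the interface; return 0 only if all are present.
check_aliases() {
  out=$1; shift
  rc=0
  for ip in "$@"; do
    esc=$(printf '%s' "$ip" | sed 's/\./\\./g')   # literal dots in the regex
    if ! printf '%s\n' "$out" | grep -Eq "^[[:space:]]*inet $esc( |\$)"; then
      echo "missing alias on interface: $ip"; rc=1
    fi
  done
  return $rc
}

# nic_mac "<ifconfig output>": the interface's hardware (ether) address.
nic_mac() {
  printf '%s\n' "$1" | awk '$1 == "ether" { print $2; exit }'
}

# arp_mac "<arp -an output>" ip: MAC the gateway currently has for ip, or "".
arp_mac() {
  printf '%s\n' "$1" | awk -v ip="($2)" '$2 == ip { print $4; exit }'
}

# check_arp "<ifconfig output>" "<arp output>" ip: 0 if the gateway's ARP
# entry for ip matches the NIC, 1 if stale/wrong, 2 if there is no entry.
check_arp() {
  real=$(nic_mac "$1"); seen=$(arp_mac "$2" "$3")
  if [ -z "$seen" ]; then
    echo "gateway has no ARP entry for $3"; return 2
  fi
  if [ "$seen" != "$real" ]; then
    echo "stale ARP entry for $3: gateway has $seen, NIC is $real"; return 1
  fi
  return 0
}

# sshd_listens "<sshd_config text>" ip: 0 if sshd will bind ip, either via an
# explicit ListenAddress, the 0.0.0.0 wildcard, or no ListenAddress at all.
sshd_listens() {
  addrs=$(printf '%s\n' "$1" | awk '$1 == "ListenAddress" { print $2 }')
  if [ -z "$addrs" ]; then
    return 0            # no directive: sshd listens on every address
  fi
  for a in $addrs; do
    if [ "$a" = "$2" ] || [ "$a" = "0.0.0.0" ]; then
      return 0
    fi
  done
  return 1
}

# Run all three checks; non-zero status means something needs fixing.
run_checks() {
  status=0
  check_aliases "$IFCONFIG_SAMPLE" 192.168.34.50 192.168.34.51 192.168.34.52 192.168.34.53 || status=1
  check_arp "$IFCONFIG_SAMPLE" "$ARP_SAMPLE" 192.168.34.50 || status=1
  if ! sshd_listens "$SSHD_SAMPLE" 192.168.34.50; then
    echo "sshd is not listening on 192.168.34.50 (check ListenAddress)"; status=1
  fi
  return $status
}

run_checks || echo "one or more checks failed; see messages above"
```

Against the samples the script reports all three of the thread's problems: the missing .53 alias, the .50 ARP entry pointing at the wrong MAC, and sshd bound only to the old address. Replace the three sample strings with real command output (for example `IFCONFIG_SAMPLE=$(ifconfig em1)`) to use it on a live box.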

