Ifconfig throws error when adding VIP
Hi,
Background
I am in the process of setting up a Site-to-Site VPN (ipsec or openvpn) that terminates on one of our pool of 8 static public IP addresses assigned to us by BT (UK), in this case A.B.C.27.
(BT Static IP Pool. First three octets replaced with A.B.C)
- Subnet Size: 8
- Subnet Mask: 255.255.255.248
- User IP Range Start: A.B.C.25
- User IP Range End: A.B.C.29
- IP Addr(Base): A.B.C.24
- IP Addr(End): A.B.C.31
- Default Gateway: A.B.C.30
Due to the way BT route their static IPs, the pfsense box is assigned a dynamic IP (A.X.Y.42 currently) on the PPP WAN interface and BT routes everything related to our assigned pool of static public IPs to that dynamic address (hope that makes sense). Note that this dynamic IP assigned to the WAN interface is in a different subnet (octets A.X.Y.?) from our static pool (A.B.C.?). The static pool of public IPs is not supplied to the pfsense router via PPP / DHCP but has to be manually added as virtual IPs.
Currently I have the IPs set up as type "ip alias", each one addressed as per this example: A.B.C.27/29. The addresses I have added are the User range and the default gateway shown above.
The article here suggests that "ip alias" should support a VPN endpoint; however, one of the bullets is causing me confusion:
- Subnet mask should match the interface IP, or be /32. Matching the interface subnet is advised. For IPs in different subnets at least one IP alias VIP must have the correct mask for the new subnet
The system is:
Version 2.0.3-RELEASE (i386)
built on Fri Apr 12 10:22:57 EDT 2013
FreeBSD 8.1-RELEASE-p13
So here are the questions.
Since the dynamic address assigned to my WAN interface is always going to be different from my static pool, should I assign all but one of the IP aliases a 32 bit mask and the remaining one a 29 bit mask?
If so, which IP alias should I assign the 29 bit mask to?
The reasons I ask:
When adding the IP alias I see the following error in the system.log:
php: /firewall_virtual_ip.php: The command '/sbin/ifconfig 'pppoe1' A.B.C.27/'29' alias' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
When configuring the openvpn or ipsec service, both complain of bind problems when using the ip alias.
The IP alias appear to work correctly when NAT'ed to services on the internal LAN, but not for services on the pfsense box itself.
I have searched the forum and bug track etc, but the issue could just be my understanding of how IP aliases work. I think the issue is more with the IP Alias than VPN, hence posting here.
Any help would be appreciated. Currently I have to anchor the VPNs on our dynamically assigned WAN IP. This is not ideal.
Regards
Jim