Carp: ip-aliases in different subnet ignored

casper4242

I'm trying to replace some outdated F5 load balancers with haproxy.  About the only show stopper at the
moment is the routing setup. Currently, we route the IP addresses of the virtual servers to a VIP on the F5. These
are all /32 routes, and are thus bound to not be in the same network as the connecting LAN. From a routing
perspective, I see no problem with such a setup:

lan:  {pfsense1} – {vip} -- {pfsense2}

ifconfig {vip} alias {vsvip1}/32
ifconfig {vip} alias {vsvip2}/32
...

on the upstreams routers:
ip route {vsvip1} 255.255.255.255 {vip}
ip route {vsvip2} 255.255.255.255 {vip}

the {vip} MAC should change between {pfsense1} and {pfsense2} as needed, thus causing the static route
above to also change between the two firewalls. Still, when i try to enter the ip alias to the vip, the GUI accepts
the entry, but I can't find it configured anywhere on an interface afterwards. It looks like the entry is silently
ignored. When I manually go into the shell and do

ifconfig opt10_vip8

I don't see any extra address except the carp IP. If I then do:

ifconfig opt10_vip8 alias {vsvip1}/32

the system accepts the address just fine.

this is with 2.1 snapshot of yesterday, July 28. Is there a good reason for this weird behavior?

Cheers,
Markus

UPDATE: interestingly, things work if I make the IP-Alias a child of Loopback...

jimp

If you are using IPs routed to you, then Loopback IP aliases are preferred.

You only need IP aliases on a WAN interface if that subnet is using Layer 2 on WAN to reach a "gateway" on WAN inside of their subnet.

Route all of the IPs to your external CARP VIP, use IP alias on localhost, and it works fine.

casper4242

Seems I have to get used to being able to work with the Loopback interface in pfsense, glad to hear this is now fully supported. Thanks!

And by the way: thanks for a great job with the conversion of old configurations. I recently migrated two old pfsense 1.x to 2.1
without a hitch!