Carp: ip-aliases in different subnet ignored



  • I'm trying to replace some outdated F5 load balancers with haproxy.  About the only show stopper at the
    moment is the routing setup. Currently, we route the IP addresses of the virtual servers to a VIP on the F5. These
    are all /32 routes, and are thus bound to not be in the same network as the connecting LAN. From a routing
    perspective, I see no problem with such a setup:

    lan:  {pfsense1} – {vip} -- {pfsense2}

    ifconfig {vip} alias {vsvip1}/32
    ifconfig {vip} alias {vsvip2}/32
    ...

    on the upstreams routers:
    ip route {vsvip1} 255.255.255.255 {vip}
    ip route {vsvip2} 255.255.255.255 {vip}

    the {vip} MAC should change between {pfsense1} and {pfsense2} as needed, thus causing the static route
    above to also change between the two firewalls. Still, when i try to enter the ip alias to the vip, the GUI accepts
    the entry, but I can't find it configured anywhere on an interface afterwards. It looks like the entry is silently
    ignored. When I manually go into the shell and do

    ifconfig opt10_vip8

    I don't see any extra address except the carp IP. If I then do:

    ifconfig opt10_vip8 alias {vsvip1}/32

    the system accepts the address just fine.

    this is with 2.1 snapshot of yesterday, July 28. Is there a good reason for this weird behavior?

    Cheers,
    Markus

    UPDATE: interestingly, things work if I make the IP-Alias a child of Loopback...


  • Rebel Alliance Developer Netgate

    If you are using IPs routed to you, then Loopback IP aliases are preferred.

    You only need IP aliases on a WAN interface if that subnet is using Layer 2 on WAN to reach a "gateway" on WAN inside of their subnet.

    Route all of the IPs to your external CARP VIP, use IP alias on localhost, and it works fine.



  • Seems I have to get used to being able to work with the Loopback interface in pfsense, glad to hear this is now fully supported. Thanks!

    And by the way: thanks for a great job with the conversion of old configurations. I recently migrated two old pfsense 1.x to 2.1
    without a hitch!