2 LAN interfaces, behaviour



  • Config:
    2.1-RC2 (amd64)
    built on Wed Sep 4 23:56:00 EDT 2013
    FreeBSD 8.3-RELEASE-p10
    runs on VMware 5.1, E1000 network cards.

    Problem:
    LAN if: 10.2.1.1/16
    OPT1 if: 10.2.255.1/16
    Both interfaces active, I can reach the FW web interface on both IPs, all pingable.
    As soon as I disconnect the LAN cable, OPT1 stops working as well, but it should be active.
    Disconnecting OPT1 affects only this interface.

    Is something wrong, or is my understanding of connectivity not right?

    Note:
    Basically I need all interfaces but OPT1 inactive, to have access and change the configuration using the OPT1 interface only, avoiding duplicate IPs on the network.



  • Subnet mask is incorrect.



  • "Subnet mask is incorrect."
    Again, both interfaces LAN and OPT1 are on the same segment.


  • Banned

    You are doing it wrong. The configuration makes no sense, as already noted by ssheikh.



  • That is not a valid configuration. If you want two interfaces to be on the same subnet you have to create a bridge and put the two interfaces as members on the bridge.



  • On FreeBSD 9 I have 2 interfaces with different IPs on the same broadcast segment in the same network (roughly, connecting to the same switch).

    I would like to understand how LAN and OPT1 differ from my BSD 9 configuration, and how the bridge can help (BTW, I do remember a coax bridge; seems they are extinct now in any form).

    Please explain it to me …..

    "The configuration makes no sense"
    From some point of view it does .... I did this on a CISCO PIX firewall for some custom configuration, and didn't see behavior where disconnecting the cable from one interface affected a second interface....

    So ....
    adding one more interface, OPT2 ...
    How it works:
    Cable disconnection on OPT1 or OPT2 turns off only the corresponding interface (OPT1 or OPT2).
    Cable disconnection on LAN shuts down ALL 3 interfaces (LAN, OPT1, OPT2) ......
    Disable all packet filtering - ON



  • From the perspective of a firewall it does not make sense to have two interfaces on the same subnet. How would firewall rules apply in that case? Which interface would the firewall use to communicate on that dual connected subnet? How would NAT work?

    What exactly are you trying to accomplish?



  • I know it doesn't ….

    But I need something that I can connect to with BOTH LAN and WAN physical interfaces disconnected, to avoid IP collision,
    to transfer the configuration manually ...

    So I introduced the OPT1 interface; it works, I can connect ..... but when disconnecting LAN I'm losing both interfaces, which is not supposed to happen; I'm thinking it's somewhere inside the firewall that behaves like this ....


  • Banned

    Yeah. So assign it to a different subnet. I have a management port for this exact purpose on multiple boxes. With DHCP enabled, plug in a laptop, connect, fix it. You seriously are doing it wrong.



  • From a theoretical point I do not see any wrong configuration … I can have any number of interfaces as long as MACs and IPs are unique on the following segments\domains ..

    I also believe that cable disconnection from one interface should not affect the other interface ....

    Hope a Firewalls GURU will judge me



  • A firewall guru will tell you that you have a serious design flaw if this is necessary.



  • Lots of actual gurus just did judge…  They are modest.

    I'm not much of a guru, but if it helps, I'll add in.

    Don't put 2 NICs on the same subnet.


  • Banned

    Eh. Seriously. All you need for management port is a /30 outside of your LAN. One IP for the pfsense interface, one for the connected laptop or whatever else. Not 65K hosts in a /16. Let alone overlapping with the LAN.

    P.S. I see people configuring their multi-NIC NAS boxes like 192.168.1.1/24 and 192.168.1.2/24 all the time and complaining immediately that their networking is broken. It's not a broken idea just on firewalls.



  • I'm so glad I'm not smart enough to over-think my network.



  • So … Gurus ....

    Can anyone explain why an operation on the LAN interface, such as disconnecting the cable, will affect other interfaces like OPT1 and OPT2,

    BUT disconnecting OPT1 or OPT2 does not affect the others.....
    Without empty chat, "it's wrong", "outsmart" etc.; don't water down the thread.

    I have tons of installations of PIX and NetScreen; sometimes they behave out of logic, but none of them just shut interfaces 1 and 2 when interface 1 got disconnected....

    Back to business:
    will check if such behavior exists on 2.0.3 later ...
    and it's a remote network, I can operate within the existing /16 network ... so any advice of separate nets doesn't work.



  • So, there is no way for you to make this simple, neat and tidy with zero overlaps of subnets?

    I'm trying to understand why not?



  • @Olman:

    So … Gurus ....

    Can anyone explain why an operation on the LAN interface, such as disconnecting the cable, will affect other interfaces like OPT1 and OPT2,

    BUT disconnecting OPT1 or OPT2 does not affect the others.....

    I think you are so determined in trying to make this physical disconnection scheme of yours work that you are overlooking the obvious.

    The behavior you are seeing is what would be expected. The binding order in which the interfaces are configured and bound put LAN higher up in the order. When that interface is configured with an IP that belongs to a particular subnet and you take that interface down by disconnecting it, your pathway to that network/subnet also goes down. Once that happens, even if OPT2 still has link, your pathway to that subnet is still down. If you are expecting traffic to now miraculously start getting dumped out of OPT2 interface then that is not going to happen. If PIX OS dynamically switches the active interface from one to another then that doesn't make what PIX OS is doing right and what BSD is doing wrong because your configuration inherently is incorrect. That probably just means that PIX developers thought of yet another misconfiguration that we may be able to throw at the device and still have the device function somewhat.

    In today's world, when switch ports are at a premium, I am not sure why you want to waste one.

    And you still haven't told us what is it exactly that you are trying to achieve. If you are trying to disable management access to the firewall by the act of disconnecting a cable yet keep the webconfigurator bound to your LAN subnet, then try creating a phantom subnet bound to your opt2 interface. Create appropriate rules to block management access to firewall IPs on all subnets except for the phantom subnet, then use the firewall's routing table to get to the management apps bound to the IP on this phantom subnet. In that case when you down the interface by downing the link on that interface, your route should disappear as well and the management access should be lost. Or you could do things like that using NAT and port forwarding as well. Something like this would be a borderline absurd setup IMO.

    In a basic network you want to follow these very basic rules:

    1. Connect only one interface to one network or trunk unless you have an aggregate link or have a bridge group.
    2. Use VIPs if you need to have one device have multiple IPs on the same subnet.


  • Banned

    @Olman:

    so any advise of separate nets, don't work

    Not even going to think about why, but… forget that the port exists. Just forget it. Put duct tape on the port. Not needed and only causing borkage by your wrong configuration. It won't work, as explained in the post right above (and multiple times before).

    Some reading before I abandon this thread as utter waste of time:

    https://doc.pfsense.org/index.php/LAGG_Interfaces
    https://doc.pfsense.org/index.php/Interface_Bridges
    https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F



  • Ah..
    Bonding the subnet to the interface ….. Didn't think about that at all; killing that particular interface kills all rabbits.

    As I said:
    my goal is to mimic the configuration from another box, with the same ext\int IPs; the only way to do so is to down all ports and copycat the config using an additional "management port", everything remote.

    So the first idea was: an additional interface with the same IP range as the web management, active; everything works until I down the LAN port, then everything goes down, and that was a bloody surprise.

    OK, thank you guys, will do plan XYZ ...



  • Actually, I do think we have a general problem in FreeBSD ever since the networking stack was revamped. If having

    ifconfig em0 inet 192.168.1.10/24 up

    then

    ifconfig em1 inet 192.168.1.11/24 up

    should fail with an error, probably EINVAL or EADDRINUSE. And this was the case with the older
    network stack. Nowadays, it's just adding an implicit interface alias to em0, which is IMHO just wrong,
    but probably a side effect of the mentioned changes. In the old days, you were also not able to
    misconfigure your interface aliases by doing

    ifconfig em0 alias 192.168.1.123/24

    (with the above setup).  You had to

    ifconfig em0 alias 192.168.1.123/32

    Just for comparison, if you try to do the above on a Cisco, you get a proper error message:

    x(config)#int loop 100
    x(config-if)#ip add 192.168.1.10 255.255.255.0
    x(config-if)#int loop 101
    x(config-if)#ip add 192.168.1.11 255.255.255.0
    % 192.168.1.0 overlaps with Loopback100

    If the current FreeBSD behavior is not considered a bug, I have no idea what the benefits of that behavior
    are. The current thread problem wouldn't have come up, because the attempted wrong configuration wouldn't
    have been possible in the first place.



  • I'm guessing that upon LAN disconnect, pfSense runs a script to remove the routes/rules/… for LAN.
    Because your route for LAN & OPT1 is the same, it affects OPT1 and makes your firewall unreachable.

    This is a guess, but I'm probably not incredibly far off target.
    As others have pointed out, don't attempt this.... it'll probably be possible with some manual hacking, but why bother? There are plenty of other ways to accomplish your goal.

    @Olman:

    So … Gurus ....

    Can anyone explain why an operation on the LAN interface, such as disconnecting the cable, will affect other interfaces like OPT1 and OPT2,

    BUT disconnecting OPT1 or OPT2 does not affect the others.....
    Without empty chat, "it's wrong", "outsmart" etc.; don't water down the thread.

    I have tons of installations of PIX and NetScreen; sometimes they behave out of logic, but none of them just shut interfaces 1 and 2 when interface 1 got disconnected....

    Back to business:
    will check if such behavior exists on 2.0.3 later ...
    and it's a remote network, I can operate within the existing /16 network ... so any advice of separate nets doesn't work.
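Two things in this thread are worth checking before an interface plan is applied to a box: whether any two interfaces claim overlapping connected networks (the check Cisco IOS performs and the FreeBSD post says the newer stack no longer performs), and what happens to reachability when one link goes down under the "first-bound interface owns the subnet" explanation given above. The following is an added example, not code from pfSense, FreeBSD or anyone in the thread. The interface plans are constructed from the addresses posted above plus a /30 management subnet in the 192.0.2.0/24 documentation range as a placeholder; the route model is a deliberate simplification of the thread's explanation (the first interface in binding order owns the connected network, later ones become aliases), not a description of the real FreeBSD routing code.

```python
"""Check an interface plan for overlapping connected networks and model, in a
simplified way, which connected networks survive a link going down.
Added example; not pfSense or FreeBSD code."""
from ipaddress import ip_interface

# Constructed sample plans. List order is taken as the binding order.
POSTER_PLAN = [            # the configuration from the opening post
    ("LAN", "10.2.1.1/16"),
    ("OPT1", "10.2.255.1/16"),
]
MGMT_PLAN = [              # the /30 management port suggested later in the thread
    ("LAN", "10.2.1.1/16"),
    ("OPT1", "192.0.2.1/30"),   # placeholder subnet, documentation range
]
ALIAS_PLAN = [             # a /32 alias on the same NIC, which the FreeBSD post calls correct
    ("em0", "192.168.1.10/24"),
    ("em0", "192.168.1.123/32"),
]


def find_overlaps(plan):
    """Return (iface_a, iface_b, net_a, net_b) for every pair of *different*
    interfaces whose connected networks overlap. An empty list means the plan
    passes the same overlap check an IOS box applies before accepting an
    address. Extra addresses on the same interface are aliases, not overlaps."""
    nets = [(name, ip_interface(addr).network) for name, addr in plan]
    overlaps = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            a_name, a_net = nets[i]
            b_name, b_net = nets[j]
            if a_name != b_name and a_net.overlaps(b_net):
                overlaps.append((a_name, b_name, str(a_net), str(b_net)))
    return overlaps


def connected_routes(plan, link_up):
    """Simplified model of the thread's explanation: the first interface in
    binding order that configures a network owns its connected route; later
    interfaces on the same network become aliases and do not own a route.
    The route is usable only while the owner's link is up.
    Returns {network: owner_name or None (route down)}."""
    owner = {}
    for name, addr in plan:
        net = ip_interface(addr).network
        owner.setdefault(net, name)      # first configured interface wins
    return {str(net): (name if link_up.get(name, False) else None)
            for net, name in owner.items()}


def reachable_networks(plan, link_up):
    """Set of connected networks that still have a usable route."""
    return {net for net, o in connected_routes(plan, link_up).items() if o}


if __name__ == "__main__":
    print("overlaps in poster plan:", find_overlaps(POSTER_PLAN))
    print("overlaps in mgmt plan:  ", find_overlaps(MGMT_PLAN))
    print("poster plan, LAN link down:",
          reachable_networks(POSTER_PLAN, {"LAN": False, "OPT1": True}))
    print("mgmt plan, LAN link down:  ",
          reachable_networks(MGMT_PLAN, {"LAN": False, "OPT1": True}))
```

Run as a script, the overlap check flags LAN/OPT1 in the opening post's plan and passes the /30 management plan; the route model shows that with LAN down the poster's plan has no reachable connected network even though OPT1 still has link, while the management /30 stays reachable, which is the behaviour the thread describes.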