Secondary LAN IP (same subnet) for management?
-
I think the subject is pretty self-explanatory… I would like to add a second IP to the LAN interface (in the same subnet as the primary), with the intent to use it for management access.
I'm in the process of moving hardware around on IPs and will be changing the pfSense LAN IP / replacing it with a Cisco router on the same IP, so I wanted an additional LAN access IP so I can still manage the unit without having to access it from the WAN (currently disabled) or use the console.
I tried adding a VIP of type "IP Alias", but I can't ping it or access that IP from a client on the same network... am I doing something wrong, or is this not supposed to work?
-
Make sure you have a pass firewall rule for that VIP on your LAN interface.
-
I do…
Pass all from LAN subnet to (alternate management IP)
Pass all from (alt management IP) to *
I am getting an ARP response (this is arp -a from my laptop) from the alternate IP, it just doesn't answer ping...
(192.168.136.253) at 0:0:24:ce:99:85 on en0 ifscope [ethernet]
That's the correct MAC address for the pf LAN interface where the VIP was added.
-
You're doing something wrong. With just the default rules, you should automatically be able to access the web interface on the LAN interface using an IP Alias.
-
Would having a VPN tunnel possibly be "doing it wrong" in this case? The ruleset was the default, with the addition of a rule allowing traffic from the remote end of the VPN to hit the LAN side and vice versa. There are zero deny rules in the LAN ruleset.
The VPN tunnel is configured with a remote endpoint of 192.168.0.0/16… the LAN is 192.168.136.1, I was trying to add .253 as the alternate VIP. The system did happen to be running 2.0.2 rather than 2.0.3.
I've pulled it out of production at this point (made the cut-over and didn't need to access it again), but I'm still curious as to why it didn't work.
-
Did it have a route to the VPN client subnet using the VPN server as the gateway?
-
@KurianOfBorg:
Did it have a route to the VPN client subnet using the VPN server as the gateway?
I'm not exactly sure what you mean by "VPN client subnet" and "VPN server" here. I have no VPN "clients" here other than pfSense itself.
This pf box was using IPsec for a P2P VPN to a corporate office, through which it also needed to be able to access other P2P sites (NOT on VPN).
Rather than having a separate IPsec phase 2 entry for every single remote subnet (all of which would be /24s), there are two "summary" phase 2 entries (each /16) that cover all of the remote ranges. In the "Local Network" column we have the LAN subnet of the pfSense machine (192.168.136.0/24) and the "Remote Network" was 192.168.0.0/16.
I would think that the VIP being a more specific "connected" route should win, but I've seen strangeness with pfSense + IPsec and routing in the past so I suspect that the /16 summary may somehow be clobbering the VIP.
For the same reason, I can't get to a cable modem's management page on the WAN side of a system, even if I have a VIP set up in the same subnet on the WAN, because Racoon seems to "win" over any other routing on pfSense. (Same VPN setup, 192.168.0.0/16, a different /24 LAN subnet, and the typical cable modem of 192.168.100.1 on the WAN.)
I'd say that the weirdness around routing and IPsec in pfSense is one of its largest weaknesses at this point. :(
-
Definitely sounds like the routing. An IP alias is just like adding an additional IP on your PC. By default, everything binds to it.
-
@KurianOfBorg:
Definitely sounds like the routing. An IP alias is just like adding an additional IP on your PC. By default, everything binds to it.
There were no routes added manually to the system, so it has to be something with Racoon/IPsec and the way it "takes over" in a sense.
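A small pre-flight check for the suspicion raised in the last two posts (the /16 "summary" phase 2 entry covering the VIP and the LAN), added here as an example; it is not code from any poster or from pfSense. It takes the LAN subnet, the proposed VIP and the phase 2 remote networks from the thread and reports any selector that covers the VIP or overlaps the LAN; the thread names only one of the two /16 summaries, so the second one below is a constructed placeholder.

```python
import ipaddress

# Values taken from the thread: pfSense LAN subnet, the proposed
# management VIP, and the /16 "summary" phase 2 remote network.
LAN_NET = "192.168.136.0/24"
MGMT_VIP = "192.168.136.253"
# The thread mentions two /16 summaries but names only one; the
# second entry here is a constructed placeholder.
PHASE2_REMOTE_NETS = ["192.168.0.0/16", "172.16.0.0/16"]


def covering_selectors(addr, remote_nets):
    """Phase 2 remote networks whose selector contains addr.

    Phase 2 entries are security-policy (SPD) selectors matched on
    src/dst addresses independently of the routing table, so a more
    specific connected route does not exempt an address they cover.
    """
    ip = ipaddress.ip_address(addr)
    return [n for n in remote_nets if ip in ipaddress.ip_network(n)]


def overlapping_selectors(local_net, remote_nets):
    """Phase 2 remote networks that overlap the local (LAN) network itself."""
    lan = ipaddress.ip_network(local_net)
    return [n for n in remote_nets if lan.overlaps(ipaddress.ip_network(n))]


def check_management_vip(local_net, vip, remote_nets):
    """Return a list of findings; an empty list means no conflict found.

    ARP is handled below IP and is not subject to SPD policy, which is
    consistent with the symptom: the VIP answers ARP, but IP traffic to
    it (ping, the web GUI) does not get through.
    """
    findings = []
    if ipaddress.ip_address(vip) not in ipaddress.ip_network(local_net):
        findings.append(f"{vip} is outside {local_net}")
    for n in covering_selectors(vip, remote_nets):
        findings.append(f"{vip} is covered by phase 2 remote network {n}")
    for n in overlapping_selectors(local_net, remote_nets):
        findings.append(f"local network {local_net} overlaps phase 2 remote network {n}")
    return findings


if __name__ == "__main__":
    for line in check_management_vip(LAN_NET, MGMT_VIP, PHASE2_REMOTE_NETS):
        print(line)
```

The same check applied to the cable modem address from the thread (192.168.100.1) shows it is covered by the 192.168.0.0/16 selector as well, which is the case described above where the WAN-side VIP does not help.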