Netgate Discussion Forum

    Secondary LAN IP (same subnet) for management?

    HA/CARP/VIPs
    9 Posts 3 Posters 2.5k Views
      ZPrime

      I think the subject is pretty self-explanatory… I would like to add a second IP to the LAN interface (in the same subnet as the primary), with the intent to use it for management access.

      I'm in the process of moving hardware around on IPs and will be changing the pfSense LAN IP / replacing it with a Cisco router on the same IP, so I wanted an additional LAN access IP so I can still manage the unit without having to access it from the WAN (currently disabled) or use the console.

      I tried adding a VIP of type "IP Alias", but I can't ping it or access that IP from a client on the same network...  am I doing something wrong, or is this not supposed to work?

        timthetortoise

        Make sure you have a pass firewall rule for that VIP on your LAN interface.

          ZPrime

          I do…

          Pass all from LAN subnet to (alternate management IP)
          Pass all from (alt management IP) to *

          I am getting an ARP response (this is arp -a from my laptop) from the alternate IP, it just doesn't answer ping...

          (192.168.136.253) at 0:0:24:ce:99:85 on en0 ifscope [ethernet]

          That's the correct MAC address for the pf LAN interface where the VIP was added.

            kathampy

            You're doing something wrong. With just the default rules, you should automatically be able to access the web interface on the LAN interface using an IP Alias.

              ZPrime

              Would having a VPN tunnel possibly be "doing it wrong" in this case?  The ruleset was the default, with the addition of a rule allowing traffic from the remote end of the VPN to hit the LAN side and vice versa.  There are zero deny rules in the LAN ruleset.

              The VPN tunnel is configured with a remote endpoint of 192.168.0.0/16…  the LAN is 192.168.136.1, I was trying to add .253 as the alternate VIP.  The system did happen to be running 2.0.2 rather than 2.0.3.

              I've pulled it out of production at this point (made the cut-over and didn't need to access it again), but I'm still curious as to why it didn't work.

                kathampy

                Did it have a route to the VPN client subnet using the VPN server as the gateway?

                  ZPrime

                  @KurianOfBorg:

                  Did it have a route to the VPN client subnet using the VPN server as the gateway?

                  I'm not exactly sure what you mean by "VPN client subnet" and "VPN server" here.  I have no VPN "clients" here other than pfSense itself.

                  This pf box was using IPsec for a P2P VPN to a corporate office, through which it also needed to be able to access other P2P sites (NOT on VPN).

                  Rather than having a separate IPsec phase 2 entry for every single remote subnet (all of which would be /24s), there are two "summary" phase2 entries (each /16) that cover all of the remote ranges.  In the "Local Network" column we have the LAN subnet of the pfSense machine (192.168.136.0/24) and the "Remote Network" was 192.168.0.0/16.

                  I would think that the VIP being a more specific "connected" route should win, but I've seen strangeness with pfSense + IPsec and routing in the past so I suspect that the /16 summary may somehow be clobbering the VIP.

                  For the same reason, I can't get to a cable modem's management page on the WAN side of a system, even if I have a VIP set up in the same subnet on the WAN, because Racoon seems to "win" over any other routing on pfSense.  (Same VPN setup, 192.168.0.0/16, a different /24 LAN subnet, and the typical cable modem of 192.168.100.1 on the WAN.)

                  I'd say that the weirdness around routing and IPsec in pfSense is one of its largest weaknesses at this point.  :(

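Added example, not code from the thread or from pfSense itself: a small Python model of the phase 2 selector overlap ZPrime describes above. If the tunnel policy is applied by matching a packet's source and destination against the phase 2 selectors, as suspected in the post, then a /16 remote network that also contains the local LAN claims the ping reply from the VIP to a LAN client, and at the second site it claims a LAN host's packet to the modem at 192.168.100.1 regardless of the WAN-side VIP. The LAN client address (.50), the second site's LAN subnet (192.168.20.0/24) and the 10.1.1.5 destination are constructed for the example; the thread does not give them.

```python
import ipaddress


def parse_policies(entries):
    """Turn ("local CIDR", "remote CIDR") pairs into network objects.

    strict=False tolerates host bits in a selector (e.g. "192.168.136.1/24").
    """
    return [
        (ipaddress.ip_network(local, strict=False), ipaddress.ip_network(remote, strict=False))
        for local, remote in entries
    ]


def overlapping_policies(policies, connected):
    """Phase 2 entries whose remote selector overlaps a directly connected subnet.

    Returns (local, remote, connected_subnet) string triples. Any hit means the
    tunnel policy claims destinations that are actually on a local segment.
    """
    findings = []
    for local, remote in policies:
        for subnet in connected:
            if remote.overlaps(subnet):
                findings.append((str(local), str(remote), str(subnet)))
    return findings


def matching_policy(src, dst, policies):
    """First phase 2 entry whose selectors match an outbound src -> dst packet.

    Returns (local, remote) as strings, or None when the packet would be left
    to ordinary routing.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for local, remote in policies:
        if s in local and d in remote:
            return (str(local), str(remote))
    return None


# Site described in the thread: LAN 192.168.136.0/24 (VIP .253), one "summary"
# phase 2 whose remote network is 192.168.0.0/16.
SITE_A_POLICIES = parse_policies([("192.168.136.0/24", "192.168.0.0/16")])
SITE_A_CONNECTED = [ipaddress.ip_network("192.168.136.0/24")]

# Second site mentioned (cable modem at 192.168.100.1 on the WAN). The thread
# only says "a different /24 LAN subnet", so 192.168.20.0/24 is a constructed
# placeholder; the modem's 192.168.100.0/24 is reached via a WAN-side VIP.
SITE_B_POLICIES = parse_policies([("192.168.20.0/24", "192.168.0.0/16")])
SITE_B_CONNECTED = [
    ipaddress.ip_network("192.168.20.0/24"),
    ipaddress.ip_network("192.168.100.0/24"),
]


def main():
    # Audit: which phase 2 selectors swallow locally connected subnets?
    for name, pols, conn in (("site A", SITE_A_POLICIES, SITE_A_CONNECTED),
                             ("site B", SITE_B_POLICIES, SITE_B_CONNECTED)):
        for local, remote, subnet in overlapping_policies(pols, conn):
            print(f"{name}: phase 2 {local} -> {remote} overlaps connected {subnet}")

    # Ping reply from the VIP to a LAN client (client address constructed).
    print("VIP reply .253 -> .50 matches:",
          matching_policy("192.168.136.253", "192.168.136.50", SITE_A_POLICIES))
    # A destination outside the /16 is untouched by the policy.
    print("VIP reply .253 -> 10.1.1.5 matches:",
          matching_policy("192.168.136.253", "10.1.1.5", SITE_A_POLICIES))
    # LAN host at site B trying to reach the modem on the WAN side.
    print("LAN host -> 192.168.100.1 matches:",
          matching_policy("192.168.20.10", "192.168.100.1", SITE_B_POLICIES))


if __name__ == "__main__":
    main()
```

The audit in overlapping_policies is the check worth running against any phase 2 list: a remote selector that overlaps a directly connected subnet (the LAN itself, or a subnet such as the modem's on the WAN side) is exactly the condition under which a summary route into the tunnel can shadow local traffic.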
                    kathampy

                    Definitely sounds like the routing. An IP alias is just like adding an additional IP on your PC. By default, everything binds to it.

                      ZPrime

                      @KurianOfBorg:

                      Definitely sounds like the routing. An IP alias is just like adding an additional IP on your PC. By default, everything binds to it.

                      There were no routes added manually to the system, so it has to be something with Racoon/IPsec and the way it "takes over" in a sense.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.