Adding second Ip range on interface

jeffreysmith · Mar 4, 2014, 8:16 AM

I have two blocks of /27 IP addresses assigned to my by my ISP that are both presented on one cable.

I have a cluster of 2 pfsense boxes and assigned the first /27 to the WAN interface on both machines and setup carp IP addresses for the rest of the range.

I am now trying to add the second range as IP Aliases onto one of the carp IP addresses which I believe is the recommended way to add these addresses and get them to failover between the firewalls but I am getting this error

The following input errors were detected:

    Sorry, we could not locate an interface with a matching subnet for 80.193.xxx.xxx/27\. Please add an IP alias in this subnet on this interface

What am I doing wrong ?

podilarius · Mar 4, 2014, 11:55 AM

I remember someone else running into this situation not to long ago. The issue is that CARP has to be defined within the same subnet as the interface you are using it on. In this case WAN. IIRC the way around this was to add an IPAlias either on the WAN or localhost such that you can add in a second IP range. I will do a little googleing when I get back and post if I find anything.

podilarius · Mar 4, 2014, 11:59 AM

Here it is:
https://forum.pfsense.org/index.php?topic=64910.0

jeffreysmith · Mar 4, 2014, 1:00 PM

thanks for the reply.

I am actually trying to route these to a default gateway from the WAN interface so I am assuming I can't just create a VIP on localhost.

Or do i still need to add one IP to localhost so i can then attach the rest to a carped IP on the WAN interface.

podilarius · Mar 4, 2014, 2:19 PM

Not sure how you are going to do this if your isp is not routing the second ips to the first. Perhaps another nic and 2 $20 switches?
I am not close to my allocation, but I am interested in other options here. I was going to have my ISP route and to the localhost expansion. Is this problem going to resolved in 2.2? I think I remember hearing mention that single IP CARP might be possible.

jeffreysmith · Mar 5, 2014, 10:06 PM

my ISP is routing the pair of ranges to me which is handled by a pair of cisco router in front of my pair of pfsense boxes. I have a single gateway address that I need to forward all the traffic to that deals with the traffic for both ranges.

I have tried adding the first two ips in each range as an IP alias on the localhost interface and on the wan interface but neither will allow me to attach a IP alias of the next IP up to the carped address on the wan.

Is this the right way to configure them or have i just got this wrong ?

podilarius · Mar 6, 2014, 2:02 AM

Honestly, it doesn't seem like a good setup. But I think more details are required. Can you describe in more detail the routing of the public IPs through the Ciscos to the pfSense pair. Are the Cisco routers working together also?

jeffreysmith · Mar 6, 2014, 12:20 PM

The two Cisco routers are connected together using HSRP which provides a Virtual IP that floats between the machines depending on which is the master(cisco's version of carp). Both firewall can connect to both routers through a pair of stacked switches. I just need to set a single default gateway on both firewalls and any router failure is handled by these cisco routers.

That is not really the problems it is more I cannot add multiple IP ranges to a single interface and have them float between two pfsense boxes. If it was a single box It would lets me add "IP aliases" on the WAN interface and that would be fine. The minute i try to add them onto a CAPP IP it throws errors like

Sorry, we could not locate an interface with a matching subnet for xx.xx.xx.xx/27\. Please add an IP Alias in this subnet on the interface

I have added the IP alias in the same subnet on the WAN and tried localhost interface but still get this error. Is it a bug, am I doing something wrong, does a service need restarting, There is currently nothing plugged into the WAN as I am setting this up before shipping to a different site does this affect it, I don't have High availability setup yet i was just testing this on one firewall does that need to be in place?

Sorry for the bombardment of question it just seems I am doing what the docs say and it doesn't work and gives an error that doesn't make sense as i have done what it says.

jeffreysmith · Mar 6, 2014, 3:32 PM

I think I have worked it out after looking at the code.

on the first machine I have added an IP alias of the first address in the range for example

IP ALIAS = xx.xx.xx.01/26 (pfsense1)

on the second machine I added an IP Alias of the second address in the range

IP ALIAS = xx.xx.xx.02/26 (pfsense2)

I then added a carped IP address using the third IP address in the range.

CARP = xx.xx.xx.03 /26

I can now create addresses in the xx.xx.xx.04+/ 26 range as IP aliases and set the interface to be the carped IP xx.xx.xx.03

No idea if this actually works but pfsense inst complaining and the configurations get replicated between the servers which is a start. Im also guessing the first two addresses in each range will be unusable for HA as they don't replicate.

podilarius · Mar 6, 2014, 8:17 PM

That is what the original link I posted talked about. Please let us know if it works for you.

jeffreysmith · Mar 7, 2014, 9:36 AM

I have tried this setup on two other pfsense boxes and it seems to work and passes traffic.

Thank you for the help