CARP IP address /31



  • Hi,

    We have an issue with the graphical interface when we set /31 as the subnet mask of a CARP IP address, even though it's the correct subnet mask (ISP link).

    I have tested modifying the configuration file directly with the /31 netmask and it works fine.

    Is it possible to correct this bug? Restoring the configuration is not very easy in production ;-)

    Thanks in advance,

    Olivier GUENET


  • Rebel Alliance Developer Netgate

    Can you provide a bit more detail about your specific WAN IP address and CARP IP address configuration?

    It's possible the input validation needs to be relaxed in the special /31 case. Support for /31 masks is still relatively recent in FreeBSD (and pfSense) so there are bound to be some areas that were overlooked.



    Yes, for example I provide a 185.X.X.X/31 IP address with an interface IP address of 10.1.1.254/31, and 10.1.1.255/31 on the second pfSense.

    The graphical interface rejects the CARP configuration because it seems to be a bad netmask.

    Thanks,


  • Rebel Alliance Developer Netgate

    Have you tried editing the code on the virtual IP configuration page to remove that input validation? If the input validation is removed and it actually works, then it's a very easy fix.



  • Hi,

    Yes, I have edited firewall_virtual_ip_edit.php:

    /* ipalias and carp should not use network or broadcast address */
    if ($_POST['mode'] == "ipalias" || $_POST['mode'] == "carp") {
        if (is_ipaddrv4($_POST['subnet']) && $_POST['subnet_bits'] != "32" && $_POST['subnet_bits'] != "31") {
            $network_addr = gen_subnet($_POST['subnet'], $_POST['subnet_bits']);
            $broadcast_addr = gen_subnet_max($_POST['subnet'], $_POST['subnet_bits']);
        } else if (is_ipaddrv6($_POST['subnet']) && $_POST['subnet_bits'] != "128") {
            $network_addr = gen_subnetv6($_POST['subnet'], $_POST['subnet_bits']);
            $broadcast_addr = gen_subnetv6_max($_POST['subnet'], $_POST['subnet_bits']);
        }

        if (isset($network_addr) && $_POST['subnet'] == $network_addr)
            $input_errors[] = gettext("You cannot use the network address for this VIP");
        else if (isset($broadcast_addr) && $_POST['subnet'] == $broadcast_addr)
            $input_errors[] = gettext("You cannot use the broadcast address for this VIP");
    }

    Is it possible to integrate this modification into newer releases, please?

    Thanks,

    Olivier
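
Added example, not part of the original posts and not pfSense code: a stand-alone PHP sketch of the check discussed in this thread, exempting /31 (RFC 3021 point-to-point links, where both addresses are usable hosts) and /32 from the network/broadcast test. The function names are hypothetical, a 64-bit PHP build is assumed, and the sample list is constructed apart from 10.1.1.254/31 and 10.1.1.255/31, which come from the thread.

```php
<?php
// Added example: stand-alone sketch, not pfSense code. Function names are hypothetical.

/** Return [network, broadcast] of an IPv4 subnet as integers (64-bit PHP assumed). */
function subnet_bounds(string $ip, int $bits): array {
    $mask = (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    $network = ip2long($ip) & $mask;
    return [$network, $network | (~$mask & 0xFFFFFFFF)];
}

/** Return an error string if $ip/$bits must be rejected as a VIP, or null if acceptable. */
function vip_address_error(string $ip, int $bits): ?string {
    if (ip2long($ip) === false || $bits < 0 || $bits > 32) {
        return "invalid IPv4 address or prefix length";
    }
    // /32 is a single host and /31 is a point-to-point link (RFC 3021):
    // neither has a reserved network or broadcast address, so skip the test.
    if ($bits >= 31) {
        return null;
    }
    [$network, $broadcast] = subnet_bounds($ip, $bits);
    $addr = ip2long($ip);
    if ($addr === $network) {
        return "network address cannot be used for this VIP";
    }
    if ($addr === $broadcast) {
        return "broadcast address cannot be used for this VIP";
    }
    return null;
}

// Constructed sample input; the two /31 entries are the interface addresses from the thread.
$samples = [
    ["10.1.1.254", 31], ["10.1.1.255", 31],   // both ends of the /31 link: accepted
    ["10.1.1.0", 24],   ["10.1.1.255", 24],   // network and broadcast of a /24: rejected
    ["10.1.1.254", 30], ["10.1.1.255", 30],   // host and broadcast of a /30
    ["10.1.1.256", 24],                       // malformed address: rejected before the subnet test
];
foreach ($samples as [$ip, $bits]) {
    printf("%-14s /%-2d  %s\n", $ip, $bits, vip_address_error($ip, $bits) ?? "accepted");
}
```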


  • Rebel Alliance Developer Netgate

    You can submit it as a pull request on GitHub, and/or open an entry on https://redmine.pfsense.org/ stating that the input validation needs to be corrected.

