    Netgate Discussion Forum

    CARP IP address /31

    • A
      anhackers last edited by

      Hi,

      We have an issue with the graphical interface when we set /31 as the subnet mask of a CARP IP address, even though it's the correct subnet mask (ISP link).

      I have tested modifying the configuration file directly with the /31 netmask and it works fine.

      Is it possible to correct this bug? Restoring a configuration is not very easy in production ;-)

      Thanks in advance,

      Olivier GUENET

      • jimp
        jimp Rebel Alliance Developer Netgate last edited by

        Can you provide a bit more detail about your specific WAN IP address and CARP IP address configuration?

        It's possible the input validation needs to be relaxed in the special /31 case. Support for /31 masks is still relatively recent in FreeBSD (and pfSense) so there are bound to be some areas that were overlooked.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • A
          anhackers last edited by

          Yes, for example I provide a 185.X.X.X/31 IP address, with an interface IP address of 10.1.1.254/31, and 10.1.1.255/31 on the second pfSense.

          The graphical interface rejects the CARP configuration, because it seems to be a bad netmask.

          Thanks,

          • jimp
            jimp Rebel Alliance Developer Netgate last edited by

            Have you tried editing the code on the virtual IP configuration page to remove that input validation? If the input validation is removed and it actually works, then it's a very easy fix.

            • A
              anhackers last edited by

              Hi,

              Yes, I have edited firewall_virtual_ip_edit.php:

              /* ipalias and carp should not use network or broadcast address */
              if ($_POST['mode'] == "ipalias" || $_POST['mode'] == "carp") {
                  if (is_ipaddrv4($_POST['subnet']) && $_POST['subnet_bits'] != "32" && $_POST['subnet_bits'] != "31") {
                      $network_addr = gen_subnet($_POST['subnet'], $_POST['subnet_bits']);
                      $broadcast_addr = gen_subnet_max($_POST['subnet'], $_POST['subnet_bits']);
                  } else if (is_ipaddrv6($_POST['subnet']) && $_POST['subnet_bits'] != "128") {
                      $network_addr = gen_subnetv6($_POST['subnet'], $_POST['subnet_bits']);
                      $broadcast_addr = gen_subnetv6_max($_POST['subnet'], $_POST['subnet_bits']);
                  }

                  if (isset($network_addr) && $_POST['subnet'] == $network_addr)
                      $input_errors[] = gettext("You cannot use the network address for this VIP");
                  else if (isset($broadcast_addr) && $_POST['subnet'] == $broadcast_addr)
                      $input_errors[] = gettext("You cannot use the broadcast address for this VIP");
              }

              Is it possible to integrate this modification into newer releases, please?

              Thanks,

              Olivier

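The effect of the `!= "31"` condition in the post above, as an added example that is not part of the original post and is not pfSense code: a Python sketch that uses the standard `ipaddress` module in place of pfSense's `gen_subnet()` helpers. The function name `vip_errors` and the `exempt_ptp` flag are assumptions made for illustration; the 192.0.2.x and 2001:db8:: inputs are constructed samples.

```python
import ipaddress

NET_ERR = "You cannot use the network address for this VIP"
BCAST_ERR = "You cannot use the broadcast address for this VIP"


def vip_errors(addr, bits, exempt_ptp=True):
    """Return input errors for an IP alias / CARP VIP address.

    exempt_ptp=True models the check with the "31" condition added;
    exempt_ptp=False models the check that only skipped /32 and /128.
    Malformed addresses or prefix lengths raise ValueError.
    """
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)

    # Prefix lengths that have no reserved network/broadcast address.
    skip = {32} if ip.version == 4 else {128}
    if exempt_ptp and ip.version == 4:
        skip.add(31)  # point-to-point link, both addresses usable (RFC 3021)
    if bits in skip:
        return []

    # For IPv6, broadcast_address is simply the highest address in the
    # prefix, which is what the *_max helper in the post computes.
    if ip == net.network_address:
        return [NET_ERR]
    if ip == net.broadcast_address:
        return [BCAST_ERR]
    return []


if __name__ == "__main__":
    # (address, prefix length); the first two are the /31 pair from the thread.
    samples = [("10.1.1.254", 31), ("10.1.1.255", 31),
               ("192.0.2.0", 24), ("192.0.2.255", 24), ("192.0.2.10", 24),
               ("2001:db8::", 64), ("2001:db8::1", 128)]
    for addr, bits in samples:
        before = vip_errors(addr, bits, exempt_ptp=False)
        after = vip_errors(addr, bits)
        print(f"{addr}/{bits}: without /31 exemption={before} with={after}")
```

In a /31 every address is either the lowest or the highest in the prefix, so the check without the exemption rejects both usable addresses, while the network and broadcast checks on wider prefixes stay in force.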
              • jimp
                jimp Rebel Alliance Developer Netgate last edited by

                You can submit it as a pull request on Github, and/or open an entry on https://redmine.pfsense.org/ stating that the input validation needs corrected.
