Bug #9786

closed

pfSense GUI allows incorrect VIP alias subnet.

Added by Anonymous over 4 years ago. Updated over 4 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Virtual IP Addresses
Target version: -
Start date: 09/23/2019
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.5.0
Affected Architecture:

Description

As of last week's updates for 2.5 (about Sept 20th, 2019) my VIP aliases stopped working; however, the issue does not appear to be something broken, but something now working, breaking because it was incorrect due to an otherwise invalid configuration.

As of current build 2.5.0.a.20190923.0844, any attempt to configure an IP alias in the same sub-net as the primary interface IP with a /24 to match the primary interface IP results in ifconfig error and the IP alias not binding.

Tracing the problem I found the following error in the system log:

"/firewall_virtual_ip.php: The command '/sbin/ifconfig 'vtnet0' inet '192.168.xx.99'/'24' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): File exists' "

A quick internet search on this error found that using the same subnet as the primary IP, when the alias is in the same sub-net as the primary IP, is incorrect; however, the pfSense documentation states otherwise.

When configuring an IP alias on an interface that is in the same sub-net as primary interface IP, the netmask should be a /32.

References:

https://www.freebsddiary.org/phorum/read.php?f=1&i=7526&t=7526
https://markmail.org/message/uttocjmuijy4kuxe
http://www.linuxmisc.com/8-freebsd/a88507c03bad2373.htm

However the pfSense documentation states:

"Subnet mask should match the interface IP, or be /32. Matching the interface subnet is advised. For IPs in different subnets at least one IP alias VIP must have the correct mask for the new subnet."

https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-address-feature-comparison.html?highlight=virtual

1) the pfSense GUI should not allow configuring an IP alias in the same sub-net as the primary interface, and perhaps default with a /32, and any attempt to do so results in ifconfig error and alias IP not binding. (sub-nets less than /24 work, but based on the broadcast behaviours noted in the referenced URLs, does not seem advisable.)

2) the documentation should be updated to correctly note that sub-nets other than /32, in this scenario, should not be used.

Actions #1

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Rejected

It was true years ago that /32 was required but that has not been the case for many years.

I have several /24 VIPs (CARP and IP Alias) on a current snapshot without errors. The only time I see an error is at the CLI if I attempt to add the exact same VIP twice.

It sounds like something specific to your configuration or environment. Please post on the Netgate Forum or the pfSense Subreddit to discuss and diagnose the issue.

See Reporting Issues with pfSense Software for more information.

Actions #2

Updated by Anonymous over 4 years ago

Thank you Jim, but I tested this via GUI, not via CLI, and have been able to reproduce this multiple times with today's current build.

Actions #3

Updated by Jim Pingle over 4 years ago

Same here, and it works fine for me. It is not repeatable as you state. That's why it needs moved to the forum to gather more info.

: ifconfig vmx1
vmx1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=60009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 00:0c:29:78:6e:58
    inet 10.6.0.1 netmask 0xffffff00 broadcast 10.6.0.255 
    inet 10.6.0.254 netmask 0xffffff00 broadcast 10.6.0.255 vhid 1 
    inet 10.6.0.253 netmask 0xffffff00 broadcast 10.6.0.255 
    inet 10.6.0.252 netmask 0xffffff00 broadcast 10.6.0.255 vhid 1 
    inet6 fe80::1:1%vmx1 prefixlen 64 scopeid 0x2 
    carp: MASTER vhid 1 advbase 1 advskew 0
    media: Ethernet autoselect
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
: ifconfig 'vmx1' inet '10.6.0.200'/'24' alias
: ifconfig vmx1
vmx1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=60009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 00:0c:29:78:6e:58
    inet 10.6.0.1 netmask 0xffffff00 broadcast 10.6.0.255 
    inet 10.6.0.254 netmask 0xffffff00 broadcast 10.6.0.255 vhid 1 
    inet 10.6.0.253 netmask 0xffffff00 broadcast 10.6.0.255 
    inet 10.6.0.252 netmask 0xffffff00 broadcast 10.6.0.255 vhid 1 
    inet 10.6.0.200 netmask 0xffffff00 broadcast 10.6.0.255 
    inet6 fe80::1:1%vmx1 prefixlen 64 scopeid 0x2 
    carp: MASTER vhid 1 advbase 1 advskew 0
    media: Ethernet autoselect
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
: ifconfig 'vmx1' inet '10.6.0.200'/'24' alias
ifconfig: ioctl (SIOCAIFADDR): File exists
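
Added example (not pfSense code and not posted by either commenter): a pre-check that parses `ifconfig` output and separates the one case where the session above returns `SIOCAIFADDR: File exists` (the address is already bound) from a new address inside an existing subnet. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample, modelled on the `ifconfig vmx1` output in comment #3.
sample_ifconfig() {
cat <<'EOF'
vmx1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 10.6.0.1 netmask 0xffffff00 broadcast 10.6.0.255
    inet 10.6.0.254 netmask 0xffffff00 broadcast 10.6.0.255 vhid 1
    inet 10.6.0.200 netmask 0xffffff00 broadcast 10.6.0.255
    inet6 fe80::1:1%vmx1 prefixlen 64 scopeid 0x2
EOF
}

# Convert a FreeBSD hex netmask (0xffffff00) to a prefix length (24)
# by counting set bits; assumes a contiguous mask.
mask_to_prefix() {
    m=$(( $1 )) n=0
    while [ "$m" -ne 0 ]; do
        n=$(( n + (m & 1) ))
        m=$(( m >> 1 ))
    done
    echo "$n"
}

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Read ifconfig output on stdin and classify the requested alias address:
#   "duplicate /N"   already bound (a second add fails with "File exists")
#   "same-subnet /N" not bound, falls inside an existing /N on the interface
#   "new-subnet"     not bound, outside every subnet on the interface
alias_precheck() {
    want=$1 want_i=$(ip_to_int "$1") verdict=new-subnet
    while read -r fam addr kw mask rest; do
        [ "$fam" = inet ] && [ "$kw" = netmask ] || continue
        if [ "$addr" = "$want" ]; then
            echo "duplicate /$(mask_to_prefix "$mask")"
            return 0
        fi
        if [ $(( $want_i & $mask )) -eq $(( $(ip_to_int "$addr") & $mask )) ]; then
            verdict="same-subnet /$(mask_to_prefix "$mask")"
        fi
    done
    echo "$verdict"
}
```

On a live system the input would be `ifconfig <interface> | alias_precheck <address>` run before the VIP is added.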