Bug #9786
closed
pfSense GUI allows incorrect VIP alias subnet.
0%
Description
As of last weeks updates for 2.5 (about Sept 20th, 2019) my VIP aliases stopped working, however the issue does not appear to be something broken, but something now working, breaking because it was incorrect due to an otherwise invalid configuration.
As of current build 2.5.0.a.20190923.0844, any attempt to configure an IP alias in the same sub-net as the primary interface IP with a /24 to match the primary interface IP results in ifconfig error and the IP alias not binding.
Tracing the problem I found the following error in the system log:
"/firewall_virtual_ip.php: The command '/sbin/ifconfig 'vtnet0' inet '192.168.xx.99'/'24' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): File exists' "
A quick internet search on this error found that using the same subnet as the primary IP, when they alias is in the same sub-net as the primary IP, is incorrect, however the pfSense documentation states otherwise.
When configuring an IP alias on an interface that is in the same sub-net as primary interface IP, the netmask should be a /32.
References:
https://www.freebsddiary.org/phorum/read.php?f=1&i=7526&t=7526
https://markmail.org/message/uttocjmuijy4kuxe
http://www.linuxmisc.com/8-freebsd/a88507c03bad2373.htm
However the pfSense documentation states:
"Subnet mask should match the interface IP, or be /32. Matching the interface subnet is advised. For IPs in different subnets at least one IP alias VIP must have the correct mask for the new subnet."
1) the pfSense gui should not allow configuring an IP alias in the same sub-net as the primary interface, and perhaps default with a /32, , and any attempt to do so results in ifconfig error and alias IP not binding. (sub-nets less than /24 work, but based on the broadcast behaviours noted in the referenced URL's, does not seem advisable.)
2) the documentation should be updated to correctly note that sub-nets other than /32, in this scenario, should not be used.
Updated by