Add VirtualIP will not apply automatically when interface is not wan

[StormYudi]

Hi, thank you for your work.
Today I was trying to add virtualip via api,
What's different from the past is that the interface is opt3, not the wan, and then I found it can't be active:

I have to enter the setting of that vip record, click 'save' button, and it will active immediately, is that a bug related to the interface or something wrong? I have never met this problem when I was trying to add vip on wan.

Thanks again !

[jaredhendrickson13]

Hmm, this is an interesting one. It seems to work for me within a virtualized environment. I'll take a deeper look. Could you provide the ifconfig before and after you manually save the VIP?

[StormYudi]

Thank you for your reply, I tried many times and I found something weird.
Because this IP has already bound, So I was trying to unbind it and try again, IP: 124.132.136.23, which is bound to vlan 111 before via API.

After I deleted it from the VIP list in pfsense, it still exists in ifconfig, not the vlan 111, but the wan, so it still pingable:

vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=d00b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO,LINKSTATE>
ether 7a:66:fb:3b:0e:69
hwaddr 7a:66:fb:3b:0e:69
inet6 fe80::7866:fbff:fe3b:e69%vtnet0 prefixlen 64 scopeid 0x1
inet 119.188.248.195 netmask 0xffffff00 broadcast 119.188.248.255
inet 119.188.248.140 netmask 0xffffffff broadcast 119.188.248.140
inet 124.132.136.23 netmask 0xffffffff broadcast 124.132.136.23
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet 10Gbase-T
status: active
vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c00b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE>
ether 46:f9:78:65:0e:5d
hwaddr 46:f9:78:65:0e:5d
inet6 fe80::44f9:78ff:fe65:e5d%vtnet1 prefixlen 64 scopeid 0x2
inet 172.16.1.1 netmask 0xffffff00 broadcast 172.16.1.255
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet 10Gbase-T
status: active
vtnet2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c00b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE>
ether f2:25:ea:95:7f:16
hwaddr f2:25:ea:95:7f:16
inet6 fe80::f025:eaff:fe95:7f16%vtnet2 prefixlen 64 scopeid 0x3
inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet 10Gbase-T
status: active
vtnet3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c00b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE>
ether 3e:c1:82:6a:91:26
hwaddr 3e:c1:82:6a:91:26
inet6 fe80::3cc1:82ff:fe6a:9126%vtnet3 prefixlen 64 scopeid 0x4
inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet 10Gbase-T
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo
enc0: flags=0<> metric 0 mtu 1536
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: enc
pfsync0: flags=0<> metric 0 mtu 1500
groups: pfsync
pflog0: flags=100 metric 0 mtu 33160
groups: pflog
vtnet0.111: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80000
ether 7a:66:fb:3b:0e:69
inet6 fe80::7866:fbff:fe3b:e69%vtnet0.111 prefixlen 64 scopeid 0x9
inet 124.132.136.12 netmask 0xffffff00 broadcast 124.132.136.255
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet 10Gbase-T
status: active
vlan: 111 vlanpcp: 0 parent interface: vtnet0
groups: vlan

[StormYudi]

But I was tried to add an fake IP like 1.1.1.1, It will exist only in vtnet0.111, not the vtnet0, after delete it, it's not exists anymore.

so I think there is the wrong thing..

[jaredhendrickson13]

I've been trying to reproduce this using several different interfaces and interface types but I still can't seem to replicate this behavior simply by adding and removing virtual IPs using the API or UI. However, looking at your ifconfig I think I understand what is happening here. There is a misalignment between your pfSense configuration and the actual interfaces on your system. At some point the virtual IP 124.132.136.23 was applied to vtnet0 which I'm assuming is your WAN interface. For whatever reason the corresponding pfSense configuration does not exist. This likely causes a conflict when you try to add the same 124.132.136.23 IP to a different interface as it is technically already in use.

If my assumption is correct, you should be able to fix this fairly easily. Within pfSense, create the virtual IP 124.132.136.23 on your WAN interface (make sure the IP doesn't exist on any other interface). Then delete that virtual IP after applying it. This should remove the virtual IP's binding to that interface and allow you to use it on your other interface as expected.

Hopefully this helps. Let me know if you find anything else.

Thanks!

[StormYudi]

Thank you for your reply :)

I follow your guide and I have successfully unbind the IP from pfsense, But after I removed 124.132.136.23 from pfsense, and try to bind it again via API, it still have some trouble.

I can see that VIP in pfsense UI shows it is bound to VLAN111, but in ifconfig, it shows that it has been bound to vtenet0, which is not the vlan111, or opt3: vtnet0.111 as I except. Like I've tried before, add a fake IP: 1.1.1.1 in UI, bind it to vlan111, it will only shows in vtnet0.111 not in the vtnet0.

UI:

ifconfig:

Here is my interface configuration, I hope it will help.

1. Create a VLANs with tag 111.
2. Create a interface from the vlan named vlan111.
3. Call API /api/v1/firewall/virtual_ip", {
   "mode": "ipalias",
   "interface": "opt3",
   "subnet": "124.132.136.23",
   "descr": "VIP:124.132.136.23"
   })

And if I try too apply it in UI, it will add the IP to vtnet0.111 with record in vtnet0 existing.....

Thanks again.