Hello!
We're on 23.10, WAN is a PPPoE interface. It works fine. I've added two new virtual IPs (IP Alias) to it (WAN -> pppoe1), I can see incoming ICMP requests, but they seem to be *forwarded* to the default gateway instead of replied to. So they come in through WAN, then go out through WAN again.
19:50:39.291317 IP XXX.XXX.144.157 > XXX.XXX.162.48: ICMP echo request, id 70, seq 26, length 64
19:50:39.291327 IP XXX.XXX.144.157 > XXX.XXX.162.48: ICMP echo request, id 70, seq 26, length 64
The web UI shows the same [see screenshot]. How can I check with command line tools whether the IP aliases are correctly added to the pppoe1 interface?
Thanks for any help with this,
Greetings
It is working exactly as it should. IP aliases on PPPoE require a gateway. You cannot add an IP alias without it. Example:
# ifconfig pppoe0 inet 192.0.2.123/32 alias pppoe-isp-gw-ip
Look at
ifconfig pppoe0
to see what's set up there.
On another note - CARP and proxy ARP should never be allowed for PPPoE in the GUI -- because it's not supported and does not work:
# ifconfig pppoe0 inet 192.0.2.123/32 alias vhid 10
ifconfig: SIOCGVH: Operation not supported
# choparp pppoe0 auto 192.0.2.123/32
pppoe0: not found
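An added example (not posted by anyone in this thread): a shell check for the "look at ifconfig pppoe0" step above, reporting whether an alias is present and which destination (gateway) it was given. It assumes FreeBSD's ifconfig prints point-to-point addresses as `inet ADDR --> DEST netmask ...`; the function names, the sample output and all addresses are constructed.

```shell
#!/bin/sh
# check_alias ADDR [EXPECTED_GW]   (hypothetical helper name)
# Reads `ifconfig <pppoe-if>` output on stdin and reports the state of ADDR:
#   ok DEST                 alias present with a destination address
#   wrong-destination DEST  present, but DEST differs from EXPECTED_GW
#   no-destination          present, but no "--> DEST" on the line
#   missing                 address is not configured on the interface
check_alias() {
    awk -v addr="$1" -v gw="$2" '
        $1 == "inet" && $2 == addr {
            found = 1
            # Point-to-point addresses are printed as: inet ADDR --> DEST ...
            if ($3 == "-->" && $4 != "") dst = $4
        }
        END {
            if (!found)                { print "missing"; exit 1 }
            if (dst == "")             { print "no-destination"; exit 2 }
            if (gw != "" && dst != gw) { print "wrong-destination " dst; exit 3 }
            print "ok " dst
        }
    '
}

# Constructed sample of `ifconfig pppoe0` output (documentation addresses).
sample_ifconfig() {
    cat <<'EOF'
pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
    inet 198.51.100.10 --> 203.0.113.1 netmask 0xffffffff
    inet 192.0.2.123 --> 203.0.113.1 netmask 0xffffffff
    inet6 fe80::1%pppoe0 prefixlen 64 scopeid 0x8
EOF
}

# Demo on the constructed sample; on a live system use instead:
#   ifconfig pppoe0 | check_alias 192.0.2.123 203.0.113.1
sample_ifconfig | check_alias 192.0.2.123 203.0.113.1
sample_ifconfig | check_alias 192.0.2.124 || true
```

The second demo call prints `missing`, which is what you would see for an alias whose `ifconfig ... alias` command failed and was never applied.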
Proxy ARP definitely can be configured (I tried it), it didn't work ;)
So I "just" need to set the gateway for the Virtual IP Alias to the correct gateway for the PPPoE connection?
Yes, this works ;) now ICMP works.
I don't understand how to correctly use this though, I *don't* want all of these IPs to automatically work the same way the main IP does, so I tried to enable "Deny service binding", but then they stop being pingable. Will NAT rules specifically targeting these IPs still work? Can I create such NAT rules even if "Deny service binding" is disabled?
Sorry to ask so many questions, but I haven't been able to find much documentation on how these things work.
It would be great if the UI could just show (and require) the gateway setting for PPPoE connections ;)
Thank you very much for your help with this!
Simple - no way to put an alias on PPPoE without GW. If you don't supply one yourself, it's "guessed". Relevant feature request and details: https://github.com/opnsense/core/issues/2060
I filed a bug about the VIP types that should not be available in the GUI for PPPoE since they have no chance of working - https://github.com/opnsense/core/issues/7005
NAT rules should work just fine. I cannot test this, I get a /32 and no chance of anything better from the ISP. (At least they give a /56 for IPv6.)
Thanks for the answer!
I just tried a NAT rule for the additional IP, it seems to work fine ;)
I'd love to get *any* IPv6, but alas a /29 additional IPv4 is all we can get.
Quote from: HankG on November 12, 2023, 09:09:54 PM
I just tried a NAT rule for the additional IP, it seems to work fine ;)
Good to hear.
Quote from: HankG on November 12, 2023, 09:09:54 PM
I'd love to get *any* IPv6, but alas a /29 additional IPv4 is all we can get.
Well, that one is DHCPv6/PD so that's another can of worms. Though, both the single IPv4 and the /56 prefix are de facto static, they just don't guarantee anything - i.e., until they do some major revamp on their side.
Well, well – same boat, same errors. Only I'm still on 23.1.11_2
Situation: PPPoE with fixed IPv4 and an additional /29 Subnet routed via it.
The Virtual IPs have been set up with the correct Gateway from the beginning.
/usr/local/opnsense/scripts/interfaces/reconfigure_vips.php: The command '/sbin/ifconfig 'pppoe0' inet 'x.x.x.x'/'32' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Destination address required'
Everything I wanted worked (alas everything of that has a NAT rule associated to it), except for pings, but why?
I can ping every WAN interface with a simple rule allowing the ICMP protocol, no NAT needed – if the Virtual IPs are associated to that Interface, there shouldn't be a NAT rule necessary, no? Else what traffic could also be a victim of not getting recognized correctly?