OPNsense Forum

English Forums => 26.1, 26,4 Series => Topic started by: SenseX on May 19, 2026, 08:57:44 AM

Title: Virtual IP
Post by: SenseX on May 19, 2026, 08:57:44 AM
Hi,

I'd like to group multiple IP addresses into a virtual IP, but I can't find where to do it in OPNsense. 
I have two Pi-holes and want to group them into one virtual IP.
Title: Re: Virtual IP
Post by: Patrick M. Hausen on May 19, 2026, 09:00:36 AM
A virtual IP is really something different, namely an additional IP address on an OPNsense interface.

But if I read you correctly you want "something" for firewall rules containing two or more addresses? That's Firewall > Aliases.

Title: Re: Virtual IP
Post by: cookiemonster on May 19, 2026, 03:08:03 PM
I suspect the OP wants to use something akin to the F5s virtual ips where you have in the UI a way to pretty much do a load balancer setup. Say you have a vip of 172.26.27.1 that "points" to both 192.168.10.1 and 192.168.10.2 and chose your algorithm like round-robin.
Essentially what we can do with a reverse proxy in OPN but I don't know what the flow would be to setting up the vip. Perhaps creating a VIP in the UI first with a type "IP Alias" but that gives only a vip assigned to an interface. Or maybe I totally misunderstand the question :)
Title: Re: Virtual IP
Post by: nero355 on May 19, 2026, 03:35:47 PM
Quote from: SenseX on May 19, 2026, 08:57:44 AMI have two Pi-holes and want to group them into one virtual IP.
You can do that by running VRRP for your Pi-Hole DNS Servers :)

Take a look at some of the topics @ https://discourse.pi-hole.net/ like this one for example : https://discourse.pi-hole.net/t/clustered-pihole-ive-done-it/12716
But keep in mind that was for Pi-Hole v5.x.x and not Pi-Hole v6.x.x so you might want to find more recent solutions for some parts of the setup !!
Title: Re: Virtual IP
Post by: Seimus on May 19, 2026, 03:42:11 PM
https://github.com/SeimusS/Pihole-HA

Regards,
S.
Title: Re: Virtual IP
Post by: nero355 on May 19, 2026, 04:18:33 PM
Quote from: Seimus on May 19, 2026, 03:42:11 PMhttps://github.com/SeimusS/Pihole-HA
I always feel like this :
QuoteSubnet:    192.168.1.0/24
PRIMARY:   192.168.1.1/24
SECONDARY: 192.168.1.2/24
VIP:       192.168.1.3/24
Should be :
QuoteSubnet:    192.168.1.0/24
PRIMARY:   192.168.1.2/24
SECONDARY: 192.168.1.3/24
VIP:       192.168.1.1/24
But maybe I am just weird :)

Thanks for posting exactly what I was talking about though! Nicely done! ;)
Title: Re: Virtual IP
Post by: Seimus on May 19, 2026, 04:28:05 PM
Not at all. You can change the IPs or set the VIP as you like.
In this example its like this just for simpler explanation and allocation of IPs.


Regards,
S.
Title: Re: Virtual IP
Post by: SenseX on May 19, 2026, 09:48:18 PM
Thank you all for the suggestions and for the links, I'm going to check them out as well.
I also read that you can use HAProxy, so I was playing around with that and managed to get it working.

Yes, I have two Pi-holes acting as primary and secondary DNS servers. But instead of using two IPs, I'd like to use a virtual IP.
Title: Re: Virtual IP
Post by: Patrick M. Hausen on May 19, 2026, 09:56:52 PM
Quote from: SenseX on May 19, 2026, 09:48:18 PMYes, I have two Pi-holes acting as primary and secondary DNS servers. But instead of using two IPs, I'd like to use a virtual IP.

That's not an OPNsense topic. Just configure CARP on both Pi-holes. Done.
Title: Re: Virtual IP
Post by: Seimus on May 20, 2026, 09:17:47 AM
Quote from: SenseX on May 19, 2026, 09:48:18 PMI also read that you can use HAProxy, so I was playing around with that and managed to get it working.

That is not the solution you are looking for....

As mentioned by Patrick, you want to configure VRRP.
In FBSD its under CARP, in Linux its under keepalived.

This is an implementation local to the devices you want to co-join to be reachable with a single VIP for active/backup or loadblancing state.
So if its the Pihole you want to have the VIP, you need to configure it on the servers Piholes run. And not on the FW/GW.

Regards,
S.
Title: Re: Virtual IP
Post by: Patrick M. Hausen on May 20, 2026, 10:01:08 AM
Quote from: Seimus on May 20, 2026, 09:17:47 AMAs mentioned by Patrick, you want to configure VRRP.
In FBSD its under CARP, in Linux its under keepalived.

As far as I know both Linux and FreeBSD implement CARP and not VRRP, because the latter is patented. These are two different protocols.
Title: Re: Virtual IP
Post by: Seimus on May 20, 2026, 10:07:43 AM
True to that that, lets say CARP is an "improved" version of VRRP, definitely an alternative.

But on Linux you can use both.

Keepalived is a direct implementation of VRRP.
uCARP is a direct implementation on CARP.

https://manpages.debian.org/trixie/ucarp/ucarp.8.en.html
https://manpages.debian.org/trixie/keepalived/keepalived.8.en.html


VRRP is an open standard protocol under RAND licensing. CISCOs proprietary is HSRP.
https://wiki.endsoftwarepatents.org/wiki/VRRP

Regards,
S.
Title: Re: Virtual IP
Post by: Patrick M. Hausen on May 20, 2026, 10:25:53 AM
Quote from: Seimus on May 20, 2026, 10:07:43 AMKeepalived is a direct implementation of VRRP.
uCARP is a direct implementation on CARP.

I only ever used uCARP, so I learned something. Thanks.
Title: Re: Virtual IP
Post by: Seimus on May 20, 2026, 10:35:18 AM
Personally I like to use VRRP where I can.

Reason is, I am more used to it and it has extra tracking statements, for example via scripts, as I have on the git repo example. But you can track as well, processes, files etc.

https://manpages.debian.org/trixie/keepalived/keepalived.conf.5.en.html

To me it feels contra-intuitive to have failover only due to a device failure or port failure.
Because you can run into a situation where the Device + Port is UP, but the process/application for which you have the redundancy setup in the first place could be down. In this case no failover would happen and you have an outage.

At least my deployment strategy for redundancy is to track dynamically where I can.

Regards,
S.
Title: Re: Virtual IP
Post by: cookiemonster on May 20, 2026, 10:09:01 PM
Well I learned something today. I will need to read up on these concepts.
Seems like I was thinking wrong about how the OP could have wanted to see if possible with OPN. My thinkng was along the lines as I said of F5 BigIP hardware load balancers ie https://f5-agility-labs-adc.readthedocs.io/en/latest/class1/module1/lab1.html https://clouddocs.f5.com/training/community/adc/html/class1/module1/lab1.html