OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: gdur on September 30, 2022, 03:22:16 pm

Title: Virtual IP mode may not be changed for an existing entry.
Post by: gdur on September 30, 2022, 03:22:16 pm
Does anyone have an idea how to handle this warning?
A virtual IP on my production OPNsense box needs to be changed to a different mode, but this is not allowed.
Should I delete this Virtual IP first and then create it anew? Or is there another way...
Title: Re: Virtual IP mode may not be changed for an existing entry.
Post by: Patrick M. Hausen on September 30, 2022, 03:26:57 pm
> Should I delete this Virtual IP first and then create it anew?
Yes.

Patrick
Title: Re: Virtual IP mode may not be changed for an existing entry.
Post by: gdur on September 30, 2022, 03:55:03 pm
That's a short but clear answer, thanks a lot!
Title: Re: Virtual IP mode may not be changed for an existing entry.
Post by: gdur on September 30, 2022, 04:57:37 pm
Hi Patrick,
As your suggestion didn't result in success, here's a modified version of my question:

I've tried that but I can't get what I'm trying to achieve.
I have an IP block of 14 usable IP addresses (/28) and I would like NGINX (on the OPNsense box) to catch traffic from a number of these addresses. These addresses are assigned as Virtual IPs to WAN as IP Alias, but if I run a 443 port check on a virtual IP it is closed, thus requests are not reaching NGINX. Next I tried to change a Virtual IP from IP Alias to Proxy ARP or Other, and neither setting resulted in opening port 443 on this interface. What needs to be done to make that happen?
(The first available IP address of my IP block, which is used to set up a PPPoE connection, does respond to port 443 successfully.)
Title: Re: Virtual IP mode may not be changed for an existing entry.
Post by: Patrick M. Hausen on September 30, 2022, 06:37:46 pm
What does your inbound allow rule for port 443 on WAN look like?
Title: Re: Virtual IP mode may not be changed for an existing entry.
Post by: gdur on September 30, 2022, 07:12:09 pm
Hi Patrick,
The inbound rule is quite generic and works as expected. It allows 443 traffic on the main IP address, which is activated through PPPoE, and using a port checker it is confirmed to be open on this IP address, but it's not for the Virtual IPs assigned to WAN. I just did another post regarding NGINX about this problem; hopefully I will get a positive response on that.
Title: Re: Virtual IP mode may not be changed for an existing entry.
Post by: Patrick M. Hausen on September 30, 2022, 07:33:20 pm
You need to explicitly allow your virtual IP addresses, too. Otherwise the connections never reach your Nginx.
Title: Re: Virtual IP mode may not be changed for an existing entry.
Post by: gdur on September 30, 2022, 08:57:49 pm
Currently the WAN rule is:
Protocol -> IPv4 TCP/UDP
Source -> *
Port -> *
Destination -> WAN address
Port -> 443 (HTTPS)
Gateway -> *
Schedule -> *

Changing Destination with the specific Virtual IP address doesn't help, port is still closed...