Multiple Virtual IPs not working with PPPoE

[marco35]

Hi, first time question having setup OPNsense a few weeks ago...

Basic problem is that I don't seem to be able to get services 'bound' to the virtual IPs.
I have a range of 16 IPs (a /28) provided by the ISP. I am using em0 which then uses pppoe0(em0) for its connection. I have enties for each of the 14 usable IPs in the interfaces | Virtual IPs page.
(I have also tried entering a IP/28 range in this section)
I tried entering a static IP range for em0, but this disappears when saved.

OPNsense is up and running, and also IS mapping some of those virtual IPs to inside services via Port Forwarding - which is working.

My issue was revealed when I wished to set up a VPN... I couldn't apparently bind to the VPN external IP.

Using the SSH console, I can see from netstat that the services seem to bind to another IP given by the ISP (they give us one static, then the additional netblock that we use).
It isn't an ISP issue as we have just switched form a Cisco solution that was running fine.

If I temporarily swap to configure the interface as PPP, then the Virtual IPs do bind to services. Of course PPP won't goive me any service as that won't log in to the ISP - it was just for test.

With PPPoE, I see
udp4       0      0 xxxxx.ISP-address.co.uk.openvpn  *.*

with PPP (just as a test), I see
udp4       0      0 our-IPs-01.co.uk.openvpn   *.*
udp4       0      0 our-IPs-02.co.uk.ntp       *.*
udp4       0      0 our-IPs-03.co.uk.ntp       *.*
udp4       0      0 our-IPs-04.co.uk.ntp       *.*
udp4       0      0 our-IPs-05.co.uk.ntp       *.*
etc.

It seems that I should be able to bind our netblock to the outside interface - there is even a place to do it - it just gets ignored.

Firstly, should my Virtual IPs be a 'network' i.e. IP/28 or should it be a separate list of 14 IPs?
If the former, I assume then I should just have Firewall | Aliasses to access the individual IPs by name.

Any clues as to how to solve this?

Thanks

[marco35]

Just 'bumping' this thread as I got a lot of 'reads' but no replies.
Back on trying to solve this now, with little success.

ISP tells me the netblock is just routed to us, my OPNsense question must therefore be;
How do I assign a static netblock to the PPPoE interface?

Thanks

[Patrick M. Hausen]

How do I assign a static netblock to the PPPoE interface?

In most cases you don't. You get a single dynamic address via PPPoE for the PPPoE interface. And the netblock, i.e. a /28 in your case (?) is routed to that IP address.

If you want to use this netblock for some servers, you assign it to a DMZ interface by using one (usually first or last) IP address from that netblock.

I.e. if that netblock was 192.168.100.64/28, you would assign 192.168.100.65/28 to that interface and have 192.168.100.66-78 free to assign to your servers. The servers get .65 as their default router, you disable NAT for that network and then you can e.g. permit ports 80 and 443 in to server .66 on the WAN interface ...

HTH,
Patrick

[marco35]

Hi Patrick,

Thanks for the reply.

With the Cisco device, I just assigned the x.x.x.14/28 address to the interface and the dialer picked up the PPPoE IP that just got used for the 'dial-up'.

So, at present I have Virtual IPs labeled 'Outside01 -> Outside14' for my /28 block.
I can do a static NAT from say Outside02 -> mailserver.inside and the mailserver is accessible as you would expect.
It isn't quite how I would expect it to look, but it is working.
I can't however, bind my OpenVPN to Outside01

In the VPN console, if I select all or WAN then the VPN binds, if I select Outside01, then it does not bind.
I just want the VPN service to be listening on Outside01 only.
(Bound to 'all' then the external IP doesn't appear to respond, so then the client cant access it)

Thanks for your help so far.

[marco35]

An update for those who come across this later...

It appears I may have misread the Virtual IP config screen.
I had a missing gateway for each VirtualIP.
Adding the gateway as reported as WAN_PPPOE 'gateways' in the lobby screen then made the IP show up when using ifconfig in the command line console.

I can now bind the services as I intended.

Thanks all for reading, and those who gave me a few pointers.