Virtual IP

Started by SenseX, May 19, 2026, 08:57:44 AM

Hi,

I'd like to group multiple IP addresses into a virtual IP, but I can't find where to do it in OPNsense. 
I have two Pi-holes and want to group them into one virtual IP.

A virtual IP is really something different, namely an additional IP address on an OPNsense interface.

But if I read you correctly you want "something" for firewall rules containing two or more addresses? That's Firewall > Aliases.

Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I suspect the OP wants to use something akin to the F5's virtual IPs, where you have in the UI a way to pretty much do a load balancer setup. Say you have a VIP of 172.26.27.1 that "points" to both 192.168.10.1 and 192.168.10.2 and choose your algorithm, like round-robin.
Essentially what we can do with a reverse proxy in OPN, but I don't know what the flow would be for setting up the VIP. Perhaps creating a VIP in the UI first with a type "IP Alias", but that gives only a VIP assigned to an interface. Or maybe I totally misunderstand the question :)

Quote from: SenseX on May 19, 2026, 08:57:44 AM
I have two Pi-holes and want to group them into one virtual IP.

You can do that by running VRRP for your Pi-Hole DNS Servers :)

Take a look at some of the topics @ https://discourse.pi-hole.net/ like this one for example : https://discourse.pi-hole.net/t/clustered-pihole-ive-done-it/12716
But keep in mind that was for Pi-Hole v5.x.x and not Pi-Hole v6.x.x so you might want to find more recent solutions for some parts of the setup !!
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
N355 - i226-V | AQC113C | 16G | 500G - PROD

PRXMX
N5105 - i226-V | 2x8G | 512G - NODE #1
N100 - i226-V | 16G | 1T - NODE #2

Quote from: Seimus on May 19, 2026, 03:42:11 PM
https://github.com/SeimusS/Pihole-HA

I always feel like this :
Quote
Subnet:    192.168.1.0/24
PRIMARY:   192.168.1.1/24
SECONDARY: 192.168.1.2/24
VIP:       192.168.1.3/24
Should be :
Quote
Subnet:    192.168.1.0/24
PRIMARY:   192.168.1.2/24
SECONDARY: 192.168.1.3/24
VIP:       192.168.1.1/24
But maybe I am just weird :)

Thanks for posting exactly what I was talking about though! Nicely done! ;)

Not at all. You can change the IPs or set the VIP as you like.
In this example it's like this just for simpler explanation and allocation of IPs.


Regards,
S.

Thank you all for the suggestions and for the links, I'm going to check them out as well.
I also read that you can use HAProxy, so I was playing around with that and managed to get it working.

Yes, I have two Pi-holes acting as primary and secondary DNS servers. But instead of using two IPs, I'd like to use a virtual IP.

Quote from: SenseX on May 19, 2026, 09:48:18 PM
Yes, I have two Pi-holes acting as primary and secondary DNS servers. But instead of using two IPs, I'd like to use a virtual IP.

That's not an OPNsense topic. Just configure CARP on both Pi-holes. Done.

Quote from: SenseX on May 19, 2026, 09:48:18 PM
I also read that you can use HAProxy, so I was playing around with that and managed to get it working.

That is not the solution you are looking for....

As mentioned by Patrick, you want to configure VRRP.
In FBSD it's under CARP, in Linux it's under keepalived.

This is an implementation local to the devices you want to co-join to be reachable with a single VIP for active/backup or load balancing state.
So if it's the Pihole you want to have the VIP, you need to configure it on the servers the Piholes run on, and not on the FW/GW.

Regards,
S.

Quote from: Seimus on May 20, 2026, 09:17:47 AM
As mentioned by Patrick, you want to configure VRRP.
In FBSD it's under CARP, in Linux it's under keepalived.

As far as I know both Linux and FreeBSD implement CARP and not VRRP, because the latter is patented. These are two different protocols.

May 20, 2026, 10:07:43 AM #11 Last Edit: May 20, 2026, 10:11:50 AM by Seimus
True to that, let's say CARP is an "improved" version of VRRP, definitely an alternative.

But on Linux you can use both.

Keepalived is a direct implementation of VRRP.
uCARP is a direct implementation of CARP.

https://manpages.debian.org/trixie/ucarp/ucarp.8.en.html
https://manpages.debian.org/trixie/keepalived/keepalived.8.en.html


VRRP is an open standard protocol under RAND licensing. Cisco's proprietary one is HSRP.
https://wiki.endsoftwarepatents.org/wiki/VRRP

Regards,
S.

Quote from: Seimus on May 20, 2026, 10:07:43 AM
Keepalived is a direct implementation of VRRP.
uCARP is a direct implementation of CARP.

I only ever used uCARP, so I learned something. Thanks.

Personally I like to use VRRP where I can.

Reason is, I am more used to it and it has extra tracking statements, for example via scripts, as I have on the git repo example. But you can track processes, files etc. as well.

https://manpages.debian.org/trixie/keepalived/keepalived.conf.5.en.html

To me it feels counterintuitive to have failover only due to a device failure or port failure.
Because you can run into a situation where the Device + Port is UP, but the process/application for which you have the redundancy setup in the first place could be down. In this case no failover would happen and you have an outage.

At least my deployment strategy for redundancy is to track dynamically where I can.

Regards,
S.
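
Added example (not part of the thread and not taken from the linked Pihole-HA repository): a keepalived.conf for the primary Pi-hole that implements the service tracking described above, where a failed DNS check lowers the VRRP priority so the VIP moves even though host and port are still up. The addresses reuse the 192.168.1.x layout quoted earlier in the thread; the interface name, router ID, priorities, check command and script user are assumptions.

```conf
# /etc/keepalived/keepalived.conf on the PRIMARY Pi-hole (192.168.1.1).
# Added example; interface, router ID, priorities and check are assumptions.

global_defs {
    enable_script_security        # refuse scripts that non-root users can modify
    script_user nobody            # assumed unprivileged account, so checks do not run as root
}

# Service-level health check: ask the local resolver a question.
# dig exits non-zero when no reply arrives, so a dead DNS process fails the
# check even though the host and its NIC are still up.
vrrp_script chk_pihole_dns {
    script "/usr/bin/dig +time=1 +tries=1 @127.0.0.1 pi.hole"
    interval 5      # run every 5 seconds
    timeout 3       # a hung check counts as a failure
    fall 2          # 2 consecutive failures mark the service down
    rise 2          # 2 consecutive successes mark it up again
    weight -60      # while down: priority 150 - 60 = 90
}

vrrp_instance PIHOLE_DNS {
    state BACKUP                  # both nodes start as BACKUP; priority elects the master
    interface eth0                # assumed NIC name
    virtual_router_id 53          # assumed; must match on both nodes
    priority 150                  # SECONDARY uses 100, so 90 < 100 triggers failover
    advert_int 1

    # Send adverts only to the known peer instead of the multicast group.
    unicast_src_ip 192.168.1.1
    unicast_peer {
        192.168.1.2
    }

    virtual_ipaddress {
        192.168.1.3/24            # VIP handed to clients as their DNS server
    }

    track_script {
        chk_pihole_dns
    }
}
```

On the secondary the same file applies with priority 100, unicast_src_ip 192.168.1.2 and unicast_peer 192.168.1.1.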

Well I learned something today. I will need to read up on these concepts.
Seems like I was thinking wrong about how the OP could have wanted to see if possible with OPN. My thinking was along the lines, as I said, of F5 BigIP hardware load balancers, i.e. https://f5-agility-labs-adc.readthedocs.io/en/latest/class1/module1/lab1.html https://clouddocs.f5.com/training/community/adc/html/class1/module1/lab1.html