Note: maybe the "Background" and "Plan" are not really necessary; feel free to skip to the "Problem" immediately...

Background

We have recently migrated a bunch of servers from one subnet into another. They used to have the IP addresses 192.168.0.0/24; now they have 10.1.2.0/24.

To avoid having to actually change the addresses on the servers and make the switch as simple as possible, we did not change anything on them; they still are configured to use 192.168.0.x and know nothing at all about 10.1.2.x.

Instead, the router (pfSense 2.3.2) in front of them does 1:1 NAT, mapping between the two subnets.

There is no VLAN or other special networking going on here; just the two regular physical ethernet ports of some machine, one for LAN, one for WAN (the WAN side is a simple ethernet uplink, no dial-up/DSL or something like that).

Everything works great, and all is well. I can reach the servers from the outside using their 10.1.2.x addresses (NATted by the router); and I can reach the outside from the servers - and they appear with their 10.1.2.x addresses as one would expect.

Plan

Right now, the router has the IP 192.168.0.1 on the LAN interface, and this IP is configured as default gateway for the servers (the usual, trivial setup).

Now we want to get rid of the old 192.168.0.x addresses and the NAT translation. To avoid having a single instance in time where we have to do the switch, I would like to make it so that I can move one server after the other around.

To my understanding, this could be done by giving the physical interface of the router the additional IP address 10.1.2.1 (on a Linux machine, I would simply add an IP alias), add the new IP addresses on the servers as IP aliases (does not matter whether all at the same time or individually), switch the servers to use 10.1.2.1 as default gateway instead of 192.168.0.1, disable the 1:1 NAT for that server IP, and be done with it. The server would then use its 10.1.2.x IP as "main" IP, and still listen on the old IP in case someone else inside the LAN still uses that. We can then phase out the old IPs over time.

Problem

How do we configure pfSense to have an IP alias on its LAN interface? Is that even possible? I can find no mention about IP aliases (secondary IPs on the physical interfaces) at all.

Is there another way to achieve what we want using pfSense?

AnoE
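
The server-side half of the plan above (add the new address as an alias, then point the default route at the router's new alias IP), as an added example that is not part of the original question or answer. It assumes a Linux server whose interface is eth0, that the 1:1 NAT preserves the host octet (192.168.0.N maps to 10.1.2.N), and that the router's alias 10.1.2.1 is already in place; these are assumptions, not facts from the page. The script only prints the `ip` commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original question or answer): server-side steps
# of the migration described in the "Plan" section, for one Linux server.
# Assumptions not stated on the page: the interface is eth0 and the 1:1 NAT
# preserves the host octet, i.e. 192.168.0.N <-> 10.1.2.N.

OLD_NET=192.168.0
NEW_NET=10.1.2
NEW_GW=10.1.2.1          # the router's new IP alias on the LAN side
IFACE=${IFACE:-eth0}     # assumed interface name

# Translate an old 192.168.0.N address into its 10.1.2.N counterpart.
# Returns non-zero if the address is not a plain host in the old /24.
new_ip() {
    case "$1" in
        "$OLD_NET".*) ;;
        *) echo "not in $OLD_NET.0/24: $1" >&2; return 1 ;;
    esac
    host=${1##*.}
    case "$host" in
        ''|*[!0-9]*) echo "bad host octet: $1" >&2; return 1 ;;
    esac
    [ "$host" -ge 1 ] && [ "$host" -le 254 ] || return 1
    echo "$NEW_NET.$host"
}

# Commands that move one server onto its new address: add the new address as
# a secondary (alias) address, then switch the default route to the router's
# new alias IP. The old address is kept so LAN peers can still reach it.
migrate_cmds() {
    new=$(new_ip "$1") || return 1
    printf 'ip addr add %s/24 dev %s\n' "$new" "$IFACE"
    printf 'ip route replace default via %s dev %s\n' "$NEW_GW" "$IFACE"
}

# Final clean-up once nothing on the LAN uses the old address any more.
retire_cmds() {
    printf 'ip addr del %s/24 dev %s\n' "$1" "$IFACE"
}

# Dry run by default; APPLY=1 executes the commands (needs root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        migrate_cmds "$1" | sh -e
    else
        migrate_cmds "$1"
    fi
}

# When invoked directly, show the dry run for the address given as $1.
run "${1:-192.168.0.10}"
```

Order matters: create the router's alias first, then add the server alias, then switch the gateway, then disable the 1:1 NAT entry for that address; only retire the old address after LAN peers have stopped using it.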

1 Answer

Yes, it's possible but its configuration is in a location that isn't intuitive. Here's how:

  • Go to the Firewall > Virtual IPs menu
  • Click Add
  • Click IP Alias
  • Select the Interface to add the IP alias to
  • Add the IP alias to the Address field and set its prefix length
  • Click Save
Robert Mooney

    Thank you for the answer! Considering the fact that the question was unanswered for over a year, it indeed does seem to be unintuitive... ;) – AnoE Mar 22 '18 at 09:26
  • pfSense choosing "Firewall" rather than "Interfaces" as the top-level menu runs contrary to my intuition. But I'm not a project contributor, so I don't get to complain. :) – Jason Oct 25 '18 at 22:49