Services bind to VIP instead of interface IP

[perryflynn]

OPNSense Version: 18.7.5_1
Interface: 172.23.19.254/24
VIP Addr: 172.23.19.253/24 (IP Alias)

Hi,

I've created a VIP address on my management interface for NATing stuff. Now services like SNMP and OpenVPN bind to the VIP address instead of the interface IP.

Example:

root@gw-juli:~ # netstat -p udp -n
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
udp4       0      0 172.23.19.253.161      *.*

Is there a way to change this behavior?

[mimugmail]

You can hardcode the listen address for OpenVPN and net-snmp

[fichtner]

I'm unsure why it's supposed to latch onto a VIP in the first place. Can we focus on OpenVPN for now as a core component single issue?

[fichtner]

Also, need an ifconfig dump for your 172.23.19.254/24 interface.

[perryflynn]

On OpenVPN was following line in the "Advanced" text field a workaround:

local 172.23.254.19

The interface:

bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:90:c3:8f:08:00
        inet 172.23.19.253 netmask 0xffffff00 broadcast 172.23.19.255
        inet 172.23.19.254 netmask 0xffffff00 broadcast 172.23.19.255
        nd6 options=1<PERFORMNUD>
        groups: bridge JuLiFloating
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: ath0_wlan1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 10 priority 128 path cost 33333
        member: re2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 20000

[fichtner]

Your VIP became your primary IP, that's why the system picks it up. The order matters to FreeBSD and us, but normally the real IP should be first. Is this a static IP setup?

[perryflynn]

Yes, the interface is static configured.

[fichtner]

This describes the same issue for IPv6 #2189 (comment)

Does this persist through a reboot or does it order correctly then? That may be temporary, I just want to know if it triggers later or on boot.

[perryflynn]

Rebooted:

root@gw-juli:~ # uptime
 7:44PM  up 1 min, 1 users, load averages: 1.57, 0.45, 0.17
root@gw-juli:~ # ifconfig bridge0
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:90:c3:8f:08:00
        inet 172.23.19.253 netmask 0xffffff00 broadcast 172.23.19.255
        inet 172.23.19.254 netmask 0xffffff00 broadcast 172.23.19.255
        nd6 options=1<PERFORMNUD>
        groups: bridge JuLiFloating
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: ath0_wlan1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 10 priority 128 path cost 33333
        member: re2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 20000

[fichtner]

Thanks, we'll continue this in #2189 as it's the same issue for IPv4 so at least it's a class of issues with VIPs itself -- I'm not 100% clear about the solution but it should be fixed for 19.1 in any case.