# IP Alias versus Cloned Interface



## nitin (Feb 7, 2022)

Hi,

This might just be basic stuff... but I am not sure I understand the difference between a cloned interface and a ip alias. I know how to create them both but how are they different at a lower level? 

Can someone please enlighten me?

Thanks in advance.

Nitin


----------



## SKull (Feb 7, 2022)

I'm no networking expert. So there might be some more valuable information coming up from other people.
But what strikes me as the benefit of having a cloned interface instead of just an adress alias is the fact that it's easier to make pf rules for interfaces, than single addresses.

For example, I have all my jails on the cloned interface lo1.
So i can do some basic rules on lo1 that are valid for all the jails, and then some fine grained rules for specific ip addresses on that interface.

If you have your DB server, your webserver and some media server all on alias IPs on your main network interface, writing rules for those gets quite the task.


----------



## nitin (Feb 8, 2022)

Thanks SKull for taking out time to share your thoughts. 

I am trying to run multiple instances of postfix and it doesn't seem to bind to the aliased IPs. So I was wondering if I should try cloned interfaces, instead of aliased IPs, to accomplish this. Which made me wonder what the difference is really between the two... 

Thanks again


----------



## SirDice (Feb 8, 2022)

nitin said:


> it doesn't seem to bind to the aliased IPs


It does, but you have to make sure _all_ instances are bound to specific IPs. If any one of those instances bind to * or 0.0.0.0 it will bind to _all_ IP addresses, which means that another instance cannot bind to one of the IP/port combinations anymore (it's already in use).


----------



## nitin (Feb 8, 2022)

Thanks SirDice

I have set different ports for each instance, but it is not binding to anyone other than the one which is having the original real ip.

sockstat -4 -l outputs:

```
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS    
postfix  postscreen 64369 6  tcp4   192.168.1.11:2525     *:*
unbound  unbound    46046 4  udp4   127.0.0.1:53          *:*
unbound  unbound    46046 5  tcp4   127.0.0.1:53          *:*
unbound  unbound    46046 6  udp4   192.168.0.11:53       *:*
unbound  unbound    46046 7  tcp4   192.168.0.11:53       *:*
unbound  unbound    46046 8  udp4   192.168.1.11:53       *:*
unbound  unbound    46046 9  tcp4   192.168.1.11:53       *:*
root     master     25573 13 tcp4   192.168.1.11:2525     *:*
root     master     25573 26 tcp4   192.168.0.11:5871     *:*
spamd    perl       88130 6  tcp4   127.0.0.1:783         *:*
spamd    perl       87899 6  tcp4   127.0.0.1:783         *:*
root     perl       87741 6  tcp4   127.0.0.1:783         *:*
postgrey perl       86599 5  tcp4   127.0.0.1:10023       *:*
root     dovecot    83374 41 tcp4   *:993                 *:*
root     sshd       81063 5  tcp4   *:22                  *:*
postgres postgres   71470 7  tcp4   127.0.0.1:5432        *:*
postgres postgres   71470 8  tcp4   192.168.0.11:5432     *:*
postgres postgres   71470 9  tcp4   192.168.0.12:5432     *:*
postgres postgres   71470 13 tcp4   192.168.1.11:5432     *:*
postgres postgres   71470 14 tcp4   192.168.1.12:5432     *:*
ntpd     ntpd       68465 21 udp4   *:123                 *:*
ntpd     ntpd       68465 22 udp4   192.168.1.11:123      *:*
ntpd     ntpd       68465 23 udp4   192.168.1.12:123      *:*
ntpd     ntpd       68465 27 udp4   192.168.0.11:123      *:*
ntpd     ntpd       68465 28 udp4   192.168.0.12:123      *:*
ntpd     ntpd       68465 34 udp4   127.0.0.1:123         *:*
```
I can telnet locally to the first domain as its IP is the real IP. See below:

```
telnet 192.168.1.11 2525
Trying 192.168.1.11...
Connected to localhost.
Escape character is '^]'.
220 mail.abc.com ESMTP Postfix
```
I cannot telnet locally to the second domain as its IP is an aliased one:

```
telnet 192.168.1.12 2526
Trying 192.168.1.12...
```

Here's the output of ifconfig:

```
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=481249b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LRO,WOL_MAGIC,VLAN_HWFILTER,NOMAP>
    ether 00:22:4d:aa:e0:9d
    inet 192.168.1.11 netmask 0xffffff00 broadcast 192.168.1.255
    inet 192.168.1.12 netmask 0xffffffff broadcast 192.168.1.12
    media: Ethernet 1000baseT <full-duplex>
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
    ether ec:08:6b:02:e6:c1
    inet 192.168.0.11 netmask 0xffffff00 broadcast 192.168.0.255
    inet 192.168.0.12 netmask 0xffffffff broadcast 192.168.0.12
    media: Ethernet 1000baseT <full-duplex>
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
    inet 127.0.0.1 netmask 0xff000000
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
```
I can ping all the alaised IPs locally as well as from another machine on the same subnet.
rc.conf has the following:

```
ifconfig_em0="inet 192.168.1.11 netmask 255.255.255.0 media 1000baseTX mediaopt full-duplex"
ifconfig_em0_alias0="inet 192.168.1.12/32"
ifconfig_re0="inet 192.168.0.11 netmask 255.255.255.0 media 1000baseTX mediaopt full-duplex"
ifconfig_re0_alias0="inet 192.168.0.12/32"
```

master.cf of first domain

```
192.168.1.11:2525 inet n -       n       -       1       postscreen
smtpd      pass  -       -       n       -       -       smtpd
dnsblog    unix  -       -       n       -       0       dnsblog
tlsproxy   unix  -       -       n       -       0       tlsproxy
192.168.0.11:5871 inet n -       n       -       -       smtpd -o syslog_name=postfix ....
```
master.cf of second domain

```
192.168.1.12:2526 inet n -       n       -       1       postscreen
smtpd      pass  -       -       n       -       -       smtpd
dnsblog    unix  -       -       n       -       0       dnsblog
tlsproxy   unix  -       -       n       -       0       tlsproxy
192.168.0.12:5872 inet n -       n       -       -       smtpd -o syslog_name=postfix ...
```

etc/hosts looks like this:

```
::1                     localhost
127.0.0.1               localhost
192.168.0.11            localhost
192.168.0.12            localhost
192.168.1.11            localhost
192.168.1.12            localhost

::1                     localhost.abc.com
::1                     localhost.xyz.com
::1                     localhost
127.0.0.1               localhost.abc.com
127.0.0.1               localhost.xyz.com

192.168.0.11            localhost.abc.com
192.168.0.12            localhost.xyz.com

192.168.1.11            mail.abc.com
192.168.1.11            mail
192.168.1.11            mail.abc.com.

192.168.1.12            mail.xyz.com
192.168.1.12            mail.xyz.com.
```
Do you see anything wrong here as to why postfix instances wouldn't bind to the aliased ip?


----------



## SirDice (Feb 8, 2022)

Remove these:

```
192.168.0.11            localhost
192.168.0.12            localhost
192.168.1.11            localhost
192.168.1.12            localhost
```
Localhost is ONLY 127.0.0.1 or ::1. Do NOT assign any other address to it.


```
192.168.1.11            mail.abc.com
192.168.1.11            mail
192.168.1.11            mail.abc.com.
```
Can be one line.

```
192.168.1.11            mail mail.abc.com
```


----------



## nitin (Feb 8, 2022)

Ok great. So looks like apart from that rest are fine so its possibly a mistake in my postfix config or a bug in postfix in that case.


----------



## sko (Feb 8, 2022)

this is a prime use case for jail(8)s, especially if this is a mail server which greatly benefits from the increased security by containing each service (postfix, dovecot, postgresql, etc...) in its own jail.


----------



## Jose (Feb 8, 2022)

You have the same two IP addresses configured on two physical interfaces? Are they on separate networks?

EDIT: They are not the same as SirDice points out below.


----------



## SirDice (Feb 8, 2022)

Jose said:


> You have the same two IP addresses configured on two physical interfaces?


They're not the same? One interface has 192.168.0.0/24 addresses, the other 192.168.1.0/24. Same host address though, but they're both on different subnets.


----------



## Jose (Feb 8, 2022)

nitin said:


> I can telnet locally to the first domain as its IP is the real IP. See below:
> 
> ```
> telnet 192.168.1.11 2525
> ...


I don't see anything listening on 192.168.1.12:2526. Does `telnet 192.168.1.12 5432` work? What does `netstat -nr` report?


----------



## nitin (Feb 9, 2022)

Jose said:


> I don't see anything listening on 192.168.1.12:2526. Does `telnet 192.168.1.12 5432` work? What does `netstat -nr` report?


Jose, yes you are right. The aliased IPs are not getting bound by Postfix. netstat is not listing it. Postfix support will help me out today after looking at my configs.


----------



## nitin (Feb 9, 2022)

sko said:


> this is a prime use case for jail(8)s, especially if this is a mail server which greatly benefits from the increased security by containing each service (postfix, dovecot, postgresql, etc...) in its own jail.


Thanks sko I did go that route first before settling for Postmulti. In fact I have not detsroyed the jails yet, just disabled them for now  I got stumped at which reverse proxy to use for mail servers... haproxy apparently doesn't reverse proxy smtp, it can only load balance afaik. I didn't try nginx.

I have posted another query for that here


----------



## sko (Feb 9, 2022)

nitin said:


> Thanks sko I did go that route first before settling for Postmulti. In fact I have not detsroyed the jails yet, just disabled them for now  I got stumped at which reverse proxy to use for mail servers... haproxy apparently doesn't reverse proxy smtp, it can only load balance afaik. I didn't try nginx. Maybe I should post another question on recomendation for a reverse proxy in production for mail servers. I will do that.


I wonder why you would need multiple postfix instances on the same host. Postfix spawns worker processes as needed and does its own load adaption, so "load balancing" on a single host is rather pointless as a single postfix instance can easily scale up until it brings your host to its knees.
Multiple instances are usually used if very different configurations e.g. for local users, incoming and outbound mail and various degrees of filtering are needed and the master.cf overrides are getting out of hand. So using multiple instances keeps the configs clean and easier to understand, but technically a single postfix instance could still handle this scenario.

But to answer your question: PF can load balance just about everything. just use an address pool and distribute incoming connections across them. There is even an example in pf.conf(5):

```
# RDR ROUND ROBIN
     # Translate incoming web server connections to a group of web servers on
     # the internal network.
     rdr on $ext_if proto tcp from any to any port 80 \
           -> { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
```

just use the same principle on incoming connections on ports 25/465/587 and redirect them to your pool of postfix jails (which are usually connected to a loopback interface on the host). but again: postfix is quite capable of handling huge amounts of mail with several hundred smtp client processes, but usually such a scenario is never the norm except for when huge spam waves hit you. The postfix anvil(8) can help dealing with such scenarios and keep the host and postfix responsive e.g. by various means of rate-limiting. Better yet, don't let spammers even talk to your postfix, because all checks that postfix can do to detect spam are comparably expensive in terms of system resources compared to e.g. mail/spamd.
We reduced the amount of spam that reached our postfix and rspamd by way over 50% using spamd. It keeps them busy by using very little resources and is easily adaptable and extensible, e.g. to distribute/exchange spamdb entries between multiple hosts.


----------



## nitin (Feb 9, 2022)

sko said:


> because all checks that postfix can do to detect spam are comparably expensive in terms of system resources


So are you suggesting not to use postscreen? My problems started while using postscreen in master.cf for each of the domains. If I left it with just smtpd, there were no banner issues, but with postcreen enabled it always fell back to the primary domain. But as you say, I am perhaps wasting my time on a non-issue. SirDice also had advised the same to me.

I re-confirm that my reverse ptrs are fine. I have tested them via mxtoolbox.

I will check out PF, I am more familiar with IPFW. I will explore the jail route further now. 

Yes, I wanted to be able have cleaner and simpler mail configs and at the same time have each service jailed as you suggested earlier. It also helps to migrate each domain to their own servers later on.

Thank you so much sko You have given some really good ideas here


----------



## nitin (Feb 10, 2022)

Glad to inform that my SMTP banner issues has been resolved once I have had my postmulti working properly. I had missed one setting in main.cf that was pointed out by the very kind and helpful Postfix support team. Thanks once again SKull,  sko & SirDice. Consider this closed


----------

