# Source IPv4 Address when using a loopback



## smallSHEEP (May 28, 2013)

Hi,

I'm currently in the process of setting up the network connections of some VMs running FreeBSD 9.1. They have an ethernet interface with a static IP (e.g 192.168.1.1) and default gateway (e.g. 192.168.1.254) set. I have also created a loopback adapter with a static IP (e.g. 1.2.3.4) and 255.255.255.255 subnet mask.

Inbound connections for the 1.2.3.4 address work fine but outbound connections are always sourced from the 192.168.*.* IP and therefore fail. Is there any way of forcing outbound connections to use 1.2.3.4/loopback as the source address/interface?

I have managed to get it working with some services, BIND for example supports the query-source flag but not all services give me this option so was wondering if there was anything I can set in ifconfig or PF?

Any help would be most appreciated!


----------



## ShelLuser (May 29, 2013)

Normally you'd set up an entry in the routing table to tell the system which route, or device, to use when it needs to reach the outside world. In theory this shouldn't be different.


----------



## kpa (May 29, 2013)

As far as I know the loopback adapter will not take part in the selection of the source address unless the destination address is a local address. By local address I mean an address bound to a network interface on the local system. For example:


```
firewall ~ # netstat -nr -f inet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            xx.yy.96.1        UGS         0  3141553    vr0
10.71.14.0/24      link#1             U           0  3123401    rl0
10.71.14.1         link#1             UHS         0        1    lo0
xx.yy.96.0/19     link#4             U           0      163    vr0
xx.yy.105.73      link#4             UHS         0        0    lo0
127.0.0.1          link#7             UH          0     1358    lo0
```

If you look at the Netif column you'll see what I explained above, the lo0 interface is used for selecting the source address only when the destination address is an address bound to a local adapter.

If you need to expose the additional addresses to outside then why not just bind the addresses to the main interface as aliases?


----------



## throAU (May 29, 2013)

smallSHEEP said:
			
		

> Hi,
> 
> I'm currently in the process of setting up the network connections of some VMs running FreeBSD 9.1. They have an ethernet interface with a static IP (e.g 192.168.1.1) and default gateway (e.g. 192.168.1.254) set. I have also created a loopback adapter with a static IP (e.g. 1.2.3.4) and 255.255.255.255 subnet mask.
> 
> ...



What are you actually attempting to achieve (i.e., why are you attempting to do this)?

The default source address will be the one on the network your packets are sent from.  I.e., the IP of the interface that is on the "exit" network from your (virtual) machine.

If your VMs are on a NAT network, the source will be the IP address of the VM, before it is NATed by your host.

A loopback adapter is not bound to any actual "network" interface (i.e., interface connecting to a network outside of the OS) and should never normally be seen as a source address... unless your app allows you to manually configure the source IP (i.e. forge the packet's source address) as it goes out onto the "wire".



			
				kpa said:
			
		

> If you need to expose the additional addresses to outside then why not just bind the addresses to the main interface as aliases?




^^ That...

Loopback IPs are intended for local machine usage only.  If you want an IP visible on the network, bind it to a network interface?


----------



## smallSHEEP (May 29, 2013)

Thanks for your help so far, I'll try and clarify the setup. Due to requiring fail-over between datacentres the FreeBSD servers have a public facing ethernet connection on a small /30 subnet with a default gateway as the 10.0.0.1 IP on the router. Currently the actual public IP is using a /32 on a loopback (lo1) (although I believe a secondary alias IP on eth0 would work too) and the router will redirect packets to this IP allowing connections inbound from the public side.


```
----------
   | router |
   |        |
   ----------
       | 10.0.0.1/30
       |
       | Eth0 10.0.0.2/30 (Public)
   ---------
   |FreeBSD| Lo1  1.2.3.4/32
   |       |
   |  9.1  |                      (Default Gateway: 10.0.0.1)
   ---------
       | Eth1 192.168.1.1/24 (Management)
       |
```

This all works great for inbound traffic, the problem is with connections initiated by the server which will route out via the default gateway (using 10.0.0.2 as the source address). I need to force traffic leaving eth0 to use a source of 1.2.3.4. On Debian I have achieved this using: `ip route add default via 10.0.0.2 dev eth0:0 src 1.2.3.4`. On Windows I can use: `netsh int ipv4 add address "Public Network" 10.0.0.2 255.255.255.252 skipassource=true`.

I'm not as familiar with *Free*BSD and was not sure if there was a similar function available, either by making an IP address non-sourceable or setting the source address as part of the routing table?


----------



## kpa (May 29, 2013)

Use of loopback will prevent you from doing what you want for the reasons stated above, loopback adapter is only for local traffic in FreeBSD (I'm not sure how you got the host responding to incoming traffic on a loopback interface from outside the host, it should not be possible afaik without NAT of some sort). Use an alias on the eth0 interface.


----------



## smallSHEEP (Aug 16, 2013)

I managed to solve the problem in the end by using an alias on vmx3f0 and setting up IPFW (IP Firewall) e.g:

adding the following to /etc/rc.conf:


```
ifconfig_vmx3f0="inet 10.0.0.2 netmask 255.255.255.248"
ifconfig_vmx3f0_alias0="1.2.3.4 netmask 255.255.255.255"

gateway_enable="NO"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="vmx3f0"
natd_flags="-f /etc/natd.conf"
```

I also added the following to: /boot/loader.conf

```
ipfw_load="YES"
ipdivert_load="YES"
```

Then created a file called /etc/natd.conf and added the following text:


```
redirect_address 10.0.0.2 1.2.3.4
```

This seems to work a treat and now all traffic leaving the vmx3f0 interface uses the source IP address of the alias interface (1.2.3.4) instead.


----------

