Netgate Discussion Forum

    Modem passthrough PPPoE Fixed IP handover error

    DHCP and DNS
    • P Offline
      Patch
      last edited by Patch

      I suspect pfsense is not updating my negotiated fixed IP correctly.
      I don't know why but maybe related to DHCP client unable to get lease from cable provider [solved].

      Summary
      I have an

      • ISP Technicolor DMS3-CTC-25-191 in bridge mode
      • ISP PPP over Ethernet
      • pfsense 2.5.2-RELEASE (amd64) (Running on Proxmox 7.02 with all igb i211 NIC passthrough)
      • pfsense: Interface -> WAN -> IPv4 Configuration Type -> PPPoE. PPPoE Configuration Username & Password entered.
      • WAN interface appears to work
      • pfsense: Status -> System logs -> System -> General -> [wan] IPADDR 10.20.25.158 -> [wan] IPADDR 59.123.123.123 (My redacted Fixed IP address)

      However pfsense: Status -> System logs -> System -> General -> subsequently intermittently shows

      >>> Gateway alarm: WAN_PPPOE (Addr:10.20.25.158 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
      

      And pfsense: Status -> System logs -> Firewall -> More than once per second

      Interface	Rule	Source	Destination	Protocol
      WAN 	Block local traffic leaving WAN (Netgate Recipe R... (1627606605) 	59.123.123.123		10.20.25.158		ICMP
      

      pfsense -> Interfaces -> WAN -> Reserved Networks -> Enabling or disabling results in no observable effect

      I would like to reduce the log spam and ideally fix the underlying issue. I'm not sure what I have done wrong though.

      For those who can read System General logs, this may help (I have deleted entries from me logging in to pfsense and updating the firewall rules).

      Nov 9 18:08:22 	ppp 	16659	Multi-link PPP daemon for FreeBSD
      Nov 9 18:08:22 	ppp 	16659	process 16659 started, version 5.9
      Nov 9 18:08:22 	ppp 	16659	web: web is not running
      Nov 9 18:08:22 	ppp 	16659	[wan] Bundle: Interface ng0 created
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] Link: OPEN event
      Nov 9 18:08:22 	kernel 		ng0: changing name to 'pppoe0'
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] LCP: Open event
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] LCP: state change Initial --> Starting
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] LCP: LayerStart
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] PPPoE: Set PPP-Max-Payload to '1500'
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] PPPoE: Connecting to ''
      Nov 9 18:08:22 	ppp 	16659	PPPoE: rec'd ACNAME "adl-fkk-lls-bras34"
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] PPPoE: rec'd PPP-Max-Payload '1500'
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] PPPoE: connection successful
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] Link: UP event
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] LCP: Up event
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] LCP: state change Starting --> Req-Sent
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] LCP: SendConfigReq #1
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] PROTOCOMP
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] MRU 1500
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] MAGICNUM 0x2d97cacf
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] LCP: rec'd Configure Request #1 (Req-Sent)
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] AUTHPROTO CHAP MD5
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] MAGICNUM 0x1dac0332
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] LCP: SendConfigAck #1
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] AUTHPROTO CHAP MD5
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] MAGICNUM 0x1dac0332
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] LCP: state change Req-Sent --> Ack-Sent
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] LCP: rec'd Configure Ack #1 (Ack-Sent)
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] PROTOCOMP
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] MRU 1500
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] MAGICNUM 0x2d97cacf
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] LCP: state change Ack-Sent --> Opened
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] LCP: auth: peer wants CHAP, I want nothing
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] LCP: LayerUp
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] CHAP: rec'd CHALLENGE #1 len: 39
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] Name: ""adl-fkk-lls-bras34""
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] CHAP: Using authname "My_ISP_Login_User_Name"
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] CHAP: sending RESPONSE #1 len: 51
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] CHAP: rec'd SUCCESS #1 len: 4
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] LCP: authorization successful
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] Link: Matched action 'bundle "wan" ""'
      Nov 9 18:08:22 	ppp 	16659	[wan_link0] Link: Join bundle "wan"
      Nov 9 18:08:22 	ppp 	16659	[wan] Bundle: Status update: up 1 link, total bandwidth 64000 bps
      Nov 9 18:08:22 	ppp 	16659	[wan] IPCP: Open event
      Nov 9 18:08:22 	ppp 	16659	[wan] IPCP: state change Initial --> Starting
      Nov 9 18:08:22 	ppp 	16659	[wan] IPCP: LayerStart
      Nov 9 18:08:22 	ppp 	16659	[wan] IPCP: Up event
      Nov 9 18:08:22 	ppp 	16659	[wan] IPCP: state change Starting --> Req-Sent
      Nov 9 18:08:22 	ppp 	16659	[wan] IPCP: SendConfigReq #1
      Nov 9 18:08:22 	ppp 	16659	[wan] IPADDR 0.0.0.0
      Nov 9 18:08:22 	ppp 	16659	[wan] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
      Nov 9 18:08:22 	ppp 	16659	[wan] IPCP: rec'd Configure Request #1 (Req-Sent)
      Nov 9 18:08:22 	ppp 	16659	[wan] IPADDR 10.20.25.158
      Nov 9 18:08:22 	ppp 	16659	[wan] 10.20.25.158 is OK
      Nov 9 18:08:22 	ppp 	16659	[wan] IPCP: SendConfigAck #1
      Nov 9 18:08:22 	ppp 	16659	[wan] IPADDR 10.20.25.158
      Nov 9 18:08:22 	ppp 	16659	[wan] IPCP: state change Req-Sent --> Ack-Sent
      Nov 9 18:08:22 	ppp 	16659	[wan] IPCP: rec'd Configure Reject #1 (Ack-Sent)
      Nov 9 18:08:22 	ppp 	16659	[wan] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
      Nov 9 18:08:22 	ppp 	16659	[wan] IPCP: SendConfigReq #2
      Nov 9 18:08:22 	ppp 	16659	[wan] IPADDR 0.0.0.0
      Nov 9 18:08:22 	ppp 	16659	[wan] IPCP: rec'd Configure Nak #2 (Ack-Sent)
      Nov 9 18:08:22 	ppp 	16659	[wan] IPADDR 59.123.123.123
      Nov 9 18:08:22 	ppp 	16659	[wan] 59.123.123.123 is OK
      Nov 9 18:08:22 	ppp 	16659	[wan] IPCP: SendConfigReq #3
      Nov 9 18:08:22 	ppp 	16659	[wan] IPADDR 59.123.123.123
      Nov 9 18:08:22 	ppp 	16659	[wan] IPCP: rec'd Configure Ack #3 (Ack-Sent)
      Nov 9 18:08:22 	ppp 	16659	[wan] IPADDR 59.123.123.123
      Nov 9 18:08:22 	ppp 	16659	[wan] IPCP: state change Ack-Sent --> Opened
      Nov 9 18:08:22 	ppp 	16659	[wan] IPCP: LayerUp
      Nov 9 18:08:22 	ppp 	16659	[wan] 59.123.123.123 -> 10.20.25.158
      Nov 9 18:08:22 	check_reload_status 	376	rc.newwanip starting pppoe0
      Nov 9 18:08:22 	ppp 	16659	[wan] IFACE: Up event
      Nov 9 18:08:22 	ppp 	16659	[wan] IFACE: Rename interface ng0 to pppoe0
      Nov 9 18:08:23 	php-fpm 	347	/rc.newwanip: rc.newwanip: Info: starting on pppoe0.
      Nov 9 18:08:23 	php-fpm 	347	/rc.newwanip: rc.newwanip: on (IP address: 59.123.123.123) (interface: WAN[wan]) (real interface: pppoe0).
      Nov 9 18:08:25 	php-fpm 	80078	/interfaces.php: Gateway, none 'available' for inet, use the first one configured. 'WAN_PPPOE'
      Nov 9 18:08:25 	php-fpm 	347	/rc.newwanip: Gateway, none 'available' for inet, use the first one configured. 'WAN_PPPOE'
      Nov 9 18:08:25 	php-fpm 	80078	/interfaces.php: Default gateway setting Interface WAN_PPPOE Gateway as default.
      Nov 9 18:08:25 	php-fpm 	347	/rc.newwanip: Default gateway setting Interface WAN_PPPOE Gateway as default.
      Nov 9 18:08:25 	php-fpm 	80078	/interfaces.php: Gateway, none 'available' for inet6, use the first one configured. ''
      Nov 9 18:08:25 	check_reload_status 	376	Restarting ipsec tunnels
      Nov 9 18:08:25 	php-fpm 	347	/rc.newwanip: Gateway, none 'available' for inet6, use the first one configured. ''
      Nov 9 18:08:25 	rc.gateway_alarm 	50984	>>> Gateway alarm: WAN_PPPOE (Addr:10.20.25.158 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
      Nov 9 18:08:25 	check_reload_status 	376	updating dyndns WAN_PPPOE
      Nov 9 18:08:25 	check_reload_status 	376	Restarting ipsec tunnels
      Nov 9 18:08:25 	check_reload_status 	376	Restarting OpenVPN tunnels/interfaces
      Nov 9 18:08:25 	check_reload_status 	376	Reloading filter
      Nov 9 18:08:26 	php-fpm 	346	/rc.openvpn: Gateway, none 'available' for inet, use the first one configured. 'WAN_PPPOE'
      Nov 9 18:08:26 	php-fpm 	346	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
      Nov 9 18:08:28 	php-fpm 	347	/rc.newwanip: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1636443508] unbound[21162:0] error: bind: address already in use [1636443508] unbound[21162:0] fatal error: could not open ports'
      Nov 9 18:08:30 	check_reload_status 	376	updating dyndns wan
      Nov 9 18:08:32 	check_reload_status 	376	Reloading filter
      Nov 9 18:08:32 	php-fpm 	80078	/interfaces.php: Creating rrd update script
      Nov 9 18:08:32 	php-fpm 	347	/rc.newwanip: Resyncing OpenVPN instances for interface WAN.
      Nov 9 18:08:32 	php-fpm 	347	/rc.newwanip: Creating rrd update script
      Nov 9 18:08:34 	rc.gateway_alarm 	34750	>>> Gateway alarm: WAN_PPPOE (Addr:10.20.25.158 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
      Nov 9 18:08:34 	check_reload_status 	376	updating dyndns WAN_PPPOE
      Nov 9 18:08:34 	check_reload_status 	376	Restarting ipsec tunnels
      Nov 9 18:08:34 	check_reload_status 	376	Restarting OpenVPN tunnels/interfaces
      Nov 9 18:08:34 	check_reload_status 	376	Reloading filter
      Nov 9 18:08:34 	php-fpm 	347	/rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 59.123.123.123 -> 59.123.123.123 - Restarting packages.
      Nov 9 18:08:34 	check_reload_status 	376	Starting packages
      Nov 9 18:08:35 	php-fpm 	346	/rc.openvpn: Gateway, none 'available' for inet, use the first one configured. 'WAN_PPPOE'
      Nov 9 18:08:35 	php-fpm 	346	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
      Nov 9 18:08:35 	php-fpm 	80078	/rc.start_packages: Restarting/Starting all packages.
      Nov 9 19:13:14 	check_reload_status 	376	Syncing firewall
      			
      Nov 11 14:33:53 	php-fpm 	3547	/interfaces.php: Gateway, none 'available' for inet, use the first one configured. 'WAN_PPPOE'
      Nov 11 14:33:53 	php-fpm 	3547	/interfaces.php: Gateway, none 'available' for inet6, use the first one configured. ''
      Nov 11 14:33:53 	check_reload_status 	376	Restarting ipsec tunnels
      Nov 11 14:33:57 	check_reload_status 	376	updating dyndns opt4
      Nov 11 14:33:59 	check_reload_status 	376	Reloading filter
      Nov 11 14:33:59 	php-fpm 	3547	/interfaces.php: Creating rrd update script
      Nov 11 14:34:01 	rc.gateway_alarm 	83475	>>> Gateway alarm: WAN_PPPOE (Addr:10.20.25.158 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
      Nov 11 14:34:01 	check_reload_status 	376	updating dyndns WAN_PPPOE
      Nov 11 14:34:01 	check_reload_status 	376	Restarting ipsec tunnels
      Nov 11 14:34:01 	check_reload_status 	376	Restarting OpenVPN tunnels/interfaces
      Nov 11 14:34:01 	check_reload_status 	376	Reloading filter
      Nov 11 14:34:02 	php-fpm 	3547	/rc.openvpn: Gateway, none 'available' for inet, use the first one configured. 'WAN_PPPOE'
      Nov 11 14:34:02 	php-fpm 	3547	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
      Nov 11 14:35:07 	check_reload_status 	376	Syncing firewall
      Nov 11 14:35:12 	php-fpm 	53354	/interfaces.php: Gateway, none 'available' for inet, use the first one configured. 'WAN_PPPOE'
      Nov 11 14:35:12 	php-fpm 	53354	/interfaces.php: Gateway, none 'available' for inet6, use the first one configured. ''
      Nov 11 14:35:12 	check_reload_status 	376	Restarting ipsec tunnels
      Nov 11 14:35:17 	check_reload_status 	376	updating dyndns opt3
      Nov 11 14:35:19 	check_reload_status 	376	Reloading filter
      Nov 11 14:35:19 	php-fpm 	53354	/interfaces.php: Creating rrd update script
      Nov 11 14:35:21 	rc.gateway_alarm 	10756	>>> Gateway alarm: WAN_PPPOE (Addr:10.20.25.158 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
      Nov 11 14:35:21 	check_reload_status 	376	updating dyndns WAN_PPPOE
      Nov 11 14:35:21 	check_reload_status 	376	Restarting ipsec tunnels
      Nov 11 14:35:21 	check_reload_status 	376	Restarting OpenVPN tunnels/interfaces
      Nov 11 14:35:21 	check_reload_status 	376	Reloading filter
      Nov 11 14:35:22 	php-fpm 	53354	/rc.openvpn: Gateway, none 'available' for inet, use the first one configured. 'WAN_PPPOE'
      Nov 11 14:35:22 	php-fpm 	53354	/rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
      Nov 11 15:48:37 	check_reload_status 	376	Syncing firewall
      

      And a sample of pfsense: Status -> System logs -> Firewall -> filtered for the destination 10.20.25.158

      Time	Interface	Rule	Source	Destination	Protocol
      Nov 13 15:05:37 	WAN 	Block local traffic leaving WAN (Netgate Recipe R... (1627606605) 	59.123.123.123	10.20.25.158	ICMP
      Nov 13 15:05:38 	WAN 	Block local traffic leaving WAN (Netgate Recipe R... (1627606605) 	59.123.123.123	10.20.25.158	ICMP
      Nov 13 15:05:38 	WAN 	Block local traffic leaving WAN (Netgate Recipe R... (1627606605) 	59.123.123.123	10.20.25.158	ICMP
      Nov 13 15:05:39 	WAN 	Block local traffic leaving WAN (Netgate Recipe R... (1627606605) 	59.123.123.123	10.20.25.158	ICMP
      Nov 13 15:05:39 	WAN 	Block local traffic leaving WAN (Netgate Recipe R... (1627606605) 	59.123.123.123	10.20.25.158	ICMP
      Nov 13 15:05:40 	WAN 	Block local traffic leaving WAN (Netgate Recipe R... (1627606605) 	59.123.123.123	10.20.25.158	ICMP
      Nov 13 15:05:40 	WAN 	Block local traffic leaving WAN (Netgate Recipe R... (1627606605) 	59.123.123.123	10.20.25.158	ICMP
      Nov 13 15:05:41 	WAN 	Block local traffic leaving WAN (Netgate Recipe R... (1627606605) 	59.123.123.123	10.20.25.158	ICMP
      Nov 13 15:05:41 	WAN 	Block local traffic leaving WAN (Netgate Recipe R... (1627606605) 	59.123.123.123	10.20.25.158	ICMP
      Nov 13 15:05:42 	WAN 	Block local traffic leaving WAN (Netgate Recipe R... (1627606605) 	59.123.123.123	10.20.25.158	ICMP 
      
      • V Offline
        viragomann @Patch
        last edited by

        @patch said in Modem passthrough PPPoE Fixed IP handover error:

        And pfsense: Status -> System logs -> Firewall -> More than once per second
        Interface Rule Source Destination Protocol
        WAN Block local traffic leaving WAN (Netgate Recipe R...

        This rule, presumably a floating, blocks the gateway monitoring, since it might block any outgoing packets to private IPs, but your gateway has a private one.

        Best practice would be to set another, public IP for monitoring in System > Routing > Gateways.

        • P Offline
          Patch
          last edited by Patch

          @viragomann said in Modem passthrough PPPoE Fixed IP handover error:

          This rule, presumably a floating, blocks the gateway monitoring, since it might block any outgoing packets to private IPs, but your gateway has a private one.

          Thanks for identifying my mistake. You are indeed correct: I created a floating rule on the WAN interface long ago and had forgotten about it when installing a pfsense appliance at another location.

          At this site PPPoE is used instead of DHCP.
          The local address is used during initial PPP negotiation with my ISP (probably to support customers on their carrier grade NAT) prior to changing to my fixed IP address. It appears pfsense continues to use the old local address but the floating rule is applied after PPP negotiation.

          Thanks for the solution. Changing the rule from reject to pass showed it was used once then the log spam stopped.

          • P Offline
            Patch
            last edited by Patch

            Another question for the same interface, how do I make gateway monitoring work? Or is this not possible as it is blocked by my ISP?

            pfsense -> Status -> Gateways ->

            Name Gateway Monitor RTT RTTsd Loss Status Description
            WAN_PPPOE ( Default) 10.20.25.152 10.20.25.152 0ms 0ms 100% loss Offline, Packetloss: 100% Interface WAN_PPPOE Gateway

            pfsense -> States -> search 10.20.25.152

            Interface Protocol Source (Original Source) → Destination (Original Destination) State Packets Bytes
            WAN icmp 59.123.123.123:11316 -> 10.20.25.152:11316 0:0 881 / 880 25 KiB / 48 KiB

            pfsense -> Diagnosis -> Traceroute shows (independent of Use ICMP)

             1  10.20.25.152  6.066 ms  5.601 ms  5.225 ms
             2  203.219.182.5  6.303 ms  6.451 ms  6.187 ms
            

            pfsense -> Diagnosis -> Ping 10.20.25.152 fails with 100% packet loss.

            pfsense -> Status -> Interfaces shows
            WAN Interface (wan, pppoe0)

            Item Value
            Status up
            PPPoE up
            Uptime 02:34:04
            IPv4 Address 59.123.123.123 (My redacted fixed IP)
            Subnet mask IPv4 255.255.255.255
            Gateway IPv4 10.20.25.152
            IPv6 Link Local fe80::2e0:4cff:fe68:25a1%igb0
            MTU 1492
            In/out packets 193195/210658 (142.05 MiB/56.75 MiB)
            In/out packets (pass) 193195/210658 (142.05 MiB/56.75 MiB)
            In/out packets (block) 1678/0 (154 KiB/0 B)
            In/out errors 0/0
            Collisions 0

            Firewall rules
            Floating

            Action States Interfaces Protocol Source Port Destination Port Gateway Queue Schedule Description
            Pass & Log 0 /2 KiB WAN IPv4 * * * PrivateIPv4 * * none Don’t reject local traffic leaving WAN (to ISP gateway)

            WAN

            Action States Protocol Source Port Destination Port Gateway Queue Schedule Description
            Block 0 /0 B * Reserved Not assigned by IANA * * * * * Block bogon networks
            Pass Port forwards
            • V Offline
              viragomann @Patch
              last edited by

              @patch
              Take any IP on the internet which you know is responding to ICMP requests. You can set it for monitoring in the gateway settings.

              1 Reply Last reply Reply Quote 1
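The diagnosis reached in this thread, as an added example that is not part of any post: it reads the PPP log for the negotiated local and peer addresses, then checks whether the gateway-monitor target would match a rule that blocks private destinations leaving WAN. The function names, the RFC 1918 definition of "private", and the sample log (constructed from the lines quoted above) are assumptions.

```python
import ipaddress
import re

# Constructed sample, modeled on the log lines quoted in the thread.
SAMPLE_LOG = """\
Nov 9 18:08:22 ppp 16659 [wan] IPCP: rec'd Configure Request #1 (Req-Sent)
Nov 9 18:08:22 ppp 16659 [wan] IPADDR 10.20.25.158
Nov 9 18:08:22 ppp 16659 [wan] IPCP: rec'd Configure Nak #2 (Ack-Sent)
Nov 9 18:08:22 ppp 16659 [wan] IPADDR 59.123.123.123
Nov 9 18:08:22 ppp 16659 [wan] IPCP: LayerUp
Nov 9 18:08:22 ppp 16659 [wan] 59.123.123.123 -> 10.20.25.158
Nov 9 18:08:25 rc.gateway_alarm 50984 >>> Gateway alarm: WAN_PPPOE (Addr:10.20.25.158 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
"""

# Assumption: the "private IPs" the floating rule matches are the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "[bundle] local -> peer", logged once IPCP reaches LayerUp.
LINK_RE = re.compile(r"\[(\w+)\] (\d+(?:\.\d+){3}) -> (\d+(?:\.\d+){3})")
ALARM_RE = re.compile(
    r"Gateway alarm: (\S+) \(Addr:(\S+) Alarm:(\d+) .*?Loss:(\d+)%\)")


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def ipcp_endpoints(log):
    """Return (local, peer) from the last 'local -> peer' line, or None."""
    matches = LINK_RE.findall(log)
    if not matches:
        return None
    _, local, peer = matches[-1]
    return local, peer


def alarms(log):
    """Return [(gateway_name, monitored_addr, loss_percent), ...]."""
    return [(gw, addr, int(loss)) for gw, addr, _, loss in ALARM_RE.findall(log)]


def diagnose(log, monitor_ip=None):
    """Predict whether a 'block private destinations leaving WAN' rule
    would drop the gateway-monitor probes."""
    ends = ipcp_endpoints(log)
    if ends is None:
        return {"error": "no negotiated address pair found"}
    local, peer = ends
    # With no monitor IP configured, the gateway (PPP peer) itself is probed.
    target = monitor_ip or peer
    return {
        "local": local,
        "peer": peer,
        "monitor_target": target,
        "probe_blocked_by_rule": is_rfc1918(target),
        "alarms_for_target": [a for a in alarms(log)
                              if a[1] == target and a[2] == 100],
    }
```

A target that is not blocked can still show 100% loss if the peer simply does not answer ICMP, which is what the later posts in the thread report for the ISP gateway.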