WAN general config set to DHCP, but always pulls same ipv4 address from Modem. ARP Table shows "Permanent" in Status column and I can't release it.
-
LSS: I have Xfinity/Comcast and I am supposed to get 600Mbps but I am still only getting the first (initial purchase) order of 400Mbps.
When I plug laptop directly into (my Motorola Modem) and restart it, I get a different public ip and the faster speeds, but plugging my router back in I get a "static ip" (that I did not setup, my setup is DHCP for WAN) and only the lower speeds. I can't change WAN MAC for spoofing due to it saying in Interfaces / WAN "The MAC address of a VLAN interface must be set on its parent interface," I'm sure I might have done something wrong somewhere but I only have basic setup and one VLAN for IOT devices.
When I look at Diagnostics / ARP Table it shows Interface WAN > IP Address (98.xxx.xxx.xxx) > MAC (MAC address of router) > Hostname (which has a combo of my IP and then words separated by periods and the last two are comcast.net) > Status Permanent > Link Type vlan. I tried to "delete" under actions, to force it to let it go/reset somehow and it would not let me.
I have burned up over 20 hours in 3 days googling and playing with my NETGATE Router (SG-1100) and have spoken with Xfinity a ton (all on phone not yet with field tech). I have scoured the internet and these forums and of course the pfsense docs online and can't find the right solution to my issue, I feel this is common because of what results I did find, but either I am overthinking it or just not smart enough to put them all together to solve this, please help before all my hair turns gray.
Thanks in advance.
-
@andykauffman23 said in WAN general config set to DHCP, but always pulls same ipv4 address from Modem. ARP Table shows "Permanent" in Status column and I can't release it.:
but plugging my router back in I get a "static ip" (that I did not setup
I doubt it's "static" if you're set to dhcp.. But sure you would almost always get the same IP via dhcp if your mac is the same as previous lease.. You would have to turn off your device and wait til that lease has expired and IP handed out to different dhcp client. Prob not what you're wanting to do ;)
If you're looking in the arp table and seeing perm, that is because you do not have to "arp" for your own IP mac.. So yes it's listed as perm..
example here is my dhcp from my isp in my arp table
(64.53.x.x) at 00:08:a2:0c:e6:25 on igb1 permanent [ethernet]
But to change your mac, yes you would need to do that on the physical interface, if it's considered a vlan, what physical interface does your wan sit on? sg1100 might be all switch ports so yeah your "wan" might be considered a vlan interface because of the switch ports..
"Network Ports: Marvell 88E6141 networking switch which drives (3) GbE Ethernet (WAN/LAN/OPT) ports"
There might not be a way to change the mac from the gui on such a device? You might have to do it from cmd line.. And then not sure if that would survive a reboot?
Better worded questions might be how to change mac on sg1100.. But have you actually rebooted your cable modem after you have upgraded this new speed.. Quite often that is required when you're on a new speed tier..
edit: here you go found a thread with your exact question.. Derelict's answer I think is what you're looking for.
https://forum.netgate.com/topic/148558/sg-1100-wan-mac-spoofing-guide
I thought this sort of question sounded familiar.. I had chimed in on that thread as well about doing it from cmd line - but derelict provides a way to do it from the gui that would stick between reboots.
-
Yeah you can assign the parent interface and enable it as type 'none' then set the MAC there.
How are you testing this though? You may be hitting the throughput limit on the 1100 anyway.
Steve
-
@johnpoz First off, thanks for the quick response. Indeed, the first thing I did was unplug the modem for 10-20 seconds and that did not work. I did read that article yesterday and did that exact same thing and then could not get it to work correctly. Again I'm sure I missed a step or two. For example what does he mean when he says, "spoof the MAC address, but do not number it." I tried a MAC similar to my Router's original and changed the last 2 numbers and no joy. And then unplugged router to reset and then it started back up and after unplugging Modem and restarting it found "via DHCP" the same ipv4 addy for the WAN as always (of course).
Side Note: There have been times that the router only finds the "default" ip addy of the Modem but after I stop and restart the service under Status / Gateways it will find the locked IPV4 address.
-
@andykauffman23 he means do not put an IP on that interface
"Leave IPv4 and IPv6 set to None."
But @stephenw10 could be correct - he would be way more familiar with actual performance of the sg1100 than me.. It's possible 400 something could be the performance limits of the sg1100..
Now on the spec sheet it does list
Firewall (10k ACLs) IPERF3 Traffic: 656 Mbps IMIX Traffic: 190 Mbps
So while you would think 600 should be doable - in reality you might be somewhere between that 190 number and the 656 number..
From your test of connecting another device and seeing your 600 tier speed. It could also point to just speed limits of the sg1100 :(
-
@stephenw10 thanks for the response. When you say assign and enable it to "none," I presume you are referring to the IPV4 and IPV6 Configuration Type(s) and set MAC??
As far as testing, I have used Speedtest.net and Iperf3.
When plugged directly into the Modem (with two different laptops mind you) I get the >600 speeds (which is what Xfinity is supposed to be pushing to me) using Speedtest.net.
And the limits of the 1100 are at 880 and 650+/- through Firewall as per their website https://shop.netgate.com/products/1100-pfsense
Thanks
-
@andykauffman23 is it possible you had set some sort of shaping or limiting numbers based on your old 400 tier speed?
-
@johnpoz HMMMMMM... I see what you mean and didn't notice that @stephenw10 was NETGATE and ADMIN till after I just responded to him... HA!
I hear what you are saying about the "somewhere" in between those speeds part, but the fact that when I plug into the Modem directly (via laptop) and I receive a 73.xxx.xx.xx or 76.xxx.xxx.xx ip addy and get higher speeds (600+) and then when I plug into the router and only get the one ip addy of 98.xxx.xxx.xxx and speeds of less than 400 makes me wonder. Hence the reason I ponder if I could get the SG-1100/Pfsense to "accept" a new ip from the modem would I therefore get higher speeds? And of course the HOW TO do it properly.
-
@johnpoz nothing under traffic shapers or limiters has been touched and there shows nothing in there while looking at Firewall/Traffic Shaper/By Interface and Firewall/Traffic Shaper/Limiters
-
@johnpoz said in WAN general config set to DHCP, but always pulls same ipv4 address from Modem. ARP Table shows "Permanent" in Status column and I can't release it.:
@andykauffman23 he means do not put an IP on that interface
"Leave IPv4 and IPv6 set to None."
So to make sure I troubleshoot correctly, under the existing "MAIN" WAN interface change the config type(s) to none? (as screenshot below shows and hasn't been saved/applied yet) And then try what (if anything) for the MAC Address? Please and thanks for the guidance.
-
Yep, exactly like that.
Try using the MAC address of your laptop since you know that gets 600Mbps.
Steve
-
@stephenw10 Ok.... Here goes nothing!!!
-
@stephenw10 Wait it won't let me change it there because of the (screenshot)
Although that is the "original" WAN Interface (setup,etc...)
So presuming I create another 'Available network port' under Interfaces/Interface Assignments which is already tied (of course) to the MAC address of the router (screenshot)
After creating it to say 'None' in the configs add laptop MAC and enable it, do I just go under the 'original' WAN interface and "un-able" it and then restart both the router and the modem or.......
Just want to make sure I do this correctly, last time I couldn't connect to my router to change stuff back for 15-20 minutes and the kids and wife were 'hating it' HA!
-
Doh! Sorry, misread that.
Yeah you need to assign mvneta0 directly to a new interface and set that as type none. Then you can spoof the MAC there.
Be aware it will change the MAC for all VLANs so you might see the 'new network' warnings from Windows as it sees a new DHCP server.
Also, thinking more about this you should use a MAC slightly different to your laptop if you need to use that laptop behind the 1100 as it will otherwise conflict there.
Steve
-
@stephenw10 @johnpoz
I wish I could truly explain what happened, but I'll try to anyways...
So did as told and reset/restarted Modem and Router, etc.
As it came back up I realized that I (we) hadn't addressed the Gateway situation. No gateway, no ip from Modem nada...
I created a new gateway and set it to the "new" interface I created 'WAN_Spoof' and 'disabled' the original. Tried to start the service several times and no joy. At this point the kids and wife are crying, "Hurry Up!" So I said, "screw it, I'm going back to original and will deal with it later."
I un-did everything and applied changes and then rebooted router and then to my surprise I received a new 73.xxx.xxx.xx IP in the Gateway (haven't tried the direct connection to the Modem via laptop yet but will later when kids in bed). Unfortunately I am not getting the speeds I was when directly plugged into Modem (see above), but at least the Router pulled a new (DHCP) address out the sky :)
So at this point, I would presume I need to bug the heck out of the ISP (Xfinity) and ask them to do WHAT? Please and thanks in advance for the help on this question to them.
And of course thanks for troubleshooting with me today and if there is anything else anyone else can come up with I would greatly appreciate it and be willing to try it out and report back.
Thanks again.
-
@andykauffman23 yeah if you got a new IP you know it's not speed tier tied to your old IP.
Problem is - tech will come out, connect his laptop and if he gets 600.. It's your device, period end of story.. And you have already shown that if you connect direct to modem you see 600..
So the problem seems to be sg1100 just can not do 600 via how you're testing?? Maybe it's faulty, maybe there is some config thing you could do to boost it to 600ish..
Might be time for upgrade from the 1100, the 2100 perhaps?
-
Ok, so you removed the MAC spoofing entirely but after speaking with Comcast the 1100 is now correctly pulling a random public IP as expected?
But you are still seeing reduced speeds?
What speeds are you actually seeing now? How are you testing?
4-500Mbps against speedtest.net is about what's expected from the 1100.
You can try connecting to the console and running at the command line:
top -aSH
That will show you the cpu usage so if you run it whilst you're testing you can see if you're hitting a limit there.
Steve
-
@johnpoz The thing is I just bought this 3 months ago... :( sad face
@stephenw10 Still seeing reduced speeds (see one testing method in screenshot below)
Took this snapshot while running the speedtest.net (screenshot)
Also did as asked at the command line and I got this (screenshot)
I was watching a video from Lawrence Systems on YouTube "https://www.youtube.com/watch?v=_bM3XqK5JzE" and he was talking about the SG-1100 and reviewing it (2 Years ago mind you) and he got better speeds his setup was Laptop(LAN)>SG-1100 >Switch(Wan)>LinuxServer (for testing with iperf3) and he's getting avg. 700 (TCP) & 900+/- (UDP with about 24% packet loss)
But he said something in there and something kind of clicked in my head and I thought about my setup having the 3 ports WAN/LAN/OPT and then I added a VLAN. Would that in any way disperse or spread out the "shared" data plane and therefore limit the data so that they can all maintain the 1Gig across the 3 ports not Labeled WAN (3 original + 1 VLAN). I know in my head that shouldn't be, I think, but just thought I would ask you all.
My next thought is, since I don't have a server but I do have a Raspberry Pi with iperf3 on it that I put it directly (or hooked up to a switch) to the WAN port, assign it an IP and then my laptop to directly to LAN (nothing in between) and run iperf3 across to each other. Of course when I have time and no one needs the internet. What do you think?
-
Mmm, that top output can't be correct. Did you actually run it at the command line? In the gui via Diag > Command Prompt will not give useful output. You have to use the serial console or SSH.
You will see something like:
last pid: 39370;  load averages:  2.02,  1.14,  0.76  up 0+12:13:50    01:09:42
136 threads:   5 running, 113 sleeping, 18 waiting
CPU:  7.8% user,  0.0% nice, 38.4% system, 45.7% interrupt,  8.0% idle
Mem: 42M Active, 45M Inact, 138M Wired, 68M Buf, 736M Free

  PID USERNAME PRI NICE  SIZE   RES STATE   C   TIME   WCPU COMMAND
   12 root     -92    -    0B  304K CPU0    0   1:18 89.84% [intr{gic0,s42: mvneta0}]
29645 root       4    0   15M 5956K RUN     1   0:47 61.80% /usr/local/bin/iperf3 -s
   11 root     155 ki31    0B   32K RUN     1 712:51 12.02% [idle{idle: cpu1}]
   11 root     155 ki31    0B   32K RUN     0 714:59  4.57% [idle{idle: cpu0}]
  366 root      52    0  104M   36M accept  1   0:49  1.94% php-fpm: pool nginx (php-fpm){p
40872 root      20    0   13M 3528K CPU0    0   0:00  0.21% top -aSH
   12 root     -76    -    0B  304K WAIT    1   0:00  0.16% [intr{swi0: uart}]
   12 root     -60    -    0B  304K WAIT    1   0:53  0.15% [intr{swi4: clock (0)}]
10984 root      20    0   32M   21M nanslp  0   0:38  0.14% /usr/local/sbin/pcscd{pcscd}
88807 root      20    0   28M 8400K kqread  1   0:00  0.09% nginx: worker process (nginx)
    8 root     -16    -    0B   16K pftm    1   0:44  0.06% [pf purge]
    6 root     -16    -    0B   16K e6000s  1   0:19  0.04% [e6000sw tick kproc]
71943 root      20    0   18M 6020K select  0   0:06  0.04% /usr/local/sbin/ntpd -g -c /var
   21 root     -16    -    0B   48K psleep  1   0:04  0.03% [pagedaemon{dom0}]
44118 root      20    0   11M 2536K nanslp  0   0:11  0.02% /usr/local/bin/dpinger -S -r 0
    9 root     -16    -    0B   16K -       1   0:03  0.02% [rand_harvestq]
24544 root      20    0   11M 2564K select  1   0:01  0.02% /usr/sbin/syslogd -s -c -c -l /
What you're looking for is the idle percentage on both cores. In that example I'm running iperf on the SG-1100 directly so it's not a good test.
The single mvneta(4) NIC in the 1100 means it can only use one core for traffic. Here the other one is used by iperf3.
Having multiple interfaces with VLANs will only make any difference if they are also moving traffic at the same time you are testing WAN to LAN.
Steve
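
The per-core reading of `top -aSH` described in the post above (idle percentage on each core, and which thread is using the rest), as an added example that is not part of the original post. The function names, the fixed column positions (core in the `C` column, `WCPU` in the tenth field) and the 10% idle threshold are assumptions made for this sketch; the sample rows are copied from the output posted above.

```shell
#!/bin/sh
# Added example (not from the thread): per-core summary of `top -aSH` text.

# Rows copied from the sample output posted above, trimmed to five threads.
sample_top() {
cat <<'EOF'
last pid: 39370;  load averages:  2.02,  1.14,  0.76  up 0+12:13:50    01:09:42
136 threads:   5 running, 113 sleeping, 18 waiting
  PID USERNAME PRI NICE  SIZE   RES STATE   C   TIME   WCPU COMMAND
   12 root     -92    -    0B  304K CPU0    0   1:18 89.84% [intr{gic0,s42: mvneta0}]
29645 root       4    0   15M 5956K RUN     1   0:47 61.80% /usr/local/bin/iperf3 -s
   11 root     155 ki31    0B   32K RUN     1 712:51 12.02% [idle{idle: cpu1}]
   11 root     155 ki31    0B   32K RUN     0 714:59  4.57% [idle{idle: cpu0}]
40872 root      20    0   13M 3528K CPU0    0   0:00  0.21% top -aSH
EOF
}

# Reads `top -aSH` text on stdin. $1 is the idle percentage below which a
# core is flagged; the default of 10 is an assumption, not from the thread.
summarize_top() {
    awk -v floor="${1:-10}" '
    # Thread rows: numeric PID in $1, core in $8 (C), WCPU in $10.
    $1 ~ /^[0-9]+$/ && $10 ~ /%$/ {
        pct = $10; sub(/%$/, "", pct); pct += 0
        cmd = $11
        for (i = 12; i <= NF; i++) cmd = cmd " " $i
        tag = "[idle{idle: cpu"
        if (index(cmd, tag) == 1) {          # per-core idle thread
            core = substr(cmd, length(tag) + 1) + 0
            idle[core] = pct
        } else {                             # busiest non-idle thread per core
            core = $8 + 0
            if (pct > busy[core]) { busy[core] = pct; who[core] = cmd }
        }
        seen[core] = 1
        if (core > max) max = core
    }
    END {
        for (c = 0; c <= max; c++) {
            if (!(c in seen)) continue
            known = (c in idle)
            shown = known ? sprintf("%.2f%%", idle[c]) : "n/a"
            flag = (known && idle[c] < floor) ? "SATURATED" : "ok"
            printf "cpu%d idle=%s busiest=%.2f%% %s -> %s\n", c, shown, busy[c], who[c], flag
        }
    }'
}

sample_top | summarize_top
```

To use it on real data, feed it text captured from an SSH or serial console session while the speed test is running; as the post above notes, the GUI command prompt will not give useful output.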
-
@stephenw10 I captured this while doing a speedtest.net. Is this what you were referring to correct?
Thanks