Multi WAN + Multi PPPoE IPs
-
Hey y'all,
So currently I have Bell Canada's FTTH 1.5Gbps internet service. My physical setup is pretty simple. I have WAN0 and LAN0. Typical NAT setup with a few ports forwarded. My WAN0 is actually overlaid with a PPPoE dialer. Why on God's green earth would Canada's biggest telco/ISP use PPPoE over a 1.5Gbps FTTH connection? F* k if I know. WAN0 is a 10gig connection to the Bell HH4000 "Modem". I've turned off IPv4 addressing on WAN0 and made the PPPoE dialer's default gateway the interface where all the NAT magic is happening, to prevent a double NAT headache btw. WAN0 either shows no IP or a 169 address if you view the interface status.
I want to introduce 3 new scenarios into the mix here. How would I go about doing this?
1. Multiple IPs from the PPPoE dialer. I can have a few PPPoE sessions at once, so that's an option, but not as ideal as, say, a virtual IP on the PPPoE interface which simply requests a second (or 3rd) DHCP public IP. These additional IPs would be strictly used for NAT port forwarding. I have one use case which requires 1:1 and the rest are many to 1. How do I go about creating these additional IP addresses with a PPPoE dialer? I would like to avoid using multiple PPPoE dialer interfaces, but if that's the only/easiest way then so be it.
2. Secondary WAN provider. I have a 2nd 1Gbps/50Mbps cable Internet connection with Rogers. I can get one or maybe 2 public DHCP addresses from this interface. The physical setup is pretty simple. It's a second WAN ethernet interface plugged into the Rogers cable modem, which is in bridge mode, so the interface will pull at least 1 public IP. The strange part is I've had trouble getting a second IP if I create a virtual interface that in theory should work just as if a second device were plugged into the Rogers modem. If I plug another wireless router into the Rogers modem it will get a public IP right away. If I try to get a second IP on the same pfSense physical NIC thru a sub interface it doesn't seem to work. But let's just focus on getting 1 IP. I want that IP to be used for specific NAT forwarding for DNS and SMTP specifically. WAN failover is a desired outcome secondary to providing additional public WAN IPs which I can use for NAT port forwarding. I have multiple port 80 HTTP and port 443 HTTPS web servers, which can only be achieved thru additional IPs as mentioned above in #1 and by adding a second WAN provider.
3. I'm also curious if anyone knows whether utilizing MLPPP on the Bell connection will realize any potential performance gains? I can already get 1.6/1.1Gbps (rounded up but pretty close without rounding) over a single 10 gig ethernet adapter plugged into the Bell modem's 10 gig port. I'm asking this because I saw someone posting about doing this and claiming a slight increase in performance, but they had a 500Mbps FTTH connection compared to mine, which is 1.5/1.0.
Hopefully that all made sense. Thanks in advance for your help/input/comments.
Stay safe y'all! Cheers. Ryan
-
-
- You need to create multiple PPPoEs on the same ethernet interface. Then you need to assign interfaces to them and it will work. You also need to assign a monitor IP on the subsequent gateways created, so that monitoring can work. Use a pingable IP inside your provider. It has to be different for each gateway.
- One IP via DHCP should work. Getting additional IPs would require additional MAC addresses. You will need either multiple physical interfaces or some VLAN trickery.
- MLPPP needs to be set up on the ISP side too.
Since the ppp process is single threaded, if it can't saturate the link, then running a second one on a different core might give some benefit.
But you can't do that without ISP involvement.
Using faster hardware is the better option.
You can always run multiple PPPoEs (but not MLPPP) on the same interface. But that will give you multiple IPs only IF the ISP allows multiple logins from the same port.
Then you could do load balancing, but you won't saturate the link in a single connection.
-
@netblues thanks for the reply.
Regarding #1. So let’s say I have LAN, WAN and OPT1 interfaces. OPT1 is the unused onboard e1000 NIC. Meanwhile the LAN & WAN interfaces are ports 0 & 1 associated with a single Mellanox ConnectX-3 SFP 10gig NIC. (Or a Broadcom BCM5700 dual port SFP+ 10Gbps NIC. I have both kinds to use.) How do I go about getting, say, 3 WAN IPs using PPPoE? Do I simply go to the PPP accounts page and create 2 additional PPPoE logins in addition to the already existing primary PPPoE login? Then what? How do I get the 2 additional PPPoE sessions to be associated with the WAN interface so I can create NAT/FW rules? Additionally, what does a 1:1 NAT setup look like in the configuration settings vs a many to one?
- Ok, so in my physical configuration mentioned above, where there are WAN, LAN and OPT1 physical interfaces… would I assign the Rogers cable modem to the OPT1 interface? And what next? How do I handle NAT translation/FW rules here? I don’t want my LAN clients to have access to Rogers internet unless they are one of the servers that I will create a NAT/FW entry for. In most cases I’ll be using many to 1 NAT translation but in one case I wave.
#3 I checked your remarks. No further questions on that now.
I do have another new question now. So far I’ve been talking about plugging the cable modem and fibre “modem” ports from the CPE into the PC/pfSense router, which is how it is configured at the moment. But I want to virtualize my pfSense router and utilize VLANs & VMware vCenter 7 distributed networking. How do I go about replacing my point-to-point cable between a modem and a WAN port on the router with a Dell PowerConnect fibre optic switch? I would imagine I will create VLAN, say, 99 for Rogers and 3535 for Bell, then set the ports the Bell modem and pfSense's Bell WAN interface are plugged into to VLAN 3535, and the same for Rogers but using VLAN 99? Because I’ve sort of done this before, where I plugged Rogers into a port and set it to VLAN 99, then I set the port the ESX would be plugged into to VLAN 99 as well, and I also set a third one to 99 as a sort of test interface/workstation on the VLAN, and I cannot get connectivity to the Rogers cable modem. DHCP did not traverse over the VLAN interface even though they were all on the same VLAN. Is this normal behavior? Is there anything special I have to configure to allow a cable modem to be on a VLAN? I never tested it with Bell.
Thanks so much, again! Cheers. Ryan.
-
@pilotryan2992 said in Multi WAN + Multi PPPoE IPs:
Do I simply go to the PPP accounts page and create 2 additional PPPoE logins in addition to the already existing primary PPPoE login? Then what? How do I get the 2 additional PPPoE sessions to be associated with the WAN interface so I can create NAT/FW rules? Additionally, what does a 1:1 NAT setup look like in the configuration settings vs a many to one?
Then you assign interfaces to the PPPoEs.
So you end up with, let's say, 3 WAN interfaces, each one with its own rules
(both port forward and outbound NAT).
As for who gets to use what interface, you need to policy route at your LAN interface and specify the requested gateway.
-
@pilotryan2992 said in Multi WAN + Multi PPPoE IPs:
Ok, so in my physical configuration mentioned above, where there are WAN, LAN and OPT1 physical interfaces… would I assign the Rogers cable modem to the OPT1 interface? And what next? How do I handle NAT translation/FW rules here? I don’t want my LAN clients to have access to Rogers internet unless they are one of the servers that I will create a NAT/FW entry for. In most cases I’ll be using many to 1 NAT translation but in one case I wave.
The OPT1 interface should be configured as DHCP.
It will get a public IP and is a typical interface.
You will assign inbound rules (if needed) on the OPT1 interface.
Again, adding policy routing FW rules at your LAN interface(s) will send the traffic as needed.
-
@pilotryan2992 said in Multi WAN + Multi PPPoE IPs:
I do have another new question now. So far I’ve been talking about plugging the cable modem and fibre “modem” ports from the CPE into the PC/pfSense router, which is how it is configured at the moment. But I want to virtualize my pfSense router and utilize VLANs & VMware vCenter 7 distributed networking
You have two options here.
You can use VLANs at the vCenter level, which means that each VLAN will be mapped to a virtual interface, and pf will see "that" many interfaces.
ESXi would be handling all the needed tagging.
The second option is to do the same at the pf level and use the interface as a "trunk". The trunk could terminate either at the vSphere vSwitch or at an external VLAN-capable switch.
That's the general idea.
As for the modem, depending on the requirements, especially if it is in so-called bridge mode, you might need to tag your traffic with a specific VLAN ID as it reaches the modem in order for DHCP/PPP frames to reach the other end.
-
OK, so OPT1 is Rogers DHCP. Gotcha about the rules. But I am still confused about the multiple IP / multiple PPPoE session. Is there any guide/documentation on how to do this? I tried searching for various renditions of "pfsense multiple public IP Multiple PPPoE" and couldn't find an answer which pertained to dynamic IP addresses. My internet is pure PPPoE/DHCP. I use DynDNS and scripts to update my DynDNS provider. The link is pretty solid and I've had the same IP for months now, but if I were to disconnect it could change at any time. Unlike Rogers, which has what I call pseudo-static reservations. The IP address will remain the same with the same MAC address. I've had the same dynamic IP for years. It's great. Bell, stupid PPPoE makes it change about as often as I reconnect, but it has gotten a bit better and sometimes I keep the same IP.
I wish someone figured out a way to force the PPPoE server to give them the same IP address. Like how on an ethernet adapter you can hard code a static IP: if you know the right parameters to input you can just type them in. But for some reason PPPoE insists on being weird and not letting us statically code an IP. Frustrating AF!
-
@pilotryan2992 said in Multi WAN + Multi PPPoE IPs:
I wish someone figured out a way to force the PPPoE server to give them the same IP address. Like how on an ethernet adapter you can hard code a static IP: if you know the right parameters to input you can just type them in. But for some reason PPPoE insists on being weird and not letting us statically code an IP. Frustrating AF!
No way.
There is absolutely no way you can do this.
IPs are typically assigned by a provisioning RADIUS service.
Only your ISP can do this for you.
-
@pilotryan2992 said in Multi WAN + Multi PPPoE IPs:
But i am still confused about the multiple IP / multiple PPPoE session. Is there any guide/documentation on how to do this ?
Interfaces, Assignments, PPPs, Add.
Select the same physical ethernet for all.
After that, assign new interfaces to the PPPs
and you end up with multiple WAN PPP interfaces with different IPs
(if your provider allows multiple logins, that is).
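
The distinctions asked about in this thread (1:1 versus many-to-one NAT, port forwards on the second WAN, and limiting which LAN hosts may leave through it), written as FreeBSD pf rules. This is an added example, not part of any post and not the ruleset pfSense generates from the GUI; every interface name, host address and gateway below is a constructed placeholder.

```pf
# Constructed placeholders: replace interface names, hosts and gateways.
bell1     = "pppoe0"         # first PPPoE session (the existing WAN)
bell2     = "pppoe1"         # second PPPoE session on the same physical NIC
bell2_gw  = "203.0.113.1"    # placeholder for the second session's peer address
rogers    = "em0"            # OPT1, DHCP from the bridged cable modem
rogers_gw = "198.51.100.1"   # placeholder for the DHCP-supplied gateway
lan       = "mlxen0"
lan_net   = "192.168.1.0/24"
srv_1to1  = "192.168.1.10"   # the one host that needs 1:1 NAT
srv_mail  = "192.168.1.20"   # DNS + SMTP server published on Rogers
table <via_rogers> const { 192.168.1.20 }

# --- Translation ---
# 1:1: one inside host owns the whole second PPPoE address, in both directions.
binat on $bell2 from $srv_1to1 to any -> ($bell2)
# Many-to-one: the rest of the LAN shares the first PPPoE address outbound.
nat on $bell1 from $lan_net to any -> ($bell1)
# Only the listed servers are translated on Rogers; no rule exists for other hosts.
nat on $rogers from <via_rogers> to any -> ($rogers)
# Port forwards for DNS and SMTP arriving on the Rogers address.
rdr on $rogers proto { tcp, udp } from any to ($rogers) port 53 -> $srv_mail
rdr on $rogers proto tcp from any to ($rogers) port 25 -> $srv_mail

# --- Filtering (binat and rdr translate only; they open nothing) ---
block log all
pass out all
# reply-to sends answers back out the WAN the connection arrived on.
pass in on $rogers reply-to ($rogers $rogers_gw) proto { tcp, udp } \
    from any to $srv_mail port 53
pass in on $rogers reply-to ($rogers $rogers_gw) proto tcp \
    from any to $srv_mail port 25
pass in on $bell2 reply-to ($bell2 $bell2_gw) proto tcp \
    from any to $srv_1to1 port 443

# Policy routing on LAN: quick rules pick the gateway per source host.
# Local destinations are excluded so LAN-to-LAN traffic is not forced out a WAN.
pass in quick on $lan route-to ($rogers $rogers_gw) from <via_rogers> to ! $lan_net
pass in quick on $lan route-to ($bell2 $bell2_gw) from $srv_1to1 to ! $lan_net
# Everyone else follows the default route (first PPPoE session).
pass in on $lan from $lan_net to any
```

Because the 1:1 mapping exposes every port of the inside host on its public address, the inbound pass rule on that interface is the only thing limiting what is reachable; keep it as narrow as the service requires.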