    Switching to pfSense from Sophos UTM

    9 Posts 3 Posters 1.1k Views
foreverjake

Hello, for years I have used Sophos UTM with a home user license. Recently it has become unstable and so I'm trying out pfSense. I have configured the pfSense firewall using a second broadband connection (TMO Internet) and everything seems to be working fine. When I change over to my Comcast business connection (using my own cable modem and a DHCP WAN configuration) I fail to get connected. I get a public IPv4 address, but the firewall reports the gateway as up with 100% packet loss. Since both connections are basic DHCP ethernet connections I would expect them to work interchangeably. What am I missing? I have toggled the bogon and RFC1918 blocking rules to no effect. I have played with the MTU setting (setting it to 1400) even though the UTM uses 1500 with no problem. I have toggled IPv6 on and off on the interface. I don't think the modem is locking to a MAC address as I can plug in with my laptop without restarting the modem and everything works. I have powered it off for 10 minutes between attempts. Can someone here suggest something to test next?

      BIOS Vendor: American Megatrends Inc.
      Version: 5.6.5
      Release Date: Mon Sep 28 2015
      Version 2.6.0-RELEASE (amd64)
      built on Mon Jan 31 19:57:53 UTC 2022
      FreeBSD 12.3-STABLE

      The system is on the latest version.
      Version information updated at Mon Feb 6 3:53:23 PST 2023
      CPU Type Intel(R) Celeron(R) CPU J1900 @ 1.99GHz
      Current: 1992 MHz, Max: 1993 MHz
      4 CPUs: 1 package(s) x 4 core(s)
      AES-NI CPU Crypto: No
      QAT Crypto: No

Jarhead @foreverjake

        @foreverjake
The gateway monitoring depends on the IP entered as the monitor IP.

Cable modems do need to be restarted when changing the directly connected device because they remember the MAC address, but you say you did that.
Did you try to ping the internet from pfSense when connected?
Need to see if it has internet before going through rules, etc.

As a test, you can spoof the MAC from the old router onto the pfSense WAN.

foreverjake @Jarhead

@jarhead I turned off the modem for 10 min before connecting the firewall. When the firewall came up, I tried to ping the next hop on the WAN interface with 100% loss. I checked the ARP table and it had an entry for the next hop.

SteveITS @foreverjake

            @foreverjake In System/Routing you can edit the gateway and check "Disable Gateway Monitoring" to prevent it being detected as down.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote 👍 helpful posts!

foreverjake @SteveITS

              @steveits I turned off monitoring to no effect. It still shows the interface UP but no packet count. I don't think the firewall can pass any traffic to the gateway. On the dashboard it reports "Unable to check for updates"

foreverjake @foreverjake

                I have to be missing a basic setting. I have a Sophos UTM, a laptop and an old linksys WRT that I can put on this connection, without rebooting the cable modem and they all work. The pfSense box I built works perfectly behind my TMO internet WiFi router, but when I bring it to my Comcast Business connection it fails to pass traffic. It negotiates an IP via DHCP on both services.

Jarhead @foreverjake

@foreverjake Did you try to spoof the MAC of the old router?

SteveITS @foreverjake

                    @foreverjake Out of the box it should just work. You could back up the config and reset to defaults...? Most of our clients have Comcast.

                    Can you Diagnostics/Ping the WAN gateway IP or 8.8.8.8 from pfSense itself?

                    Is it getting the same public IP as the old router? I have actually seen where Comcast had another customer router misconfigured and was using the public IP already. Though that might have been a static IP, it's been a while. Spoofing the MAC would probably get it the same IP.


foreverjake

                      I got it working. The system was locking to a MAC. Once I spoofed the old UTM firewall everything just started working. Monitoring is still failing, but I can live with that. What I don't understand is why it refused to allow the new MAC from the pfSense, when I was able to plug in a laptop and a Linksys WRT without needing to spoof the MAC.

                      Thanks to everyone here for the quick responses.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.