Comcast Business Bridge Mode
-
I have Comcast Business and have had my pfSense Protectli router/firewall working flawlessly for about 2 years. However, about a month ago Comcast performed a network upgrade and a few days later my internet quit.
This problem seems very similar to a thread posted on Reddit, but no solution was ever given:
pfsense Comcast Business Internet DHCP Bridge Mode
If I reboot the pfSense router the WAN (public IP address) will get assigned via DHCP and the internet will work for about 5 minutes. Then traffic stops and the Gateway Monitor says 100% packet loss. Just like the article above, I disabled Gateway Monitoring. No help.
I've tried a factory reset. I've even bought a brand new Protectli Vault and reinstalled a fresh pfSense and still same result, so not a hardware problem.
Ironically, my old el-cheapo Netgear router is hooked up for now and is working fine. However, I want pfSense for the security and VPN.
Any ideas?
-
@jrussell05 It seems that you should ask Comcast why bridge mode is not working... alternatively, if it's a cable modem, you could try increasing the time on the WAN interface to 900 seconds, which is 15 mins. Check the option in the advanced config, see image below. It appears DHCP isn't holding on for completion of the lease assignment... just guessing.
-
What pfSense version are you running? It could be VLAN0 issue.
-
@stephenw10 I'm running 22.05 on one unit and 2.6.0 on the new unit.
-
The VLAN0 (priority tagged) dhcp replies issue is solved in 23.01. If you're able to upgrade to that from 22.05 it would be a good test.
Though usually that would cause DHCP to fail entirely, not after a few minutes. Failing after a few minutes like that sounds like an ARP conflict or possibly an asymmetric route somehow.
Check the system logs for errors reporting something else using the WAN IP.
Steve
-
One of my locations is having the same issue. In my case, it's Comcast consumer internet in bridge mode. Firmware version 23.01 is running on a Netgate SG-3100. It's been working fine for the last 3 years, until Friday morning the exact same symptoms started. Just like that Reddit article, it's a Cisco DPC3941B modem.
This new behavior coincided with a new WAN IP being issued. My previous WAN IP had been unchanged for a year+.
Unfortunately for me, it's at a remote site. So I can only access it for 5 minutes, every 20 minutes. Next time I can get in, I'll try to poke around the logs.
-
@kstarrunner Sorry to hear you're having the same experience. I too am limited in my ability to diagnose the issue due to being remote. Comcast, despite being responsive, has been no help so far.
Very interested to hear about anything you may learn.
-
Dug through all the available logs. I could not find any mention of MAC address conflict. I disabled Gateway Monitoring, that didn't do anything. The only thing I found interesting was the following lines in the Gateways log:
Apr 8 11:42:19 dpinger 3039 send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr COMCAST_GW_IP bind_addr MY_IP identifier "WAN_DHCP "
Apr 8 11:42:22 dpinger 3039 WAN_DHCP COMCAST_GW_IP: Alarm latency 0us stddev 0us loss 100%
Apr 8 11:42:45 dpinger 3039 exiting on signal 15
Those 3 lines keep repeating. Nothing else notable there.
-
Have you tried setting an external monitoring IP? Like 8.8.8.8.
It could be the Comcast gateway blocking the monitoring pings after 5mins.
-
@stephenw10 Just tried that, it made no difference.
-
Check the ARP table in pfSense when it's working and when it fails. Do you see the gateway IP listed correctly? Does the MAC address change?
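The two checks suggested in this thread (does the gateway's ARP entry change or go incomplete when the WAN drops, and does the system log show another device claiming the WAN IP) can be scripted so a remote site can be polled over the IPsec tunnel. The script below is an added example, not code from any poster or from pfSense itself. It assumes a hypothetical WAN interface `igb0` and gateway `203.0.113.1`, parses the FreeBSD `arp -an` output format pfSense produces, and greps for the FreeBSD kernel's `arp: ... is using my IP address` and `arp: ... moved from` messages; the snapshots and log line embedded in it are constructed, not captured from anyone's system.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): watch the gateway's ARP entry
# and look for ARP conflict messages in the system log.
# Assumed, hypothetical values: WAN interface igb0, Comcast gateway 203.0.113.1.
GW_IP="${GW_IP:-203.0.113.1}"
WAN_IF="${WAN_IF:-igb0}"

# gw_mac IP: read `arp -an` output on stdin and print the MAC recorded for IP.
# FreeBSD prints "? (203.0.113.1) at 00:11:22:aa:bb:cc on igb0 expires in ..."
# or "? (203.0.113.1) at (incomplete) on igb0 expired [ethernet]" when
# the gateway stopped answering ARP. Prints nothing if there is no entry.
gw_mac() {
    awk -v ip="($1)" '$2 == ip { print $4; exit }'
}

# compare_mac OLD NEW: classify the transition between two gw_mac results.
compare_mac() {
    old="$1"; new="$2"
    if [ -z "$new" ]; then
        echo "missing"          # gateway entry disappeared from the table
    elif [ "$new" = "(incomplete)" ]; then
        echo "incomplete"       # gateway is not answering our ARP requests
    elif [ -n "$old" ] && [ "$old" != "$new" ]; then
        echo "changed"          # a different MAC now answers for the gateway IP
    else
        echo "stable"
    fi
}

# classify_snapshots WORKING FAILED: apply compare_mac to two arp -an captures.
classify_snapshots() {
    a=$(printf '%s\n' "$1" | gw_mac "$GW_IP")
    b=$(printf '%s\n' "$2" | gw_mac "$GW_IP")
    compare_mac "$a" "$b"
}

# count_arp_conflicts: count kernel ARP complaints on stdin. FreeBSD logs
# "arp: <mac> is using my IP address <ip> on <if>!" for a duplicate address and
# "arp: <ip> moved from <mac> to <mac> on <if>" when a neighbour's MAC changes.
count_arp_conflicts() {
    grep -E -c 'arp: .*(is using my IP address|moved from)' || true
}

# monitor [INTERVAL]: poll the live ARP table on the firewall and log transitions.
# Run this from a pfSense shell over the tunnel; it loops until interrupted.
monitor() {
    interval="${1:-30}"
    prev=$(arp -an | gw_mac "$GW_IP")
    echo "$(date '+%H:%M:%S') gw=$GW_IP if=$WAN_IF mac=${prev:-none}"
    while :; do
        sleep "$interval"
        cur=$(arp -an | gw_mac "$GW_IP")
        state=$(compare_mac "$prev" "$cur")
        [ "$state" = "stable" ] || echo "$(date '+%H:%M:%S') $state: ${prev:-none} -> ${cur:-none}"
        prev="$cur"
    done
}

# Constructed sample data for offline use (not captured from a real system).
SNAP_WORKING='? (203.0.113.1) at 00:11:22:aa:bb:cc on igb0 expires in 1190 seconds [ethernet]
? (203.0.113.9) at 00:11:22:aa:bb:dd on igb0 expires in 600 seconds [ethernet]'
SNAP_FAILED='? (203.0.113.1) at (incomplete) on igb0 expired [ethernet]'
SNAP_MOVED='? (203.0.113.1) at 00:11:22:aa:bb:ee on igb0 expires in 1200 seconds [ethernet]'
SAMPLE_LOG='Apr 8 11:40:02 pfSense kernel: arp: 00:11:22:aa:bb:ee is using my IP address 203.0.113.7 on igb0!
Apr 8 11:40:05 pfSense kernel: arp: 203.0.113.1 moved from 00:11:22:aa:bb:cc to 00:11:22:aa:bb:ee on igb0
Apr 8 11:42:19 pfSense dpinger 3039 WAN_DHCP 203.0.113.1: Alarm latency 0us stddev 0us loss 100%'

# Offline demonstration on the constructed data.
echo "working -> failed: $(classify_snapshots "$SNAP_WORKING" "$SNAP_FAILED")"
echo "working -> moved:  $(classify_snapshots "$SNAP_WORKING" "$SNAP_MOVED")"
echo "conflict lines in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_arp_conflicts)"
```

On the firewall, `arp -an | gw_mac 203.0.113.1` gives the current gateway MAC, `monitor 30` logs every transition while the 5-minute window is still open, and `count_arp_conflicts < /var/log/system.log` (path assumed) tells you whether the kernel has seen a second device using the WAP IP, which is the "something else using the WAN IP" case mentioned above. A `changed` result with a matching `moved from` line points at another device answering ARP for the gateway address; an `incomplete` result with no conflict line points at the gateway simply no longer answering, which is more consistent with the gateway device itself than with pfSense.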
-
The Comcast business gateway device is not in true "bridge mode". That is the first thing to keep in mind. It still routes and can be a real pain.
If you do not have or need static IP addresses I would either buy my own modem-only device or get them to rent you one. They can be quite the pain to get them (phone support) to cooperate with you on that path, but once they do your life will get much simpler.
But please do share here what you do to get these working if you do.. for others to search out.
-
Unfortunately, I'm limited by this being a remotely deployed firewall. After calling Comcast support, they dispatched a tech which replaced the Cisco modem, with an "xFi Gateway" (aka Arris TG3482G). Unfortunately, the tech did not enable bridge mode. Fortunately, the IPsec tunnel still works. While I can still remotely manage the firewall over IPsec, I was using bridge mode to avoid the overhead of NAT-T.
Next time I can make it onsite, I'll try to switch it back to bridge mode. Will report back when I do. Kind of curious if this is a Comcast or a Cisco problem/bug.
Also agreed that purchasing a modem-only device is the best route. Unfortunately, there are complexities outside of my control.
-
@kstarrunner Does the Arris have a login page? Typically Comcast business modems have a default user/pass you can look up that will get you into the system.
I believe the username for Business devices is "cusadmin" but the password might be that, "password" or the SN of the device. This doesn't work always but often does.
-
@rcoleman-netgate I'm not too worried about getting into the device. Usually there's a sticker on the bottom with the password; or the default password can be found online somewhere.
At this point, that location is back online, and the IPsec tunnel is working. While I "could" use the IPsec tunnel to access the modem, I'm not willing to risk it while remote. I'll switch it next time I'm onsite.