Verizon CR200a in ip passthrough?
-
I'm trialing Verizon Home Internet to see if it can replace my current terrible DSL. They gave me the new WNC-CR200a gateway device, which is nice, since it has all sorts of advanced features, including an easy IP-passthrough mode. I've enabled that, and it appears to be working, since the light on the front has gone from white to green.
So now, I'm a little stumped as to how to get that configured in pfsense. I currently have everything set up to accept my PPPoE DSL signal, and I absolutely need to back that up, since it was a bit of a nightmare to get working.
Can anyone guide me through the next steps on injecting this cellular internet into my network, so I can see if it will work for my needs?
Speaking of, I'll be needing port forwarding and DDNS. I'm currently doing that through the normal NAT tools (for the forwards) and using my unraid server to handle the DDNS. I'm guessing that I may need to approach it a little differently if I'm using this CGNAT cellular service, right? Any tips or advice on that front would be appreciated as well!
-
If it's actually passing it I'd expect to be able to connect a NIC to it, set that to dhcp and pull a lease.
That could be a different NIC if you have one available giving you a dual WAN setup temporarily.
Port forwards generally do not work when using CGNAT. You may be able to set something up at the provider but that will probably incur a cost.
The alternative there is to set up a VPN to something that does have a public IP, like a cloud instance. Then forward traffic from there across the VPN.
Steve
-
@stephenw10 said in Verizon CR200a in ip passthrough?:
I'd expect to be able to connect a NIC to it, set that to dhcp and pull a lease.
That could be a different NIC if you have one available giving you a dual WAN setup temporarily.
I'd love to be able to do exactly this. My pfsense box has multiple NICs, and I'm only using one of them at the moment. Any guidance on how to actually set up the 2nd one? I'm a bit clueless on that side of the house, unfortunately. :/
I'm terrified of breaking my current setup, since it was such a pain to get working. lol
-
First make sure you have a backup of the existing config file. You can always just restore it.
Then make sure your system default gateway is set to the DSL gateway and not automatic in Sys > Routing > Gateways. Otherwise the system may choose to switch to the new WAN before it's actually passing traffic.
Then just assign one of the spare NICs as a new interface. Enable the interface, rename it something useful like WAN2 and set the IPv4 address type to DHCP.
Then connect to the Verizon modem and check the Status > Interfaces page to see if it pulled a lease.
-
@stephenw10 So I think maybe I did something wrong...?
I connected as you described, I think. The new interface is pulling an IP, but it's a local-type IP. Is that what I'm expecting to see?
If so, how can I now test if it's working from my desktop? Do I temporarily disable the original WAN interface, and see if I still have internet, or is there a better way? I ran a speed test, and not much has changed, although the speeds of my old and new ISPs are similar, so it would be hard to tell from just that.
-
Hmm, well it seems highly coincidental that the IP address it pulled is in the same subnet as your LAN.
Check Status > DHCP Leases. Make sure it didn't pull an IP address from itself. If it did then double check the wiring, you have a layer 2 link between LAN and Verizon.
If it didn't then you have a subnet conflict you will need to resolve.
If Verizon passes you a CGNAT address I'd expect it to be in the 100.x.x.x subnet.
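The check described in this reply, as an added example that is not part of the original thread: it classifies the address a WAN2 interface leased and flags an overlap with the LAN subnet. The reserved carrier-grade NAT block is 100.64.0.0/10 (RFC 6598); the LAN subnet and lease values in the demo are constructed, and the function names are hypothetical.

```python
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")      # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(addr):
    """Return 'cgnat', 'private', 'link-local' or 'public' for an IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    if ip.is_link_local:
        return "link-local"
    return "public"

def diagnose_wan_lease(lease_cidr, lan_cidr):
    """Findings for a WAN lease (address/prefix) given the LAN subnet."""
    lease = ipaddress.ip_interface(lease_cidr)
    lan = ipaddress.ip_network(lan_cidr)
    kind = classify(str(lease.ip))
    findings = [kind]
    # A WAN lease inside the LAN subnet means the WAN NIC shares a layer 2
    # segment with the LAN (it leased from the firewall's own DHCP server)
    # or the two networks use conflicting subnets.
    if lease.network.overlaps(lan):
        findings.append("overlaps-lan")
    # Any non-public WAN address sits behind someone else's NAT, so inbound
    # port forwards from the internet will not reach it directly.
    if kind in ("cgnat", "private"):
        findings.append("behind-upstream-nat")
    return findings

if __name__ == "__main__":
    lan = "192.168.1.0/24"                        # constructed LAN subnet
    for lease in ("192.168.1.57/24",              # constructed: lease from the LAN itself
                  "100.72.14.9/24",               # constructed: CGNAT lease
                  "203.0.113.10/24"):             # constructed: documentation range
        print(lease, diagnose_wan_lease(lease, lan))
```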
-
@stephenw10 said in Verizon CR200a in ip passthrough?:
Check Status > DHCP Leases. Make sure it didn't pull an IP address from itself. If it did then double check the wiring, you have a layer 2 link between LAN and Verizon.
If it didn't then you have a subnet conflict you will need to resolve.
Well, it did something, because after making that change I couldn't browse to any sites at all, including this one, but some of my other internet and network-dependent traffic was still working. It was very odd. It almost felt like a DNS issue, but I couldn't find anywhere to see or change that.
I tried disabling the new WAN and going back to the original one, but nothing worked. I ended up having to restore my pfsense backup to get it running again.
I wish I knew enough to follow your suggestion above. I looked at the DHCP leases, but I didn't really know what I was seeing. It did seem very odd that it was assigning a local IP to the new WAN, so I suspect that was wrong.
I have the new Verizon modem plugged into a switch out in my shop, which then runs underground back to my main switch, and then into my pfsense box. Could that be causing the mix-up? Is that what you meant by a level 2 link? If so, I'm not sure how I could get around that, since there's no other physical way for me to connect the Verizon modem to my pfsense box.
-
Is that main switch also connected to the LAN NIC? Because that would then put everything in the same segment which is not valid.
If those are managed switches you can add a VLAN to carry the traffic from the modem and isolate it.
-
@stephenw10 said in Verizon CR200a in ip passthrough?:
Is that main switch also connected to the LAN NIC? Because that would then put everything in the same segment which is not valid.
If those are managed switches you can add a VLAN to carry the traffic from the modem and isolate it.
It is indeed. That would be the issue, then. The primary switch is managed, but the little switch out in my shop is not. Is it still possible to split things out into a VLAN, or do both need to be managed?
I've never set up a VLAN, is that complicated? My switch is a TP-Link T1600G-28PS, if that tells you anything.
I see an option for MAC VLAN, which appears to be selectable by port. That looks promising... :)
-
Do you need access to the LAN at the smaller remote switch?
If you do that's an issue because, since the small switch doesn't support VLANs, the link between the switches will only ever be a single segment.
Unless maybe the modem supports VLANs in which case you could potentially send tagged and untagged traffic over the link. But that would get complex to set up!
-
@stephenw10 said in Verizon CR200a in ip passthrough?:
Do you need access to the LAN at the smaller remote switch?
I do, since my laser cutter needs to be accessible to/from that small switch. That was actually the whole reason I ran the hardline out to the shop instead of just doing a wifi extension. :/
If I had a managed switch in the shop also, would that solve the problem? How would that work? Do they 'talk', VLAN to VLAN or something? I honestly have no idea how that works, which I'm sure is painfully obvious. lol
EDIT: I have a Cisco 3560-CG Gigabit/POE+ switch that I could install out in the shop if that would help the situation. I know nothing about Cisco management, though. If it's not web-based, and rather straightforward, like the TP-Link, I may be out of my depth.
-
Yes if you have managed switches at both ends you can just create a VLAN and have the modem traffic use that. It will be isolated from the LAN.
Yeah my experience with Cisco switches is...limited! But there are many people here on the forum who are very experienced with them.
-
@stephenw10 Excellent. I can install the Cisco switch in the shop, no problem.
Any thoughts on setting up the VLAN in general? I've never done one. Which type would be the easiest/best for this application? I'd like to send the traffic from the modem (that specific physical port) over the VLAN, and let all the other ports remain on the local LAN, right? Did you see anything in that last screenshot that looked likely? Or are you aware of a good resource for tutorials on setting up VLANs? I know everything is on YouTube, I just wouldn't know exactly what to search for...
-
You have two choices at the pfSense end. You can add a VLAN on the LAN NIC then assign that as WAN2 interface. Or you can just use a separate NIC for that since you have spares and connect it to the switch.
The switch would need to be configured differently in each case. In both cases the link between the switches needs to carry the tagged WAN2 traffic on, say, VLAN 100 and the untagged LAN traffic.
In general you would create VLAN 100 in the switch then add it as tagged on the port linking the two switches. Add it as untagged on the port connected to the modem.
Then either as tagged on the port to the pfSense LAN if you added the VLAN in pfSense. Or as untagged on the port to the pfSense WAN2 if not.
-
@stephenw10 OK, that sounded like French, but I'll go back and read it a few more times and see if it begins to make sense when I compare it to my GUI options. ;)
Thanks so much for your help!
-
@stephenw10 So this is super weird. I noticed that my network was acting slower than usual, so I checked the interface status, and saw that suddenly my new "verizon" gateway had no IP address. I went out to the shop and looked, and it had no status lights on the bottom of the unit at the LAN port, even though the unit itself was on and reporting good signal.
I decided to move it back inside temporarily, until I could get the new switch that would allow me to set up the VLAN as we discussed above.
I moved it back onto my primary LAN, so that it's only connected through my main switch. It's now Cellular modem -> switch -> pfsense. Although now that I type that, I think maybe that's still no better than before.
Regardless, when I plug it all back in, I'm still getting no IP address at all on the modem. This is weird, since earlier, I was getting an IP, it was just a LAN-type IP. Any idea what might be going on here? I assume the modem is still functioning correctly, since it's basically brand new, but otherwise, what could be causing it to suddenly refuse to pull the IP, even the 'wrong' one?
EDIT: So after a bit of thinking (it's early...), I moved the modem to another location, and plugged it directly into the pfsense box. This of course worked exactly as you described, since there was no switch in between, and now it has an external IP! So... how do I get my devices to start using the new service instead of the failover? Do I have to disable the original interface, or is there another, less destructive, way?
-
You should not have that modem connected to a LAN side switch directly without a VLAN in place. Doing that means it 'competes' with pfSense to be the router on that network. Other LAN devices may get an IP from the modem or start using a public IP even.
Having that NIC in pfSense (igb3) connected to the LAN switch without a VLAN is invalid. It can only get a lease from itself which then creates a subnet conflict between the Verizon and LAN subnets. So it's better it doesn't get an IP at all.
The only valid setup there without VLANs is to connect igb3 to the Verizon modem directly without any switch in between. It should then get an IP from the modem or from verizon upstream.
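A toy 802.1Q model of the two layouts discussed in this thread (the VLAN 100 plan described earlier and the flat wiring this reply warns against), as an added example that is not part of the original posts. It assumes the separate-NIC option, with WAN2 on an untagged VLAN 100 port; switch, port and device names are hypothetical.

```python
# Toy 802.1Q model (added example). Port and device names are hypothetical.
LINKS = {("shop", "uplink"): ("main", "uplink"),
         ("main", "uplink"): ("shop", "uplink")}

def port(pvid, dev=None, tagged=()):
    # pvid: VLAN assigned to untagged frames; tagged: VLANs carried with a tag
    return {"pvid": pvid, "dev": dev, "tagged": set(tagged)}

def topology(wan2_vlan, trunk_tagged):
    """Shop switch and main switch joined by one uplink, as in the thread."""
    return {
        ("shop", "modem"):   port(wan2_vlan, "verizon-modem"),
        ("shop", "laser"):   port(1, "laser-cutter"),
        ("shop", "uplink"):  port(1, tagged=trunk_tagged),
        ("main", "uplink"):  port(1, tagged=trunk_tagged),
        ("main", "lan"):     port(1, "pfsense-lan"),
        ("main", "wan2"):    port(wan2_vlan, "pfsense-wan2"),
        ("main", "desktop"): port(1, "desktop"),
    }

FLAT = topology(1, ())            # no VLANs: modem shares the LAN segment
ISOLATED = topology(100, (100,))  # VLAN 100 untagged at modem/WAN2, tagged on uplink

def reach(ports, src):
    """Devices that receive an untagged broadcast (e.g. DHCP) sent by src."""
    start = next(p for p, c in ports.items() if c["dev"] == src)
    todo, seen, got = [(start, ports[start]["pvid"])], set(), set()
    while todo:
        ingress, vlan = todo.pop()
        if (ingress, vlan) in seen:
            continue
        seen.add((ingress, vlan))
        for p, cfg in ports.items():
            if p[0] != ingress[0] or p == ingress:
                continue                      # other switch, or the ingress port
            untagged, tagged = cfg["pvid"] == vlan, vlan in cfg["tagged"]
            peer = LINKS.get(p)
            if peer and tagged and vlan in ports[peer]["tagged"]:
                todo.append((peer, vlan))     # crosses the uplink with its tag
            elif peer and untagged:
                todo.append((peer, ports[peer]["pvid"]))  # crosses untagged
            elif not peer and untagged and cfg["dev"]:
                got.add(cfg["dev"])           # delivered on an access port
    return got

if __name__ == "__main__":
    print("flat:    ", sorted(reach(FLAT, "verizon-modem")))
    print("isolated:", sorted(reach(ISOLATED, "verizon-modem")))
```

In the flat layout the modem's DHCP broadcasts reach every LAN device; with VLAN 100 they reach only the WAN2 NIC, while the laser cutter stays on the untagged LAN.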
-
@stephenw10 yep! I added this edit above before I saw your reply...
EDIT: So after a bit of thinking (it's early...), I moved the modem to another location, and plugged it directly into the pfsense box. This of course worked exactly as you described, since there was no switch in between, and now it has an external IP! So... how do I get my devices to start using the new service instead of the failover? Do I have to disable the original interface, or is there another, less destructive, way?
-
The easiest way is to simply set the System default gateway to the Verizon gateway in System > Routing > Gateways.
You can also set up a failover group with the Verizon gateway as the primary gateway and then set that group as the System Default.
Note you cannot set a load-balance group there. If you want to try that you need to policy route traffic via that.
-
@stephenw10 This appears to be working, thanks! I'll leave it like this for now, until I can get my new switch, and set up that VLAN. I really appreciate your assistance, but can't promise I won't need you again. :)