Verizon CR200a in ip passthrough?
-
@stephenw10 Excellent. I can install the Cisco swich in the shop, no problem.
Any thoughts on setting up the VLAN in general? I've never done one. Which type would be the easiest/best for this application? I'd like to send the traffic from the modem (that specific physical port) over the VLAN, and let all the other ports remain on the local LAN, right? Did you see anything in that last screenshot that looked likely? Or are you aware of a good resource for tutorials on setting up VLANs? I know everything is on YouTube, I just wouldn't know exactly what to search for...
-
You have two choices at the pfSense end. You can add a VLAN on the LAN NIC then assign that as WAN2 interface. Or you can just use a separate NIC for that since you have spares and connect it to the switch.
The switch would need to be configured differently in each case. In both cases the link between the switches needs to carry the tagged WAN2 traffic on, say, VLAN 100 and the untagged LAN traffic.
In general you would create VLAN 100 in the switch then add it as tagged on the port linking the two switches. Add it as untagged on the port connected to the modem.
Then either as tagged on the port to the pfSense LAN if you added the VLAN in pfSense. Or as untagged on the port to the pfSense WAN2 if not.
-
@stephenw10 OK, that sounded like French, but I'll go back and read it a few more times and see if it begins to make sense when I compare it to my GUI options. ;)
Thanks so much for your help!
-
@stephenw10 So this is super weird. I noticed that my network was acting slower than usual, so I checked the interface status, and saw that suddenly my new "verizon" gateway had no IP address. I went out to the shop and looked, and it had no status lights on the bottom of the unit at the LAN port, even though the unit itself was on and reporting good signal.
I decided to move it back inside temporarily, until I could get the new switch that would allow me to set up the VLAN as we discussed above.
I moved it back onto my primary LAN, so that it's only connected through my main switch. It's now Cellular modem -> switch -> pfsense. Although now that I type that, I think maybe that's still no better than before.
Regardless, when I plug it all back in, I'm still getting no IP address at all on the modem. This is weird, since earlier, I was getting an IP, it was just a LAN-type IP. Any idea what might be going on here? I assume the modem is still functioning correctly, since it's basically brand new, but otherwise, what could be causing it to suddenly refuse to pull the IP, even the 'wrong' one?
EDIT: So after a bit of thinking (it's early...), I moved the modem to another location, and plugged it directly into the pfSense box. This of course worked exactly as you described, since there was no switch in between, and now it has an external IP! So... how do I get my devices to start using the new service instead of the failover? Do I have to disable the original interface, or is there another, less destructive, way?
-
You should not have that modem connected to a LAN side switch directly without a VLAN in place. Doing that means it 'competes' with pfSense to be the router on that network. Other LAN devices may get an IP from the modem or start using a public IP even.
Having that NIC in pfSense (igb3) connected to the LAN switch without a VLAN is invalid. It can only get a lease from itself which then creates a subnet conflict between the Verizon and LAN subnets. So it's better it doesn't get an IP at all.
The only valid setup there without VLANs is to connect igb3 to the Verizon modem directly without any switch in between. It should then get an IP from the modem or from verizon upstream.
-
@stephenw10 yep! I added this edit above before I saw your reply...
EDIT: So after a bit of thinking (it's early...), I moved the modem to another location, and plugged it directly into the pfSense box. This of course worked exactly as you described, since there was no switch in between, and now it has an external IP! So... how do I get my devices to start using the new service instead of the failover? Do I have to disable the original interface, or is there another, less destructive, way?
-
The easiest way is to simply set the System default gateway to the Verizon gateway in System > Routing > Gateways.
You can also set up a failover group with the Verizon gateway as the primary gateway and then set that group as the System Default.
Note you cannot set a load-balance group there. If you want to try that you need to policy route traffic via that.
-
@stephenw10 This appears to be working, thanks! I'll leave it like this for now, until I can get my new switch, and set up that VLAN. I really appreciate your assistance, but can't promise I won't need you again. :)
-
-
@stephenw10 So this is weird.
I have it up and running using the settings you suggested, and for the most part all is well. However, initial connection to sites is a little slow, and certain elements won't load at all. For example, when I hit google and do a search for whatever, that mostly works fine, but once I actually choose a result and visit a page, it seems to pause for a moment, almost like it's having trouble resolving the DNS record or something. This happens on many, but not all sites.
The other, more pressing issue is with YouTube. I can browse the site with no problem, but no videos will play. At all. Nothing. Any video I select just spins forever and never plays. I've tried turning off my ad blocker(s) and it makes no difference. I'm using adguard DNS on my local PC (in the NIC settings), but even changing that back to google or cloudflare DNS doesn't help.
Anything jump out at you as being an obvious cause of either of these issues?
-
Something that can present like that is if you have IPv6 but only partially. A host device will almost always prefer IPv6 if it has a routable address and try to use it. If that's blocked or in some other way broken it has to time out before falling back to IPv4.
-
@stephenw10 Do you mean on the modem, router, or my PC? It seems that all other devices in the home can access sites (and YouTube) without issue, it's just my desktop that is having trouble, so I assume it's on the client side. I've checked my network settings, and I don't think IPv6 is enabled anywhere that I can see. Is there a way to check, or to definitively disable it?
I saw something last night about some having issues with the Verizon modem using IPv6 SLAAC, but that wasn't with IP Passthrough. I'm wondering if, since I didn't turn off v6 before enabling passthrough, it's somehow "leaking" v6 info through the connection. Is that even a thing? If so, would perhaps taking the device out of passthrough, turning off IPv6 entirely, then putting it back in passthrough perhaps help? Obviously, I'm grasping at straws here. lol
-
I mean on the local PC where you are seeing the delays. Though usually that would be because pfSense is passing it an IPv6 address.
Check Diag > DNS Lookup in pfSense. Are all the configured DNS servers responding?
-
@stephenw10 said in Verizon CR200a in ip passthrough?:
Check Diag > DNS Lookup in pfSense. Are all the configured DNS servers responding?
So it asks for a hostname to look up. What do I input there? Is that my DNS servers that I have specified on my client side? For example, I have adguard dns on my desktop PC. Would I input those server IPs, or something different? I've never used that tool before.
-
Any FQDN to resolve, so www.pfsense.org for example.
-
@stephenw10 Ok, cool. So I looked up a couple different sites, and all came back with no issues. All loaded fine, and no errors were returned. I even tried youtube, and other than having a long record, it looked okay as well.
However, it still won't load any videos. I can browse the site just fine. All thumbnails load, and if I select a video to play, it will load the initial "cover image", but then it just sits there and spins.
I just found out while typing this that if I wait long enough, it will sometimes play! A video I had forgotten I started began playing, at 144p. lol Once it started, I could select any resolution, and it would load just fine. I can even hop forward in the timeline, and it will immediately play, so it's having no issues streaming, it seems the problem is with the initial connection, or 'finding' the video stream. I know I'm saying it wrong, but I think you get the point. I swear it feels like a DNS issue, like it's hunting for the video amongst a big box of junk and is having trouble finding the right one. lol
What else could I check? I've already cleared cache and cookies back to the beginning of time, and tried a different browser, no difference.
-
It could potentially be an MTU issue on the new WAN. Like full sized packets are being blocked. Try pinging with large packets.
It could be an ad blocking issue. I see Youtube have upped their game today where I am.
-
@stephenw10 said in Verizon CR200a in ip passthrough?:
Try pinging with large packets.
I'd love to! Would you mind sharing the process? I really do appreciate all the walkthroughs and hand-holding. I'm gonna hang onto this thread. I'm learning a lot! :)
I thought about the ad blocking thing, but after turning off all my blockers, and even reverting my adguard dns to google (8.8.8.8), it's the same issue.
-
Sure so you can specify the size of a ping packet like so:
[24.03-RELEASE][admin@1100-3.stevew.lan]/root: ping -4 -s 1464 pfsense.org
PING pfsense.org (208.123.73.68): 1464 data bytes
1472 bytes from 208.123.73.68: icmp_seq=0 ttl=47 time=116.687 ms
1472 bytes from 208.123.73.68: icmp_seq=1 ttl=47 time=116.637 ms
1472 bytes from 208.123.73.68: icmp_seq=2 ttl=47 time=116.924 ms
That's actually the largest packet I can send from that device; 1464. That's expected because I have a PPPoE WAN. It does imply something is not passing packet fragments or allowing fragmentation though.
-
@stephenw10 said in Verizon CR200a in ip passthrough?:
root: ping -4 -s 1464 pfsense.org
So when I run that string from an elevated cmd prompt, I get returned:
"Bad value for option -s, valid range is from 1 to 4."
Should I be running this from somewhere other than the typical Windows cmd?
EDIT: I figured it out. There was another switch I needed to use in Windows.
Oh, freaky. I can't ping anything above 1400. That may be my issue! Lemme try that...
EDIT2: Dang, nope. I forgot to account for the headers, which brought me back to my previous setting of 1428. YouTube still doesn't work. :(
-
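The large-packet ping test above, plus the header arithmetic from the follow-up, as an added script that is not part of the thread: it binary-searches the largest don't-fragment ping payload a host accepts and converts it to a path MTU by adding the 20-byte IPv4 and 8-byte ICMP headers. The probe function, host names, and the Windows equivalent in the comments are my assumptions, not anything the original posters ran.

```shell
#!/bin/sh
# Added example (not from the thread): estimate the path MTU toward a host.
# A "payload" here is what ping -s (or Windows ping -l) sends; the wire
# size is payload + 28, which is why a 1400-byte payload means a 1428 MTU.
IP_ICMP_OVERHEAD=28   # 20-byte IPv4 header + 8-byte ICMP header

# Send one ping of $2 payload bytes to $1 with the DF bit set.
# Returns 0 on a reply, non-zero if the packet was dropped or too big.
# Windows equivalent (assumed, run manually): ping -f -l <size> <host>
probe_df() {
  host=$1; size=$2
  case "$(uname -s)" in
    FreeBSD) ping -4 -D -c 1 -W 2000 -s "$size" "$host" >/dev/null 2>&1 ;;
    Linux)   ping -4 -M do -c 1 -W 2 -s "$size" "$host" >/dev/null 2>&1 ;;
    *)       echo "unsupported OS for probe_df" >&2; return 2 ;;
  esac
}

# Binary-search the largest payload in [lo, hi] the probe accepts.
# $1 = probe function name, $2 = host, $3 = lowest size, $4 = highest size
max_payload() {
  probe=$1; host=$2; lo=$3; hi=$4; best=0
  while [ "$lo" -le "$hi" ]; do
    mid=$(( (lo + hi) / 2 ))
    if "$probe" "$host" "$mid"; then
      best=$mid; lo=$((mid + 1))      # fits: look for something bigger
    else
      hi=$((mid - 1))                 # dropped: shrink the window
    fi
  done
  echo "$best"
}

# Path MTU implied by a payload size (payload + IPv4 + ICMP headers).
mtu_from_payload() { echo $(( $1 + IP_ICMP_OVERHEAD )); }

# Usage: sh pmtu.sh pfsense.org   (host name is whatever you want to test)
if [ -n "${1:-}" ]; then
  p=$(max_payload probe_df "$1" 1 1500)
  echo "largest DF payload to $1: $p bytes -> path MTU about $(mtu_from_payload "$p")"
fi
```

A result well under 1500 on a plain Ethernet WAN (as opposed to the 1492 a PPPoE link gives) is a hint that something in the path is dropping full-size frames or fragments, which is the symptom the thread is chasing.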
Hmm, that still seems quite small. Can you access all sites as expected if you just connect a laptop to the modem directly?