Need help with hardware setup please.
-
Just got off the phone with TekSavvy and they confirmed while the static IP is not required with the MLPPP it is basically free. MLPPP is $4 per month whether you get the dynamic IP or the static IP, so I took the static IP.
I just ordered a /30 subnet. He gave me two IP addresses. However, of the two, he said one was a broadcast IP address and the other was a usable IP address. I'm a little confused with that as I thought /30 meant you could have 2 IP addresses.
Anyway… I await your instructions on how to configure this.
-
Yeah for sure a static IP is best for servers. Then sometimes you get things like a DHCP based cable modem service and your IP won't change unless they rescope the DHCP server or you leave the modem off for a week or so. So MLPPP basically includes a static IP. Sounds like Bellsouth a few years ago. You could get a 3 Mbps tier or a 6 Mbps tier, the 6 included a static IP. You could add a static IP to the 3 tier but the cost was the same as just upgrading to 6. Guess what most everyone did lol.
What did you get from Teksavvy on the /30 block? A /30 is 4 addresses, starting at 0 you would have 0 as the "network" address, 1 and 2 as host addresses and 3 as the "broadcast" address. A /32 which would almost certainly not be used would give you only one host address (think loopback address). So in that case you would assign the x.x.x.1 address to the Tomato LAN side and the x.x.x.2 address to pfsense WAN side with pfsense's WAN gateway being x.x.x.1. You'll need to set Tomato back into Router mode to disable NAT and the firewall.
From what I'm seeing on that DSL Reports thread I linked you to, the Tomato WAN will get its static IP as usual; you can use it for remotely configuring Tomato if you want, won't really need it for anything. Since pfsense will have a publicly routed IP it shouldn't have ANY problems with OpenVPN or anything. Also forcing a public IP on Tomato's LAN side should give it the hint that it doesn't need to go behind your back and do NAT or something when you've told it not to. I think the issue we were running into before was Tomato doing something funky because we had a private IP in between and technically it's not supposed to be in a route.
-
The rep at TekSavvy did say "first usable IP" but then only gave me one. I don't know if it is a security risk to post the IP at this time so I will just do this:
x.x.x.240 -> broadcast
x.x.x.241 -> first usable IP address

So, if I understand correctly, the following should work?
Tomato WAN -> Will acquire the static IP like normal
Tomato LAN -> x.x.x.241 (first usable IP)
pfSense WAN -> x.x.x.242

I would then set the default gateway for the pfSense WAN to x.x.x.241 and change it back to Router mode.
Is this correct?
-
Usually /30 subnets go like this
x.x.x.240 network name, unusable
x.x.x.241 you can use it
x.x.x.242 gateway, this is isp's use
x.x.x.243 broadcast, unusable

But I might be wrong here also
-
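Added example, not from anyone in the thread: the /30 arithmetic the two posts above describe, worked in Python's standard ipaddress module. 192.0.2.0/24 (RFC 5737 TEST-NET-1) stands in for the redacted "x.x.x"; the addresses are constructed. carve() takes any address inside the block, even the one the ISP quoted as "first usable", and realigns it to the block's real boundary (a /30 always starts on a multiple of 4), role() says what a given address is inside that block, and plan() produces the Tomato-LAN / pfSense-WAN / gateway assignment suggested earlier in the thread.

```python
import ipaddress

# 192.0.2.0/24 (RFC 5737 TEST-NET-1) stands in for the "x.x.x" the thread redacts;
# the numbers are constructed, not the poster's real block.
ISP_QUOTED_FIRST_USABLE = "192.0.2.241"


def carve(cidr):
    """Split a prefix into network, usable hosts and broadcast.

    strict=False accepts any address inside the block (such as the one the ISP
    quoted as "first usable") and realigns it to the block's true boundary.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= 31:
        # /31 (RFC 3021 point-to-point) and /32 reserve no network/broadcast address.
        return {"block": str(net), "network": None, "broadcast": None,
                "first_host": str(net.network_address),
                "last_host": str(net.broadcast_address),
                "usable": net.num_addresses}
    return {"block": str(net),
            "network": str(net.network_address),
            "first_host": str(net.network_address + 1),
            "last_host": str(net.broadcast_address - 1),
            "usable": net.num_addresses - 2,
            "broadcast": str(net.broadcast_address)}


def role(ip, cidr):
    """Classify one address relative to the block: network, host, broadcast or outside."""
    net = ipaddress.ip_network(cidr, strict=False)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        return "outside"
    if net.prefixlen >= 31:
        return "host"
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return "host"


def plan(cidr):
    """The assignment suggested in the thread for a routed block behind Tomato:
    first host on Tomato's LAN side, the next host on pfSense's WAN side, and
    pfSense's WAN gateway pointing back at the Tomato LAN address."""
    c = carve(cidr)
    if c["usable"] < 2:
        raise ValueError(f"{c['block']} has only {c['usable']} usable address(es)")
    first = ipaddress.ip_address(c["first_host"])
    return {"tomato_lan": str(first),
            "pfsense_wan": str(first + 1),
            "pfsense_wan_gateway": str(first)}


if __name__ == "__main__":
    block = f"{ISP_QUOTED_FIRST_USABLE}/30"
    print(carve(block))
    for last in (240, 241, 242, 243, 244):
        ip = f"192.0.2.{last}"
        print(ip, "->", role(ip, block))
    print(plan(block))
    print(carve("192.0.2.1/32"))
```

For the /30 that contains .241 the output is .240 network, .241 and .242 hosts, .243 broadcast, which is the layout in the post just above; a /32 comes back with one usable address and no reserved ones.
-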
With a properly functioning firewall it shouldn't be an issue to post your IP; of course DoS attempts on it can't be stopped by a firewall alone, they require something like Snort or the help of the ISP. So yeah, just the last octet is fine. Yep, "first usable" is the key there. Assign 241 to Tomato's LAN and 242 to pfsense's WAN, switch to Router mode on Tomato, reset pfsense's default gateway to 241 and you should be surfing.
-
Thanks so much for your help! Are you going to be around tomorrow evening? It is 12:40 am right now where I am and I have to work tomorrow. Since my internet is working I can leave it as-is right now and pick up on it tomorrow night. However, if you are not going to be available tomorrow then I'll continue this evening.
-
Usually /30 subnets go like this
x.x.x.240 network name, unusable
x.x.x.241 you can use it
x.x.x.242 gateway, this is isp's use
x.x.x.243 broadcast, unusable

But I might be wrong here also
Correct in most cases. But since Teksavvy is apparently offering a separate routed subnet, this could be used for almost anything. It's odd to see routed subnets on a residential connection, but this is Teksavvy we are talking about, they thrive on doing things different like this, that's what I like about them. My experience with routed subnets has been on business grade DSL/Cable and a T1. In all those cases the actual WAN side would have a dynamic address that was basically unused. They would then give you the routed subnet, one address (usually specified out of the group like you said) would be the LAN side of the modem/router and the rest are for your use on whatever you wanted (firewall, server, etc).
If 241 on Tomato's LAN and 242 on pfsense's WAN doesn't work then swap them. From what I read, they don't assign anything to the LAN side; it's up to you to assign it and you should be able to assign it in whatever order you like (won't make any difference), but it's always worth a try if things don't work properly for some reason.
-
Yep, I'll be here. We're in the same time zone (I'm in Atlanta, GA) so the bed is calling me as well lol.
-
Thanks for sharing some knowledge; I don't have any info about this ISP. We don't have that here.
-
Yeah, Teksavvy is a Canadian company, Ontario and one other city IIRC (sad I can't remember it, maybe it's cause I'm tired lol)
I've got some reading for you that you might find interesting. Teksavvy users attempting to get MLPPP working on 2.0. http://www.dslreports.com/forum/r23826167-working-mlppp-in-pfsense-20 and http://forum.pfsense.org/index.php/topic,23094.0.html. Might be able to get rid of the Tomato in front and have pfsense directly connected to the modem.
-
Yeah, Teksavvy is a Canadian company, Ontario and one other city IIRC (sad I can't remember it, maybe it's cause I'm tired lol)
I've got some reading for you that you might find interesting. Teksavvy users attempting to get MLPPP working on 2.0. http://www.dslreports.com/forum/r23826167-working-mlppp-in-pfsense-20 and http://forum.pfsense.org/index.php/topic,23094.0.html. Might be able to get rid of the Tomato in front and have pfsense directly connected to the modem.
MLPPP is already built into 2.0… There are several of us using it.
/interfaces_ppps.php
-
That's what I thought too and I mentioned it (at least I think I did) but nothing ever got brought up about it.
-
It's pretty much this easy…
-
How about SLPPP connections like he has? There wouldn't be a second interface to select to bond.
-
I believe you either make one up such as a VLAN or install a second interface that just goes unused…
Hopefully someone who knows for sure will chime in otherwise some experimentation may be in order...
-
JoelC707: Thank you for all your help. I got really busy this week and was not able to work on it. I started working on it again tonight.
chpalmer: Thank you for your help activating MLPPP within pfSense 2.0. You can't imagine the hours of research that I found. The best that I found was a guide to get it installed by following a guide. I saw the settings for MLPPP within pfSense, but I assumed that because it didn't say Single Link (like Tomato does) that it didn't work. On top of which, I couldn't get it to connect, but that must have been because I didn't select a second network interface. In addition, I read that getting MLPPP working on 2.0 resulted in very bad port 80 surfing/traffic. This was unacceptable as I needed it for work.
MLPPP seems to be working okay now from pfSense.
Now I just need to figure out what my cousin did again to try and get it all working the way it was. ARGH!
Thanks for the help guys! It looks like I can cancel the /30 subnet from TekSavvy as I'm not in need of it.
-
Awesome, glad you got it working, and even more so in an undoubtedly better setup. There's nothing like getting rid of unnecessary hardware inline like that. And yeah, dump the /30, def not needed anymore.
-
I guess that only leaves one question. During this process you mentioned something about snort or something else. Is there something else that I should be running on the pfSense box?
Does pfSense use iptables?
-
No, it uses pf which is a BSD licensed version of iptables: http://en.wikipedia.org/wiki/PF_%28firewall%29.
Snort is an IDS/IPS package. It detects irregular traffic usually indicative of hacking attempts and blocks it. Sure, with proper firewall rules in place they shouldn't get in anyway, but this basically bans their IP(s) from even communicating with your system for a set period of time (i.e., no more traffic to worry about). Snort can also be a resource hog; you need a gig or two at least to leave room for the rest of the system, but it also depends on how many rules you have in place. I actually went looking yesterday for Snort memory requirements and one person said his system with 23K rules was taking up just under 6 GB of RAM for Snort alone.
There are other packages, best bet is to go to System > Packages then Available Packages and just see what's available. The other one I like most is HAVP which is basically a transparent, inline virus scanner. You don't need to configure proxy settings on the clients (of course you can set it up that way if you want). It will scan more than just file downloads too, pictures and media streams can have a virus too and it will scan those as well if you tell it to.
There are also thresholds as to how large of a file it will scan, and setting it at max can sometimes cause issues, especially with a slow connection. The file has to be downloaded to your pfsense box, scanned, then transparently sent to your desktop as if it came from the source. Sometimes it will look like the download is just sitting there and not even starting, but in the background it's being downloaded and scanned, then it transfers at LAN speeds from your pfsense box. This can also affect media streams like YouTube; they will seem like they take forever to buffer but are in fact just being scanned. Usually you would have a RAM disk to speed this up, so a beefier machine and a faster connection will help offset it (it's a virus scan after all, it's not going to be fast).
-
And what would one do if the machine isn't that beefy and needs to be used for other things too?
I have BFD setup on a VPS that I have running CentOS. It sounds like it does the same thing. If there are x number of connections within x seconds then it will ban their IP for x number of minutes.
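-
Added example, not from anyone in the thread and not BFD's or Snort's own code: the "x connections within x seconds bans the IP for x minutes" rule from the last post, implemented as a sliding-window counter over a constructed log, with the pf table commands a pfSense admin would use to enforce the resulting bans. The log format is a simplified "<ISO timestamp> connect from <ip>" invented for the example, the source addresses are RFC 5737 documentation ranges, and the pf table name bfd_block is an assumption; the script only generates the pfctl lines, it does not run them. It shows the two edge cases a rate-based ban needs to get right: hits that keep arriving during an active ban must not extend or re-trigger it, and an IP that returns after the ban lapses starts from a clean count.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simplified "<ISO timestamp> connect from <ip>" format
# (not real pfSense, BFD or sshd output). 203.0.113.5 hits the box five times in
# six seconds, gets banned, keeps knocking while banned, then returns after the
# ban lapses; 198.51.100.7 connects at a normal pace throughout. Lines must be in
# time order, as a log file is.
SAMPLE_LOG = """\
2011-06-10T00:40:00 connect from 203.0.113.5
2011-06-10T00:40:01 connect from 203.0.113.5
2011-06-10T00:40:02 connect from 198.51.100.7
2011-06-10T00:40:03 connect from 203.0.113.5
2011-06-10T00:40:04 connect from 203.0.113.5
2011-06-10T00:40:05 connect from 203.0.113.5
2011-06-10T00:40:06 connect from 203.0.113.5
2011-06-10T00:40:30 connect from 198.51.100.7
2011-06-10T00:41:00 connect from 198.51.100.7
2011-06-10T00:41:05 connect from 198.51.100.7
2011-06-10T00:41:10 connect from 198.51.100.7
2011-06-10T00:50:06 connect from 203.0.113.5
"""

LINE_RE = re.compile(r"^(\S+) .*?from (\d{1,3}(?:\.\d{1,3}){3})")


def parse_log(text):
    """Yield (timestamp, source_ip) for every line that matches; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2)


class RateBanner:
    """The x/x/x rule: max_conns hits from one IP inside window_seconds earn a ban
    of ban_seconds. Each IP's deque holds only timestamps still inside the window,
    so memory per IP is bounded by the threshold."""

    def __init__(self, max_conns=5, window_seconds=10, ban_seconds=600):
        self.max_conns = max_conns
        self.window = timedelta(seconds=window_seconds)
        self.ban_len = timedelta(seconds=ban_seconds)
        self.hits = defaultdict(deque)   # ip -> recent timestamps
        self.banned = {}                 # ip -> ban expiry
        self.bans = []                   # (ip, banned_at, expires_at) history

    def observe(self, ts, ip):
        """Feed one connection; return 'drop' (ban active), 'ban' (just tripped) or 'allow'."""
        expiry = self.banned.get(ip)
        if expiry is not None:
            if ts < expiry:
                return "drop"            # ban still running: do not extend or re-count it
            del self.banned[ip]          # ban lapsed: the IP starts with a clean slate
        q = self.hits[ip]
        q.append(ts)
        while q[0] < ts - self.window:   # evict hits that fell out of the window
            q.popleft()
        if len(q) >= self.max_conns:
            until = ts + self.ban_len
            self.banned[ip] = until
            self.bans.append((ip, ts, until))
            q.clear()
            return "ban"
        return "allow"


def analyze(text, **limits):
    """Run the whole log through one RateBanner; return (ban history, per-line verdicts)."""
    banner = RateBanner(**limits)
    decisions = [(ts, ip, banner.observe(ts, ip)) for ts, ip in parse_log(text)]
    return banner.bans, decisions


def pfctl_commands(bans, table="bfd_block"):
    """pfctl lines that would push each ban into a pf table on pfSense.
    'bfd_block' is an assumed table name; the ruleset has to declare it, e.g.
    'table <bfd_block> persist' plus 'block in quick from <bfd_block>'. pf tables
    do not expire entries by themselves, so the caller must issue
    'pfctl -t bfd_block -T delete <ip>' when expires_at passes."""
    return [f"pfctl -t {table} -T add {ip}" for ip, _at, _until in bans]


if __name__ == "__main__":
    bans, decisions = analyze(SAMPLE_LOG)
    for ts, ip, verdict in decisions:
        print(ts.isoformat(), ip, verdict)
    for cmd in pfctl_commands(bans):
        print(cmd)
```

With the defaults (5 hits in 10 seconds, 600 second ban) the sample produces exactly one ban, for 203.0.113.5 at 00:40:05 expiring 00:50:05; the 00:40:06 hit is reported as dropped rather than starting a second ban, and the 00:50:06 return is allowed because the ban has lapsed and the window is empty. The steady 198.51.100.7 never reaches five hits inside any ten second window.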