Help setting up NAT for AT&T Business DSL with 5 static IP addresses
-
It was mostly an AT&T issue. pfSense would not take both a PPPoE AND a static IP for the WAN connection. I tried every combination I could think of. I went to Interfaces->Assign and configured the PPPoE under the PPP tab, then set the static in WAN and it would not work. I did PPPoE on the WAN and created an opt1 bonded to the same adapter and gave opt1 the static, still nothing. In all, I messed with it for 3 weeks and what I have now is the only way I could get it to go AND I had to do a fresh install to boot. Good luck with yours!
-
I had the same issue and was able to resolve it by performing the following:
-Set the AT&T Modem to Bridge Mode
-Set the WAN Interface to PPPoE and configure the credentials
-Once the interface is connected you will receive a dynamic IP from AT&T (this is normal, the 5 static IP's are routed on their end through the PPPoE Session)
-Create a Virtual IP with one of the available Static IP's (first usable IP in the range provided to you) Type: IP Alias
-Create a 1:1 NAT Rule with the following settings:
Interface: WAN
External subnet IP: The IP Address you added as a Virtual IP
Internal IP: Type: Single Host or alias, Address: the internal IP of the server/device you are creating this mapping for
Destination: Type: any
-Create a Rule to allow the ports required, in this example I will allow port 25 (SMTP)
Action: Pass
Interface: WAN
Destination: Type: Single Host or Alias, Address: (should be same Internal IP as the 1:1 NAT Rule)
Destination Port range: from: SMTP, to: SMTP
Save the changes and apply the configuration, everything should work! I am using pfSense 2.0 RC3 in case it matters.
-
I was able to put AT&T's Netopia 3347-02 into bridge mode and successfully relay the PPPoE connection point to pfSense 2.0 by following details in a post on Netopia's support site (Configuring Bridge Mode in the Netopia Internet Router). Besides switching Netopia to Bridge mode (Expert Mode > Configure > Advanced > Ethernet Bridge > Enable System Bridge) I also turned off Netopia's WAN Interface (Expert Mode > Configure > WAN > PPP over Ethernet vcc1 > Enable interface (uncheck)) and switched off its Gateway Option (Expert Mode > Configure > WAN > IP Gateway > Enable Gateway Option (uncheck)). I also disabled Netopia's DHCP server which was enabled by default.
With the above done, Netopia rebooted, and – last but not least – the correct username typed in (it's "xxxxx@att.net", not "xxxxx@att.com"), pfSense 2.0 finally connected without any problems!
-
Firewall->Rules
Source: not unchecked, type - single host, address - [My First Static IP], port range - HTTP
For what it is worth, your firewall rule is wrong here. The source is not your first static, but rather any (meaning any host on the internet). Also, the port is going to need to be any or 1024:65536. You will not know the port coming from the remote system. You could have set that up perfectly, but this rule would never allow any traffic other than from the NIC itself on port 80. You might have already moved past that, but it is worth noting that for any who come to read this in the future.
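
Added example, not part of any post in this thread and not pfSense code: a simplified Python model of how an inbound WAN packet is matched once 1:1 NAT has rewritten its destination, which is why the steps above use the internal IP as the rule destination and why a rule with a pinned source never matches. All addresses are constructed from documentation ranges, and `wan_inbound`, `Rule` and `Packet` are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (documentation ranges), not the posters' real ones.
VIRTUAL_IP = "203.0.113.234"   # static IP added as an IP Alias on WAN
INTERNAL_IP = "192.168.1.10"   # mail server behind the firewall
BINAT = {VIRTUAL_IP: INTERNAL_IP}  # 1:1 NAT mapping: external -> internal

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    src: str = "any"            # "any" or a single host address
    sport: tuple = (0, 65535)   # inclusive source port range
    dst: str = "any"
    dport: tuple = (0, 65535)   # inclusive destination port range

def _host_ok(want, got):
    return want == "any" or ipaddress.ip_address(want) == ipaddress.ip_address(got)

def _port_ok(rng, port):
    return rng[0] <= port <= rng[1]

def wan_inbound(pkt, rules):
    """Rewrite the destination via 1:1 NAT first, then filter (default deny)."""
    pkt = Packet(pkt.src, pkt.sport, BINAT.get(pkt.dst, pkt.dst), pkt.dport)
    for r in rules:
        if (_host_ok(r.src, pkt.src) and _port_ok(r.sport, pkt.sport)
                and _host_ok(r.dst, pkt.dst) and _port_ok(r.dport, pkt.dport)):
            return "pass"
    return "block"

# Constructed packet: a remote mail server connecting from an ephemeral source port.
smtp_in = Packet("198.51.100.7", 49152, VIRTUAL_IP, 25)

# Rule shape criticised above: source pinned to the own static IP, source port HTTP.
wrong_source = Rule(src=VIRTUAL_IP, sport=(80, 80))
# Destination left as the public IP: NAT has already rewritten it, so no match.
wrong_dest = Rule(dst=VIRTUAL_IP, dport=(25, 25))
# Rule from the 1:1 NAT steps: any source, destination = internal IP, port SMTP.
correct = Rule(dst=INTERNAL_IP, dport=(25, 25))

if __name__ == "__main__":
    for name, rule in [("wrong_source", wrong_source), ("wrong_dest", wrong_dest), ("correct", correct)]:
        print(name, wan_inbound(smtp_in, [rule]))
```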
-
I'm having this exact problem and have spent about 2 hours of down time at night trying to work out the details. Can someone point out what might be wrong?
PPPoE is working and I am getting the dynamic IP from AT&T. On my local LAN I can browse the internet so I know that's good.
Virtual IP's
I set up my 5 virtual IPs as IP Alias and then went to NAT and 1:1. I then made the virtuals point to the internals.
Rules
Just to get it working I opened them up to allow any from the WAN to the 5 internals.
I know I have to have done something wrong. I set up a test network using a VirtualBox pfSense 2.0 and I put my Windows machine on its local LAN. I then connected up the WAN port to my local network and gave it a static IP. I added a virtual IP to point to my local IP of the Windows box. Then from the WAN side I use RDP to connect to the desktop so I know that I can set up 1:1 NAT when using a real static IP on the WAN.
AT&T delivers us a dynamic IP from another network range. I guess we're in a VLAN as my static IPs are not the same range.
I know from when I talked to their business setup 2 years ago she said I actually had 8 IPs but only 5 usable
.232 Don't remember what this is used for
.233 was the gateway
.234 first usable
.238 last usable
.239 broadcast address
Maybe this will help.
-
-
Should I set up the .233 IP as a CARP instead of an IP Alias?
-
Only if you are ever going to cluster … if not, then pick ProxyARP. I have not used IP Alias, but it might work well for you.
-
ProxyARP can't be used for the firewall itself. What I am thinking here is AT&T expects my LAN traffic to pass through .233 as this is the gateway address when I do not have the modem in bridge mode.
IP Alias and CARP can be used by the firewall. But I can't assign it to the WAN as it gets a dynamic IP.
Can I assign the xxx.yyy.zzz.233 to the opt interface as a static and just do my 5 public IPs?
I was really wanting to use 1:1 NAT as I was going to have some service load balancing with multiple servers connected to a private SAN for HA failover. I will be moving to a colocation center in 6 to 8 weeks and wanted to get the whole thing working using my business DSL line.
I know I can make it all work if I don't put the modem into bridge mode and just use one of my statics on the WAN side of the firewall. I wasn't wanting to give up one IP.
-
Just found this over in Routing / Multi WAN. This might be of some help, but it seems like I have done this before.
http://forum.pfsense.org/index.php/topic,43107.0.html