PfSense 'modem' -> pfsense 'router(s)', would this work?
-
Hi all,
I have been using pfSense for a few years, I think it's fantastic and recommend it all the time (I am an IT trainer, and often mention pfSense or demo a few features to add value to some of our courses). I would like to experiment a little and see what else is possible with pfSense.
If anyone has any advice or experience on setting up the following, I would appreciate any suggestions. My plan is to set up several networks for testing various things but all going out through one ADSL connection. If this works out I would be happy to provide a writeup and share my experiences for the benefit of others trying something similar. I have a few spare PCs and NICs to play with, so the idea is this:
All pfSense boxes will run v2.0, full AMD64 version. I have several public IP addresses.
'Modem' pfsense:
ADSL PCI modem and single NIC.
To run squid, snort, HAVP, Traffic Shaper.'Router' pfsense(s)
Either 2 NIC or VLAN router on a stick configuration.
According to this thread an ADSL WAN->LAN system is possible
http://forum.pfsense.org/index.php/topic,32900.msg201460.htmlSnort and Squid require a fair bit of RAM, I hav 4GB in the 'modem' which can be upgraded if necessary.
I am assuming a few things here, so please correct me if I am wrong
The 'modem' would not be routing? I was imagining a bridged WAN-LAN setup with NAT disabled so the ADSL card would be passing traffic directly to the NIC, turning the 'modem' almost into a simple media converter, for the WAN NIC/interface on the 'router' pfsense to access the ISP directly?
If each 'router' was assigned a single public IP, everything from the perspective of the 'router' would be as if it had a direct ISP connection? Or would it be more appropriate to use CARP VIPs on the 'modem' and actually route to the 'router' WAN interfaces?
The packages mentioned for the 'modem' would work in a non-routed 'modem' system?
Any thoughts are appreciated. Even a quick post to say 'that will never work' would be of help. Thanks in advance.
-
I believe there are various things that will not be possible if you have pfSense configured as a transparent firewall (wan and lan bridged). For example:
@HAVP:
Transparent proxy mode
HAVP supports transparent proxy under the following conditions:
Squid option Transparent proxy is unchecked. To avoid conflicts, HAVP ignores its own transparent option if Squid also set as transparent.
pfSense not have bridged interfaces. 'Transparent on Bridge'Transparent firewall setup seems to be something a lot of people have trouble with, though I've never had cause to try it. I'm sure a write up for 2.0 would be appreciated.
Steve
-
Thanks for that, I've been having a read around but its that time of year when spare time is a distant memory.
I haven't been able to get the ADSL card to connect to the ISP so far. It syncs ok, I can see it has negotiated up/down speeds, but that's about it. Routing/PING needs looking at when brain can be relied upon.
I did set up a bridge in pfSense but as WAN-OPT1 rather than WAN-LAN as suggested in documentation.
I appreciate you taking the time to reply, merry Christmas to you and yours.
-
It's no problem at all.
As it happens I've come away for work and find myself staying some where with no TV (not even a radio) and no one I know living nearby. Fortunately I have a laptop and a 3g modem to while away the hours. :)Merry Christmas!
Steve
-
I've had some time to take a look at this again, but happy new year to all, and hope you had a good Christmas stephenw10.
Well I managed to get the modem part working. I will fill in some of the detail later but for now if anyone else is looking to try this..
The ADSL card has two modes, PCI or Ethernet. By changing the jumpers you can set whether to access the device either as a network device (much like pfSense or any ISP modem/router, point a browser from another PC to in this case, 192.168.0.1) or swap them over to be able to access the card as a PCI device internally. My setup involved switching back and forth between the two until I got it working.
There is very little documentation for this card, not even a manufacturer's homepage that I could see. So I called linitx.com and spoke to someone who's name I sadly didn't ask. He was extremely helpful and knowledgeable about pfSense specifically, so much credit to him for his input.
First if you set up the card via ethernet it should be a lot easier. Configure the ADSL related settings as provided by your ISP. I am with BE so I followed this: https://www.bethere.co.uk/web/beportal/techguides_other_modems_with_Be_broadband From here you should be able to tell when the card syncs with the ISP, and confirm your upload/download connection speeds. It may take a minute or two to sync, just like any other modem. Once done switch the jumpers to PCI mode, the IPs and routing will be handled by pfSense.
From the pfSense side, the card appears as a rl0 interface, and is configured just as if it was an ethernet NIC. BE uses ETHoA so I just set up the WAN as a static IP. If your ISP uses PPPoE again use the settings provided by your ISP and also specifically for your account like ADSL usernames and passwords.
I also set up an OPT1 interface with a 'none' type, and bridged it to WAN. A second pfSense box is connected with it's own WAN NIC to the OPT1 NIC on the first pfSense. WAN on this second box was set up as a static IP using a 2nd public IP address. This did not 'just work' - I think I remember seeing ICMP packets being blocked in the firewall logs on the 'modem' pfSense coming from the public WAN IP address of the 'router' pfSense after a ping, so hopefully it's just down to setting some firewall rules. But at that point I decided it was supper time, so I will come back to that at another time. Meanwhile if anyone has any thoughts or observations I welcome any advice.
-
The ADSL card has two modes, PCI or Ethernet. By changing the jumpers you can set whether to access the device either as a network device (much like pfSense or any ISP modem/router, point a browser from another PC to in this case, 192.168.0.1) or swap them over to be able to access the card as a PCI device internally.
Hmmm, you mean when you have set as 'Ethernet' you have to connect to via a separate ethernet cable and NIC?
Is it not possible to set it to 'PCI', setup the NIC and then connect to the on board router?
Interesting device anyway.
Steve
-
Hi stephenw10, happy new year!
Take another look at the picture of the card, here http://linitx.com/viewproduct.php?prodid=12181
As I understand it the card can be used as a modem/router on it's own - I mean no PC necessary, it works without plugging it in to the PCI slot of a motherboard. I haven't tried this as it's not what I intended for it so I could be wrong but if you see the small white header just above the left hand side of the PCI connector, this is apparently for external power if NOT being used as a PCI card. It's a 5 pin header simply marked 'CN3' and in the document that comes with it it states 'Ethernet - 5/12V' or 'PCI - open' (what little comes with it is pretty sparse on detail).
Like I say don't take my word for that I may have misunderstood. But that would explain the option to set it up via ethernet from a 2nd PC via web browser by connecting to the onboard NIC. I've seen your other posts on similar cards that use CLI or telnet to manage the card, I went for the GUI/HTTP option so I can't tell you if this card supports other methods of access or management. If set to PCI mode, the onboard NIC is disabled (I stopped getting link lights on the switch it was still connected to) and only the ADSL RJ11 connector and PCI for access as a computer PCI peripheral are enabled.
I haven't spotted anything that would stop it doing what I want it to do, and at £44 it's a lot cheaper than many other cards I've seen.
-
I can't think why you'd ever want to run a PCI card that isn't in a PCI slot. Weird! Perhaps it's to allow the on-board router to be setup before it's send out to a customer?
Good to get a second positive review of it though.
Happy New Year!
Steve
-
Hi all
A thousand apologies, I had forgotten all about this. "Life happened" and things like job hunting took priority. Also my ISP kept insisting that the network upgrade that would change my static IPs would happen "very soon" and I was waiting for that to fiddle again, which still hasn't happened. Excuses aside, sorry it has taken five months to post back.
Here are the screenshots for the PCI ADSL modem interface. I did my best to capture as much useful information as I could but please note that the steps noted along with the screenshots refer to what I clicked on, not what is visible at the time, due to the way I captured it. I hope this helps and provides some answers. What I have configured works for me, a great deal of the settings here I imagine are only relevant if you use the "Ethernet" option mentioned previously. Once configured the jumpers on the card should be set to "PCI" mode for use with pfSense so anything you set on the card like NAT or firewalling may well conflict with or be ignored by pfSense.
As far as the pfSense side goes I will do my best to write up what I have done but the majority of it is about routing multiple public IPs. The actual modem side is relatively easy due to my ISP, all I do is set my WAN to "static". Other users may need to research PPPoE or other WAN configurations, for BE (UK ISP) users try this - https://www.bethere.co.uk/web/beportal/techguides_other_modems_with_Be_broadband
stephenw10, and any others still interested in this, this may all be a little late as many UK ISPs offer FTTx, which I understand requires a BT VDSL modem no matter who your ISP is. Mine has not yet upgraded, but if you have upgraded your connection to FTTx to the best of my knowledge NONE OF THIS IS ANY GOOD TO YOU. But to those still on standard ADSL please consider whether you wish to invest the ~£50 on the modem if you too may upgrade to FTTx.
–-Sorry, the file is 2MB, maximum size for attachments per file is 250KB. Until I come up with a better solution please PM me for the screenshots, I will email them if you send me your address.
-
Here we go. Hope this helps:
-
6-9
-
10-13
-
14-17
-
18-21
-
22-25
-
26-29
-
30-33
-
34-37
-
38-41
-
42-45