Need help connecting to a modem/router with NO bridge mode
-
I have a two part question. Here is some background to set it up.
My ISP (Frontier ughhh) provides me with the Actiontec V1000W modem/router. This is a vDSL modem which is different from an aDSL modem. According to Frontier technical support it cannot be placed into bridge mode for technical reasons I will not get into here. However, I can manually disable the DHCP server see here: http://screencast.com/t/EKCm4AiiT and also disable NAT here: http://screencast.com/t/d7M4zwQJsN (side question: What's with the warning about turning NAT off??).
Obviously the goal here is to make the V1000W do as little as possible (basically pass the public IP address to the pfsense) and allow the pfsense to run the whole show. Therefore…
Question #1. Should I disable BOTH DHCP & NAT or just DHCP? Why? Are there other settings I should change also that will help me put the V1000W into a sort of "manual bridge mode"?
My second issue has to do with the proper order of events when bringing my new pfsense PC-router online. I am worried about doing something out of order. I've got the PC ready to roll and it's in the middle of the installation process waiting for me to connect the WAN interface. Should I connect it to the V1000W before or after I disable DHCP (and possibly NAT)? Or do I get the V1000W set up in my "manual bridge mode" and THEN connect my pfsense to it?
-
can you get to the WAN VLAN page? If so you could probably get that thing into bridged mode.
![2014-03-01 20_03_57-www.actiontec.com_products_manuals_V1000H User Manual NCS.jpg](/public/imported_attachments/1/2014-03-01 20_03_57-www.actiontec.com_products_manuals_V1000H User Manual NCS.jpg)
-
If you can't get your ISP device into bridged mode, then you need to leave NAT on, on the ISP device. That is because the ISP device will be the only device that knows the public IP allocated by your ISP. Thus it must do NAT at that point - the NAT that pfSense will do from pfSense to pfSense WAN is just going to translate LAN IPs to the pfSense WAN private IP that it will use to talk to the ISP device.
If you just have 1 cable between ISP device and pfSense WAN, then you don't really care if ISP device has DHCP on or off. You can set pfSense WAN to a static IP in the ISP device LAN-side subnet, with gateway the ISP device private IP and go. And give pfSense LAN a different subnet.
Note: If you want to offer any public services (like incoming OpenVPN for Road Warrior…) then you will have to be able to add port forward/s on ISP Device to send those ports inside to pfSense WAN.
-
A second best option, if you can't put the modem in bridge mode, is to use 1:1 NAT. This is often accessed via the DMZ configuration of the modem. Effectively you want to set up the pfSense device in the modem's 'DMZ' such that all traffic arriving at the modem, on all ports, is forwarded to pfSense. That way you don't have to worry about port forwarding later if you set up services on pfSense.
Steve
-
Networking is amazing! I'm just putting that out there, because I feel like I know a lot, but it's an illusion when confronted with the knowledge of guys like you who REALLY know a lot. There is sooo much to know and understand about networking that it kinda blows my mind. OK, now that I got that off my chest…
To bryan.paradis, I can definitely reach the page you indicated. How would I configure it? Bridge mode doesn't exactly jump off the page at me.
To phil.davis Thanks for clarifying the NAT question. If I turn off DHCP on the isp device, then I will not need to give pfsense WAN a static IP, right? Because I can't assign static IP's in the isp device.
To stephenw10, Your idea is intriguing to me because it sounds simple (though I'm sure I'm just being naive). Can you expand upon your last sentence a bit? I don't really know what you mean. Here is the DMZ config page on my isp device: http://screencast.com/t/yATS1htUs97 Can you give me some direction?
I attempted to put the isp device in RFC 1493 transparent bridge mode today, but couldn't get things to work. The pfsense WAN appeared to obtain a public IP address, but I could not get internet connectivity. So then I reset the isp device and tried turning off nat and DHCP to no avail. It felt like a step backward from the previous config, because the pfsense WAN did not even obtain an IP address.
Thanks for all the help guys!
-
Found the following image on the web today while researching and trying to learn how to resolve my issue: http://screencast.com/t/MnlMdJsY
I think it does a really good job of demystifying the difference between true bridge mode and transparent bridge mode. Even though my isp device is an Actiontec, I presume the definition is close to the same from brand to brand. It makes me wonder if I simply had my pfsense configured wrong when I had my isp device in 1493 transparent bridge mode (TBM). In that situation, if the isp device is responsible for the PPPoe duties, why would I need the pfsense WAN interface set to PPPoe with the username & password etc…?
I'm pursuing this because when I had the isp device in TBM the pfsense WAN successfully obtained a public IP address. It just feels like I was really close to getting it right, and I think it may only take some minor tweaks to that config to nail it.
Thoughts??
-
Yep I'd say you were really close. Did you have the pfSense WAN setup as PPPoE at that point or not?
You'll notice that in 'transparent mode' on that screenshot you need at least 2 public IP addresses which is not something most ISPs provide. I would aim for bridge mode if you can. When you got a public IP on the pfSense WAN how did you determine you couldn't access the internet?
To use the DMZ you would simply enter the pfSense IP address where it says 'select device'. You may have to enter its IP directly or it may be selectable from the dropdown box there, I have no idea having never used that router. If you have to select the IP manually you probably also want to add a static DHCP mapping to the router so that pfSense gets the same IP address every time.
As I say though a bridged mode where pfSense gets a public IP address on its WAN is much better.
Steve
-
Give us a screen shot of your WAN VLAN page with 1483 bridging turned on. May have to change more settings. With bridge mode on pfSense will have to create/auth the pppoe session.
- Turn on RFC 1483 bridging
- Setup pfSense to PPPoe with your user & password.
- Success?
-
> Give us a screen shot of your WAN VLAN page with 1483 bridging turned on.

I will do that first thing tomorrow, as I've given up for the night and have returned everything to a standard working config. Though I will tell you now that I didn't enable it from that page. There was a different WAN page where I selected the option, and it did not offer any additional settings.
Unfortunately my isp device SUCKS eggs and is incapable of TRUE bridge mode. It also cannot assign static IP's of any kind, which is the primary reason I began this journey.
> You'll notice that in 'transparent mode' on that screenshot you need at least 2 public IP addresses which is not something most ISPs provide.

That was very observant of you to notice that transparent bridge mode used 2 public IP addresses. Maybe that's why it didn't work?
> When you got a public IP on the pfSense WAN how did you determine you couldn't access the internet?

I just simply could not connect. Ya know, the big yellow ! over the network thing in the bottom right tray. I opened a browser and tried to connect, ran the troubleshooter to let windows automatically reset the network adapter, and tried to ping Google (8.8.8.8) from a command line all to no avail.
-
> To phil.davis Thanks for clarifying the NAT question. If I turn off DHCP on the isp device, then I will not need to give pfsense WAN a static IP, right? Because I can't assign static IP's in the isp device.

If you turn off DHCP on the ISP device, then you DO have to give pfSense WAN a static IP (on Interfaces->WAN on pfSense). You DO NOT have to make any setting on the ISP device - pfSense WAN and ISP device will have different static IPs in the same subnet and happily talk to each other over the cable.
But keep on with the bridge stuff, as Steven says:
> As I say though a bridged mode where pfSense gets a public IP address on its WAN is much better.

-
If you again set the modem in rfc1483 bridge mode and setup pfSense to do the PPPoE session (you may have to reboot the modem to clear any existing PPP sessions) then if pfSense gets a public IP you need to test for a connection from the pfSense box.
At the console try to ping 8.8.8.8. Then try to ping google.com. Note the actual response, the error given is almost always more informative than 'didn't work'. ;)
Steve
Edit: Grammar!
-
Had a busy night and didn't attempt to work on this at all, but thought I should quick ping you to let you know I am still working on it.
I will try a few things tomorrow and post back. Thank you for your help!
-
Sorry for the delay! Super busy week. I know it's not like anyone is waiting on pins and needles for me to post back, but I feel like it's the courteous thing to let people know I intend to get back to this thread in the next day or two.
-
> Sorry for the delay! Super busy week. I know it's not like anyone is waiting on pins and needles for me to post back, but I feel like it's the courteous thing to let people know I intend to get back to this thread in the next day or two.

No problem! Let us know of result
-
Well I finally found time to take another crack at it and again came away empty handed.
Once again I set the isp device into transparent bridge mode (TBM) and after that I rebooted it just to be sure any current PPPoe sessions were ended. Then I booted my pfsense and it obtained a public ip address on the WAN. I connected the pfsense lan to a switch and my computer into the same switch, logged into the pfsense gui, and same as before could not access the internet.
I then attempted to ping Google (8.8.8.8) through the pfsense terminal (option 7 from the menu) and it failed. It did not give me an error code, it simply said "no route to host".
I then tried pinging Google from the GUI under the diagnostics menu. Same result. BUT when I changed the "from" field to WAN rather than leaving it on the default setting, I was able to successfully ping 8.8.8.8. Is this significant??
Once again I feel like I am really really close, and yet so far away.
I thought about taking some screen shots inside the pfsense GUI, but there are so many I wasn't sure what would be relevant. My point is, if there is some data I can collect that will help diagnose this situation, I will gladly do so, but I obviously need some direction.
I really appreciate any help anyone can offer.
-
> It did not give me an error code, it simply said "no route to host".

'No route to host' is a very useful error message. It tells us that the pfSense box cannot even send the ping because it doesn't know how to reach 8.8.8.8.
> I then tried pinging Google from the GUI under the diagnostics menu. Same result. BUT when I changed the "from" field to WAN rather than leaving it on the default setting, I was able to successfully ping 8.8.8.8 Is this significant??

Very. If it can ping when you choose WAN manually that tells us that the default selection is not WAN, which of course it should be.
Most likely cause is that there is a gateway set on the LAN interface which has caused it to become the default route.
Go to Interfaces: LAN: and remove any gateway set there.
Go to System: Routing: Gateways: and remove the LAN gateway from there too (if it's still there). Make sure the WAN gateway is set as default.
Another possibility is that there is no gateway set at all on any interface. That would probably be some PPP issue.
Steve
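
The default-route check described in the post above, as an added example that is not part of the original thread. The routing tables are constructed samples shaped like FreeBSD `netstat -rn -f inet` output, and the interface names `pppoe0` (WAN) and `em1` (LAN) are assumptions.

```shell
#!/bin/sh
# Added example: check that the default route leaves via the WAN interface.
# Tables are constructed samples shaped like FreeBSD `netstat -rn -f inet`;
# pppoe0 (WAN) and em1 (LAN) are assumed interface names.

# Reads a routing table on stdin. Prints ok:<if>, wrong-interface:<if> or
# no-default-route; exit status is 0, 1 or 2 respectively.
check_default_route() {
    awk -v wan="$1" '
        $1 == "Destination" {          # header row: locate the Netif column
            for (i = 1; i <= NF; i++) if ($i == "Netif") col = i
            next
        }
        # first default entry wins (the IPv4 section is printed first)
        $1 == "default" && col && !seen { seen = 1; netif = $col }
        END {
            if (!seen)        { print "no-default-route"; exit 2 }
            if (netif != wan) { print "wrong-interface:" netif; exit 1 }
            print "ok:" netif
        }'
}

# A gateway set on LAN has become the default route (the case in this thread).
LAN_GW_TABLE='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.254      UGS         0      112    em1
192.168.1.0/24     link#2             U           0     1532    em1
203.0.113.1        link#7             UH          0        0 pppoe0'

# No gateway set on any interface.
NO_GW_TABLE='Destination        Gateway            Flags    Refs      Use  Netif Expire
192.168.1.0/24     link#2             U           0     1532    em1
203.0.113.1        link#7             UH          0        0 pppoe0'

# LAN gateway removed, WAN gateway set as default.
FIXED_TABLE='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0      112 pppoe0
192.168.1.0/24     link#2             U           0     1532    em1
203.0.113.1        link#7             UH          0        0 pppoe0'

for t in "$LAN_GW_TABLE" "$NO_GW_TABLE" "$FIXED_TABLE"; do
    printf '%s\n' "$t" | check_default_route pppoe0 || true
done
```

On a live box, pipe `netstat -rn -f inet` into `check_default_route` with the real WAN interface name in place of `pppoe0`.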
-
Well I would say it is really significant if you can ping out the WAN. Connection would be working then but there is something up for sure inside pfSense. Good idea steve.
-
Success!! YES!!
Obviously I am thrilled to report that pfsense is now working! I took stephenw10's advice and found a gateway set up on the lan interface. When pfsense failed to work the first time I tried it, I tweaked some settings (that being one of them) just to see what would happen. Oops :P
So, if we walk this back to the beginning, I'm pretty sure it would have worked immediately IF I had rebooted my isp device to clear any existing PPPoe session. The first time I set it in bridge mode I did not reboot before connecting my pfsense rig.
I also want to spell this out for the search engines to pick up for any hapless Frontier users out there. The Frontier Actiontec V1000W CAN be set to Transparent Bridge Mode (TBM) even though Frontier customer support and even their technical support desk will LIE to you and say it can't be done. Yes it can!! Frontier is FLAT OUT LYING to their clients because they don't want to support TBM for residential clients. Oh sure, if you are willing to pay double the monthly fee to have a "business" account they will support it, but why should I have to do that when the functionality is available to me as a residential client. That's extortion!! Worse, it's yet another example of an isp being out of touch with the needs of the market. There is NO WAY I am the only residential client who NEEDS access to bridge mode in order to take greater control over my internal network. With the modern home having dozens of connected devices, users need more control than ever, NOT LESS! Whew, thanks for letting me get that off my chest.
A huge thank you to all those who chimed in on this thread! I am really grateful, because I know I could not have gotten it done on my own. It's really great to know there is an active community of users for this really powerful and useful open source software. I am so pumped to go and play with my new ULTRA-POWERFUL router ;D
STATIC IP's FOR EVERYONE!!
-
Nice. :) Have fun!
Steve
-
If you ever go back to your Frontier supplied router in router mode, you may have problems. If your router says you are connected, but no clients can access internet sites, put this URL in a browser: http://192.168.1.1/frontier/redirect.htm (substitute your router's IP address if not 168.192.1.1). Click on the button on the page.