Netgate Discussion Forum

    [SOLVED] Configuring pfSense behind Actiontec Router

      trunix

      I have a setup similar to yours. On your Actiontec, you only need to ensure the pfSense WAN port has a static IP reservation and this IP address is configured as the DMZ host IP address. It sounds like you've done that using 192.168.1.12. No static routes are needed, so you can remove the rule you created.

      Ensure your pfSense LAN interface is configured with a separate network; I'd recommend 10.0.0.0/24 as an example to easily differentiate what's inside and outside of your firewall. Your pfSense WAN interface will show as DHCP, but your Actiontec will always renew the lease with the same address since it's reserved.

      Make sure the DHCP server is running on your pfSense LAN interface to hand out addresses to clients. Note that the "LAN" ports on your Actiontec will pick up a 192.168.1.0/24 address since they're external to your pfSense firewall, so you'll need a switch or wireless interface (as you mentioned) on your pfSense LAN to connect multiple clients.

        Colin_Maclaurin

        Thank you for the response.

        I deleted the static routing rule in the Actiontec firewall.  I left the IP addresses as is and made sure DHCP was running on the LAN interface and that the address assigned from the Actiontec router to the pfSense WAN was static.  When I connected to the pfsense LAN via Ethernet and ran ipconfig /all I noticed that the IP address assigned to my laptop was 169.254.217.138/16.  This seems odd to me as the address range I entered when I configured the IP LAN was 192.168.2.50 to 192.168.2.100 and I thought only addresses in this range would be assigned to devices connected to the LAN.  I was unable to connect to the webConfigurator by entering 192.168.2.1.

        I swapped out the Ethernet cable and tried another port and it corrected the issue of not getting an IP address as I mentioned previously.  From the pfSense console I could ping 192.168.1.1 and 192.168.1.12 but when I tried 74.125.224.72 (Google) I received "No route to host."

        I appreciate your taking the time to respond.  Thank you again.

          trunix

          The 169.254.0.0/16 addresses are used by Microsoft and other vendors when DHCP isn't available or has failed. Sometimes the client device has to be rebooted or the network interface has to be reset after the DHCP server comes online. Moving from one port to another seems to have worked for you.

          Can you ping 192.168.2.1 (the pfSense router LAN IP address) from a client connected directly to the LAN port of your pfSense router (e.g. IP address of 192.168.2.50)?

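          The address plan discussed in the posts above, as an added example that is not part of the original thread: it checks that the pfSense LAN is a separate network from the Actiontec side and interprets what a client reports in ipconfig. The function names and result labels are hypothetical; the addresses are the ones quoted in the thread, and the gateway paired with the static 192.168.2.5 is an assumption.

```python
import ipaddress

APIPA = ipaddress.ip_network("169.254.0.0/16")  # range clients self-assign when DHCP fails

def check_plan(upstream_net, wan_ip, lan_if, pool_start, pool_end):
    """Return a list of problems in a pfSense-behind-ISP-router address plan."""
    upstream = ipaddress.ip_network(upstream_net)
    lan = ipaddress.ip_interface(lan_if)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems = []
    if ipaddress.ip_address(wan_ip) not in upstream:
        problems.append("WAN address is outside the upstream router's subnet")
    if lan.network.overlaps(upstream):
        problems.append("LAN subnet overlaps the upstream subnet")
    if start > end or start not in lan.network or end not in lan.network:
        problems.append("DHCP pool is not inside the LAN subnet")
    elif start <= lan.ip <= end:
        problems.append("DHCP pool contains the LAN interface address")
    return problems

def classify_client(addr, gateway, lan_if, pool_start, pool_end):
    """Interpret the address and gateway a LAN client reports in ipconfig."""
    ip = ipaddress.ip_address(addr)
    lan = ipaddress.ip_interface(lan_if)
    if ip in APIPA:
        return "dhcp-failed"    # no lease: check cable, NIC and DHCP service
    if ip not in lan.network:
        return "wrong-subnet"   # address belongs to some other network
    if gateway is None or ipaddress.ip_address(gateway) != lan.ip:
        return "bad-gateway"    # on the LAN but not routed through pfSense
    in_pool = ipaddress.ip_address(pool_start) <= ip <= ipaddress.ip_address(pool_end)
    return "ok-dhcp-pool" if in_pool else "ok-static"

# Values quoted in this thread: Actiontec subnet, pfSense WAN, pfSense LAN, DHCP pool
PLAN = ("192.168.1.0/24", "192.168.1.12", "192.168.2.1/24")
POOL = ("192.168.2.50", "192.168.2.100")

if __name__ == "__main__":
    print(check_plan(*PLAN, *POOL))
    # The gateway for the static 192.168.2.5 case is assumed, not from the thread
    for addr, gw in [("169.254.217.138", None), ("192.168.2.50", "192.168.2.1"),
                     ("192.168.2.5", "192.168.2.1")]:
        print(addr, classify_client(addr, gw, PLAN[2], *POOL))
```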
            Colin_Maclaurin

            Thank you for clarifying the issue about the strange IP address.  Sorry I forgot to mention that I had tried to ping from the client attached to the pfSense LAN the following IP addresses: 192.168.1.1, 192.168.2.1, and 192.168.1.12.  They all returned 100% packet loss.

              trunix

              Until you can successfully ping the pfSense router LAN interface, pinging addresses beyond the router is going to fail as well, so I suggest focusing on reaching 192.168.2.1 for now.

              I'm assuming you're using a client with a Windows OS, is this correct? What is the IP address and gateway given to the client via DHCP? Are the interfaces on the pfSense router and the client fast ethernet or gigabit? If they're both fast ethernet, you'll need a roll-over cable. If one or both are gigabit, then a straight-thru cable should be okay (this is one of the enhancements of the gigabit ethernet spec).

                Colin_Maclaurin

                Yes, my laptop is Win7.  I know the interface on my laptop is fast Ethernet and I'm pretty sure the quad port card in the router is fast Ethernet also.  I never thought about the roll-over cable as I had been able to access the webConfigurator using just a normal Ethernet cable.  I'm assuming that a "roll-over" cable is the same as a "crossover" cable and I'll pick one up tomorrow and try it.

                I connected my laptop to the pfSense LAN again just to make sure and once the icon in the system tray showed the yellow exclamation point I ran ipconfig /all and got Autoconfiguration IPv4 Address: 169.254.0.0, Subnet: 255.255.0.0 and no default gateway.

                  trunix

                  Yes, unless you're connecting through a switch or hub, then there's a good chance you'll need a roll-over/cross-over cable (yes, they're the same thing). If you're back to the 169.254 address space, then something's definitely not working correctly.

                  You may want to try assigning a static IP address to your laptop, for example 192.168.2.5 (mask 255.255.255.0), and see if that enables you to ping the LAN interface of the pfSense router. If not, then it could be a hardware problem, either with the cable or one of the interfaces. Is the quad-port card in the router an expansion card? Perhaps try re-seating it?

                    Colin_Maclaurin

                    Progress.  I bought a crossover cable and tried it with the quad-port card in the router and experienced the same problems as before.  I then swapped out the quad-port card with a single-port NIC from another machine I knew worked and I'll be but I had zero problems accessing webConfigurator and both the LAN & WAN interfaces show status as up.

                    I ran ipconfig from the command line on my laptop and had IP address 192.168.2.50, Subnet 255.255.255.0, Gateway 192.168.2.1, and DNS 192.168.2.1.  I could successfully ping both the LAN (192.168.2.1) and WAN (192.168.1.12) from the laptop but when I tried to ping 192.168.1.1 (Actiontec) router I received "Request Timed Out."

                    Now that I can get an IP address assigned to a client and access webConfigurator, how do I get out of the pfSense router and onto the internet?  I remember reading something like pfSense blocks connections on the WAN interface by default.  I may be wrong on that but if not is that the case?

                    Thank you again for all your help.  There was essentially zero probability of me figuring this out in any reasonable amount of time on my own.

                      Colin_Maclaurin

                      Success.  I searched the forum and found a post on the same issue and the recommendation was to delete the LAN Gateway which I did.  I rebooted pfSense and can now connect to the internet.

                      Many kudos to trunix for the help.

                      Onto the VPN setup.

                        adam65535

                        There is a much more difficult way to get it to work so that pfSense is the main connection instead of setting up pfSense as a DMZ host IP on the Actiontec.  You have to reconfigure the bridging on the Actiontec.  I have been using a similar setup for about 8 years to the article below.  This is much more complicated and requires you to re-enable the Broadband Connection Ethernet port if it loses power.  The advantage is that connections do not go through the Actiontec NATing so you are not double NATing and then restricted by the Actiontec NATing limits.

                        http://www.dslreports.com/forum/r17679150-Howto-make-ActionTec-MI424WR-a-network-bridge

                        You basically reconfigure the Actiontec so that the LAN becomes the WAN and set up a static private IP to manage it (Ethernet bridged to Broadband Connection Coax) and then set up the Ethernet WAN port to function as the LAN for the Actiontec and the coax DVRs (Coax bridged to the Broadband Connection Ethernet) which you plug into the LAN of your pfSense so that the DVRs can get a DHCP lease and connectivity.  The Broadband Connection Ethernet is usually disabled and requires manually enabling it after every power up.  As long as you put a UPS on it you rarely need to re-enable it.  If the router loses power or reboots you have to connect a PC up to the LAN of the Actiontec which is really the WAN now to log in to the static IP you gave it to re-enable the Broadband Connection Ethernet port.

                          NOYB

                          Or could configure pfSense to spoof the Actiontec MAC and impersonate the DHCP client request.  Configure both routers to service only specific ports for the services served by each and drop all others.  And connect them to the WAN in parallel.

                          I did this for a while with Verizon FiOS.  But my current ISP setup provides 2 DHCP addresses.  So one for their TV equipment and services and one for my pfSense network for the computers.

                          http://www.dslreports.com/faq/16949

                            Swordforthelord

                            The easiest solution for this kind of scenario is to simply put the Actiontec router behind pfSense.  Simply configure the Actiontec's WAN port to acquire an address automatically (if it isn't set up that way already) and connect the WAN port to the general network.  This way the Actiontec will have the internet access it needs to get the channel information and there will be no double NAT'ing with pfSense since it will have a direct connection to the internet.  The worst that will happen is that if you have a dynamic address from FiOS, it will take a while for them to accept your new MAC or you may have to call them to have them release it.

                              Colin_Maclaurin

                              Thank you for the suggestions.

                              @adam65535, I read about that configuration on dslreports.com but felt it was a little too complicated for me and I was concerned that it wouldn't survive a reboot.  I didn't want to get irate phone calls from my wife if the power flickered and she couldn't get online.

                              @NOYB, is MAC spoofing as simple as copying the Actiontec's MAC address into the appropriate field in pfSense?  It seemed too easy hence my uneasiness.

                              @Swordforthelord, putting the Actiontec after pfSense would have been my first choice except that my ONT is connected via coax and I would have to call VZ to have them roll a truck to run ethernet and activate it.  I've heard mixed things about VZ's willingness to activate that port for people who run their own ethernet.

                                NOYB

                                Spoofing the MAC is that easy.  But to run them in parallel the pfSense DHCP client must also be configured to impersonate the Actiontec DHCP request.  This is the more difficult part of the setup.  But should become much easier with the addition of DHCP advanced options in release 2.2.

                                Think I've made some posts in one of these forums a few years ago with details of impersonating the Verizon FiOS Actiontec MI424-WR.

                                  adam65535

                                  NOYB's post about impersonating the Actiontec: https://forum.pfsense.org/index.php?topic=39963.0
