[SOLVED] Configuring pfSense behind Actiontec Router
-
Yes, my laptop is Win7. I know the interface on my laptop is fast Ethernet and I'm pretty sure the quad port card in the router is fast Ethernet also. I never thought about the roll-over cable as I had been able to access the webConfigurator using just a normal Ethernet cable. I'm assuming that a "roll-over" cable is the same as a "crossover" cable and I'll pick one up tomorrow and try it.
I connected my laptop to the pfsense LAN again just to make sure and once the icon in the system tray showed the yellow exclamation point I ran ipconfig /all and got Autoconfiguration IPv4 Address: 169.254.0.0, Subnet: 255.255.0.0 and no default gateway.
-
Yes, unless you're connecting through a switch or hub, then there's good chance you'll need a roll-over/cross-over cable (yes, they're the same thing). If you're back to the 169.254 address space, then something's definitely not working correctly.
You may want to try assigning a static IP address to your laptop, for example 192.168.2.5 (mask 255.255.255.0), and see if that enables you to ping the LAN interface of pfsense router. If not, then it could be hardware problem, either with the cable or one of the interfaces. Is the quad-port card in the router an expansion card? Perhaps try re-seating it?
-
Progress. I bought a crossover cable and tried it with the quad-port card in the router and experienced the same problems as before. I then swapped out the quad-port card with a single-port NIC from another machine I knew worked and I'll be but I had zero problems accessing webConfigurator and both the LAN & WAN interfaces show status as up.
I ran ipconfig from the command line on my laptop and had IP address 192.168.2.50, Subnet 255.255.255.0, Gateway 192.168.2.1, and DNS 192.168.2.1. I could successfully ping both the LAN (192.168.2.1) and WAN (192.168.1.12) from the laptop but when I tried to ping 192.168.1.1 (Actiontec) router I received "Request Timed Out."
Now that I can get an IP address assigned to a client and access webConfigurator, how do I get out of the pfSense router and onto the internet? I remember reading something like pfSense blocks connections on the WAN interface by default. I may be wrong on that but if not is that the case?
Thank you again for all you help. There was essentially zero probability of me figuring this out in any reasonable amount of time on my own.
-
Success. I searched the forum and found a post on the same issue and the recommendation was to delete the LAN Gateway which I did. I rebooted pfSense and can now connect to the internet.
Many kudos to trunix for the help.
Onto the VPN setup.
-
There is a much more difficult way to get it to work so that pfsense is the main connection instead of setting up pfsense as a DMZ host IP on the actiontek. You have to reconfigure the bridging on the actiontek. I have been using a similar setup for about 8 years to the article below. This is much more complicated and requires you to re-enable the Broadband Connection Ethernet port if it looses power. The advantage is that connections do not go through the actiontek NATing so you are not double NATing and then restricted by the Actiontek NATing limits.
http://www.dslreports.com/forum/r17679150-Howto-make-ActionTec-MI424WR-a-network-bridge
You basically reconfigure the Actiontek so that the LAN becomes the WAN and setup a static private IP to manage it (Ethernet bridged to Broadband Connection Coax) and then setup the Ethernet WAN port to function as the LAN for the actiontek and the coax DVRs (Coax bridged to the Broadband Connection Ethernet) which you plug into the LAN of your pfsense so that the DVRs can get a DHCP lease and connectivity. The Broadband Connection Ethernet is usually disabled and requires manually enabling it after every power up. As long as you put a UPS on it you rarely need to re-enable it. If the router looses power or reboots you have to connect a PC up to the LAN of the actiontek which is really the WAN now to login to the static IP you gave it to re-enable the Broadband Connection Ethernet port.
-
Or could configure pfSense to spoof the Actiontec MAC and impersonate the DHCP client request. Configure both routers to service only specific ports for the services served by each and drop all others. And connect them to the WAN in parallel.
I did this for a while with Verizon FiOS. But my current ISP setup provides 2 DHCP addresses. So one for their TV equipment and services and one for my pfSense network for the computers.
http://www.dslreports.com/faq/16949
-
The easiest solution for this kind of scenario is to simply put the Actiontec router behind pfSense. Simply configure the Actiontec's WAN port to aquire and address automatically (if it isn't set up that way already) and connect the WAN port to the general network. This way the Actiontec will have the internet access it needs to get the channel information and there will be no double NAT'ing with pfSense since it will have a direct connection to the internet. The worst that will happen is that if you have a dynamic address from FiOS, it will take a while for them to accept your new MAC or you may have to call them to have them release it.
-
Thank you for the suggestions
@adam65535, I read about that configuration on dlsreports.com but felt it was a little too complicated for me and I was concerned that it wouldn't survive a reboot. I didn't want to get irate phone calls from my wife if the power flickered and she couldn't get online.
@NOYB, is MAC spoofing as simple s copying the Actiontec's MAC address into the appropriate field in pfSense? It seemed too easy hence my uneasyness.
@Swordforthelord, putting the Actiontec after pfSense would have been my first choice except that my ONT is connected via coax and I would have to call VZ to have them roll a truck to run ethernet and activate it. I've heard mixed things about VZ's willingness to activate that port for people who run their own ethernet.
-
Spoofing the MAC is that easy. But to run them in parallel pfSense DCHP client must also be configured to impersonate the Actiontec DHCP request. This is the more difficult part of the setup. But should become much easier with the addition of DHCP advanced options in release 2.2.
Think I've made some posts in one of these forums a few years ago with details of impersonating the Verizon FiOS Actiontec MI424-WR.
-
NYOB's post about impersonating the actiontec: https://forum.pfsense.org/index.php?topic=39963.0