Can't reach updates with bridged mode modem
-
This isn't a solution, but perhaps another piece of the puzzle. I've discovered that all other things being equal, the pfsense auto update service does not work through a cable modem in "bridged mode". In other words, with two identically-configured firewalls, the one connected to a "bridged modem" will not perform auto update, the one connected to a router modem will work normally.
I discovered this last night during a changeover from a modem with fixed IP to a modem with DHCP that's (by necessity) configured to operate in bridge mode. Both modems are Comcast-provided, but obviously different devices. Like another poster, I can ping "updates.pfsense.org" from the WAN port, but the Auto Update tab reports as follows:
Downloading new version information…done
Unable to check for updates.
Could not contact pfSense update server https://updates.pfsense.org/_updaters/amd64The only changes made to the configuration of the firewalls were the obvious ones: WAN uses DHCP vs Fixed IP, and the gateway IP was provided by DHCP rather than a fixed IP.
-
This has no relation to the thread you posted it in, so I split it to its own thread.
I'm guessing the difference there is related to IPv6. You should get functional IPv6 with bridge mode on Comcast, if your WAN's set to DHCP6. Maybe you're ending up with what looks like it should be functional IPv6 but isn't. Try changing your preference to IPv4 on the affected system and see if that makes a difference.
https://doc.pfsense.org/index.php/Controlling_IPv6_or_IPv4_Preferenceor set WAN's IPv6 type to "none".
-
I have some more information to add. Hopefully this will help others avoid this nightmare I seem to have fallen into.
Background: I'm switching from Comcast "Business" (with fixed IPs) to Comcast residential service (DHCP only). The new "residential" modem (a Cisco Model DPC3941T) has been put into "Bridge Mode" for the usual reasons. As of now, I have both the Business and Residential services operating.
The issue seems to be partly with the cable modem. It's super-tenacious at holding onto "historical" information - the ARP cache seems to be carved into stone tablets inside the modem, as I've seen it refuse to issue new IP and Gateway info across multiple power-cycles. There may be other things going on, too. By that, I mean that the modem seems to be able to get pfsense to cough up certain information re its history, and then the modem apparently just hands that back to pfsense as its DHCP input.
Here's the blow-by-blow of one of many attempts to get the bridge to work with my pfsense fw:
1. pfsense-fw1 connected to "Business" router, and WAN changed from fixed IP to DHCP. Business router assigned an IP and gateway to the WAN.
2. halted & powered down pfsense-fw1, moved WAN interface from Business router to Residential bridge.
3. powered up Residential bridge, waited until "all ready" signal issued by bridge
4. powered up pfsense-fw1
5. the pfsense-fw1 gui showed that the IP and gateway assigned were the same as assigned when it was connected to the Business router! (of course this was BFU, and no traffic was routing)
6. shut down pfsense-fw1 and Residential bridge, re-started again (same order as above), and got the same result!
The only way I could get the Residential bridge to issue a routable combination of WAN IP & gateway was to get an old Alix box out of storage, re-set it, and then connect it to the bridge. Later, I dug a 2nd old Alix out of storage, restored the config file from the first Alix box, and spoofed the WAN MAC to be the same as the WAN MAC on the first Alix. This actually worked without having to power-cycle the bridge.
I spoke to Comcast tech support about these issues, and got the answer I expected: "It sounds like a problem with your equipment".
With respect to the IPv6 comment: I'll try that, but frankly don't expect it to make any difference as IPv6 is not enabled on the WAN or the LAN.
I'll post more as it becomes available.
-
Given the additional details, especially that you have IPv6 set to none, I don't think that's IPv6 related in any way. Sounds like modem-induced chaos. I think you're on the right track there, apparently your MAC is stuck somewhere related to your old service, so I wouldn't re-use that MAC on the new modem.
-
Yes, it seems to be the modem - what a piece of shit!
The MAC address is key… if I hadn't had a 'virgin' Alix box, I don't think I would have ever got this working. I've replicated its MAC to both fw1 and fw2, and they now both work fine; they can reach the 'update' site.
The perverse behavior of this modem would seem to completely rule out using the failover feature - if it was ever possible on a bridged modem.
I've still got one question: Is there any historical data on the pfsense box that the cable modem could access during DHCP? I ask because when fw1 (and subsequently fw2) was connected to the bridged cable modem, I observed that pfsense reported a gateway address that it used when it was connected to another gateway device (the router for the fixed-IP service). I totally don't understand how pfsense could report such nonsense.