Issues with getting WAN interface to work
-
Hello there,
I've been playing with pfSense since the release of 2.3 and we're liking it so much that we've decided to replace our small business network with a pfSense setup. I've decided to take on that project, but I'm running into problems. I'll try to describe my situation as accurately as possible. Let me know if there's anything missing that you'd like to know.
We currently have a DrayTek Vigor 2925 router that's hooked up on the WAN port to our fiber internet FTU (picture: https://nl.wikipedia.org/wiki/Fiber_termination_unit#/media/File:Fiber_termination_unit.jpg ). Behind that is our switch and another router for WiFi. Currently, this setup is working properly.
We want to replace the DrayTek router with a new pfSense box, so that we have one central place to manage our network and firewall config. I've built a machine for this which has two NICs: An Intel I219-V Gigabit adapter (interface: em0) and an Intel I211-AT Gigabit adapter (interface igb0).
I've installed pfSense 2.3.3-RELEASE and am starting off with a clean install. My provider has informed me that using our own device is possible as long as we use VLAN tag 128 and they do a MAC release. I therefore set up a VLAN with tag 128 on the igb0 interface (connected to the fiber FTU). It comes up as igb0_vlan128 which I set as the WAN interface. I hook up my laptop to the em0 interface and set it as the LAN interface. After saving the settings, I change the IP settings on the WAN side to use DHCP which corresponds to the settings in the DrayTek router. I leave LAN settings as default (192.168.1.1/24).
I access the web interface on the connected laptop and I complete the installation wizard. During the steps, I copy the MAC-address of the DrayTek router's WAN port to the MAC spoofing setting on the WAN interface, assuming this may remove the need for a MAC release by the ISP.
After installation, I do a reboot and I notice that it seems to take a lot of time on the "Configuring VLAN" and "Configuring WAN" steps during booting, but perhaps this is normal.
I access the web interface again and I notice that it doesn't get an IP address on the WAN side (instead shows 0.0.0.0), and the speed is listed as "100 MBit Full-Duplex" while everything should be Gbit as far as I'm aware. If I look at the DHCP System Log, I notice that it sends DHCPDISCOVER packets to 255.255.255.255 port 67 as usual, but there is no response and the dhclient ends with a FAIL.
What I've tried so far with no luck:
-
Changing the cable between the FTU and the pfSense box, mutliple times with different cables
-
Calling our ISP and asking them to release the MAC and verify if they see anything coming in. They don't.
-
Turning off the firewall in the advanced settings as well as unchecking the boxes near the Blocking settings at the bottom of the WAN interface configuration page.
-
Installing pfSense on a different machine, with same settings. Same problem.
-
Powering down the fiber FTU, and waiting quite a while before putting power back in.
In addition, I've tried switching the cables around on the machine (so that instead, em0_vlan128 is the WAN interface and igb0 is LAN side). This produces some curious results. I can still access the web interface and everything on the LAN side is working fine. On the em0_vlan128 I get a red circle with a cross in it on the dashboard and on the interface status page it says "no carrier". I notice that if I connect the cable during pfSense installation, on the igb0 interface it detects the state "state UP", but if I hook it up to the em0 interface nothing happens. No lights are on on the physycal port either (igb0 does show lights when connected). If I leave the cable in the em0 and power cycle the fiber FTU, it goes "state UP" but then immediately "state DOWN" (after a second or two). This all happens exactly the same on the different machine I've installed pfSense on. One port seems to work (at least in terms of its state), and the other doesn't.
When I put the pfSense box behind the DrayTek router, everything works flawlessly. But bear in mind that in that case it's not using the VLAN settings since that's done by the DrayTek router.
Anyone have a clue as to what my problem is? I think I've used alternatives for each of the potential problems (faulty NIC/cable/etc.) but I can't get it to work in either case. The frustrating bit is that when I put the cable back in the DrayTek, everything is online again instantly.
Thanks in advance.
[EDIT] Apparently, the 100 MBit indication is correct, since the DrayTek also shows this with an orange color on the port in its web panel.
-
-
After installation, I do a reboot and I notice that it seems to take a lot of time on the "Configuring VLAN" and "Configuring WAN" steps during booting, but perhaps this is normal.
pfSense takes a while to configure interfaces when it is trying to do something and can't, then hits a timeout. This sounds to me very much like a configuration problem. The correct configuration depends on who your provider is and how their backhaul works. Rather than speaking to technical support who tend to be clueless at the best of times, look up how to configure a 3rd party router with $'service-name'. There may be some authentication/session protocol you are missing.
-
Allright, I've done some more troubleshooting yesterday, and I decided to let the NIC issue rest, since the I211 (igb0) seems to have a proper connection and the I219 is working fine on the LAN side. I'm guessing the I219 simply can't be used for the WAN side or something.
I'm still not getting an WAN IP address though. The dhclient keeps sending DHCPDISCOVER's and it eventually ends with a FAIL. I've done a packet inspection on the DHCP port and the options it has are slightly different than what my DrayTek sends when I put it on the LAN side of the pfSense box. I've correctly spoofed its MAC which I know is locked at the ISP side, so that shouldn't be the problem. I've tried to mimic all the other option fields to make the DHCP request identical to what the DrayTek sends, but I'm having trouble with the hostname option field.
DrayTek sends this:
19:38:22.863598 XX:XX:XX:XX:XX:XX > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 590: (tos 0x0, ttl 127, id 0, offset 0, flags [none], proto UDP (17), length 576) 0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from XX:XX:XX:XX:XX:XX, length 548, xid 0x7b501da0, Flags [none] (0x0000) Client-Ethernet-Address XX:XX:XX:XX:XX:XX Vendor-rfc1048 Extensions Magic Cookie 0x63825363 DHCP-Message Option 53, length 1: Discover Client-ID Option 61, length 7: ether XX:XX:XX:XX:XX:XX Requested-IP Option 50, length 4: XXX.XXX.XXX.XXX MSZ Option 57, length 2: 576 Vendor-Class Option 60, length 9: "Vigor2925" Parameter-Request Option 55, length 5: Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name Option 212
And pfSense sends this:
19:41:30.692195 XX:XX:XX:XX:XX:XX > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328) 0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from XX:XX:XX:XX:XX:XX, length 300, xid 0x236406cf, Flags [none] (0x0000) Client-Ethernet-Address XX:XX:XX:XX:XX:XX Vendor-rfc1048 Extensions Magic Cookie 0x63825363 DHCP-Message Option 53, length 1: Discover Client-ID Option 61, length 7: ether XX:XX:XX:XX:XX:XX Hostname Option 12, length 7: "pfSense" Parameter-Request Option 55, length 9: Subnet-Mask, BR, Time-Zone, Classless-Static-Route Default-Gateway, Domain-Name, Domain-Name-Server, Hostname Option 119
My DrayTek doesn't send a hostname (Option 12) whereas the pfSense box sends Hostname Option 12, length 7: "pfSense". Could this be it? If so, is there a way to remove the hostname option from the dhclient's requests, without affecting the general hostname setting of the pfSense box?