Netgate Discussion Forum

How to configure pfSense using a Hitron router?

  • A
    adelphia
    last edited by Mar 18, 2017, 12:34 AM

    OK, everything is up and running, well, almost!

    I have no clue why but I am unable to access any of my web hosts or mail servers externally.

    I have created the required rules (I think) as shown in the attachments. I would have included them in the message but I can't as I can't access my sites externally (hence the reason for this post).

    I can go anywhere and browse anything, I just can't get anything to come in. What have I missed?

    As always, thanks in advance…

    pf.png
    wan.png

    Chris

    • P
      phil.davis
      last edited by Mar 18, 2017, 1:51 AM

      Is the Hitron device in some bridging mode so that pfSense WAN gets the public IP address?

      If not, are the needed ports forwarded from the Hitron public internet side through to the pfSense WAN IP?

      Something of the above needs to happen for packets arriving at the public IP to find their way into pfSense.

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

      • W
        w0w
        last edited by Mar 18, 2017, 4:20 AM

        You just wanted to get rid of Hitron router functions, but instead of doing it you have built the double NAT, using private addresses. This was NOT a good idea. You need to get a public IP on your pfSense WAN address.
        http://www.rogers.com/web/support/internet/home-networking/247?setLanguage=en DO that and put your pfSense WAN interface to DHCP.

        • J
          johnpoz LAYER 8 Global Moderator
          last edited by Mar 18, 2017, 9:36 AM

          Even if you forward on your Hitron to the pfSense WAN, since you're double NATting, that forward is going to be rfc1918, and you still have the block rfc1918 addresses enabled.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • A
            adelphia
            last edited by Mar 18, 2017, 10:21 AM

            @w0w:

            You just wanted to get rid of Hitron router functions, but instead of doing it you have built the double NAT, using private addresses. This was NOT a good idea. You need to get a public IP on your pfSense WAN address.
            http://www.rogers.com/web/support/internet/home-networking/247?setLanguage=en DO that and put your pfSense WAN interface to DHCP.

            As I explained in my original post, this is not possible as the Hitron from VB, as it currently stands, will only allow a DYNAMIC and not STATIC IP to work when this mode is activated. However, I will try again but I will need to reconfigure my router system as the IP address changes (on the Hitron) from 192.168.0.1 to 192.168.100.1 which is not changeable.

            As for the private addressing I did this on suggestion from phil.davis.

            Are you saying it's the WAN that needs to have the DHCP?  I thought this was supposed to be on the LAN which is how it's currently configured.

            @phil.davis:

            Is the Hitron device in some bridging mode so that pfSense WAN gets the public IP address?

            If not, are the needed ports forwarded from the Hitron public internet side through to the pfSense WAN IP?

            Something of the above needs to happen for packets arriving at the public IP to find their way into pfSense.

            I even tried turning on DMZ on the Hitron to the WAN IP but this didn't resolve the issue either.

            @johnpoz:

            Even if you forward on your Hitron to the pfSense WAN, since you're double NATting, that forward is going to be rfc1918, and you still have the block rfc1918 addresses enabled.

            So should this "block" be disabled? Sorry, I'm still new to all this and I don't really understand what the rfc1918 is all about. All I know after reading a few snippets about it is that it was implemented to get ready for IPv6 and to prevent IPv4 from running out. Source: http://whatis.techtarget.com/definition/RFC-1918

            Chris

            • J
              johnpoz LAYER 8 Global Moderator
              last edited by Mar 18, 2017, 10:43 AM

              What???

              Yeah, you're reading that wrong ;)  Yes, with the use of NAT and rfc1918 space not everyone needs public for all their devices.  And sure, it allows fewer IPv4 public IPs.. But that is not what rfc1918 space is..

              rfc1918 are IPs, that do not route on the internet - they are meant for private use only.. 
              10.x.x.x
              172.16-31.x.x
              192.168.x.x

              Your wan is that 192.168.0.2

              So on your isp router.. you need to forward what you want to forward, 80 443 to 192.168.0.2, or put 192.168.0.2 (pfsense wan IP) into the DMZ of your isp router..

              since your isp router is sending traffic to 192.168.0.2 that hit your public IP on 80/443, pfsense says hey wait - that is rfc1918.. I block that shit!!!  So you need to turn off that rule!!!  Normally pfsense would have a public IP on its wan, and then that rule is fine..

              privatenetworks.png

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              • A
                adelphia
                last edited by Mar 18, 2017, 1:26 PM Mar 18, 2017, 12:38 PM

                So if I set my WAN IP as my PUBLIC IP but still use the 192.168.0.1 from the Hitron as the gateway this would prevent these issues?  Am I understanding that correctly now?

                Excuse my ignorance, but we all have to learn from somewhere.

                I have tried the DMZ route but that fails too. Going to set WAN IP to PUBLIC IP now and see if that fixes things…

                Well, that didn't work. Taking a break to watch the rugby and then I'll get back to it! Thanks for all the help everyone in trying to get my head to understand how this all works.

                Chris

                • P
                  phil.davis
                  last edited by Mar 18, 2017, 2:11 PM

                  1. The best thing to do, if it is possible, is to configure the Hitron in "pass-through" "bridging" mode (I am not sure the exact term that Hitron would use - if it does it at all). If you can get it to just act as a "dumb modem" and pass all the external traffic directly through to pfSense WAN, then:
                        Set pfSense WAN interface to DHCP (it will be a DHCP client, and will ask for an IP address from its upstream, which will be your ISP) and it should receive the "static" IP that your ISP has given you; or
                        If the ISP has told you the static IP to use and does not give it by DHCP, then put that static IP as the pfSense WAN IP.

                  2. If the Hitron will not go into "pass-through" mode, then:
                        Make the Hitron forward the ports that you want to be public through to your pfSense WAN IP 192.168.0.2
                        Keep the pfSense WAN IP 192.168.0.2 with gateway 192.168.0.1
                        On the Interfaces->WAN page, do not tick the Block RFC1918 box (you want to receive traffic from the Hitron 192.168.0.1)

                  The difficulty with helping you is that we do not know exactly what control you have over what the Hitron can do, so we are giving lots of "if this then do that" advice.

                  As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                  If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
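
An added example (not part of any post in this thread, and not pfSense code): a small Python model of the double-NAT check and the "Block RFC1918" behaviour discussed above. It assumes the block rule matches on source address and is evaluated before port-forward pass rules; the internal host 10.0.0.10 and all sample packets are constructed.

```python
import ipaddress

# The three RFC 1918 ranges listed in the thread (172.16-31.x.x is 172.16.0.0/12).
RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def wan_topology(wan_ip):
    """A private WAN address means an upstream device is doing NAT first."""
    return "double NAT" if is_rfc1918(wan_ip) else "public WAN"


def verdict(src_ip, dst_port, block_private, forwards):
    """Simplified model of inbound WAN handling (assumption, not pfSense code):
    the block-private rule matches on SOURCE address and runs before the
    port-forward pass rules; anything unmatched hits the default deny."""
    if block_private and is_rfc1918(src_ip):
        return "blocked: private source"
    if dst_port in forwards:
        return "passed to " + forwards[dst_port]
    return "blocked: default deny"


def triage(wan_ip, block_private, forwards, packets):
    """Return the WAN topology and a per-packet verdict list."""
    return wan_topology(wan_ip), [
        (src, port, verdict(src, port, block_private, forwards))
        for src, port in packets
    ]


# Constructed sample: WAN 192.168.0.2 behind the ISP router at 192.168.0.1,
# web ports forwarded to a hypothetical internal host 10.0.0.10.
FORWARDS = {80: "10.0.0.10", 443: "10.0.0.10"}
PACKETS = [
    ("203.0.113.7", 443),   # internet client, source preserved by upstream
    ("192.168.0.1", 80),    # traffic sourced from the ISP router itself
    ("172.32.0.5", 80),     # just outside 172.16.0.0/12, so not private
    ("198.51.100.9", 22),   # no forward configured for SSH
]

if __name__ == "__main__":
    topo, results = triage("192.168.0.2", True, FORWARDS, PACKETS)
    print(topo)
    for row in results:
        print(*row)
```

Running it with the block rule on and then off shows which sources are affected by the checkbox and which are decided purely by the port forwards.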

                  • A
                    adelphia
                    last edited by Mar 18, 2017, 2:46 PM

                    I think this whole issue I'm having is with the Hitron and the VB service itself.

                    When I set the Hitron into modem only mode (disable the router function) I can assign an IP using DHCP to the WAN address which in turn gives me a DYNAMIC address (86.x.x.x). However, when the Hitron is set as VB expect it to be in order to get the STATIC IP, I get the STATIC IP (62.x.x.x) but then I can't forward anything through to pfSense WAN, even using DMZ OR by disabling the default blocking rules.

                    I really think I'm going to have to revert to a DYNAMIC IP and, if I do, VB can come take this bit of garbage out from my house and I'll revert back to VM.

                    I won't give up trying to get this sorted and I do really appreciate everyone trying to help. If you need specific information from me, screenshots or whatever, I'll gladly provide them.

                    Chris

                    • W
                      w0w
                      last edited by Mar 18, 2017, 2:50 PM

                      At least we need to know exact model of this Hitron-shmitron router to confirm that it does or does not support bridge/dumb modem mode.
                      From what I found it looks like it can be enabled but I may be wrong. That FAQ url I've posted stated that you can't connect to hitron interface when this mode enabled and you must reset it to get back router functionality, this looks like dumb modem in my eyes.

                      will only allow a DYNAMIC and not STATIC IP to work when this mode is activated.

                      In bridge mode it acts like a bridge, just a dumb interface that brings the ISP network to your pfSense WAN; you should not receive or set any IP on the Hitron side. But we don't know whether it is real bridge mode or something else you have tried.
                      Sometimes static IP means that you don't touch anything on your own side but your modem/router just gets a static IP by DHCP static lease, and you don't need to configure anything. If it's not that way on your ISP then you should try to disable Residential Gateway in the Hitron and connect pfSense to that "one active port" as stated in the Rogers FAQ. If it applies to your model, then you should change the pfSense WAN IP to that external static IP you've got from the ISP manually.

                      • W
                        w0w
                        last edited by Mar 18, 2017, 2:57 PM

                        Hmm… Maybe your ISP assigns the static IP by the MAC address of your Hitron modem and you need to spoof the MAC… I am not sure.

                        • A
                          adelphia
                          last edited by Mar 18, 2017, 3:13 PM Mar 18, 2017, 3:09 PM

                          @w0w:

                          Hmm… Maybe your ISP assigns the static IP by the MAC address of your Hitron modem and you need to spoof the MAC… I am not sure.

                          No, VB (Virgin Business in case you hadn't figured that yet) have a stupid section in the Hitron where you have to set up a tunnel to connect to the STATIC IP. Unlike other providers who assign a static IP direct to the router, VB assign a Dynamic and then you're required to log in to this tunnel in order to get the static.

                          Anyway, I think I have good news. Having tinkered with NAT and Firewall rules, I think I may have sorted it even with the BLOCK rules in place.  All I changed was the "Filter Rule Association" on the "Firewall->NAT->Port Forward" page to "Pass" instead of "Create new associated filter rule" and it all appears to be working.  I can access my sites and I can connect to my mail server and SSH.

                          I'm not sure if this will create any security issues or not (I'm hoping not) but at least it's working.

                          If this is likely to cause security loopholes or issues, please let me know and I will have to speak direct with VB in order to try and get this resolved.

                          Thanks again to everyone for your help. Not sure if there is any "kudos" or "rep" on this forum, but I'd certainly like to give some if it's possible.

                          Chris

                          • W
                            w0w
                            last edited by Mar 18, 2017, 3:29 PM

                            http://community.virginmedia.com/t5/Networking-and-wireless/Business-Hitron-Router/td-p/3045782/page/2

                            Looks like your static IP is received by GRE. I am pretty sure it can be configured on the pfSense side. Since I am not so familiar with GRE I can't comment on whether it would be best to use it on the pfSense side or leave it on the Hitron. Maybe somebody more competent can comment on it.

                            • P
                              Presbuteros
                              last edited by Mar 18, 2017, 4:27 PM

                              @johnpoz:

                              So on your isp router.. you need to forward what you want to forward, 80 443 to 192.168.0.2, or put 192.168.0.2 (pfsense wan IP) into the DMZ of your isp router..

                              I have one client location where his ISP uses a Zyxel modem/router combo. I used the DMZ option johnpoz mentioned here and as soon as the pfSense router was placed into the DMZ all the port scanning and door knockers on ports 22, 23 and others started showing up on the pfSense firewall log that were not there before. I knew then that pfSense router was then exposed to the world and not behind the Zyxel's firewall anymore. This is certainly one way to pass that traffic (and see all the door knockers on your ports from CN, RS, IN, etc).

                              • A
                                adelphia
                                last edited by Mar 19, 2017, 12:51 PM Mar 18, 2017, 10:03 PM

                                @w0w:

                                http://community.virginmedia.com/t5/Networking-and-wireless/Business-Hitron-Router/td-p/3045782/page/2

                                Looks like your static IP is received by GRE. I am pretty sure it can be configured on the pfSense side. Since I am not so familiar with GRE I can't comment on whether it would be best to use it on the pfSense side or leave it on the Hitron. Maybe somebody more competent can comment on it.

                                Thanks for the heads up. I'll take a look at this tomorrow although believe it or not I searched high and low (or at least thought I did) on the VM site for info on this. Perhaps I was searching the VB rather than VM site.

                                GRRR - modified this post then added kudos (or Karma as it's called here) to a couple of people and lost my edit because I forgot to save!  Anyway, as I was saying…

                                I reviewed a lot of the 13 pages of posts on the above site but most of it was about people ranting and raving about flaky speeds and not being able to use the fixed IP on anything but the Hitron itself. Needless to say I posted my $0.01 (or more like $2.00) worth on the forum to let them know of my recent experience.

                                Chris

                                • S
                                  stevehaley
                                  last edited by May 16, 2017, 10:56 PM

                                  There is a problem with the Hitron router in modem mode and pfSense.
                                  I have never managed to get it to successfully assign me an IP address via DHCP. As we need the modem/bridge mode because we can hit a large number of states, we eventually found a workaround. We spoofed the pfSense WAN firewall address on a PC and attached that directly to the modem, which then assigned us an IP address. After that it appears to be happy until the IP address expires every 12-14 months, then we have to repeat the exercise, but it works, and so far I have been unable to configure pfSense to the point where it will do it.

                                  • jahonixJ
                                    jahonix
                                    last edited by May 16, 2017, 11:46 PM

                                    Well, at least I can confirm that those Hitron devices are junk.
                                    Three+ years ago I got one from my cable provider. Issues were too numerous to remember. Contract ended 24 month after it began and I happily returned this crap.
                                    I would dismiss a future great deal if it would imply having to use one of those devices.

                                    • G
                                      gjaltemba
                                      last edited by May 17, 2017, 12:51 AM

                                      Agreed. Hitron devices are junk. But with the right firmware, WiFi disabled and bridge mode, my Hitron has 9 months uptime on a Gbps connection.

                                      • jahonixJ
                                        jahonix
                                        last edited by May 17, 2017, 2:28 AM

                                        Mine was commissioned from ISP via TR-069, no bridge-mode and WiFi always on for "free fonero WLAN" or so. Crap^2
                                        A firmware-update rendered the device useless for about 1 week or so.

                                        • S
                                          stevehaley
                                          last edited by May 19, 2017, 3:38 PM

                                          I keep seeing references to posts that claim that it is possible to configure pfSense to establish the GRE tunnel with the Hitron in modem mode in order to log in for the static IP on Virgin. Has anyone managed this?
                                          I can't even get pfSense to get a dynamic address when the existing smarthub 2 is in modem mode and have to spoof the MAC address.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.