
FIOS - WAN DHCP Setup for G1100 (FiOS Quantum Router) with pfSense (no bridging)

Routing and Multi WAN
Paint, Jul 18, 2016, 3:31 AM (last edited Jul 18, 2016, 4:02 AM)

    @luckman212:

    Hmm that's a very interesting setup.  So both the Quantum router and pfSense have the same spoofed MAC address? And both are requesting DHCP leases from the ONT? What happens if they both send a request at the same time? I am trying to wrap my head around the flow of signals here.  I am thinking there would be some mangling of packets going on by the time the data traveling upstream reaches the ONT if both devices happen to be "talking" at the same time.

    Yes, my pfSense box is cloning my G1100 MAC address and DHCP request.

    Yes, they are both sending DHCP Request packets to my FiOS ONT. Since the requests are exactly the same, the FiOS ONT thinks that the G1100 router is just requesting an IP twice.

    Both devices are able to access the Internet without issues and do not have issues renewing the same WAN IP from the ONT.

    Take a look at the VLAN setup and network flows in this diagram: http://www.dslreports.com/forum/r27210694-FiOS-Dual-Router-Separated-Computer-TV-Service-Networks

    I have blocked the required caller ID and remote DVR port forwards on my pfSense router, since my G1100 quantum gateway accepts those packets.  There are no LAN devices, besides my DVR boxes, my set top boxes,  and my cable card setup on my G1100. However, I know this does not matter - this setup would work with LAN devices on both routers as long as they do not use the same incoming ports simultaneously.

    Ultimately, this setup works because both firewalls block the packets they do not expect on the WAN. If they rejected the packets, this setup would not work because FiOS would get a deny packet from one of the routers when the traffic was for the other router.

    pfSense i5-4590
    940/880 mbit Fiber Internet from FiOS
    BROCADE ICX6450 48Port L3-Managed Switch w/4x 10GB ports
    Netgear R8000 AP (DD-WRT)

Paint, Jul 18, 2016, 3:41 AM

      Maybe this is an easier, more common, way of explaining why this setup works.

      My setup is equivalent to having two VLANs routed over the 1 WAN IP. However, in the above setup, I am using two physical routers instead of a single router to route the two virtual networks.

Paint, May 4, 2017, 3:43 PM (last edited May 5, 2017, 12:09 AM)

        FYI - FiOS has changed some of the settings in my OP - I believe they were related to the Gigabit offering (which I now subscribe to 8) 8) 8)). I am finalizing the correct settings now and will update this thread when they are confirmed.

        --- update

        Just did a packet sniff on the Quantum router.... The device now sends a different, unique hostname based on the MAC address and a different MAC address. It also sends a different list of required and optional parameters.

        I will update this post once I reliably have a way to have both devices working.

Paint, May 5, 2017, 4:28 AM (last edited May 5, 2017, 3:05 PM)

          G1100 FiOS Quantum Router DHCP WAN Client Impersonation - Updated 5-May-2017:

          With the release of FiOS Gigabit speeds, it seems like Verizon changed the content of the DHCP WAN packet. The MAC address inside the packet and the hostname are DIFFERENT from the physical MAC of the Ethernet WAN port shown in the G1100 GUI. This means all users must run a TCPDUMP on the WAN interface from the G1100 to confirm this hidden information (hostname and true MAC address). In summary, whatever MAC address you find in the packet sniff should be the MAC address used in the packet impersonation on your pfSense router.

          Sniffing the Packet:
          First connect your G1100 WAN port to your pfSense router. I used my WAN interface, but you can use any available interface.
          Open an SSH or CLI session and run the following TCPDUMP command (make sure to change igb0 to the name of your interface):

```
tcpdump -i igb0 -vvv -s 0 '((port 67 or port 68) and (udp[8:1] = 0x1))'
```

          You will then start seeing packets that look like this:

```
00:40:38.866254 IP (tos 0x0, ttl 128, id 57388, offset 0, flags [none], proto UDP (17), length 335)
    pool-123-123-123-123.<region>.fios.verizon.net.bootpc > lo0-100.NYCMNY-VFTTP-380.verizon-gni.net.bootps: [udp sum ok] BOOTP/DHCP, Request from aa:bb:cc:dd:ee:aa (oui Unknown), length 307, xid 0xadf6f1c7, Flags [none] (0x0000)
          Client-IP pool-123-123-123-123.<region>.fios.verizon.net
          Client-Ethernet-Address aa:bb:cc:dd:ee:aa (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Request
            Client-ID Option 61, length 7: ether aa:bb:cc:dd:ee:aa
            Requested-IP Option 50, length 4: pool-123-123-123-123.<region>.fios.verizon.net
            Hostname Option 12, length 22: "securenat-aabbccddeeaa"
            Vendor-Class Option 60, length 8: "MSFT 5.0"
            Parameter-Request Option 55, length 12:
              Subnet-Mask, Domain-Name, Default-Gateway, Domain-Name-Server
              Netbios-Name-Server, Netbios-Node, Netbios-Scope, Router-Discovery
              Static-Route, Classless-Static-Route, Classless-Static-Route-Microsoft, Vendor-Option
            END Option 255, length 0
```

          You need to extract two pieces of information from the packet sniff:

          • The MAC address (e.g. aa:bb:cc:dd:ee:aa)

          • The Hostname (e.g. securenat-aabbccddeeaa)

          Notice how the hostname contains your MAC address without colons.

          Now that we have the packet, it is time to start configuring pfSense!!!

          Login to the pfSense Web GUI. Click on Interfaces -> WAN.

          IPv4 Configuration Type: DHCP

          MAC controls: aa:bb:cc:dd:ee:aa (replace with your G1100 WAN Ethernet MAC address from the sniffed packet)

          MTU: 1500

          MSS: (blank)

          Speed and Duplex: 1000baseT full-duplex

          **DHCP Client Configuration**

          Options: Advanced Configuration is checked

          Hostname: securenat-aabbccddeeaa (replace with your G1100 WAN Ethernet hostname from the sniffed packet)

          **Protocol Timing:**

          Timeout: 60
          Retry: 30
          Select Timeout: 0
          Reboot: (blank)
          Backoff cutoff: (blank)
          Initial Interval: 1
          Presets: Saved Cfg

          You may need to change the timeout and retry parameters based on your individual setup. I find that a retry of 15 seconds or less is too quick for FiOS.

          **Lease Requirements and Requests:**

          **Send Options:**

```
dhcp-class-identifier "MSFT 5.0", dhcp-client-identifier 01:{mac_addr_asciiL:}, domain-name "verizon.net"
```

          **Request options:**

```
subnet-mask, domain-name, routers, domain-name-servers, netbios-name-servers, netbios-node-type, netbios-scope, router-discovery, static-routes, classless-routes, option-249, vendor-encapsulated-options
```

          **Require options:**

```
subnet-mask, routers
```

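As an added example (this is not code from the post above, from pfSense or from Verizon), the following Python script does by hand what the procedure above asks you to do by eye: it parses a raw DHCP Request the way tcpdump decoded it, checks that the client-id (option 61) really is 01 plus the same MAC as chaddr, and renders the pfSense "MAC controls", "Hostname", "Send options" and "Request options" values from the packet. The packet bytes are constructed here to carry the same fields as the capture in the post (the placeholder MAC aa:bb:cc:dd:ee:aa and hostname securenat-aabbccddeeaa); the builder function and the option-code table are assumptions made so the script runs offline, and the domain-name "verizon.net" the post adds to Send options is not derived from the packet, so the script does not emit it.

```python
"""Parse a sniffed DHCP Request and derive the pfSense WAN DHCP-client fields
that impersonate it.  Added example, not from the forum post or pfSense; the
sample packet is constructed to match the thread's capture."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie at offset 236

# DHCP option code -> ISC dhclient option name, the spelling pfSense's
# "Request options" field expects.  Codes absent here are emitted as option-N.
DHCLIENT_NAMES = {
    1: "subnet-mask", 2: "time-offset", 3: "routers", 6: "domain-name-servers",
    12: "host-name", 15: "domain-name", 28: "broadcast-address",
    31: "router-discovery", 33: "static-routes", 43: "vendor-encapsulated-options",
    44: "netbios-name-servers", 46: "netbios-node-type", 47: "netbios-scope",
    119: "domain-search", 121: "classless-routes", 249: "option-249",
}


def build_dhcp_request(mac, hostname, vendor_class, params, requested_ip=b"\0\0\0\0"):
    """Construct a BOOTREQUEST carrying options 53, 61, 50, 12, 60 and 55 (sample input only)."""
    chaddr = bytes.fromhex(mac.replace(":", ""))
    # op=1 (request), htype=1 (Ethernet), hlen=6, hops, xid, secs, flags,
    # ciaddr/yiaddr/siaddr/giaddr, chaddr(16), sname(64), file(128) = 236 bytes
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0xADF6F1C7, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         chaddr, b"\0" * 64, b"\0" * 128)
    options = (bytes([53, 1, 3])                               # DHCPREQUEST
               + bytes([61, 1 + len(chaddr), 1]) + chaddr      # client-id: htype byte + MAC
               + bytes([50, 4]) + requested_ip
               + bytes([12, len(hostname)]) + hostname.encode("ascii")
               + bytes([60, len(vendor_class)]) + vendor_class.encode("ascii")
               + bytes([55, len(params)]) + bytes(params)
               + b"\xff")                                      # END
    return header + MAGIC_COOKIE + options


def parse_dhcp(data):
    """Return the header fields and a {code: raw value} map; rejects truncated input."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: too short or missing magic cookie")
    op, htype, hlen = data[0], data[1], data[2]
    xid = struct.unpack("!I", data[4:8])[0]
    chaddr = data[28:28 + hlen]
    options, i = {}, 240
    while i < len(data):
        code = data[i]
        if code == 0:                    # PAD has no length byte
            i += 1
            continue
        if code == 255:                  # END; anything after it is padding
            break
        if i + 1 >= len(data):
            raise ValueError("option %d truncated" % code)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        options[code] = value
        i += 2 + length
    else:
        raise ValueError("no END option")
    return {"op": op, "htype": htype, "xid": xid, "chaddr": chaddr, "options": options}


def pfsense_settings(pkt):
    """Map a parsed DHCPREQUEST onto the Interfaces -> WAN fields used in the post."""
    o = pkt["options"]
    if pkt["op"] != 1 or o.get(53) != b"\x03":
        raise ValueError("expected a DHCPREQUEST (op 1, option 53 = 3)")
    client_id = o.get(61, b"")
    # The impersonation only holds if chaddr and the client-id agree (01 = Ethernet
    # followed by the MAC); a mismatch would make the ONT see two different clients.
    if client_id[:1] != b"\x01" or client_id[1:] != pkt["chaddr"]:
        raise ValueError("client-id %s does not match chaddr" % client_id.hex())
    params = list(o.get(55, b""))
    return {
        "mac": ":".join("%02x" % b for b in pkt["chaddr"]),
        "hostname": o.get(12, b"").decode("ascii", "replace"),
        # {mac_addr_asciiL:} is pfSense's macro for the spoofed MAC, lowercase,
        # colon-separated, so the client-id follows the MAC field automatically.
        "send_options": 'dhcp-class-identifier "%s", dhcp-client-identifier 01:{mac_addr_asciiL:}'
                        % o.get(60, b"").decode("ascii", "replace"),
        "request_options": ", ".join(DHCLIENT_NAMES.get(c, "option-%d" % c) for c in params),
        "unmapped_codes": [c for c in params if c not in DHCLIENT_NAMES],
    }


# Constructed sample mirroring the thread's capture; MAC and hostname are placeholders.
SAMPLE_PARAMS = [1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43]
SAMPLE = build_dhcp_request("aa:bb:cc:dd:ee:aa", "securenat-aabbccddeeaa", "MSFT 5.0", SAMPLE_PARAMS)

if __name__ == "__main__":
    for field, value in pfsense_settings(parse_dhcp(SAMPLE)).items():
        print("%s: %s" % (field, value))
```

To use it on a real capture, write the packet with `tcpdump -w` (or `-X`) and feed the UDP payload bytes to `parse_dhcp`; any code in `unmapped_codes` needs to be added to the table (or left as option-N, which dhclient also accepts) before pasting `request_options` into pfSense.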
nasomi, May 11, 2017, 3:53 PM

            I'm experiencing issues like this, I hope you can help.

            I have no Actiontec router. I only have the ONT > pfSense box. I tried running tcpdump on the ONT and no go. It crashed my web UI. I wasn't sure if I should run that against the ONT though and not being at the console I didn't want to try via PuTTY if I don't have access to the physical box.

            If I have no Actiontec what should I be doing to configure my DHCP?

Paint, May 11, 2017, 3:57 PM

              @nasomi:

              I'm experiencing issues like this, I hope you can help.

              I have no Actiontec router. I only have the ONT > pfSense box. I tried running tcpdump on the ONT and no go. It crashed my web UI. I wasn't sure if I should run that against the ONT though and not being at the console I didn't want to try via PuTTY if I don't have access to the physical box.

              If I have no Actiontec what should I be doing to configure my DHCP?

              Yes, I experienced the same issue as well. FiOS is now very particular about what the DHCP request must look like in order to provide a WAN IP, and to have it continue working.

              I currently run the same DHCP setup as per my last post: https://forum.pfsense.org/index.php?topic=114389.msg716205#msg716205

              Since you don't have a G1100 or Actiontec router, go to the Status -> Interfaces page. Copy your WAN interface MAC address and follow my instructions above (using that MAC).

              You should then be able to get an IP address (you may have to wait 2 hours for your DHCP to reset from Verizon).

nasomi, May 11, 2017, 5:12 PM

                It works fine first boot, gets its address. I'm on it now. The issue occurs when it tries to renew. So every 2-4 hours my inet goes out and I have to reboot the pfSense box from the console. Also the web UI for pfSense becomes incredibly slow.

                However when it re-obtains it, it blows up. I captured the packet, it looks like this:

```
12:52:35.233577 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    173.49.250.153.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 00:e0:4c:16:48:70 (oui Unknown), length 300, xid 0x6b674088, Flags [none] (0x0000)
          Client-Ethernet-Address 00:e0:4c:16:48:70 (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Request
            Requested-IP Option 50, length 4: 173.49.250.153
            Client-ID Option 61, length 7: ether 00:e0:4c:16:48:70
            Hostname Option 12, length 7: "pfsense"
            Parameter-Request Option 55, length 9:
              Subnet-Mask, BR, Time-Zone, Classless-Static-Route
              Default-Gateway, Domain-Name, Domain-Name-Server, Hostname
              Option 119
            END Option 255, length 0
            PAD Option 0, length 0, occurs 21
```
nasomi, May 11, 2017, 5:29 PM

                  So I did this portion. For the options I copied and pasted the string directly. When I applied the changes, everything stopped and I lost internet/network access. Any idea what I did wrong?

                  @Paint:

                  Login to the pfSense Web GUI. Click on Interfaces -> WAN.

                  IPv4 Configuration Type: DHCP
                  MAC controls: 00:e0:4c:16:48:70
                  MTU: 1500
                  MSS: (blank)
                  Speed and Duplex: 1000baseT full-duplex

                  **DHCP Client Configuration**

                  Options: Advanced Configuration is checked

                  Hostname: pfsense

                  **Protocol Timing:**

                  Timeout: 60
                  Retry: 30
                  Select Timeout: 0
                  Reboot: (blank)
                  Backoff cutoff: (blank)
                  Initial Interval: 1
                  Presets: Saved Cfg

                  **Lease Requirements and Requests:**

                  **Send Options:**

```
dhcp-class-identifier "MSFT 5.0", dhcp-client-identifier 01:{mac_addr_asciiL:}, domain-name "verizon.net"
```

                  **Request options:**

```
subnet-mask, domain-name, routers, domain-name-servers, netbios-name-servers, netbios-node-type, netbios-scope, router-discovery, static-routes, classless-routes, option-249, vendor-encapsulated-options
```

                  **Require options:**

```
subnet-mask, routers
```

Paint, May 11, 2017, 6:38 PM

                    @nasomi:

                    So I did this portion. For the options I copied and pasted the string directly. When I applied the changes, everything stopped and I lost internet/network access. Any idea what I did wrong?

                    FiOS provides IP addresses for a 2 hour period. If the DHCP packet changes, including the mac address or any of the other parameters, you will not be able to get a new IP - the old IP is still reserved by the old WAN DHCP handshake. You can call Verizon Tech Support to help you release and renew your DHCP packet, or you can wait for 2 hours with no WAN devices plugged in and try again.
                    @nasomi:

                    It works fine first boot, gets its address. I'm on it now. The issue occurs when it tries to renew. So every 2-4 hours my inet goes out and I have to reboot the pfSense box from the console. Also the web UI for pfSense becomes incredibly slow.

                    The issues you are describing here seem like a hardware problem rather than an issue with receiving an initial or renewing your DHCP packet.

                    What are the specifications of your pfSense box? What is the motherboard/CPU/RAM/hard drive? What are the exact model numbers of your Ethernet ports? What switch(es) are you using in your setup?

                    When you lose internet after 2-4 hours, does disabling the interface, waiting 1 minute, then re-enabling the interface fix the problem? Or do you have to reboot to get internet back?

                    Are you running pfBlockerNG? Are you running Snort? Are you running Suricata? Are you running ntopng?

                    What is your WAN speed from Verizon? Does this issue happen under high utilization: CPU or bandwidth?

                    Do you see any console messages via serial or VGA on your machine when this happens? What about dmesg?

                    The answers to all of these questions are important to debug your specific issue.

nasomi, May 11, 2017, 6:57 PM

                      @Paint:

                      FiOS provides IP addresses for a 2 hour period. If the DHCP packet changes, including the mac address or any of the other parameters, you will not be able to get a new IP - the old IP is still reserved by the old WAN DHCP handshake. You can call Verizon Tech Support to help you release and renew your DHCP packet, or you can wait for 2 hours with no WAN devices plugged in and try again.

                      @nasomi:

                      It works fine first boot, gets its address. I'm on it now. The issue occurs when it tries to renew. So every 2-4 hours my inet goes out and I have to reboot the pfSense box from the console. Also the web UI for pfSense becomes incredibly slow.

                      The issues you are describing here seem like a hardware problem rather than an issue with receiving an initial or renewing your DHCP packet.

                      What are the specifications of your pfSense box? What is the motherboard/CPU/RAM/hard drive? What are the exact model numbers of your Ethernet ports? What switch(es) are you using in your setup?

                      When you lose internet after 2-4 hours, does disabling the interface, waiting 1 minute, then re-enabling the interface fix the problem? Or do you have to reboot to get internet back?

                      Are you running pfBlockerNG? Are you running Snort? Are you running Suricata? Are you running ntopng?

                      What is your WAN speed from Verizon? Does this issue happen under high utilization: CPU or bandwidth?

                      Do you see any console messages via serial or VGA on your machine when this happens? What about dmesg?

                      The answers to all of these questions are important to debug your specific issue.

                      The issue 100% of the time happens when the DHCP packet comes through. And it spams it, about a thousand times until I reboot at the console.

                      I am not at the console, so I'm relying on RDP + SSH and the web UI. I have internet, it's just insanely lagged out. I get about a 1 second window every 4-6 minutes where I can press 5 + enter + Y + enter on the console, so I sit and stare at the RDP window and when it comes up, I hit it to reboot. When it comes back, all is well.

                      I'm running an Intel Atom D525 CPU/mobo with 2 GB RAM and an 8 GB SSD. It has two onboard Realtek NICs.

                      I don't run pfBlocker, Snort, or anything else. Just some NAT and firewall rules that are special.

                      Load seems to have no impact at all. I was running the packet capture last time it bugged out, listening for everything on port 67/68. This is it from the moment the lag started until I was able to reboot it: https://hastebin.com/etopanidip.vbs

                      There are console errors. Sometimes one, sometimes the other, sometimes both.

```
arprequest: cannot find matching address
arpresolve: cannot allocate llinfo for xxx.xxx.xxx.xxx on re1
```

                      My WAN speed from Verizon is gigabit. They just installed the new ONT on Monday, and ever since then the issues started. At first I thought it was apinger, so I upgraded, then thought it was dpinger, so I disabled dpinger. The issue persists though even with dpinger disabled. That was what was showing in the logs. Now I have nothing relevant in the logs so I was googling around until I found your post.

                      Since it's happening the moment the DHCP packet goes, and the DHCP packet spams until reboot, I'm pretty sure it is either the same or very similar to your issue. The packet logger doesn't log anything at all until it starts logging the packets posted above.

Paint, May 12, 2017, 6:10 PM (last edited May 12, 2017, 6:28 PM)

                        Realtek NICs, and consumer grade em driver Intel NICs, can have issues where they time out (watchdog timeout) or have interrupt issues. When these issues arise, you typically see an error on the console/dmesg log and must restart the machine to resolve the issue. If disabling the WAN interface for 1 minute and then re-enabling it does not resolve the issue, it is most likely that your Ethernet card is to blame, from my experience. While this hardware could have worked just fine for your old internet speeds, higher routing throughput scenarios make these types of hardware issues more apparent. In addition, your Intel Atom processor is on the lighter side, especially to handle gigabit routing.

                        Now if I assume that this is not hardware related, please follow my instructions exactly as I posted in this post: https://forum.pfsense.org/index.php?topic=114389.msg716205#msg716205

                        Since you don't have an Actiontec or Quantum (G1100) router, please use the real MAC address for your WAN interface, or make one up that is unique.

                        Please remember you will need to either release the WAN DHCP or call Verizon to reset your DHCP lease before changing these settings.

                        @nasomi:

                        Since it's happening the moment the DHCP packet goes, and the DHCP packet spams until reboot, I'm pretty sure it is either the same or very similar to your issue. The packet logger doesn't log anything at all until it starts logging the packets posted above.

                        Looking at your pastebin, I see that these are DHCP request packets coming from your pfSense router and being sent to FiOS. Therefore, pfSense is spamming DHCP requests to FiOS, not the other way around. FiOS DHCP addresses have a 2 hour lease time. What you are noticing is that when your DHCP lease is expired, your pfSense router is spamming FiOS with DHCP requests for a new address.

                        I see you definitely didn't follow my instructions exactly, which makes it extremely hard for me to debug. Furthermore, it is even harder to debug issues remotely when both you and I don't have physical access to your hardware.

```
12:45:36.195668 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    173.49.250.153.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 00:e0:4c:16:48:70 (oui Unknown), length 300, xid 0x4edef263, secs 5, Flags [none] (0x0000)
          Client-Ethernet-Address 00:e0:4c:16:48:70 (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Request
            Requested-IP Option 50, length 4: 173.49.250.153
            Client-ID Option 61, length 7: ether 00:e0:4c:16:48:70
            Hostname Option 12, length 7: "pfsense"
            Parameter-Request Option 55, length 9:
              Subnet-Mask, BR, Time-Zone, Classless-Static-Route
              Default-Gateway, Domain-Name, Domain-Name-Server, Hostname
              Option 119
            END Option 255, length 0
            PAD Option 0, length 0, occurs 21
```

                        Just looking at the above DHCP request that your pfSense router is sending to FiOS, you did not change any of these settings below as per my post. You did not set your hostname to the correct value or follow any of the Send Options,  Request options, or Require options. Selectively following my instructions will most definitely cause your pfSense router not to work with FiOS.

nasomi, May 12, 2017, 7:26 PM

                          I know it looks like I didn't in the packet, but I promise you I did put in the send, request, and option settings for the packet like you said. I even went back in and verified by looking at them. Load the page, they're there. Refresh, still there. Packet cap, got something totally different. I don't know why.

                          After it crashed again last night I spun up a new VM and installed pfSense and configured that this morning, and it's been completely trouble-free for the past 10 hours. I know the Atom D525 is a bit light on horsepower, but it got me 500 mbit which is far from bad. I'm more and more thinking it was a hardware error, though, since I didn't touch the packet stuff on the VM and it's working without issue, albeit only at about 300 mbit. I have an R210 II with an E3 Xeon in it showing up shortly that will become my new pfSense box.

                          I was racking my brain trying to figure out why the packet sent didn't match the packet specification in the DHCP page. I set everything exactly as you had it, I asked around and no one had any clue on IRC. The part that bothered me was it would sometimes go 10 min and sometimes 12 hr without sending that DHCP packet. I had a logger looking for all traffic on 67/68 and it didn't log anything from 3pm yesterday until about 2am this morning. When it did, it got a few thousand packets with a 2am timestamp. I don't know if it was hardware or if my whole install somehow got fubed, but I'm going to wipe the box and reinstall and see what happens.

Paint, May 12, 2017, 7:37 PM

                            @nasomi:

                            I know it looks like I didn't in the packet, but I promise you I did put in the send, request, and option settings for the packet like you said. I even went back in and verified by looking at them. Load the page, they're there. Refresh, still there. Packet cap, got something totally different. I don't know why.

                            After it crashed again last night I spun up a new VM and installed pfSense and configured that this morning, and it's been completely trouble-free for the past 10 hours. I know the Atom D525 is a bit light on horsepower, but it got me 500 mbit which is far from bad. I'm more and more thinking it was a hardware error, though, since I didn't touch the packet stuff on the VM and it's working without issue, albeit only at about 300 mbit. I have an R210 II with an E3 Xeon in it showing up shortly that will become my new pfSense box.

                            I was racking my brain trying to figure out why the packet sent didn't match the packet specification in the DHCP page. I set everything exactly as you had it, I asked around and no one had any clue on IRC. The part that bothered me was it would sometimes go 10 min and sometimes 12 hr without sending that DHCP packet. I had a logger looking for all traffic on 67/68 and it didn't log anything from 3pm yesterday until about 2am this morning. When it did, it got a few thousand packets with a 2am timestamp. I don't know if it was hardware or if my whole install somehow got fubed, but I'm going to wipe the box and reinstall and see what happens.

                            I had a similar issue (e.g. the DHCP packet from FiOS would work for 2 minutes or up to 4 hours before dropping my internet). However, my DHCP packet changes resolved the issue immediately.

                            I completely agree that your issue is most likely hardware related. If it works with the VM, then it's either hardware or an error in your previous configuration. Glad it is working now though.

bamhm182, May 13, 2017, 4:37 AM (last edited May 13, 2017, 2:46 PM)

                              I've been having the same issues as nasomi, where everything works fine, then when it comes time to renew the DHCP lease, my pfSense box doesn't do it and instead all internet access is lost until I go to Status -> Interfaces and release/renew my DHCP lease manually. I have followed your instructions exactly, but haven't had any luck. I have pfSense installed baremetal on my R210. I'll reinstall from scratch considering it looks like nasomi had success with that. Oddly enough, if I do a tcpdump on my G1100 as instructed, I don't have a securenat hostname, it's still just the FIOS_Quantum_Gateway hostname. Wondering if maybe I should try giving it the hostname securenat-aabbccddeeaa. I've done a factory reset on my  G1100 several times and it never changes the hostname.

                              Also, as a test, I reset my WAN settings to their default values and I connected everything in the order of ONT -> G1100 -> pfSense WAN and I no longer have issues with the DHCP renewal. This makes me think it has got to be an issue with my pfSense configuration.

                              EDIT: It just occurred to me that the R210 has IPMI enabled by default and if there is no iDRAC Enterprise module installed, it uses eth0 to attempt to connect. I am thinking that what may have been the issue is that even though pfSense was working correctly, Verizon got confused when a different MAC address was reaching out to them for a DHCP lease in addition to the pfSense router. I disabled IPMI by rebooting the Dell R210 and pressing Ctrl+E when prompted to modify IPMI settings in the boot process, then disabling all functions within this menu. I connected my eth0 on my R210 to a LAN port on my G1100 before and after doing this. Before, there were 2 DHCP leases (one for pfSense, one for IPMI) and after there was just one (pfSense) so if this was causing the issue, it should be resolved now. Keep this in mind when you get your R210 II, nasomi. If this does solve my issues, I wonder if that's what was going on with your VM as well, nasomi. I'm wondering if your box was sending out multiple MACs asking for DHCP leases like mine was.

                              EDIT 2: Left it connected w/ IPMI disabled overnight and it still works this morning. I would say it's safe to call it fixed and blame IPMI asking for a DHCP lease.

                              • G
                                gilatpr
                                last edited by May 25, 2017, 4:12 PM

                                Hello everybody, I was looking for something else and I ran across this forum, but I can recommend using the tutorial from https://nguvu.org/pfsense/verizon/pfsense-verizon/. Although it is for using the modem/router in bridged mode, I can confirm it's been working for me during this past week (I got it installed last Thursday, 05-18-2017). I have all functions working. I hope it helps someone out there.

                                • S
                                  sn0cr4sh
                                  last edited by Jun 12, 2017, 3:58 AM

                                  @bamhm182:

                                  EDIT: It just occurred to me that the R210 has IPMI enabled by default and if there is no iDRAC Enterprise module installed, it uses eth0 to attempt to connect. I am thinking that what may have been the issue is that even though pfSense was working correctly, Verizon got confused when a different MAC address was reaching out to them for a DHCP lease in addition to the pfSense router. I disabled IPMI by rebooting the Dell R210 and pressing Ctrl+E when prompted to modify IPMI settings in the boot process, then disabling all functions within this menu. I connected my eth0 on my R210 to a LAN port on my G1100 before and after doing this. Before, there were 2 DHCP leases (one for pfSense, one for IPMI) and after there was just one (pfSense) so if this was causing the issue, it should be resolved now. Keep this in mind when you get your R210 II, nasomi. If this does solve my issues, I wonder if that's what was going on with your VM as well, nasomi. I'm wondering if your box was sending out multiple MACs asking for DHCP leases like mine was.

                                  EDIT 2: Left it connected w/ IPMI disabled overnight and it still works this morning. I would say it's safe to call it fixed and blame IPMI asking for a DHCP lease.

                                  Duuuude, right on!  I got bit by the IPMI overlap as well. My Super Micro C2758 was using the same port for IPMI that I had configured for WAN. I never realized it and managed to get away with it for several months, but suddenly couldn't hold a WAN IP for more than an hour before getting booted off FIOS completely.

                                  I kept getting these weird errors in my log that said a mac address was using the WAN IP. The mac address was the same as the WAN port, so I couldn't make any sense of it. As soon as I shut down and booted into the BIOS, sure enough, my WAN IP was assigned to the IPMI port.  I disabled IPMI on the board and have been running perfectly ever since.

                                  I would have never figured that out if you hadn't posted, so thank you!

                                  Super Micro C2758 | Intel(R) Atom(TM) CPU C2758 @ 2.40GHz | 8 CPUs: 1 package(s) x 8 core(s)

                                  M 1 Reply Last reply Feb 7, 2023, 3:05 PM Reply Quote 0
                                  • C
                                    Cant.Make.AnyPFSENSE...
                                    last edited by Jun 16, 2017, 6:10 AM

                                    @Paint:

                                    Okay! I got this working finally! These instructions are based on the ActionTec DHCP WAN Impersonation guide, but updated to work for the G1100 FiOS Quantum Router.

                                    UPDATE: With the release of FiOS Gigabit speeds, there have been some changes to the DHCP WAN request. Please see the updated instructions here: https://forum.pfsense.org/index.php?topic=114389.msg716205#msg716205

                                    The G1100 FiOS Quantum Router uses option 61, instead of option 125 like the old Actiontec routers. The field contains the RAW hex of your MAC address. IE. If your MAC (cloned) address is aa:bb:cc:dd:ee:aa, then option 61 (or dhcp-client-identifier) should be set to dhcp-client-identifier 01:aa:bb:cc:dd:ee:aa

                                    If you are still using the Actiontec router, please see NOYB's instructions: https://forum.pfsense.org/index.php?topic=94298.msg523647#msg523647

                                    G1100 FiOS Quantum Router DHCP WAN Client Impersonation:

                                    IPv4 Configuration Type: DHCP

                                    MAC controls: aa:bb:cc:dd:ee:aa (replace with your G1100 WAN Ethernet MAC address)

                                    MTU:

                                    MSS:

                                    Speed and Duplex: 1000baseT full-duplex

                                    DHCP Client Configuration

                                    Options: Advanced Configuration is checked

                                    Hostname: FIOS_Quantum_Gateway

                                    Protocol Timing:

                                    Timeout: 90
                                    Retry: 30
                                    Select Timeout: 0
                                    Reboot: (blank)
                                    Backoff cutoff: (blank)
                                    Initial Interval: 2
                                    Presets: Saved Cfg

                                    Lease Requirements and Requests:
                                    Replace aa:bb:cc:dd:ee:aa with your cloned MAC address.
                                    If you have issues where you lose your WAN connection every 2-4 hours, please do the following:
                                      - Keep the MAC controls address as your G1100 Cloned WAN Address: aa:bb:cc:dd:ee:aa
                                      - Change the last character of your cloned MAC in the option-61 variable below to something unique: aa:bb:cc:dd:ee:ac

                                    Send Options:
                                    ```
                                    dhcp-class-identifier "FiOS-G1100:dslforum.org", dhcp-client-identifier 01:aa:bb:cc:dd:ee:aa, host-name "{hostname}", domain-name "verizon.net"
                                    ```

                                    Request options:
                                    ```
                                    broadcast-address, dhcp-lease-time, dhcp-rebinding-time, dhcp-renewal-time, domain-name, domain-name-servers, host-name, routers, static-routes, subnet-mask, vendor-encapsulated-options, default-ip-ttl, dhcp-class-identifier, dhcp-client-identifier, dhcp-parameter-request-list, dhcp-server-identifier, dhcp-requested-address, interface-mtu, log-servers, time-offset, time-servers, www-server
                                    ```

                                    Require options:
                                    ```
                                    subnet-mask, routers, domain-name, dhcp-lease-time
                                    ```

                                    Thank you Paint. :-)

                                    I followed the instructions to the "T" and bing bang boom everything worked as it should. I mean WOW!!!! Nothing else even came close to obtaining an IP address on the Wan. I have never had any luck with this verizon gigabit network from any other source but… YOUR POST! It was amazing! everything worked again after upgrading to verizon gigabit service.

                                    ...And then, one hour and forty five minutes goes by the Wan gateway shows offline and the Wan IP address shows 0.0.0.0

                                    Now I have no idea how to start over... And of course I'M A COMPLETE NOOB!

                                    Please, please, please help me out... :-(

                                    • C
                                      Cant.Make.AnyPFSENSE...
                                      last edited by Jun 18, 2017, 6:16 AM

                                      BUMP…...

                                      Anyone here have any experience with something similar to my situation???

                                      I am willing to gladly PAY for any help that gets me back online...

                                      SERIOUSLY! Have paypal?

                                      I need some help please $$$

                                      • P
                                        Paint
                                        last edited by Jun 18, 2017, 7:10 PM

                                        @Cant.Make.AnyPFSENSE...:

                                        BUMP…...

                                        Anyone here have any experience with something similar to my situation???

                                        I am willing to gladly PAY for any help that gets me back online...

                                        SERIOUSLY! Have paypal?

                                        I need some help please $$$

                                        Can you please PM me a diagram of your network and your issue?

                                        pfSense i5-4590
                                        940/880 mbit Fiber Internet from FiOS
                                        BROCADE ICX6450 48Port L3-Managed Switch w/4x 10GB ports
                                        Netgear R8000 AP (DD-WRT)

                                        • J
                                          jebeltra
                                          last edited by Jun 26, 2017, 8:50 PM Jun 26, 2017, 6:32 PM

                                          Paint and All:

                                          Thanks all for your posts, it would be great if someone creates a document with what is required from soup to nuts for the newbie to avoid going all over the net for a total solution. From hardware to software setup.  Everyone on this forum knows much more than I will ever do!!!

                                          My services:
                                          Gigabit service from Verizon (for full disclosure, I am a corporate employee)
                                          For gigabit service, Verizon runs an Ethernet cable plus the coax from the ONT (modem) to the router
                                          I have 2 STB and access to my DVR from anywhere

                                          My hardware setup:
                                          ONT to Pfsense Box WAN Port:  ONT gives IP to pfsense  (thanks to Paint)
                                          Pfsense LAN port to 24 port switch
                                          Switch to Fios Router WAN port
                                          FiOs router receives IP from Pfsense box (192.168.x.y)
                                          FiOs router is also connected to the ONT via Coax
                                          Switch to Access Point for wireless and all other devices wireline

                                          In summary, I have two LANs, one from pfsense and one from the FiOs router.  I kept the FiOs router LAN to avoid problems with the video portion, like accessing the TV Guide, remote access to DVR, etc.  If you look at your current setup, the FiOS router gives your STB boxes an IP address via the COAX connection.

                                          I used the information provided by Paint to configure my WAN on pfsense (thanks!!). My setup worked, the ONT provided the Pfsense an IP address and all good.  Internet speeds look a bit slower but OK (from 750 to 700 on fast.com, could be any other thing).  I followed the steps from Paint to sniff and got similar information to what he noted, but in my case, I was getting 2 alternating different MAC addresses, one the same as marked on the side of the FiOs Router.  My host name was the same one, FiOS_Quantum_Gateway.  So the sniff part in my case did not provide any new information.  I read this means I probably did something wrong?

                                          My problem:
                                          I can not access my DVR or STB remotely like I used to.

                                          Paint:  I looked at your later posts, and now I understand you have a setup where both the Pfsense router and the Fios router are getting a WAN IP address.  I saw the graph with your hardware setup but I got lost on the VLAN configuration.  I do not have a "smart switch".  I guess throwing another $70 at Amazon is not going to kill me.  I also saw someone posting about a bridged solution but the link does not work.

                                          Is there an option to set this up and avoid the VLAN switch?  I guess I would need to open the ports on my Pfsense to allow remote DVR and others to work?  What ports are these?
                                          Another thing, I do notice that Pfsense also has the STB in its DHCP leases list.  How is that possible?  Is that part of the problem?

                                          Thanks

                                          Jorge

                                          @Paint:

                                          G1100 FiOS Quantum Router DHCP WAN Client Impersonation - Updated 5-May-2017:

                                          With the release of FiOS Gigabit Speeds, it seems like Verizon changed the content of the DHCP WAN packet. My MAC address inside the packet and the hostname is DIFFERENT than the physical MAC of the Ethernet WAN port in the G1100 GUI. This means all users must run a TCPDUMP on the WAN interface from the G1100 to confirm this hidden information (Hostname and true MAC address). In summary, whatever MAC address you find in the packet sniff, should be the MAC address used in the packet impersonation on your pfSense router.

                                          Sniffing the Packet:
                                          First connect your G1100 WAN port to your pfSense router. I used my WAN interface, but you can use any available interface.
                                          Open an SSH or CLI session and run the following TCPDUMP command - make sure to change igb0 to the name of your interface.

                                          ```
                                          tcpdump -i igb0 -vvv -s 0 '((port 67 or port 68) and (udp[8:1] = 0x1))'
                                          ```

                                          You will then start seeing packets that look like this:

                                          ```
                                          00:40:38.866254 IP (tos 0x0, ttl 128, id 57388, offset 0, flags [none], proto UDP (17), length 335)
                                              pool-123-123-123-123.<region>.fios.verizon.net.bootpc > lo0-100.NYCMNY-VFTTP-380.verizon-gni.net.bootps: [udp sum ok] BOOTP/DHCP, Request from aa:bb:cc:dd:ee:aa (oui Unknown), length 307, xid 0xadf6f1c7, Flags [none] (0x0000)
                                                    Client-IP pool-123-123-123-123.<region>.fios.verizon.net
                                                    Client-Ethernet-Address aa:bb:cc:dd:ee:aa (oui Unknown)
                                                    Vendor-rfc1048 Extensions
                                                      Magic Cookie 0x63825363
                                                      DHCP-Message Option 53, length 1: Request
                                                      Client-ID Option 61, length 7: ether aa:bb:cc:dd:ee:aa
                                                      Requested-IP Option 50, length 4: pool-123-123-123-123.<region>.fios.verizon.net
                                                      Hostname Option 12, length 22: "securenat-aabbccddeeaa"
                                                      Vendor-Class Option 60, length 8: "MSFT 5.0"
                                                      Parameter-Request Option 55, length 12:
                                                        Subnet-Mask, Domain-Name, Default-Gateway, Domain-Name-Server
                                                        Netbios-Name-Server, Netbios-Node, Netbios-Scope, Router-Discovery
                                                        Static-Route, Classless-Static-Route, Classless-Static-Route-Microsoft, Vendor-Option
                                                      END Option 255, length 0
                                          ```

                                          You need to extract two pieces of information from the packet sniff:

                                          • The MAC address (e.g. aa:bb:cc:dd:ee:aa)

                                          • The Hostname (e.g. securenat-aabbccddeeaa)

                                          Notice how the hostname contains your mac address without colons.

                                          Now that we have the packet, it is time to start configuring pfSense!!!

                                          Login to the pfSense Web GUI. Click on Interfaces -> WAN.

                                          IPv4 Configuration Type: DHCP

                                          MAC controls: aa:bb:cc:dd:ee:aa (replace with your G1100 WAN Ethernet MAC address from the sniffed packet)

                                          MTU: 1500

                                          MSS:

                                          Speed and Duplex: 1000baseT full-duplex

                                          DHCP Client Configuration

                                          Options: Advanced Configuration is checked

                                          Hostname: securenat-aabbccddeeaa (replace with your G1100 WAN Ethernet hostname from the sniffed packet)

                                          Protocol Timing:

                                          Timeout: 60
                                          Retry: 30
                                          Select Timeout: 0
                                          Reboot: (blank)
                                          Backoff cutoff: (blank)
                                          Initial Interval: 1
                                          Presets: Saved Cfg

                                          You may need to change the timeout and retry parameters based on your individual setup. I find that a retry of 15 seconds or less is too quick for FiOS.

                                          Lease Requirements and Requests:

                                          Send Options:
                                          ```
                                          dhcp-class-identifier "MSFT 5.0", dhcp-client-identifier 01:{mac_addr_asciiL:}, domain-name "verizon.net"
                                          ```

                                          Request options:
                                          ```
                                          subnet-mask, domain-name, routers, domain-name-servers, netbios-name-servers, netbios-node-type, netbios-scope, router-discovery, static-routes, classless-routes, option-249, vendor-encapsulated-options
                                          ```

                                          Require options:
                                          ```
                                          subnet-mask, routers
                                          ```
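Two things this thread keeps coming back to can be checked mechanically: reading the Client-ID (option 61), Hostname (option 12) and Vendor-Class (option 60) out of the sniffed DHCP request before copying them into pfSense, and noticing when two different client identities (the pfSense WAN port and an IPMI controller sharing the same cable, as in the bamhm182 and sn0cr4sh posts) are asking for the same address. The block below is an added example written for this page, not code from the thread, from Paint, or from pfSense. It works on the raw UDP payload of a DHCP request; the packet bytes are constructed here to mirror the tcpdump output quoted above (RFC 5737 address 203.0.113.10, the thread's example MAC aa:bb:cc:dd:ee:aa), and the function names are the example's own.

```python
"""Pull the fields this thread compares (chaddr, option 61, hostname, vendor class,
requested IP) out of a raw DHCP request, and spot two client identities asking
for the same address.  Packet bytes are constructed below for the example."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 options marker at offset 236
OPT_PAD, OPT_HOSTNAME, OPT_REQUESTED_IP = 0, 12, 50
OPT_MSG_TYPE, OPT_VENDOR_CLASS, OPT_CLIENT_ID, OPT_END = 53, 60, 61, 255
MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "Ack"}


@dataclass
class DhcpRequest:
    xid: int
    chaddr: str                  # hardware address from the BOOTP header
    msg_type: str
    client_id: Optional[bytes]   # raw option 61: type byte followed by the identifier
    hostname: Optional[str]
    vendor_class: Optional[str]
    requested_ip: Optional[str]


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_request(mac: str, hostname: str, requested_ip: str, xid: int,
                  vendor_class: str = "MSFT 5.0",
                  client_id: Optional[bytes] = None) -> bytes:
    """Construct a DHCPREQUEST shaped like the G1100 capture above (example data only)."""
    chaddr = mac_to_bytes(mac)
    # op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops, xid, secs, flags, 4 IP fields
    header = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    header += chaddr.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    cid = client_id if client_id is not None else b"\x01" + chaddr   # type 1 = Ethernet
    ip = bytes(int(part) for part in requested_ip.split("."))
    opts = (bytes([OPT_MSG_TYPE, 1, 3])
            + bytes([OPT_CLIENT_ID, len(cid)]) + cid
            + bytes([OPT_REQUESTED_IP, 4]) + ip
            + bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode()
            + bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class.encode()
            + bytes([OPT_END]))
    return header + MAGIC_COOKIE + opts


def parse_options(pkt: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area; PAD has no length byte, END stops the walk."""
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_request(pkt: bytes) -> DhcpRequest:
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: too short or magic cookie missing")
    hlen, xid = pkt[2], struct.unpack("!I", pkt[4:8])[0]
    chaddr = ":".join(f"{b:02x}" for b in pkt[28:28 + hlen])
    o = parse_options(pkt)
    ip = o.get(OPT_REQUESTED_IP)
    return DhcpRequest(
        xid=xid, chaddr=chaddr,
        msg_type=MSG_TYPES.get(o.get(OPT_MSG_TYPE, b"\0")[0], "Unknown"),
        client_id=o.get(OPT_CLIENT_ID),
        hostname=o[OPT_HOSTNAME].decode(errors="replace") if OPT_HOSTNAME in o else None,
        vendor_class=o[OPT_VENDOR_CLASS].decode(errors="replace") if OPT_VENDOR_CLASS in o else None,
        requested_ip=".".join(str(b) for b in ip) if ip and len(ip) == 4 else None,
    )


def pfsense_client_identifier(req: DhcpRequest) -> Optional[str]:
    """Option 61 in the colon-hex form used in pfSense's 'dhcp-client-identifier' field."""
    return None if req.client_id is None else ":".join(f"{b:02x}" for b in req.client_id)


def consistency_notes(req: DhcpRequest) -> List[str]:
    """Report the two relationships the thread relies on: option 61 == 01 + chaddr,
    and a 'securenat-' hostname that embeds the MAC without colons."""
    notes = []
    if req.client_id is not None and req.client_id != b"\x01" + mac_to_bytes(req.chaddr):
        notes.append("option 61 does not match chaddr")
    if req.hostname and req.hostname.startswith("securenat-") \
            and req.hostname != "securenat-" + req.chaddr.replace(":", ""):
        notes.append("securenat hostname does not embed chaddr")
    return notes


def clients_per_requested_ip(reqs: List[DhcpRequest]) -> Dict[str, Set[Tuple[str, Optional[bytes]]]]:
    """Requested IPs claimed by more than one (chaddr, client-id) pair: the symptom
    behind the IPMI-on-the-WAN-port reports above."""
    seen: Dict[str, Set[Tuple[str, Optional[bytes]]]] = {}
    for r in reqs:
        if r.requested_ip:
            seen.setdefault(r.requested_ip, set()).add((r.chaddr, r.client_id))
    return {ip: ids for ip, ids in seen.items() if len(ids) > 1}


# Constructed samples: the router's own request, and a second host on the same
# cable (an IPMI controller, say) asking for the same address with another MAC.
SAMPLE_ROUTER = build_request("aa:bb:cc:dd:ee:aa", "securenat-aabbccddeeaa", "203.0.113.10", 0xADF6F1C7)
SAMPLE_IPMI = build_request("aa:bb:cc:dd:ee:ab", "idrac", "203.0.113.10", 0x1234)

if __name__ == "__main__":
    for pkt in (SAMPLE_ROUTER, SAMPLE_IPMI):
        r = parse_request(pkt)
        print(r.chaddr, pfsense_client_identifier(r), r.hostname, r.vendor_class, consistency_notes(r))
    print("addresses with more than one claimant:",
          clients_per_requested_ip([parse_request(SAMPLE_ROUTER), parse_request(SAMPLE_IPMI)]))
```

To use it on a real capture, save the sniff with tcpdump -w, extract the UDP payloads with any pcap reader, and feed each one to parse_request. The note from consistency_notes is informational: Paint's own workaround of changing the last character of option 61 deliberately makes it differ from the chaddr, so a mismatch there is expected when that tweak is in use. A non-empty result from clients_per_requested_ip over a batch of requests is the "two leases for one address" situation that turned out to be IPMI in the posts above.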
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.