pfSense stopped recognising cable modem in bridged mode

jpns

OK, something really weird is going on here. I can't seem to hit the firewall through the WAN1 link even though it's up and working and pfSense is in the DMZ.

When I try to VPN in through WAN1, I see this:

Fri Nov 30 01:15:52 2018 TCP/UDP: Incoming packet rejected from [AF_INET]1.2.3.4:1194[2], expected peer address: [AF_INET]5.6.7.8:1194 (allow this incoming source address/port by removing --remote or adding --float)

Where 1.2.3.4 is the WAN2 public IP, and 5.6.7.8 is the WAN1 public IP. I have no idea that would happen.

stephenw10

Seems like your two WAN adapters have been switched for some reason.

Steve

jpns

@stephenw10 said in pfSense stopped recognising cable modem in bridged mode:

Seems like your two WAN adapters have been switched for some reason.

Steve

How and why would that happen? WAN2 still works perfectly. It's only WAN1 which has stopped working

JKnott

@jpns said in pfSense stopped recognising cable modem in bridged mode:

So it seems as though pfSense suddenly stopped recognising the modem in bridge mode.

A modem in bridge mode is supposed to be transparent, so there's nothing to recognize. What's supposed to happen is the firewall is supposed to get it's address, etc. from the ISP.

jpns

@jknott said in pfSense stopped recognising cable modem in bridged mode:

@jpns said in pfSense stopped recognising cable modem in bridged mode:

So it seems as though pfSense suddenly stopped recognising the modem in bridge mode.

A modem in bridge mode is supposed to be transparent, so there's nothing to recognize. What's supposed to happen is the firewall is supposed to get it's address, etc. from the ISP.

Yes, you're right. But that has stopped happening now, and I assume the dhclient errors in the syslog are something to do with it, but I can't understand what they mean.

I'm going to spin up a new VM with a fresh install of pfSense, and get it configured ready to drop in next time I'm on site. I suddenly remembered after I had left that I had a VM snapshot of the broken install from 2 weeks before the failure, which I'm going to try restoring first, but if that doesn't work I'll just delete it and bring the new one online. It would be really nice to figure out what the problem is, though.

tim.mcmanus

Both WANs come into pfSense on one cable via two vLANs? Were there any changes on the switch?

Were there any hardware changes/failures on the Dell host?

What kind of NICs are on the host?

I’ve had VMs go weird on me with USB adapters that have created situations like this. That’s why I am asking about the hardware.

What version of ESXi are you running?

jpns

@tim-mcmanus said in pfSense stopped recognising cable modem in bridged mode:

Both WANs come into pfSense on one cable via two vLANs? Were there any changes on the switch?

Were there any hardware changes/failures on the Dell host?

What kind of NICs are on the host?

I’ve had VMs go weird on me with USB adapters that have created situations like this. That’s why I am asking about the hardware.

What version of ESXi are you running?

Yes, the WANs come into the VM host on one cable via separate VLANs. The pfSense box only has two network cards, and I like to keep the LANs and the WANs on separate physical interfaces. WAN1 comes from the switch on VLAN20 and WAN2 comes from the switch on VLAN30 on the same cable. The VLANs are configured in VMware as the VLAN tags are stripped at the host unless you use virtual guest tagging which I was not aware of when I initially installed the box. It appears to pfSense as two separate physical interfaces. This configuration has always worked for me until now and there were no changes before it stopped working.

There were no changes on the switch and no hardware failures on the switch or server that I can tell. As soon as I switched the WAN1 modem to router mode, it worked. It just won't work with the modem in bridged mode.

I am using the onboard network cards in the host which I believe are Broadcom BCM5722's.

Running ESXi 6.5.

stephenw10

Run a packet capture on the WAN whilst trying to pull a lease. Do you see outgoing requests? Any replies at all?

The fact you were seeing incoming traffic from the WAN2 IP when connecting to WAN1 is suspect. Are you somehow outbound NATing traffic from the firewall itself? You should not have any outbound NAT rules with source 'any'.

Steve

chpalmer

You are rebooting the cable modem with each change of an interface MAC address.. right??

Depending on how many MAC addresses your ISP allows you have to reboot to release.

jpns

@chpalmer said in pfSense stopped recognising cable modem in bridged mode:

You are rebooting the cable modem with each change of an interface MAC address.. right??

Depending on how many MAC addresses your ISP allows you have to reboot to release.

Yes I am.

tim.mcmanus

Silly question: Do both cable modems go to the same ISP router as their first hop? Are they using the same ISP gateway?

jpns

@tim-mcmanus said in pfSense stopped recognising cable modem in bridged mode:

Silly question: Do both cable modems go to the same ISP router as their first hop? Are they using the same ISP gateway?

No they are completely separate ISPs. WAN1 is an Arris TG2492LG-VM cable modem/router which I originally had in bridge mode. WAN2 is a Huawei HG633 VDSL modem/router which unfortunately doesn't have a working bridge mode.

jpns

Just as an update to this. I span up a new VM with a fresh install of pfSense. Copied most of the settings across so it was ready to 'drop in'. I visited the site two weeks ago, shut down the broken pfSense, and booted the new one. Power cycled the cable modem and immediately everything worked. Two weeks in and the cable modem is still recognised and working correctly. So I assume the problem was caused by some sort of corruption in the config file.