Using pfSense as the gateway for Bell Fibe bonded DSL
-
Hello everyone,
I'm trying to set up pfSense as the main gateway for my home network, including Bell Fibe TV services. The motivations for this are:
- use a more capable firewall than what's provided in the supplied HH3000
- avoid double-NAT
- rein in the kids' Youtube watching since the HH3000 offers no such controls
My setup is:
- pfSense installed on a PC with two NICs, em0 (WAN) and re0 (LAN)
- Bonded DSL (2x25Mbit) to HH3000
- pfSense box WAN to a LAN port on the HH3000
- pfSense box LAN to a port on a Dell PowerConnect 5324 switch
- all devices, including Bell Fibe TV set-top-boxes plugged into the Dell switch
- Advanced DMZ enabled on the HH3000 for the pfSense box
I started by configuring the WAN interface for PPPoE:
- Internet: working
- TV: not working; the STBs don't connect at all. In fact, they won't even let you into their UI; all you see is the Bell blue Fibe screen.
Configured the pfSense port on the Dell Switch as a Trunk for VLAN 36 (IPTV) and the STB ports on the Dell Switch as Access for that VLAN:
- Internet: working
- TV: not working, same as before
Configured a VLAN in pfSense, just 35 to start, to work over PPPoE:
- Created the VLAN with the WAN interface as Parent Interface
- Changed the Link Interface of the PPPoE PPP to the VLAN interface; this switches the Network Port of the WAN interface to the PPPoE over VLAN port (em0.35)
this resulted in:
- Internet: not working, WAN interface is DOWN
- TV: not working, same as before
Switching the Network Port of the WAN interface to VLAN 35 on em0 resulted in:
- Internet: not working, WAN interface is UP but with no address
- TV: not working, same as before
So far, the only way I've been able to have working internet is for the WAN interface to be associated with the PPPoE network port.
Everything I've read has been about doing this with an FTTH connection. What needs to be done differently when dealing with the DSL connection?
Many thanks, in advance, for any help you can offer. I'd even be happy with a "stop now, it's just not possible" if it means avoiding wasted effort.
-
I just did the same thing on Rogers and have no problem at all. I put the modem in bridge mode and didn't have to do anything special with pfsense. It just works. However, I have no experience with TV on Bell, so perhaps you might ask in the Bell forums too. Anyone who uses a separate router, not just pfsense, would have the same issues. One other thing, Rogers uses IPv6 for IPTV. Does Bell do the same? If so, you have to enable and configure that. IIRC, Bell does not provide IPv6 over ADSL, though some resellers do over those same phone lines.
-
Bell doesn't offer a bridge mode on the HH3000, just what they call Advanced DMZ mode. This mode allows clients in the DMZ to set up their own PPPoE connection. I did this hoping that their IPTV service can function over any of the PPPoE connections. I'm not sure if Bell uses IPv6 over ADSL, but these are the routes being reported by pfSense in the Diagnostics section:
70.30.233.163 is the address of the WAN (em0) interface once the PPPoE connection has been established. I assume the 10.11.18.41 is the address of the virtual PPPoE interface.
I tried looking for a Bell forum here and came up empty so I cross-posted this to the Bell forum on DSL Reports.
-
I only see link local IPv6 addresses. Every IPv6 capable device will have those.
Regardless, this is more of a Bell modem issue, so you should be talking to someone who has worked with it. I don't know how many will be here. However, once you know the requirements, someone here may be able to help. This is just one more reason I'm glad I'm not on Bell. I have set up several HH2000s for business customers and found bridge mode harder to enable than it should be. With my cable modems on Rogers, setting up bridge mode is trivial, as there's a setting specifically for that.
-
From what I've been able to learn, Bell isn't the only provider taking this approach. Thomson has some documentation on how to achieve this over VDSL in their "Triple-Play Using IPoE for Voice, PPPoE for Data and Bridged Video on Multiple PVCs (with VLANs).pdf". DLink also documents this in their DIR-890L documentation. Others do the same. My suspicion (and hope) is that Bell's implementation is just a slight variation on these approaches.
-
I have VLAN 35 Internet working on direct fiber to Pfsense via media converter. However, on a Bell DSL link, VLAN 35 does not seem to be present and I cannot get a connection.
The HH3000 cannot be put into bridge mode from what I gather. Has anyone had any chance getting internet traffic through the DSL HH3000? If so, can you describe your config?
I had ipsec tunnels working but NO internet which I can't understand...
thanks -
@claferriere
The only way it works for me is to place the pfSense box into the DMZ on the HH3000 and to have pfSense connect using a PPPoE connection configured with your Bell credentials (b1...). Other than that, I was never able to get any VLAN to work. I tried with both DHCP and PPPoE for the VLAN without any success. -
Have you tried running a pcap to see what vlans might be there? 35 seems entirely arbitrary.
Steve
-
Not being a networking expert, please consider my findings to be suspect, at best.
I ran a Packet Capture from pfSense for 100 packets and used WireShark to analyze the resulting capture file. As far as I can tell, there is no VLAN tag in any of the packets. This was performed on the WAN interface which was in the HH3000 DMZ and connected via PPPoE.
I'd love to have a peek at the traffic between the STBs and the HH3000, but every time I've tried connecting these to my switch (Dell 5324) instead of directly to the HH3000 they haven't been able to connect back to Bell's servers.
If I can understand how the STBs and the HH3000 work together, the assumptions behind the setup, then maybe I can mimic this but with pfSense in between, selectively filtering traffic.
Do you have any idea how to accomplish this?
-
Packet Capture, with the default settings, will not display VLAN tags. You have to change the Level of Detail from Normal. I used Full.
-
You may also have to assign the parent interface so you can pcap on that directly.
I would then open the resulting cap file in Wireshark where it's much easier to see what's in there.
The actual captured file is the same whatever the display detail level is set to in the pfSense gui.
Steve
-
I analyzed the pcap in WireShark and didn't find any VLAN-tagged packets. This pcap was performed on the WAN interface but not in promiscuous mode. I left all defaults on the pcap page as-is.
This WAN interface is configured as an IPv4 PPPoE. All traffic save that of the STBs goes through this interface.
In all 100 packets that were captured there was not one with a VLAN tag. There were also no IGMP packets.
@stephenw10, what do you mean by "assign the parent interface"?
-
Did you enable the VLAN ID column in Wireshark? It makes it easier to spot VLAN frames. Otherwise you have to read the frame details.
-
Assign and enable the interface the PPPoE is running on. Leave the IP settings as none.
Run the pcap there, in promiscuous mode. You should then see any VLAN tagged traffic coming into it.
Steve
-
@JKnott
Thanks for the tip! I was inspecting each packet individually.
@stephenw10
The interface was assigned and configured with PPPoE as well as enabled for the prior pcap. I enabled promiscuous mode for this run but still don't see any VLAN traffic. Is there a way to pcap the traffic from one of the STBs if I run it through my switch instead of directly to the HH3000? I don't mind if it doesn't manage to connect, but it may be worthwhile to understand how it expects to connect back to the IPTV services.
-
Not the WAN interface, which will be configured as PPPoE. You need to assign the interface that it is running on. So it might be igb0 etc.
Then you can pcap on that and see all the incoming traffic including the PPPoE traffic and any VLAN tags.
Steve
-
@stephenw10
Steve! You're a genius! I have VLANs 40 and 41 coming up now. I'm also seeing broadcast packets.
One of the ARRIS set-top boxes is broadcasting pretty regularly (every 0.5s). I haven't seen any broadcast traffic from the other STB, which is the PVR. My suspicion is that the STB which is broadcasting is looking for the PVR STB.
The HH3000 (Sagemcom) is broadcasting spanning-tree packets to VLANs 40, 41, and default (no VLAN).
Both ARRIS set-top boxes are sending multicast UDP packets to 239.255.255.250. These are the only UDP packets in the pcap. I tried running a traceroute to 239.255.255.250 from my workstation but it has no route to that address, indicating that there's some static routing going on that I'd need to replicate, I think.
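The inspection Steve describes (capture on the parent interface in promiscuous mode, then look for 802.1Q tags) and the findings above (tagged frames on VLANs 40 and 41, STB multicast to 239.255.255.250) can be checked on a saved capture instead of reading each frame's details by hand. The classifier below is an added example, not code from this thread or from pfSense; it works on raw Ethernet frames, and the sample frames, MACs, VLAN IDs and source addresses are all constructed for the demo.

```python
import ipaddress
import struct
from collections import Counter

ETH_8021Q, ETH_IPV4, ETH_PPPOE_DISC, ETH_PPPOE_SESS = 0x8100, 0x0800, 0x8863, 0x8864

def classify(frame: bytes) -> dict:
    """Report the 802.1Q VLAN ID (None if untagged), the inner ethertype and the IPv4 destination."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, off = None, 14
    if ethertype == ETH_8021Q:            # tagged frame: 4-byte tag sits after the two MACs
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18      # low 12 bits of the TCI hold the VLAN ID
    info = {"vlan": vlan, "ethertype": ethertype, "dst_ip": None, "multicast": False}
    if ethertype == ETH_IPV4 and len(frame) >= off + 20:
        dst = ipaddress.IPv4Address(frame[off + 16:off + 20])
        info["dst_ip"], info["multicast"] = str(dst), dst.is_multicast
    return info

def summarize(frames) -> Counter:
    """Count frames per (VLAN, kind) instead of reading each frame's details by hand."""
    counts = Counter()
    for f in frames:
        c = classify(f)
        if c["ethertype"] in (ETH_PPPOE_DISC, ETH_PPPOE_SESS):
            kind = "pppoe"
        elif c["multicast"]:
            kind = "ipv4-multicast"
        else:
            kind = "other"
        counts[(c["vlan"], kind)] += 1
    return counts

# Constructed sample frames: MACs, VLAN IDs and source addresses are made up for the demo.
def frame(dst_mac, src_mac, vlan, ethertype, payload=b""):
    hdr = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_8021Q, vlan)  # PCP/DEI zero, so TCI == VLAN ID
    return hdr + struct.pack("!H", ethertype) + payload

def ipv4_udp(src_ip, dst_ip):
    src, dst = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, src, dst)  # checksum left 0
    return ip + struct.pack("!HHHH", 1900, 1900, 8, 0)                            # empty UDP

SAMPLE = [
    frame("ffffffffffff", "020000000001", None, ETH_PPPOE_DISC, b"\x11\x09\x00\x00\x00\x00"),
    frame("020000000002", "020000000001", None, ETH_PPPOE_SESS, b"\x11\x00\x00\x01\x00\x00"),
    frame("01005e7ffffa", "020000000003", 40, ETH_IPV4, ipv4_udp("192.0.2.10", "239.255.255.250")),
    frame("01005e7ffffa", "020000000004", 41, ETH_IPV4, ipv4_udp("192.0.2.11", "239.255.255.250")),
]
```

To run it over a real pfSense capture, feed `summarize()` the frame bytes from a pcap reader (for example the dpkt or scapy libraries, which are assumed here and not part of the block); an empty set of tagged entries on the PPPoE (WAN) interface but tagged entries on the parent interface is exactly the difference the thread ran into.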
-
@jerfer said in Using pfSense as the gateway for Bell Fibe bonded DSL:
239.255.255.250 from my workstation but it has no route to that address
That's a multicast address, so there should never be an interface with that address, let alone a route to it. With multicast, it's up to the router, and sometimes the switch, to decide whether to pass multicast.
-
Yeah, that will be the set-top boxes trying to subscribe to multicast streams I imagine.
You might need some IGMP proxy config (or something in pimd) if you want to have them connect directly through pfSense.
Steve
-
Hey,
I have a guide that may help you, but it involves eliminating your HH3K. Take a look and let me know if it helps. I don't have Bell TV, but from what I am aware you need to establish a 2nd WAN vLan36 to your Bell Fibe. TV boxes will need to route to vLan36 in order for them to work. Sorry, don't have much more info than that on the TV side.
https://drive.google.com/file/d/1A661DBQYLh8LdSkuoABJXwqFSfCDMInC/view?usp=sharing
Karl