@vajonam
thank you for this really detailed documentation!

Maybe you can help Netgate to build -p1? 😉

@oktech Vielleicht musst du PPPoE auf dem VLAN machen?

Good Evening,

I figured out the transmission issue. It had to do with the negotiation between the MetroNode and the Chelsio NIC. I contacted my ISP and they turned off auto negotiation on the MetroNode and it started transmitting. It seems to be something in the driver for the T540-CR that I am using inside of ESXI. Therefore, everything seems to be working now.

Thanks for the replies!

So you plan to have two connections between the modem and the existing router and you want to put the SG-2100 in one of them?

I thing we might need a diagram here.

Steve

SOLVED:

I wish I knew why for those that follow after. I changed a few things at once so I'm not sure if one of or combination of them was responsible or the fix.

I turned off TCP/IP on the WAN NIC. I rebooted the modem and router at the same time with cables connected.

I tested my IPv6 access :

I introduced a firewall rule on my HENET interface :

32f30acb-b7d8-476a-bfd3-d69a3821dc1a-image.png

I have a DNS record that point's to my WAN IPv4, not my WAN IPv6, so I had to use my IPv6 WAN IP to connect to the GUI.
I had a cert warning from my browser, of course.

But the access worked well :

63a2eab4-54c2-4efa-9ef7-04825ab0f777-image.png

"Well" means for me : knowing that my IPv6 is using a tunnel to tunnel.ne.net (Huricane IPv6 ISP) the speed was somewhat limited, about 10 Mbytes /sec.
I could browse the entire pfSense GUI very well, no hick-ups ....

edit : I'll leave the IPv6 access open for a while.
PM me, and I can even send you an 'access' so you can test drive yourself.
That is, if you promise not to change something, as this is a "live' environment ;)

The best way to do an HA deployment is it invest in the gear necessary to build it correctly. Bridging like that is generally incompatible with pfSense HA.

https://docs.netgate.com/pfsense/en/latest/highavailability/layer-2-redundancy.html

Ah, so more likely then it's not a conflict but that your ISP is handing you a technically invalid gateway that's outside the WAN subnet, which is only a single address. Fun.

There is an option to allow that for providers who decide to ignore the standards. In System > Routing > Gateways edit the dhcp gateway and set 'Use non-local gateway' in the advanced section.

Steve

That is a layer 2 issue. Either that NIC is not passed through to pfSense correctly or the ONT is rejecting the MAC address. Rebooting would normally reset that bit not always.

Try some other device using the public IP directly. If that also fails and the Netgear is the only thing that works you will need to spoof the MAC address or call the ISP and have them reset it.

Steve

@cfbcfb said in Wan not coming up, fresh install.:

Connected to the router via wifi and my phone, got a "this network wants you to sign in" and when I clicked that, it brought up the comcast login

That's your OS / brower playing the captive portal detection mode !
That means your WAN is using a RFC1918 IP, and when you start your bowser it hits the GUI web server of the modem, because it's router part is redirecting the browser requests to it's internal Web GUI, where you have to login.

What about playing with these option on the WAN interface :

37b478df-9583-49cc-9cf0-9fd448fc633f-image.png

See manual - Advanced Configuration.

Hi Rico

Danke für die Rückmeldung. Ich konnte es mittlerweilse lösen, hab die Schnittstelle zwar angelegt, aber nicht aktiviert.

Danke

Gruss

I would guess it's something in the Hyper-V setup.

As I suggested before, try connecting the WAN to some other local DHCP server. Does it pull a lease from that?

If not it's something at layer 2 preventing it. The NIC not passed through correctly for example. Though you might consider that layer 1 I guess. 😉

Steve

I suggest you post exactly what the ISP provided to you regarding how they provisioned IPv6 to you.

Olha, olhando o problema superficialmente, com as informações que você passou, já levando em consideração que você verificou cabos e etc, digo que sim o problema pode ser na placa de rede.

Não é normal ter problema de conectividade entre o pfsense e o modem, é um cabo, não é pra perder ping nem muito menos perder o MAC da tabela.

I realized that I do not need to add 192.168.0.x since my WAN interface is 192.168.0.1 and /32 was incorrect too. I have removed that. I can see the route in the table but still the ping to google.com or 8.8.8.8 or 192.168.0.1 from a VM(192.168.1.100) connected to pfsense is very random. how can I troubleshoot that?

edit: do I have to reboot each time I save anything? that seems to do the trick

Or maybe he thought he was helping things by hard setting the speed and duplex where not supported? Auto-neg is my friend...

With IPAliases you can usually use either /32 or the correct subnet size. The important thing is you have at least one IP defined on the interface with the correct subnet in order to add the correct routing.

https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-address-feature-comparison.html#ip-alias

Steve

I will give that a try over the next day and see how I make out.

Thanks!

This seems connected to this issue
https://forum.netgate.com/topic/114786/pppoe-disconnects-requiring-reboot/2

Got it all up and running thanks! Eddie

@juelmk said in No inbound traffic coming into my WAN:

When I set my WAN interface to get dhcp address from the modem it get 0.0.0.0

Well then how would it work?

You sure your own the pfsense wan interface plugged into your router? You sure the cable is good?

When pfsense does get an IP you need to make sure that your wan and lan of pfsense do not overlap - ie they can not be the same network 192.168.0/24 for example

Nat reflection is ALWAYS the worse option to choose.. I don't understand why anyone would ever want to nat reflect..

if host.domain.tld is on the same network next to you - then why would you not just resolve host.domain.tld to that IP.. Why would you ever want to go to the public IP to be reflected back in??

As to forwarding port X to port Y.. That is always a work around in itself to all to go to the same service with the limitation of napt and only 1 public IP, etc.

If you want to go to host.domain.tld:port then go there where host.domain.tld resolves to the local IP and not the public ip..