Non-valid wan IP from cable modem
I posted the below in another forum also. I have no clue where to go from here. I am familiar with commercial grade firewalls but never owning one or working with one I don't know much. Please help?
I recently got tired of the consumer grade routers everyone uses and dug an old Dell XPS 630i out of the closet and installed PFsense on it.
During the install/config of PFsense I had just plugged the WAN side into my existing router and as such was using a double-nat on the PFsense box-not sure if this matters-but I am mentioning it just in case it does.
So. for the PFsense I had WAN interface=DHCP and it was grabbing a 192.168.x.x IP from my netgear 6300.
For the LAN side I had 192.168.70.1
I tested this for a week using one client-my laptop and everything was working just fine.
The Netgears Cable provided IP was/is: 24.xxx.xxx.xxx
So, I unplug all the cables and reconnect everything so the PFsense box is now connected to my Cable modem and the netgear router is connected to nothing…it's turned off with all cables unplugged from it (I plan on using it in AP mode when I get PFsense connected properly).
The WAN IP my PFsense received from the cable mode is not a 24.xxx.xxx.xxx IP but it is an IP in the following format 198.34.xxx.xxx. ANd it DID work for approx. 3 minutes--me and everyone else in the house was online and surfing through the PFsense box.
However, 3 minutes later no one can surf. NO matter WHAT I do I cannot get anyone to surf through the PFsense router and the PFsense router will NOT get a proper IP from the cable modem. In fact, after the previously mentioned 3 minute period if I put the 198.34.xxx.xxx IP into a web browser and attempt to load a webpage at that IP address the admin page for the PFsense box loads..I can even log into it..weird. I see in one browser the pfsense adfmin page located at 192.168.70.1 and in the other browser window I see the same config pages located at 198.34.xxx.xxx?
Someone please help? Why will the cable modem not give my PFsense box a valid IP? Everything works fine when PFsense is behind another router--I tested this. I also removed the PFsense box from the network and replaced the netgear onto the cable mode and it works fine to.
I mean it's DHCP ffs. I put my laptop directly to the cable mode it gets the same IP my router gets. I put my wife's laptop directly to the cable mode same thing-I put ANY laptop of desktop directly to the cable mode and whatever it is gets the same IP as the router gets. BUT, when I put another router directly onto the cable mode I get some weird messed up IP that won't give me any access at all?
I ws going to go out and buy a hardware firewall (https://store.pfsense.org/SG-2440/) but I thought geez I can build a firewall using parts I have around the house thats just as powerful as the one I was looking to pourchase so why not give it a go?
Thanks for ANY help at all, right now I am stuck.
Usually a cable modem needs a reboot or power-cycle to recognize a different device attached to it unless you fake the same MAC address.
In pfSense you can tell the pfSense system to refuse to accept the unwanted IP address from the cable modem and wait until it offers a valid one.
See: Interfaces / WAN and the Reject leases section: (I'm ignoring the useless address from the modem's 192.168.100.1 DHCP server that my Arris SB-6183 offers up)
Reject leases from 192.168.100.1 If there is a certain upstream DHCP server that should be ignored, place the IP address or subnet of the DHCP server to be ignored here. This is useful for rejecting leases from cable modems that offer private IPs when they lose upstream sync.
Yeah your going to need to power cycle your cable modem.. Unplug your netgear router, reboot your modem. Once its up and running and your lights show you are online and with sync. Then plug in your pfsense box and boot it up.
I thank you for your response. I actually just created another thread "My installation experience". I tried your suggestions already before I posted for help here, I should have explained further in this thread and I didn't, my bad, I did explain in more detail in the other thread….maybe I should be posting everything here or there and deleting one of these threads...my bad again. and apologies to the mods.
…However, 3 minutes later no one can surf...
I posted in your other thread as well, this sounds exactly like what was happening to me. Turned out to be simply the ethernet cable from pfSense to modem. Switched it out and was golden…
I too have built a home firewall/Router from PFsense for home use. My ISP (Internet Service Provider) is Comcast. There was some tweaking necessary for the IPV4/6 configuration of the VLANs, WAN/LAN interfaces, Routing Rules, DHCP Server, and the Gateway Monitoring to get it to work just right.
I will share my IPv4 settings as I am still working out the kinks on my IPv6 setup.
I am planning on designing some VLANs and ACL enforcement on my managed switch that I can use to wall off and QoS my home network, PBX VOIP network, Infrastructur VLAN, and Guest network. I haven’t gotten to the point of fleshing that out, so I will only cover what I have done as related to IPv4.
WAN: no vlans
WAN 2: no VLans
WAN Interface Configuration
location: Interfaces - WAN
General Configuration Section:
IPv4 Configuration type: DHCP
DHCP Client Configuration Section:
options - Advanced Configuration (checked)
Hostname: anything that is not private only information.
Reject Leases from: 192.168.100.1 (note that this should be the IP address of the modem you own)
Protocol Timing - Timout: 3600
Protocol Timing - retry: 15
Protocol Timing - Select Timeout: 0
Protocol Timing - Initial Interval: 1
Everything else leave default
LAN Interface Configuration
location: Interfaces - LAN
General Configuration Section:
IPv4 Configuration type: Static IPv4
Static IPv4 Configuration
IPv4: 192.168.1.1 (I think you chose 192.168.70.1)
IPv4 upstream Gateway: none
System - Routing – Gateways
You should have an IPv4 Gateway if you do not create one.
Address Family: IPv4
Default Gateway: Checked
Monitor IP: 220.127.116.11
(use an public IP address that will respond to ICMP (ping) requests. I use either openDNS or Google’s DNS Server IP addresses. if you leave it blank it will ping the Comcast gateway repeatedly. Two things can happen: sometimes you will get moved to a different subnet on their network, and your pfsense system will not update the monitor ip even though your WAN interface picked up a new IP address and gateway, or they will deny ICMP (ping traffic) and your Pfsense system will think the gateway is down.)
DHCP Server (IPv4)
Services – DHCP Server – LAN
Enable DHCP on LAN Interface: Checked
Subnet: 192.168.1.0 (I suspect yours will be 192.168.70.0)
Subnet Mask: 255.255.255.0
Available Range 192.168.1.1-192.168.1.254
Range From: 192.168.1.10
Range To: 192.168.1.115
Ok, just analysing the facts here, but there seem to be some problems with pfsense
[and maybe some on us with ISP connected with Cable modem]
Some on us seem to have problems getting WAN IP Address, resolving DNS, DHCP leases.
It's the third posts mentionning problems [not having WAN IP address, can't surf the internet, DHCP lease problems]
Still investigating through logs with Wireshark + Watchguard Monitoring [temporary installation] + pfSense logs
But i'm glad to see i'm not the only one having trouble [if i can say so, pain in the butt actually]
"Two things can happen: sometimes you will get moved to a different subnet on their network"
"or they will deny ICMP (ping traffic) and your Pfsense system will think the gateway is down.) "
I have been with comcast for shit will over 10 years.. I was with them through 3 different name changes in this area.. And neither of those have ever happened. I have had the same IP now going on years.. Lease renews, mac never changes so why would my IP change? I can recall maybe in the last 6 or 7 years it changing once. And that was due to them doing some upgrade when they really upped the speeds I do believe.
Not saying these things can not happen, but I don't think using some other IP other than your gateway is warranted because of those reasons. Googledns could decide to stop answering icmp next week as well.
I have never had any issues with getting an IP or renewing of ipv4.. Their ipv6 in my area has not been anything to write home about, it works - but the prefix can change on the wind changing direction and being chicago area that happens a lot ;) I just use a HE tunnel.. stable pretty close to same speeds and don't have to worry about any prefix changes I have my /48 and that doesn't change..
Have never seen need to block the 192.168.100, while I have seen pfsense get that from my modem when connection down.. The lease is short and fixes it self once connection comes back, or if connection comes back and I notice before can just renew. Have never seen need to reject that IP..
I would hanker a bet that many of these issues with getting an IP is just lack of resetting their cable modem on change of device connect to it. Not saying its everyone's issue - but prob some of the people having issues with getting an IP are in that boat.