How to configure pfSense using a Hitron router?



  • OK, firstly, I'd like to introduce myself as this is my first post in these forums.

    I have recently "upgraded" from Virgin Media to Virgin Business in order to have a static IP as I run a few web sites and a mail server from home. Anyway, the Hitron router which is supplied as the "router for business" by VB is, well, a pain in the jacksy. The number of port forwards is limited to 20 and the DHCP reservations are even fewer at 10.

    In short, I have decided to convert an old system into my own manageable firewall/DHCP/router using pfSense as pfSense seems to have the best user feedback and reviews.

    What I am attempting to do, and I'm not sure if this is possible (I have read other suggestions about using two DHCP controllers) is that I would like the WiFi of the Hitron to be used but obtain IP addresses from the LAN DHCP such that I can turn off DHCP and port forwarding on the Hitron completely and just use it as my "gateway to the nether regions". Unfortunately, I can't switch on the "use device as a modem" functionality as the Hitron then uses the Dynamic IP rather than the Static IP.

    How would I go about forwarding only the WiFi part of the Hitron to pick up IP addresses from the LAN DHCP or is this simply not possible?

    The system I am intending to use has 2 NIC (both Gigabit) and a Wireless PCI (not PCIe) card which I want to remove unless it's absolutely necessary as it supports b & g but not n.

    I tried to sort it out last night after reading an old post (from 2010 I believe) saying to set the Hitron onto the same subnet as the LAN but in doing that, obviously this breaks my WAN up-link and had to end up doing a factory reset on the Hitron in order to be able to connect again.

    I'm not asking for full directions or anything specific, just, if it's possible, which would be the best way to configure the interfaces; dual DHCP (i.e: use the Hitron for Wireless and LAN for wired) or some kind of, for a better word, loop-back, from the Hitron to the LAN (can't think how to explain that very well).

    Luckily (well, if you can call it luck) I am currently off on long term sick so I have plenty of time to try and sort this by whatever means are suggested. Obviously, if someone does post a "solution" and I manage to get it working in one way or another, I will certainly give them the kudos and report back with my findings.

    Looking for some polite (and hopefully helpful) replies. And thanks in advance…


  • Rebel Alliance Global Moderator

    So you want to put your wifi in front of pfsense so that network becomes your pfsense wan..

    Draw up how you want to put this.

    But here is the thing your wifi networks should be behind pfsense not in front of it..  Turn off the wifi on your existing router - get new AP for your wifi



  • In practice it is easy to simply ignore the WiFi that happens to be on your "front end modem device", and let the front-end device just be the conduit to pass packets back and forth between pfSense WAN and the ISP.

    However it is actually possible to achieve having the WiFi in front of pfSense work. It needs the "front end modem device" to be left in router-mode (rather than bridging mode) so that there is a local/private subnet for pfSense WAN with the front-end WiFi. Then do something like this that I posted a few years ago:
    https://forum.pfsense.org/index.php?topic=84504.msg463514#msg463514

    I actually did this at a site where power was a real problem and we wanted to save every watt by using capabilities that were already built in to the base "modem" plus pfSense box. But in the longer term it turned out to be a pest for support, because it was difficult for IT support staff to really understand all that was going on at this special site.


  • Rebel Alliance Global Moderator

    While that could work phil - I can see how that would be a local IT support nightmare.. You're doing routing on a stick with source natting to remove the issue of asymmetrical routing..

    Since the OP had to come here to ask - that is going to be way over their head most likely..  But yeah that is one way to skin the cat - but not very clean or simplistic solution.  While it might make sense is a very power starved location.

    It prob would be better for the OP to just get an AP for their wifi.



  • It prob would be better for the OP to just get an AP for their wifi.

    Yes, I agree.



  • Thanks for the heads up guys. Yes, as you may have guessed, I am new to this whole thing of pfSense and creating my own router/firewall. I am technically sound with my main job role (when in work) being a computer engineer / programmer but more from a PC standpoint rather than infrastructure.

    From what I'm reading I'm taking it that you don't advise using a dual DHCP; one pre and one post pfSense as the WiFi would not be protected by pfSense at all.

    I do have an old (Netgear VM Residential) router, which to be honest I preferred to the Hitron. I'm thinking about possibly using this post pfSense as an AP and using the Hitron as the front end / gateway only. It's all experimental to me at this stage but I understand why you suggest using a new AP.

    The main reason I haven't looked at the Netgear right now is that I'm not sure about its functionality when not connected to the Virgin cable infrastructure or even if it will function at all. I'll give it a go and will post back on whether that has been successful or not.

    In the meantime, if I have incorrectly understood what you are suggesting then please feel free to comment back, or if you think of anything else, I'd always be grateful.

    Thanks again in advance.



  • You will want to use the Netgear VM Residential router as just a basic WiFi access point (AP). For that you need to:

    1. Do not connect its WAN side to anything
    2. Connect its LAN side to your local LAN (e.g. to the switch on the LAN side of pfSense)
    3. Disable any DHCP on the Netgear VM Residential router
    4. Setup its WiFi SSID/password…

    The idea is that WiFi users will get an IP address from DHCP on pfSense LAN, and will use pfSense LAN as their gateway. The Netgear VM Residential "router" will just be bridging packets between WiFi and pfSense LAN.
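    Step 3 above (DHCP off on the repurposed router) is the one that fails silently if it is missed: two DHCP servers on one LAN hand out different leases and gateways. Below is an added example, not code from the thread or from pfSense, that parses DHCP OFFER payloads (the UDP data a capture tool would hand you) and reports any server identifier other than the pfSense LAN address. The three packets are constructed inside the script; the address 192.168.1.2 for a stray DHCP server is hypothetical.

```python
import struct
import ipaddress
from collections import defaultdict

# BOOTP/DHCP constants (RFC 2131 / RFC 2132)
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_OFFER = 2


def build_offer(xid, offered_ip, server_ip):
    """Build a minimal DHCP OFFER. Constructed test data only, not captured traffic."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                                # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0,                                 # transaction id, secs, flags
        b"\0" * 4,                                 # ciaddr
        ipaddress.IPv4Address(offered_ip).packed,  # yiaddr: the address being offered
        b"\0" * 4, b"\0" * 4,                      # siaddr, giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128,       # chaddr, sname, file
    )
    options = (bytes([OPT_MESSAGE_TYPE, 1, MSG_OFFER])
               + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
               + bytes([OPT_END]))
    return fixed + DHCP_MAGIC_COOKIE + options


def parse_dhcp(payload):
    """Return (yiaddr, {option_code: raw_value}) for one DHCP payload (UDP data, no headers)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return yiaddr, options


def offers_by_server(payloads):
    """Group OFFERs by the server identifier (option 54) that sent them."""
    seen = defaultdict(set)
    for payload in payloads:
        yiaddr, opts = parse_dhcp(payload)
        if opts.get(OPT_MESSAGE_TYPE) != bytes([MSG_OFFER]):
            continue
        server = str(ipaddress.IPv4Address(opts[OPT_SERVER_ID]))
        seen[server].add(yiaddr)
    return dict(seen)


def unexpected_servers(payloads, expected_server):
    """Every server other than pfSense LAN is a DHCP server that should have been disabled."""
    return sorted(s for s in offers_by_server(payloads) if s != expected_server)


# Constructed sample: two offers from pfSense LAN (192.168.1.1) and one from a
# hypothetical access point at 192.168.1.2 whose DHCP server was left switched on.
SAMPLE_OFFERS = [
    build_offer(0x1001, "192.168.1.150", "192.168.1.1"),
    build_offer(0x1002, "192.168.1.151", "192.168.1.1"),
    build_offer(0x1003, "192.168.1.100", "192.168.1.2"),
]

if __name__ == "__main__":
    print(offers_by_server(SAMPLE_OFFERS))
    print("unexpected DHCP servers:", unexpected_servers(SAMPLE_OFFERS, "192.168.1.1"))
```

    To run it against a real LAN you would feed it the UDP payloads of port 67/68 traffic taken from a packet capture; the parser only reads the fixed BOOTP header and the option list, so it does not depend on which tool captured them.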



  • @phil.davis:

    You will want to use the Netgear VM Residential router as just a basic WiFi access point (AP). For that you need to:

    1. Do not connect its WAN side to anything
    2. Connect its LAN side to your local LAN (e.g. to the switch on the LAN side of pfSense)
    3. Disable any DHCP on the Netgear VM Residential router
    4. Setup its WiFi SSID/password…

    The idea is that WiFi users will get an IP address from DHCP on pfSense LAN, and will use pfSense LAN as their gateway. The Netgear VM Residential "router" will just be bridging packets between WiFi and pfSense LAN.

    Hi Phil and thanks for the reply. My initial concern was that, because there was no physical network connection from Virgin, the unit would not boot and enable configuration of the unit, but it does; it just shows a blinking light to show there's no connection to the Virgin network. I have managed to configure it how I would like and I have set up the WiFi section as it would have been on the Hitron (using 2G and 5G). I have disabled the DHCP and made sure there are no ports being forwarded and will be using a single Cat-5 cable to connect in line to the pfSense PC. I may even use the other 3 ports as an additional switch if I go over capacity with the current one I have.

    I am now going to reinstall the server on my spare PC and start from scratch with the following IP settings.

    Hitron (Gateway):  192.168.0.1
    pfSense WAN: 192.168.0.2 (Gateway: 192.168.0.1)
    pfSense LAN: 192.168.1.1
    pfSense WiFi (Netgear): 192.168.1.2 (Front of building)
    pfSense WiFi #2: 192.168.1.3 (Rear of building) <- This is a sticking point as I would rather make this a repeater rather than a separate WiFi but not sure if I can do this as it's Wireless N but only 2G. In addition I have never really understood how repeaters work; is it a simple case of making sure they have the same SSID and passphrase or is it more in depth than that.
    LAN range: 192.168.1.150 to 192.168.1.200
    Static IP: [DHCP Reserved] (< 192.168.1.150) for servers, PCs, VoIP phones, printers

    I was thinking possibly of changing the LAN to use the 10.0.0.0 or 172.16.0.0 private addressing just to make sure there's some distinction between WAN and LAN but I'm not sure if that would really be necessary.

    Any further tips greatly received.



    That will work. And I would change the LAN to be in one of those other parts of private IPv4 address space. Choose something like 10.42.42.0/24 (pick your own "random" numbers in place of "42").

    In future you might setup some VPN to/from somewhere or road warrior. If the other end of the VPN happens to be in some coffee shop or friend's home that uses 192.168.1.0/24 for its local LAN, then it will be a hassle. Moving your LAN range elsewhere reduces the chance of having a future conflict.
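    phil.davis's point about overlapping subnets can be checked mechanically rather than by eye. The following added example (not from the thread or from pfSense) uses Python's ipaddress module to list which of a set of common remote subnets overlap a chosen LAN, and to pick a 10.x.y.0/24 with "random" middle octets in the way suggested above. The list of common remote subnets is constructed from the addresses mentioned in this thread and is an assumption, not a survey.

```python
import ipaddress
import random

# Subnets commonly found on consumer gear, taken from this thread: 192.168.0.0/24 on the
# Hitron, 192.168.1.0/24 on the planned LAN, 192.168.100.0/24 in the Hitron's modem mode,
# plus 10.0.0.0/24. Constructed list; extend it with whatever your VPN peers use.
COMMON_LANS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/24", "192.168.1.0/24", "192.168.100.0/24", "10.0.0.0/24")]


def conflicts(local_lan, remote_lans):
    """Return the remote subnets that overlap the local LAN.

    A VPN whose far end sits in any of these cannot be routed cleanly, because the
    same destination prefix would exist on both sides of the tunnel."""
    local = ipaddress.ip_network(str(local_lan))
    return [str(r) for r in remote_lans if local.overlaps(r)]


def pick_lan(seed=None):
    """Pick a 10.x.y.0/24 with 'random' middle octets, in the spirit of 10.42.42.0/24.

    Octets are drawn from 1-254, so 10.0.0.0/24 (common on consumer gear) is never chosen."""
    rng = random.Random(seed)
    return ipaddress.ip_network(f"10.{rng.randint(1, 254)}.{rng.randint(1, 254)}.0/24")


def pick_nonconflicting_lan(remote_lans, seed=None, attempts=100):
    """Draw candidates until one does not overlap any known remote subnet."""
    rng = random.Random(seed)
    for _ in range(attempts):
        candidate = pick_lan(rng.random())
        if not conflicts(candidate, remote_lans):
            return candidate
    raise RuntimeError("no free /24 found in the attempts allowed")


if __name__ == "__main__":
    print("192.168.1.0/24 overlaps:", conflicts("192.168.1.0/24", COMMON_LANS))
    print("10.42.42.0/24 overlaps:", conflicts("10.42.42.0/24", COMMON_LANS))
    print("suggested LAN:", pick_nonconflicting_lan(COMMON_LANS))
```

    The same overlaps() check is worth running again before adding any new VPN peer, with the peer's LAN added to the list.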



  • @phil.davis:

    That will work. And I would change the LAN to be in one of those other parts of private IPv4 address space. Choose something like 10.42.42.0/24 (pick your own "random" numbers in place of "42").

    In future you might setup some VPN to/from somewhere or road warrior. If the other end of the VPN happens to be in some coffee shop or friend's home that uses 192.168.1.0/24 for its local LAN, then it will be a hassle. Moving your LAN range elsewhere reduces the chance of having a future conflict.

    Never thought about it in that way before. I won't want to connect whilst out and about too often anyway so I wasn't really thinking of adding a VPN just yet. It is something I'm thinking of for the future though. For now I'm just going to get the server/router/WiFi setup and running correctly and then make a backup so when I do decide to add other features I have something to go back to when I mess up  ;)



  • OK, everything is up and running, well, almost!

    I have no clue why but I am unable to access any of my web hosts or mail servers externally.

    I have created the required rules (I think) as shown in the attachments. I would have included them in the message but I can't as I can't access my sites externally (hence the reason for this post).

    I can go anywhere and browse anything, I just cant get anything to come in. What have I missed?

    As always, thanks in advance…






  • Is the Hitron device in some bridging mode so that pfSense WAN gets the public IP address?

    If not, are the needed ports forwarded from the Hitron public internet side through to the pfSense WAN IP?

    Something of the above needs to happen for packets arriving at the public IP to find their way into pfSense.



  • You just wanted to get rid of Hitron router functions, but instead of doing it you have built the double NAT, using private addresses. This was NOT a good idea. You need to get public IP on your pfSense WAN address.
    http://www.rogers.com/web/support/internet/home-networking/247?setLanguage=en DO that and put your pfsense WAN interface to DHCP.


  • Rebel Alliance Global Moderator

    Even if you forward on your Hitron to the pfsense wan, since you're double natting, that forward is going to be rfc1918, and you still have the block rfc1918 addresses enabled.



  • @w0w:

    You just wanted to get rid of Hitron router functions, but instead of doing it you have built the double NAT, using private addresses. This was NOT a good idea. You need to get public IP on your pfSense WAN address.
    http://www.rogers.com/web/support/internet/home-networking/247?setLanguage=en DO that and put your pfsense WAN interface to DHCP.

    As I explained in my original post, this is not possible as the Hitron from VB, as it currently stands, will only allow a DYNAMIC and not STATIC IP to work when this mode is activated. However, I will try again but I will need to reconfigure my router system as the IP address changes (on the Hitron) from 192.168.0.1 to 192.168.100.1 which is not changeable.

    As for the private addressing I did this on suggestion from phil.davis.

    Are you saying it's the WAN that needs to have the DHCP?  I thought this was supposed to be on the LAN which is how it's currently configured.

    @phil.davis:

    Is the Hitron device in some bridging mode so that pfSense WAN gets the public IP address?

    If not, are the needed ports forwarded from the Hitron public internet side through to the pfSense WAN IP?

    Something of the above needs to happen for packets arriving at the public IP to find their way into pfSense.

    I even tried turning on DMZ on the Hitron to the WAN IP but this didn't resolve the issue either.

    @johnpoz:

    Even if you forward on your Hitron to the pfsense wan, since you're double natting, that forward is going to be rfc1918, and you still have the block rfc1918 addresses enabled.

    So should this "block" be disabled? Sorry, I'm still new to all this and I don't really understand what the rfc1918 is all about. All I know after reading a few snippets about it is that it was implemented to get ready for IPv6 and to prevent IPv4 from running out. Source: http://whatis.techtarget.com/definition/RFC-1918


  • Rebel Alliance Global Moderator

    What???

    Yeah, you're reading that wrong ;)  yes with the use of NAT and rfc1918 space not everyone needs public for all their devices.  And sure allows less ipv4 public IPs.. But that is not what rfc1918 space is..

    rfc1918 are IPs, that do not route on the internet - they are meant for private use only.. 
    10.x.x.x
    172.16-31.x.x
    192.168.x.x

    Your wan is that 192.168.0.2

    So on your isp router.. you need to forward what you want to forward, 80 443 to 192.168.0.2, or put 192.168.0.2 (pfsense wan IP) into the DMZ of your isp router..

    since your isp router is sending traffic to 192.168.0.2 that hit your public IP on 80/443, pfsense says hey wait - that is rfc1918.. I block that shit!!!  So you need to turn off that rule!!!  Normally pfsense would have a public IP on its wan, and then that rule is fine..




  • So if I set my WAN IP as my PUBLIC IP but still use the 192.168.0.1 from the Hitron as the gateway this would prevent these issues?  Am I understanding that correctly now?

    Excuse my ignorance, but we all have to learn from somewhere.

    I have tried the DMZ route but that fails too. Going to set WAN IP to PUBLIC IP now and see if that fixes things…

    Well, that didn't work. Taking a break to watch the rugby and then I'll get back to it! Thanks for all the help everyone in trying to get my head to understand how this all works.



  • 1. The best thing to do, if it is possible, is to configure the Hitron in "pass-through" "bridging" mode (I am not sure the exact term that Hitron would use - if it does it at all). If you can get it to just act as a "dumb modem" and pass all the external traffic directly through to pfSense WAN, then:
          Set pfSense WAN interface to DHCP (it will be a DHCP client, and will ask for an IP address from its upstream, which will be your ISP) and it should receive the "static" IP that your ISP has given you; or
          If the ISP has told you the static IP to use and does not give it by DHCP, then put that static IP as the pfSense WAN IP.

    2. If the Hitron will not go into "pass-through" mode, then:
          Make the Hitron forward the ports that you want to be public through to your pfSense WAN IP 192.168.0.2
          Keep the pfSense WAN IP 192.168.0.2 with gateway 192.168.0.1
          On the Interfaces->WAN page, do not tick the Block RFC1918 box (you want to receive traffic from the Hitron 192.168.0.1)

    The difficulty with helping you is that we do not know exactly what control you have over what the Hitron can do, so we are giving lots of "if this then do that" advice.
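    johnpoz's explanation of why the "Block private networks" rule drops the forwarded traffic, and the two options phil.davis lays out above, can be walked through with a small model. The script below is an added example, not pfSense code and not from either poster: it classifies addresses against the three RFC 1918 ranges and applies a simplified version of pfSense's inbound WAN evaluation order (the automatic private-source block first, then the port forward's associated filter rule, then default deny). It assumes, as the posts do, that packets handed on by the Hitron arrive at pfSense WAN with a private source address; whether a front router rewrites the source like that depends on the device, so the last scenario shows the other case. The public addresses 198.51.100.20 and 203.0.113.9 are documentation placeholders, not the poster's real IPs.

```python
import ipaddress

# The three RFC 1918 ranges as johnpoz lists them: 10.x.x.x, 172.16-31.x.x, 192.168.x.x
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if the address lies in private (non-internet-routable) space."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def wan_inbound_decision(src, dst, dport, wan_ip, forwarded_ports, block_private):
    """Simplified model of pfSense's inbound WAN rule order (assumption: real pfSense has more steps).

    1. the automatic 'Block private networks' rule, if ticked, rejects any RFC 1918 *source*
    2. a port forward with an associated filter rule passes the forwarded ports to the WAN IP
    3. everything else hits the default deny"""
    if block_private and is_rfc1918(src):
        return "blocked: RFC1918 source, 'Block private networks' ticked"
    if dst == wan_ip and dport in forwarded_ports:
        return "passed: port forward"
    return "blocked: default deny"


def scenarios():
    """The setups described in the thread, using the thread's own private addresses."""
    forwarded = {80, 443}
    public_wan = "198.51.100.20"   # placeholder for the public IP pfSense would hold in bridge mode
    knocker = "203.0.113.9"        # placeholder for an outside client
    return {
        # Option 1: Hitron in bridge mode, pfSense WAN holds the public IP; the box can stay ticked
        "bridge_mode":
            wan_inbound_decision(knocker, public_wan, 443, public_wan, forwarded, True),
        # Option 2 with the box still ticked: traffic arriving with a private source is dropped
        "double_nat_ticked":
            wan_inbound_decision("192.168.0.1", "192.168.0.2", 443, "192.168.0.2", forwarded, True),
        # Option 2 with the box unticked, as phil.davis suggests
        "double_nat_unticked":
            wan_inbound_decision("192.168.0.1", "192.168.0.2", 443, "192.168.0.2", forwarded, False),
        # Unticking the box does not open ports that are not forwarded
        "double_nat_unticked_ssh":
            wan_inbound_decision("192.168.0.1", "192.168.0.2", 22, "192.168.0.2", forwarded, False),
        # If the front router kept the public source address, the ticked box would not match
        "double_nat_public_src":
            wan_inbound_decision(knocker, "192.168.0.2", 443, "192.168.0.2", forwarded, True),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:25s} {result}")
```

    The model is only meant to make the rule interaction visible; the pfSense firewall log, which records the rule that matched, is the authority for what actually happened on a given box.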



  • I think this whole issue I'm having is with the Hitron and the VB service itself.

    When I set the Hitron into modem only mode (disable the router function) I can assign an IP using DHCP to the WAN address which in turn gives me a DYNAMIC address (86.x.x.x). However, when the Hitron is set as VB expect it to be in order to get the STATIC IP, I get the STATIC IP (62.x.x.x) but then I can't forward anything through to pfSense WAN, even using DMZ OR by disabling the default blocking rules.

    I really think I'm going to have to revert to a DYNAMIC IP and, if I do, VB can come take this bit of garbage out from my house and I'll revert back to VM.

    I won't give up trying to get this sorted and I do really appreciate everyone trying to help. If you need specific information from me, screenshots or whatever, I'll gladly provide them.



  • At least we need to know the exact model of this Hitron-shmitron router to confirm that it does or does not support bridge/dumb modem mode.
    From what I found it looks like it can be enabled but I may be wrong. That FAQ url I've posted stated that you can't connect to the hitron interface when this mode is enabled and you must reset it to get back router functionality; this looks like a dumb modem in my eyes.

    will only allow a DYNAMIC and not STATIC IP to work when this mode is activated.

    In bridge mode it acts like a bridge, just a dumb interface that brings the ISP network to your pfSense WAN; you should not receive or set any IP on the hitron side. But we don't know if it is real bridge mode or something else you have tried.
    Sometimes static IP means that you don't touch anything on your own side but your modem/router just gets the static IP by DHCP static lease, you don't need to configure anything. If it's not that way on your ISP then you should try to disable Residential Gateway in Hitron and connect pfSense to that "one active port" as stated in the rogers FAQ — if it applies to your model, then you should change the pfSense WAN IP to that external static IP you've got from the ISP manually.



  • Hmm… Maybe your ISP assigns the static IP by the MAC address of your Hitron modem and you need to spoof the MAC… I am not sure.



  • @w0w:

    Hmm… Maybe your ISP assigns the static IP by the MAC address of your Hitron modem and you need to spoof the MAC… I am not sure.

    No, VB (Virgin Business in case you hadn't figured that yet) have a stupid section in the Hitron where you have to set up a tunnel to connect to the STATIC IP. Unlike other providers who assign a static IP direct to the router, VB assign a Dynamic and then you're required to log in to this tunnel in order to get the static.

    Anyway, I think I have good news. Having tinkered with NAT and Firewall rules, I think I may have sorted it even with the BLOCK rules in place.  All I changed was the "Filter Rule Association" on the "Firewall->NAT->Port Forward" page to "Pass" instead of "Create new associated filter rule" and it all appears to be working.  I can access my sites and I can connect to my mail server and SSH.

    I'm not sure if this will create any security issues or not (I'm hoping not) but at least it's working.

    If this is likely to cause security loopholes or issues, please let me know and I will have to speak direct with VB in order to try and get this resolved.

    Thanks again to everyone for your help. Not sure if there is any "kudos" or "rep" on this forum, but I'd certainly like to give some if it's possible.



  • http://community.virginmedia.com/t5/Networking-and-wireless/Business-Hitron-Router/td-p/3045782/page/2

    Looks like your static IP is received by GRE. I am pretty sure it can be configured on the pfsense side. Since I am not so familiar with GRE I can't comment on whether it would be best to use it on the pfSense side or leave it on the hitron. Maybe somebody more competent can comment on it.



  • @johnpoz:

    So on your isp router.. you need to forward what you want to forward, 80 443 to 192.168.0.2, or put 192.168.0.2 (pfsense wan IP) into the DMZ of your isp router..

    I have one client location where his ISP uses a Zyxel modem/router combo. I used the DMZ option johnpoz mentioned here and as soon as the pfSense router was placed into the DMZ all the port scanning and door knockers on ports 22, 23 and others started showing up on the pfSense firewall log that were not there before. I knew then that pfSense router was then exposed to the world and not behind the Zyxel's firewall anymore. This is certainly one way to pass that traffic (and see all the door knockers on your ports from CN, RS, IN, etc).
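    The "door knockers" that appear once pfSense sits in the DMZ are easiest to reason about from the raw firewall log rather than the GUI view. The added example below (not from the thread and not pfSense code) parses a few constructed lines in pfSense's filterlog CSV layout, keeps only blocked inbound entries on the WAN interface, and picks out sources that probed several distinct ports. The interface name em0, the rule and tracker numbers and the source addresses are constructed placeholders, and the field positions follow the filterlog format as understood here; compare them against one real line from your own log before relying on the parser.

```python
from collections import defaultdict

# Constructed sample lines (not the poster's real log) in the pfSense filterlog CSV layout.
# Field order assumed here, counting from the first field after "filterlog: ":
#   0 rule, 1 subrule, 2 anchor, 3 tracker, 4 iface, 5 reason, 6 action, 7 dir, 8 ipver,
#   IPv4: 9 tos, 10 ecn, 11 ttl, 12 id, 13 offset, 14 flags, 15 proto-id, 16 proto, 17 len,
#   18 src, 19 dst, then tcp/udp: 20 sport, 21 dport, 22 datalen, then tcp flags...
SAMPLE_LOG = """\
Mar  5 10:00:01 pfsense filterlog: 12,,,1000000103,em0,match,block,in,4,0x0,,52,1234,0,none,6,tcp,60,203.0.113.5,192.168.0.2,54321,22,0,S,,,,,
Mar  5 10:00:02 pfsense filterlog: 12,,,1000000103,em0,match,block,in,4,0x0,,52,1235,0,none,6,tcp,60,203.0.113.5,192.168.0.2,54322,23,0,S,,,,,
Mar  5 10:00:03 pfsense filterlog: 12,,,1000000103,em0,match,block,in,4,0x0,,52,1236,0,none,6,tcp,60,203.0.113.5,192.168.0.2,54323,3389,0,S,,,,,
Mar  5 10:00:04 pfsense filterlog: 12,,,1000000103,em0,match,block,in,4,0x0,,52,1237,0,none,6,tcp,60,198.51.100.7,192.168.0.2,40000,22,0,S,,,,,
Mar  5 10:00:05 pfsense filterlog: 7,,,1000000105,em0,match,pass,in,4,0x0,,52,1238,0,none,6,tcp,60,198.51.100.8,192.168.0.2,40001,443,0,S,,,,,
Mar  5 10:00:06 pfsense filterlog: 9,,,1000000104,em1,match,pass,in,4,0x0,,64,1239,0,none,17,udp,78,192.168.1.150,192.168.1.1,50000,53,58
"""


def parse_filterlog(line):
    """Return a dict for an IPv4 tcp/udp filterlog line, or None for anything else."""
    if "filterlog:" not in line:
        return None
    fields = line.split("filterlog: ", 1)[1].strip().split(",")
    if len(fields) < 22 or fields[8] != "4" or fields[16] not in ("tcp", "udp"):
        return None
    return {"iface": fields[4], "action": fields[6], "dir": fields[7], "proto": fields[16],
            "src": fields[18], "dst": fields[19],
            "sport": int(fields[20]), "dport": int(fields[21])}


def inbound_blocks(log_text, wan_iface):
    """Blocked, inbound entries on the WAN interface: the knocks that never got in."""
    return [e for e in map(parse_filterlog, log_text.splitlines())
            if e and e["iface"] == wan_iface and e["dir"] == "in" and e["action"] == "block"]


def scanners(log_text, wan_iface, min_ports=3):
    """Sources blocked on at least min_ports distinct destination ports: port scanners."""
    ports = defaultdict(set)
    for e in inbound_blocks(log_text, wan_iface):
        ports[e["src"]].add(e["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def hits_on(log_text, wan_iface, watched=(22, 23)):
    """How many blocked inbound attempts landed on each watched port (22/23 as in the post)."""
    counts = defaultdict(int)
    for e in inbound_blocks(log_text, wan_iface):
        if e["dport"] in watched:
            counts[e["dport"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("scanners:", scanners(SAMPLE_LOG, "em0"))
    print("hits on watched ports:", hits_on(SAMPLE_LOG, "em0"))
```

    Run over a day of real WAN log lines, the scanners() output is a quick way to see how much of the noise is the same few sources walking through port lists, which is the pattern the post above describes.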



  • @w0w:

    http://community.virginmedia.com/t5/Networking-and-wireless/Business-Hitron-Router/td-p/3045782/page/2

    Looks like your static IP is received by GRE. I am pretty sure it can be configured on the pfsense side. Since I am not so familiar with GRE I can't comment on whether it would be best to use it on the pfSense side or leave it on the hitron. Maybe somebody more competent can comment on it.

    Thanks for the heads up. I'll take a look at this tomorrow although believe it or not I searched high and low (or at least thought I did) on the VM site for info on this. Perhaps I was searching the VB rather than VM site.

    GRRR - modified this post then added kudos (or Karma as it's called here) to a couple of people and lost my edit because I forgot to save!  Anyway, as I was saying…

    I reviewed a lot of the 13 pages of posts on the above site but most of it was about people ranting and raving about flaky speeds and not being able to use the fixed IP on anything but the Hitron itself. Needless to say I posted my $0.01 (or more like $2.00) worth on the forum to let them know of my recent experience.



  • There is a problem with the hitron router in modem mode and pfsense.
    I have never managed to get it to successfully assign me an IP address via DHCP. As we need the modem/bridge mode because we can hit a large number of states, we eventually found a workaround. We spoofed the pfSense WAN firewall address on a PC and attached that directly to the modem, which then assigned us an IP address. After that it appears to be happy until the IP address expires every 12-14 months; then we have to repeat the exercise, but it works, and so far I have been unable to configure pfSense to the point where it will do it.



  • Well, at least I can confirm that those Hitron devices are junk.
    Three+ years ago I got one from my cable provider. Issues were too numerous to remember. Contract ended 24 month after it began and I happily returned this crap.
    I would dismiss a future great deal if it would imply having to use one of those devices.



  • Agreed. Hitron devices are junk. But with the right firmware, wifi disabled and bridge mode my Hitron has 9 months uptime on a Gbps connection.



  • Mine was commissioned from ISP via TR-069, no bridge-mode and WiFi always on for "free fonero WLAN" or so. Crap^2
    A firmware-update rendered the device useless for about 1 week or so.



  • I keep seeing references to posts that claim that it is possible to configure pfsense to establish the gre tunnel with the hitron in modem mode in order to login for the static ip on virgin. Has anyone managed this?
    I can't even get pfsense to get a dynamic address when the existing smarthub 2 is in modem mode and have to spoof the mac address.



  • @stevehaley:

    I keep seeing references to posts that claim that it is possible to configure pfsense to establish the gre tunnel with the hitron in modem mode in order to login for the static ip on virgin. Has anyone managed this?
    I can't even get pfsense to get a dynamic address when the existing smarthub 2 is in modem mode and have to spoof the mac address.

    The Hitron and Smarthub are two completely different devices, aren't they?