How to configure pfSense using a Hitron router?
-
So if I set my WAN IP as my PUBLIC IP but still use the 192.168.0.1 from the Hitron as the gateway this would prevent these issues? Am I understanding that correctly now?
Excuse my ignorance, but we all have to learn from somewhere.
I have tried the DMZ route but that fails too. Going to set WAN IP to PUBLIC IP now and see if that fixes things…
Well, that didn't work. Taking a break to watch the rugby and then I'll get back to it! Thanks for all the help everyone in trying to get my head to understand how this all works.
-
The best thing to do, if it is possible, is to configure the Hitron in "pass-through" "bridging" mode (I am not sure the exact term that Hitron would use - if it does it at all). If you can get it to just act as a "dumb modem" and pass all the external traffic directly through to pfSense WAN, then:
Set pfSense WAN interface to DHCP (it will be a DHCP client, and will ask for an IP address from its upstream, which will be your ISP) and it should receive the "static" IP that your ISP has given you; or
If the ISP has told you the static IP to use and does not give it by DHCP, then put that static IP as the pfSense WAN IP.
If the Hitron will not go into "pass-through" mode, then:
Make the Hitron forward the ports that you want to be public through to your pfSense WAN IP 192.168.0.2
Keep the pfSense WAN IP 192.168.0.2 with gateway 192.168.0.1
On the Interfaces->WAN page, do not tick the Block RFC1918 box (you want to receive traffic from the Hitron 192.168.0.1)
The difficulty with helping you is that we do not know exactly what control you have over what the Hitron can do, so we are giving lots of "if this then do that" advice.
-
I think this whole issue I'm having is with the Hitron and the VB service itself.
When I set the Hitron into modem only mode (disable the router function) I can assign an IP using DHCP to the WAN address, which in turn gives me a DYNAMIC address (86.x.x.x). However, when the Hitron is set as VB expects it to be in order to get the STATIC IP, I get the STATIC IP (62.x.x.x) but then I can't forward anything through to the pfSense WAN, even using DMZ OR by disabling the default blocking rules.
I really think I'm going to have to revert to a DYNAMIC IP and, if I do, VB can come take this bit of garbage out from my house and I'll revert back to VM.
I won't give up trying to get this sorted and I do really appreciate everyone trying to help. If you need specific information from me, screenshots or whatever, I'll gladly provide them.
-
At least we need to know the exact model of this Hitron-shmitron router to confirm that it does or does not support bridge/dumb modem mode.
From what I found it looks like it can be enabled, but I may be wrong. That FAQ URL I posted stated that you can't connect to the Hitron interface when this mode is enabled and you must reset it to get back router functionality; this looks like a dumb modem in my eyes.
will only allow a DYNAMIC and not STATIC IP to work when this mode is activated.
In bridge mode it acts like a bridge, just a dumb interface that brings the ISP network to your pfSense WAN; you should not receive or set any IP on the Hitron side. But we don't know if it is real bridge mode or something else you have tried.
Sometimes static IP means that you don't touch anything on your own side but your modem/router just gets the static IP by a DHCP static lease; you don't need to configure anything. If it's not that way on your ISP then you should try to disable Residential Gateway in the Hitron and connect pfSense to that "one active port" as stated in the Rogers FAQ — if it applies to your model, then you should change the pfSense WAN IP to that external static IP you've got from the ISP manually.
-
Hmm… Maybe your ISP assigns the static IP by MAC address of your modem/Hitron and you need to do a spoof of the MAC… I am not sure.
-
@w0w:
Hmm… Maybe your ISP assigns the static IP by MAC address of your modem/Hitron and you need to do a spoof of the MAC… I am not sure.
No, VB (Virgin Business in case you hadn't figured that yet) have a stupid section in the Hitron where you have to set up a tunnel to connect to the STATIC IP. Unlike other providers who assign a static IP direct to the router, VB assign a Dynamic and then you're required to log in to this tunnel in order to get the static.
Anyway, I think I have good news. Having tinkered with NAT and Firewall rules, I think I may have sorted it even with the BLOCK rules in place. All I changed was the "Filter Rule Association" on the "Firewall->NAT->Port Forward" page to "Pass" instead of "Create new associated filter rule" and it all appears to be working. I can access my sites and I can connect to my mail server and SSH.
I'm not sure if this will create any security issues or not (I'm hoping not) but at least it's working.
If this is likely to cause security loopholes or issues, please let me know and I will have to speak direct with VB in order to try and get this resolved.
Thanks again to everyone for your help. Not sure if there is any "kudos" or "rep" on this forum, but I'd certainly like to give some if it's possible.
-
http://community.virginmedia.com/t5/Networking-and-wireless/Business-Hitron-Router/td-p/3045782/page/2
Looks like your static IP is received by GRE. I am pretty sure it can be configured on the pfSense side. Since I am not so familiar with GRE I can't comment on whether it would be best to use it on the pfSense side or leave it on the Hitron. Maybe somebody more competent can comment on it.
-
So on your ISP router.. you need to forward what you want to forward, 80 443 to 192.168.0.2, or put 192.168.0.2 (pfSense WAN IP) into the DMZ of your ISP router..
I have one client location where his ISP uses a Zyxel modem/router combo. I used the DMZ option johnpoz mentioned here and as soon as the pfSense router was placed into the DMZ all the port scanning and door knockers on ports 22, 23 and others started showing up in the pfSense firewall log that were not there before. I knew then that the pfSense router was exposed to the world and not behind the Zyxel's firewall anymore. This is certainly one way to pass that traffic (and see all the door knockers on your ports from CN, RS, IN, etc).
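Editor's added example (not code from anyone in this thread): a small Python parser for pfSense filterlog lines that counts blocked inbound attempts on the WAN and flags sources probing several ports, the "door knocker" pattern described above. Field order follows the pfSense filterlog CSV format; the interface name em0 and the log lines are constructed for illustration.

```python
"""Summarise blocked inbound connection attempts from pfSense filterlog lines.

Field order: common fields (rule, sub-rule, anchor, tracker, iface, reason,
action, direction, ip-version), then IPv4 fields (tos, ecn, ttl, id, offset,
flags, proto-id, proto, length, src, dst), then TCP/UDP (sport, dport, ...).
Only IPv4 TCP/UDP entries are handled here.
"""
from collections import defaultdict

WAN_IF = "em0"  # assumed WAN interface name (not from the thread)

def parse_filterlog(line):
    """Return a dict for an IPv4 TCP/UDP filterlog entry, or None otherwise."""
    if "filterlog[" not in line:
        return None
    csv = line.split("]: ", 1)[1].split(",")
    if len(csv) < 22 or csv[8] != "4" or csv[16] not in ("tcp", "udp"):
        return None
    return {"iface": csv[4], "action": csv[6], "dir": csv[7], "proto": csv[16],
            "src": csv[18], "dst": csv[19],
            "sport": int(csv[20]), "dport": int(csv[21])}

def blocked_inbound_by_source(lines, iface=WAN_IF):
    """Map source IP -> set of destination ports blocked inbound on `iface`."""
    hits = defaultdict(set)
    for line in lines:
        e = parse_filterlog(line)
        if e and e["iface"] == iface and e["dir"] == "in" and e["action"] == "block":
            hits[e["src"]].add(e["dport"])
    return hits

def door_knockers(lines, min_ports=2, iface=WAN_IF):
    """Sources that probed at least `min_ports` distinct blocked ports (sorted)."""
    return sorted(src for src, ports in blocked_inbound_by_source(lines, iface).items()
                  if len(ports) >= min_ports)

# Constructed sample log (documentation/test addresses only).
SAMPLE_LOG = [
    "Nov 20 10:00:01 pfSense filterlog[1234]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,1,0,DF,6,tcp,60,203.0.113.5,192.168.0.2,51234,22,0,S,1,,65535,,mss",
    "Nov 20 10:00:02 pfSense filterlog[1234]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,2,0,DF,6,tcp,60,203.0.113.5,192.168.0.2,51235,23,0,S,2,,65535,,mss",
    "Nov 20 10:00:03 pfSense filterlog[1234]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,3,0,DF,6,tcp,60,198.51.100.7,192.168.0.2,40001,3389,0,S,3,,65535,,mss",
    "Nov 20 10:00:04 pfSense filterlog[1234]: 9,,,1000000201,em0,match,pass,out,4,0x0,,64,4,0,DF,17,udp,76,192.168.0.2,203.0.113.53,40000,53,56",
    "Nov 20 10:00:05 pfSense filterlog[1234]: 7,,,1000000150,em1,match,block,in,4,0x0,,64,5,0,DF,6,tcp,60,198.51.100.7,10.0.0.2,40002,22,0,S,5,,65535,,mss",
    "Nov 20 10:00:06 pfSense sshd[99]: Accepted publickey for admin",
]

if __name__ == "__main__":
    for src, ports in blocked_inbound_by_source(SAMPLE_LOG).items():
        print(src, sorted(ports))
    print("door knockers:", door_knockers(SAMPLE_LOG))
```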
-
@w0w:
http://community.virginmedia.com/t5/Networking-and-wireless/Business-Hitron-Router/td-p/3045782/page/2
Looks like your static IP is received by GRE. I am pretty sure it can be configured on the pfSense side. Since I am not so familiar with GRE I can't comment on whether it would be best to use it on the pfSense side or leave it on the Hitron. Maybe somebody more competent can comment on it.
Thanks for the heads up. I'll take a look at this tomorrow although believe it or not I searched high and low (or at least thought I did) on the VM site for info on this. Perhaps I was searching the VB rather than VM site.
GRRR - modified this post then added kudos (or Karma as it's called here) to a couple of people and lost my edit because I forgot to save! Anyway, as I was saying…
I reviewed a lot of the 13 pages of posts on the above site but most of it was about people ranting and raving about flaky speeds and not being able to use the fixed IP on anything but the Hitron itself. Needless to say I posted my $0.01 (or more like $2.00) worth on the forum to let them know of my recent experience.
-
There is a problem with the Hitron router in modem mode and pfSense.
I have never managed to get it to successfully assign me an IP address via DHCP. As we need the modem/bridge mode because we can hit a large number of states, we eventually found a workaround. We spoofed the pfSense WAN firewall address on a PC and attached that directly to the modem, which then assigned us an IP address. After that it appears to be happy until the IP address expires every 12-14 months; then we have to repeat the exercise, but it works, and so far I have been unable to configure pfSense to the point where it will do it.
-
Well, at least I can confirm that those Hitron devices are junk.
Three+ years ago I got one from my cable provider. Issues were too numerous to remember. The contract ended 24 months after it began and I happily returned this crap.
I would dismiss a future great deal if it would imply having to use one of those devices.
-
Agreed. Hitron devices are junk. But with the right firmware, wifi disabled and bridge mode my Hitron has 9 months of uptime on a Gbps connection.
-
Mine was commissioned from ISP via TR-069, no bridge-mode and WiFi always on for "free fonero WLAN" or so. Crap^2
A firmware update rendered the device useless for about 1 week or so.
-
I keep seeing references to posts that claim that it is possible to configure pfSense to establish the GRE tunnel with the Hitron in modem mode in order to log in for the static IP on Virgin. Has anyone managed this?
I can't even get pfSense to get a dynamic address when the existing Smarthub 2 is in modem mode and have to spoof the MAC address.
-
I keep seeing references to posts that claim that it is possible to configure pfSense to establish the GRE tunnel with the Hitron in modem mode in order to log in for the static IP on Virgin. Has anyone managed this?
I can't even get pfSense to get a dynamic address when the existing Smarthub 2 is in modem mode and have to spoof the MAC address.
The Hitron and Smarthub are two completely different devices, aren't they?