BT static ip block help please.



  • Firstly many thanks for creating such a wonderful firewall. I have been using it in our small office for about 6 
    months now without a hitch. No reboots at all. :D. Please note that this thread is not a question about an HGV2700 but how I go about configuring the pfsense box to emulate / do what the HGV already can.

    I have looked through the forums and have not managed to figure out how to set up the following scenario. ??? Please bear with me in this as I'm no expert but merely a small company employee trying to get the best out of great free products, pfsense being one of them.

    Explanation
    -----------

    Our small company is with BT and we have been using a HGv2700 router for the pppoe connection. This has worked fine 
    for our needs up until now.

    System
    Model: BT2700HGV
    DSL Modem Type: ADSL
    Current Software: 5.29.117.6 
    DSL Modem: 7.2.6

    The HGv connects and serves an ip address to the pfsense box that is downstream of the HGv. Pfsense then picks up an 
    ip from the HGV via DHCP on wan and everything works. I have enabled the dhcp server in pfsense and the internal lan 
    clients have DHCP enabled and pfsense takes care of the rest. Appropriate rule sets have been created for our needs.

    Now the scenario has changed a little

    We have decided to purchase 5 ip addresses from BT in order for us to route these static ip's through to machines 
    for testing purposes (in the gif belows case kingdom).

    At the moment to route a static IP through to an internal PC I must connect it directly via a patch cable to the 
    HGV2700, then assign the static ip to the individual PC using the HGV interface (please see gif below).

    My goal is to get rid of the HGV and swap over to a vigor 100 (which I have and has been tested to work) this would 
    take away any HGV setup and leave pfsense to do all of my tasks. I have setup pfsense to do so with the vigor and 
    the pppoe on WAN works like a dream.

    Only thing is I do not have a clue how to set up static IP's with pfsense.

    BT supplied me with the following

    5 static ip addresses 81.137.1.2 - 81.137.1.6
    The bt router address 81.137.1.1
    subnet mask 255.255.255.248

    The pppoe connects with DHCP and gets a dynamic address every time.

    I figured if the HGV can perform this task then the pfsense box can do it with ease.

    I'm sure there are hundreds of people with the same problem so a documented solution on this forum may be beneficial 
    to the viewing public (including myself).

    Comments from the pfsense experts would be greatly appreciated. If you require clarification then I would gladly try and provide whatever information may be required to overcome my problem.

    Regards

    Sam
    (IP addresses shown have been changed for privacy)




  • Sam

    I'm also running a 2700hgv with 5 BT fixed IPs and pfsense 1.2.1 rc2.

    The trick is to forget the local LAN ips used by the 2700hgv and stick with your fixed IPs.

    You need to set your pfsense wan interface to be one of your fixed IPs (eg 81.137.1.2)
    and give it the right subnet (/29) and the correct BT gateway (81.137.1.1).

    Then create four virtual interfaces for your remaining fixed IPs (create 4 new CARP vips with IPs 81.137.1.3-81.137.1.6) again with the right subnet, same interface and unique vhid group for each.

    Once these are created and running, go over to NAT settings and enter whatever incoming IP translations you need, then go to "Rules" and create WAN rules to allow the traffic through on the relevant ports to the internal IPs.

    Next check that your 2700hgv is allowing the traffic through, either by an "allow all" or by specifically allowing the right ports through. Note that your CARP interfaces may take a few minutes (or hours?) to appear in the 2700 modem gui.

    Nick.

    PS. I'm looking to get rid of the hgv modem too. Elsewhere on the net people like it for its wireless power and dsl capabilities, but in my system it crashes every 3 or 4 days, often needing a hard power cycle to recover. Not ideal.



  • Many thanks for the help NickC

    I will have a go using the BT box although it would be great for me to ditch the BT box altogether and use the vigor 100 to get the dynamic ip and then use the pfsense box to route our 5 ip's. Thinking about it though your method could work for me with the vigor box couldn't it? The vigor gets a dynamic ip and providing I know the ip details for my fixed ones I could then set up pfsense as per your instructions. In my opinion the vigor is a better product for such an application, it just sits there without any whistles and bells doing its job. This way pfsense can route and protect as it were intended.

    Your thoughts please

    Adrian



  • I've been using BT and 5block static IP's at a customer site for a few years now….so I am not sure if you have the same BT router as I do...but it shouldn't matter...

    I also found that trying to make the 2Wire behave as a router caused it to lock up every 2-3 days....so I found some steps on the web to turn off the router and act solely in "bridged" mode...this is where all NAT, routing etc is turned off and runs purely as a DSL modem.....you then setup pfSense to obtain its IP via PPPOE (pfsense will pickup a dynamic ip first) and then you have to assign Virtual IPs to match your Static IP block and then configure the necessary NAT, rules etc....its pretty easy.

    From trial & error, the most stable devices that I have found are the older 2Wire (vertical black) one, and a Linksys 4 port dsl/modem router (again in bridge mode). Currently these have operated for 412 consecutive days.



  • @sam_son:


    I will have a go using the BT box although it would be great for me to ditch the BT box altogether and use the vigor 100 to get the dynamic ip and then use the pfsense box to route our 5 ip's. Thinking about it though your method could work for me with the vigor box couldn't it?
    ...
    Your thoughts please

    Adrian

    Curiously since my last post I have had a go with the Vigor 100. Though it was about a month ago I'm trying to remember why I went back to the HGV.
    The Vigor 100 is a "straight through" adsl modem. You must configure PPPoE on your WAN to get the dynamic IP from your ISP (BT).
    At this stage two things put me off the Vigor:
    Firstly the line speed was less than the HGV. I'm 4.5km from the exchange; the HGV gives 2Mbit and the Vigor 1Mbit or less.
    Secondly I realised that CARP would no longer work for the 5 fixed IPs since CARP requires that the subnet be the same as the interface subnet.

    If your line speed comes up fine the second one is probably not a show stopper. You just need to look at the other VIP options (Proxy Arp/Other) that don't require the same subnet as the interface. You'll need to search the forums though.

    So I'm back with the HGV. If I try to disable the firewall and configure it as router only I'll post details here.

    Nick.
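
The subnet rule Nick describes above can be checked before touching the pfSense GUI. The following is an added example, not part of the thread: it takes the BT gateway and mask quoted by Sam and reports, for each fixed IP, whether it falls inside the WAN interface's subnet (CARP possible) or not (Proxy ARP/Other). The PPPoE address `192.0.2.57/32` is a constructed placeholder, and the function names are hypothetical.

```python
import ipaddress

def usable_block(gateway, netmask):
    """Derive the routed block from gateway + mask and list the
    host addresses left over once the gateway itself is excluded."""
    net = ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)
    gw = ipaddress.ip_address(gateway)
    return net, [h for h in net.hosts() if h != gw]

def plan_vips(wan_cidr, gateway, netmask):
    """Classify each fixed IP against the WAN interface subnet.

    Rule applied (as stated in the thread): a CARP VIP must sit in the
    same subnet as the interface; otherwise use Proxy ARP or Other.
    """
    wan = ipaddress.ip_interface(wan_cidr)
    _, usable = usable_block(gateway, netmask)
    plan = {}
    for ip in usable:
        if ip == wan.ip:
            plan[str(ip)] = "WAN address"
        elif ip in wan.network:
            plan[str(ip)] = "CARP possible"
        else:
            plan[str(ip)] = "Proxy ARP/Other"
    return plan

if __name__ == "__main__":
    gw, mask = "81.137.1.1", "255.255.255.248"   # values from the thread
    scenarios = {
        # pfSense behind the HGV, WAN set statically to one fixed IP
        "static WAN": "81.137.1.2/29",
        # bridged modem, WAN gets a dynamic PPPoE address (constructed)
        "PPPoE WAN": "192.0.2.57/32",
    }
    for name, wan in scenarios.items():
        print(name, wan)
        for ip, kind in plan_vips(wan, gw, mask).items():
            print(f"  {ip:<12} {kind}")
```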



  • Many thanks for the reply Nick,

    Right I'm no expert as you may have gathered by the questions. So it looks like I'm back to my HGV then as you say CARP will not work, it's a bit of a learning curve here to get this to work. So I have to go back to my HGV give the pfsense one of the IP addresses out of my block with the subnet they provided me with. After that it goes a little hazy

    Then create four virtual interfaces for your remaining fixed IPs (create 4 new CARP vips with IPs 81.137.1.3-81.137.1.6) again with the right subnet, same interface and unique vhid group for each.

    Once these are created and running, go over to NAT settings and enter whatever incoming IP translations you need, then go to "Rules" and create WAN rules to allow the traffic through on the relevant ports to the internal IPs.

    The carp vip and unique vhid has thrown me a bit. I don't suppose you could break this down any simpler? If not then I will have a go and hope I muddle my way through. I would love to get this system working as the HGV does not recognise all devices attached to it and I have a few IP devices that pfsense could route to no problem. If I put one of these devices on the pfsense lan side I can just tell it the mac address and the ip required and it works; if I connect the device to the HGV it cannot see the device at all so I cannot give that device a dedicated ip from my block (see the chicken and egg here).

    Once again your help and time is much appreciated, maybe some screen shots of pfsense with the IP's changed for your own security.

    Cheers

    Sam



  • Hi there Nick I have done the following,

    WAN - Assigned a static IP using one of the BT IP's Correct gateway and subnet /29

    Virtual IP - Set up ProxyARP with the static IP address / 32 and given it a name.
    I could not set up carp as it asked for a password to be set and I didn't understand why. Or is this the password of the HGV?

    Nat - Set up a port forward for protocols 1 - 10000 (for testing)

    WAN Rules - Allowed any to my internal LAN address.

    I have not seen any entries on the HGV front end perhaps you could post a screen shot for me

    Note that your CARP interfaces may take a few minutes (or hours?) to appear in the 2700 modem gui.

    Forgive me for being a plum but to get this working would be a milestone for me and future of my small business and any help from HGV users would be great.

    Regards

    Sam



  • @sam_son:

    Hi there Nick I have done the following,

    I could not set up carp as it asked for a password to be set and I didn't understand why. Or is this the password of the HGV?

    I'm pretty much a Pfsense newbie myself however I believe the password is required because carp is used to sync settings between multiple PFsense firewalls.
    If you're setting up the VID group for the first time it can be anything  ;)
    and if you're adding each virtual ip to its own VID group then just put something random in each time  :P

    I think I was feeling lazy when I did mine and just mashed a load of keys on the keyboard, not a very scientific way of picking a password  :-[

