PfSense with ARRIS MODEM and Linksys E900 DDWRT

AnointedOne

Good day to all,

Having a bit of an issue here which has caused me after much trial and error and troubleshooting, I can't figure with my limited knowledge.

Recently completed CompTIA Network+ and Security+ passing both exam and due to lack of jobs, I decided to create my own little networking environment to further apply my knowledge for fun as well as experience till a job comes.

My test environment is at my church and I am the I.T admin. I chose there because some things,I would like to try out and learn how to configure (like internet access control, network monitoring, captive portal, the fun stuff), the numbers of individuals on the network is of a fair size.

My situation is this:
Before the firewall, all was pretty much simply, wireless router flashed with ddwrt for internet access control along with some security cameras accessible over the internet through DDNS. All of which worked fine. For some reason, my public ip changed (whats my ip on google) and as a result, the DDNS service got thrown off. The manufacturer of the security cameras offers the DDNS service which I am using. Since there is now a new public ip, I can't access the cameras outside church, like I use to before. After investigating, I could not trace the IP to a device on my network, so the only thing that I can think of is NAT.

https://www.youtube.com/watch?v=Rhxl1_tiBQM&t=43s In the early setup of the cameras, I followed this video to set the modem to bridged mode cause I had problems in getting the DDNS service to work properly.

So, after researching (lots of it), I saw someone mentioning that it is more secure to setup access of cameras over the internet through a VPN versus DDNS since with DDNS the entire internet has access to it and with VPN, only those who you want can access. This I understood and liked and again, for the experience, I learnt how to setup OpenVPN and got things working.

Soon after (couple of weeks into a month), i started having issues, couldn't access the network through VPN anymore thus no more cameras. Since I needed to get it available for other individuals, had to abandon the VPN since I couldn't fix it. Went back to the DDNS method which worked but then my public IP changed again. This is my issue.

My public IP before was my firewall IP but it changed to another IP. I did something pretty, unusual where i connected a cable from the modem to the WAN port on the router (desperate to get the thing on) so that way it can be available, which worked. Port forwarding was giving problem on pfsense so I used the router WAN port with the Upnp service (couldn't figure it out on pfsense) which got the cameras up.

BUT again, my public IP changed, messing up my DDNS service aka no more cameras. I factory reset everything, router, modem and firewall to no avail.

Sorry for the long statement but wanted to be detailed with all I have done and with all that has happened. So my question and request is this:

1. How do I get my public IP to reflect my firewall's WAN IP (and/or router IP)?
2. What is making my public IP change?

Thanks and I do eagerly await your response.

nycfly

1. How do I get my public IP to reflect my firewall's WAN IP (and/or router IP)?

You need to make sure your modem is properly set to bridge mode. Plug your pfsense router's WAN into the modem and it should acquire your public DNS via DHCP. For your modem to properly be in bridge mode, you need to make sure:

—It's set to bridge mode
—DHCP server is disabled
—Wireless is disabled
—Firewall is disabled

I think this is all covered in the the video you linked. In pfSense the WAN interface configuration for IPV4 should be set to DHCP.

Basically, you are setting the modem to act only as a modem. It won't get an IP address. Your pfSense box will acquire the IP address from your cable provider through the modem.

2. What is making my public IP change?

It is dynamically assigned. It is expected that it will change periodically. DDNS = Dynamic DNS. The purpose of it is to map a static host name to a dynamic IP address. To do this, the DDNS service needs to be told what your IP address is when it changes. pfSense includes a DDNS client (Services => Dynamic DNS) that you configure to update your DDNS provider whenever your IP address changes.

AnointedOne

You need to make sure your modem is properly set to bridge mode. Plug your pfsense router's WAN into the modem and it should acquire your public DNS via DHCP. For your modem to properly be in bridge mode, you need to make sure:

—It's set to bridge mode
—DHCP server is disabled
—Wireless is disabled
—Firewall is disabled

Yes, as per the video, all of this is done

It is dynamically assigned. It is expected that it will change periodically. DDNS = Dynamic DNS. The purpose of it is to map a static host name to a dynamic IP address. To do this, the DDNS service needs to be told what your IP address is when it changes. pfSense includes a DDNS client (Services => Dynamic DNS) that you configure to update your DDNS provider whenever your IP address changes.

Was more referring to what makes my public IP change, not really the DDNS. Before it was fixed with either, my modem IP, router IP or firewall IP. Now it is popping up this new IP. Want it back how it was. Example, a while ago i factory reset the modem and my public IP was the WAN IP of the modem. Did another reset and now it is showing that other IP which I am referring to.

nycfly

It is dynamically assigned. It is expected that it will change periodically. DDNS = Dynamic DNS. The purpose of it is to map a static host name to a dynamic IP address. To do this, the DDNS service needs to be told what your IP address is when it changes. pfSense includes a DDNS client (Services => Dynamic DNS) that you configure to update your DDNS provider whenever your IP address changes.

I think I misunderstood you. So you're saying sometimes pfSense has your public IP and sometimes it has another IP? What is that other IP? Are you sure the DHCP server in the modem is disabled?

AnointedOne

I think I misunderstood you. So you're saying sometimes pfSense has your public IP and sometimes it has another IP?

IP on pfSense is constant doesn't change. When you go google "whats my ip" to find out your public IP, that's the IP that changes.

Are you sure the DHCP server in the modem is disabled?

Yes, on the modem, DHCP on the WAN is disabled but as I go through the video, the modem wants me to set a static WAN IP. When I do, DHCP is disabled. If I disable the static, it re-enables the WAN DHCP. Think the modem in the video is a model earlier than what I have.

nycfly

IP on pfSense is constant doesn't change. When you go google "whats my ip" to find out your public IP, that's the IP that changes.

OK that was my original understanding. This is going to happen and there is not a whole lot you can do to control it. If you want a static IP (as opposed to a dynamic IP) you will have to pay your ISP for that as an additional feature (if this is a business account, this is easy but if it's a consumer account you may be out of luck).

Yes, on the modem, DHCP on the WAN is disabled but as I go through the video, the modem wants me to set a static WAN IP. When I do, DHCP is disabled. If I disable the static, it re-enables the WAN DHCP. Think the modem in the video is a model earlier than what I have.

I'm referring to the LAN DHCP server. This needs to be disabled (see picture) Sounds like pfSense is getting an IP address from your modem (presumably a 192.168.x.x address). You want pfSense to be acquiring the WAN address.

As for the WAN DHCP, I believe you should be able to disable WAN DHCP and just ignore the settings for static IP. You then need to reboot the cable modem. Afterwards, pfSense should be able to acquire the WAN address. Once you have pfSense getting the WAN address you can then setup the DDNS client on pfSense to update your DDNS provider whenever your IP address changes.


AnointedOne

I'm referring to the LAN DHCP server. This needs to be disabled (see picture)

It is disabled.

You want pfSense to be acquiring the WAN address

It is acquiring a WAN address.

As for the WAN DHCP, I believe you should be able to disable WAN DHCP and just ignore the settings for static IP

WAN DHCP is disabled through setting a static WAN IP; can't ignore it.

nycfly

It is acquiring a WAN address.

Is it acquiring this address from your ISP?

If I understood you correctly, you said pfSense had an IP that never changed but you said your WAN IP changes. I'm having trouble understanding this. What is the WAN IP on pfSense? Is it static or is pfSense set to DHCP?

AnointedOne

If I understood you correctly, you said pfSense had an IP that never changed but you said your WAN IP changes.

pfSense successfully obtains a WAN IP when connected to the modem. That IP does not change. As far as before, whenever I use to check my public IP through google, it would show the pfSense WAN IP as my public IP. Before setting pfSense, it would show my modem's WAN IP as the public IP. When I set up the linksys, it would be the Linksys WAN IP as the public. For some reason, it stopped and show an entirely different WAN IP for my public IP, which does not match pfsense.

That's the IP that changes. It looks like NAT but I am not sure how to adjust it.

nycfly

This behavior indeed seems strange.

Is the WAN interface on pfSense set to DHCP?

AnointedOne

This behavior indeed seems strange

Yes it is and annoying. But I just decided to use what I have rather than trying to re-establish what was there before. I port forwarded with the public ip and it works now. Thanks a bunch. Would like for it to be how it was but time is a factor. :) But now i have another problem. Will start a separate post for that one x.x

nycfly

DDNS clients that run on Windows/Mac/Linux client machines will use an external website to verify your public IP (there may also be such a client available as a package for pfSense as I don't think the built-in client does this). You could use one of those to update your DDNS so that your cameras or VPN can be used if your public IP changes, even if it doesn't change on pfSense.

MikeV7896

Some ISPs require that you use their gateway (modem + router in one) in order to get a static public IP address. They run a routing protocol on their router that communicates with their upstream routers, telling them to route data for your static IP address to your gateway. They don't allow third-party devices to run the same routing protocol because there is significant potential for abuse by giving out the key(s) needed for the routing protocol to function.

So if you were using your "modem" (in quotes because I'm guessing that it's really a gateway) as a router before, and you had a static IP address before, then that's why you're not getting a static IP address anymore. You've changed your "modem" so that it is strictly operating as a modem (bridge mode), so it's not running that routing protocol anymore and isn't able to accommodate a static IP address as a result.

AnointedOne

Some ISPs require that you use their gateway (modem + router in one) in order to get a static public IP address. They run a routing protocol on their router that communicates with their upstream routers, telling them to route data for your static IP address to your gateway. They don't allow third-party devices to run the same routing protocol because there is significant potential for abuse by giving out the key(s) needed for the routing protocol to function.

So if you were using your "modem" (in quotes because I'm guessing that it's really a gateway) as a router before, and you had a static IP address before, then that's why you're not getting a static IP address anymore. You've changed your "modem" so that it is strictly operating as a modem (bridge mode), so it's not running that routing protocol anymore and isn't able to accommodate a static IP address as a result.

Ahhhhh, ok. Thanks for the info. Things is now that I have opened the required ports, and have access to the cameras, I don't have access from a remote location. I think when I go there for the weekend, I will reset the modem back to default and see what I can do.

My VPN don't work remotely either. On site, all is well, offsite no connection

AnointedOne

So if you were using your "modem" (in quotes because I'm guessing that it's really a gateway) as a router before, and you had a static IP address before, then that's why you're not getting a static IP address anymore. You've changed your "modem" so that it is strictly operating as a modem (bridge mode), so it's not running that routing protocol anymore and isn't able to accommodate a static IP address as a result.

Quick update
Ok, here is another thing now. I got the same modem home (think it should be the same model, ISP change the models some time) and the modem in bridged and my public IP is the same as my router WAN IP.

Chrismallia

Why aren't you  setting  pfsense to update ddns any time the IP changes ?  thats all you have to do to keep using dynamic IP

AnointedOne

Why aren't you  setting  pfsense to update ddns any time the IP changes ?  thats all you have to do to keep using dynamic IP

The DDNS service is from the camera manufacturer. If I can set pfSense to use the service that would be great. Is there a tutorial on how to set it up if possible?

https://myq-see.com/ That's the website

remlei

check your IP camera if it has something like a polling task that checks your wan ip every x minutes. if those IP cameras doesnt have that feature, those IP camera probably suck ask the manufacturer to fix that.

and since you paid for DDNS service (I dont know why you would since there's a lot of free DDNS service out there anyway) ask them how to integrate the DDNS service to pfsense.

AnointedOne

check your IP camera

Not IP cameras (sadly)

since you paid for DDNS service

The service is free with the product (but yea guess in a way it is paid for)

there's a lot of free DDNS service out there anyway

Will check online but you recommend? Desperate here.

UPDATE
For a quick fix, I reset the modem again, set in bridged mode and directly connected to the linksys. WAN IP is shown as my public IP online. Decided to work "normally" for some reason but still getting hiccups with that ddns thing. Worked fine last night when i tested it at home but now…....in and out x.x

UPDATE 2
I took the pfsense PC to my home to do further troubleshooting and diagnostics. And again my public ip matches my pfsense WAN IP. Lol This is a odd things that's happening here. Right now, I'm going to monitor it and I have isolate the issue either to the modem or linksys (thoughts are pointing to the modem for me personally)

Chrismallia

Just setup pfsense to update you ddns account anytime the IP changes.

NO-IP is free https://www.noip.com/

Tutorial  https://turbofuture.com/computers/How-to-Configure-Dynamic-DNS-in-pfSense