HELP! Comcast Ethernet Dedicated Service and setup

  • HELP

    We just got Comcast EDI fiber at work and I've been tasked with setting it up. I have never dealt with dedicated internet and I'm lost.

    We have a pfSense protectli 4 port firewall that was up and working, or at least it was with our DSL.
    1 WAN and 3 LANs all worked fine through the DSL.

    Now that our fiber was installed I'm trying to switch it over and it's not working.

    Comcast supplied this information
    Link IP Address: 24.xx.xx.132/30  Gateway: 24.xx.xx.133  Layer 3 IP: 24.xx.xx.134  Subnet:

    Public LAN
    Usable IP Block: 24.xx.xx.32/28  Usable IP Range: 24.xx.xx.33 - 24.xx.xx.37  Subnet

    I set my WAN port to static 24.xx.xx.134 with a Gateway of
    I then set up a Virtual IP on the WAN interface as 24.xx.xx.33, one of our public IP addresses.
    Finally I set up an Outbound NAT Source (LAN1) and NAT address as 24.xx.xx.33.

    It doesn't work. On the "Dashboard" the WAN traffic graphs show continuous out activity but nothing in.
    If I change my Gateway address on the WAN to 24.xx.xx.132, which is shown as the "Link" address (which I don't think is right), I show both in and out traffic on the WAN in the dashboard but still no internet service.  :'( :'(

    I'd really appreciate it if someone could give me step by step how this should be set up, because I'm hitting my head against a wall not knowing if I'm doing something wrong. I've spent 8 hours on Google and I'm honestly lost now.

    Finally, this morning I got a "Comcast ECMC Service Alarm" email and I'm not sure if I caused that or not.
    Any help would be GREATLY appreciated.


  • What entries do you have for routing (System->Routing)?

    Which is listed as the default gateway - (default) after the name?

  • Hi Razidd,

    Thanks for taking the time to reply. Really appreciate it.

    Under Routing Gateways
    Name: Comcast Interface: Wan, Gateway: 24.xx.xx.133 Monitor IP: 24.xx.xx.133

    Static and Gateway Groups are blank

  • I then set up a Virtual IP on the WAN interface as 24.xx.xx.33, one of our public IP addresses

    Why are you doing this?  That address is part of your /29 network, which would be on the LAN side.  When traffic is sent to that address, the ISP will route it via the address you were assigned for the WAN interface.  Then, pfSense will route it appropriately to the LAN.  How many devices are on your LAN?  If 6 (including pfSense) or less, you don't need NAT.

  • Hi Jknott,

    This is part of where I'm really confused.

    I always understood LAN to be local network, but this is a public LAN, which I think are my addresses on Comcast/internet.

    How do I bridge my local LAN across the WAN to the Public LAN addresses?

    After reading everything I could find, I thought I had to set up a virtual IP address on the WAN because the WAN and Public LAN are in different subnets: 132/30 and 32/28.

    As for devices, I have WAY more than 6 on my "LAN", i.e. internal network. Between ethernet and wifi connected devices, probably a couple hundred.

    If I'm totally messed up, tell me so I can try and figure this out.
    Currently I'm not trying to host any servers on the internet; I'm just trying to get things talking to the internet.
    Really appreciate any possible direction.


  • If you needed NAT, I would think you could just get away with using your WAN 24.xx.xx.134 address as the NAT inside global address.

    Those "LAN" addresses are ones you could set if you needed publicly accessible addresses, such as a DMZ for servers.  You'd probably want to set up another interface on pfsense to handle this and assign it the appropriate settings to handle traffic for that subnet (24.xx.xx.32/28).

  • There are 2 sides to your pfSense router, the WAN side and the LAN.  It is possible to have multiple LANs.  You were assigned an address for the WAN side.  You use that to configure your WAN interface.  On the LAN side, you have up to 6 usable public addresses but have many more devices, which will require NAT.  In this situation, you'd typically have one LAN for those public addresses and a 2nd LAN for the NAT devices.  PfSense can route as appropriate for public and NAT addresses.  However, I have not set up such a configuration, so someone else will have to provide the details.  Incidentally, a separate network for public addresses is commonly called a DeMilitarized Zone (DMZ), which provides additional protection between the publicly reachable devices and the internal LAN.  PfSense supports this.

  • The easiest way to do this is to put the /30 on your WAN and use the /28 for VIPs off the WAN. Comcast is just calling it a LAN block- you can use those IPs as CARP or Alias VIPs on your WAN. Leave the LAN like it was before.

  • Thank you both for all of your help, but you've both completely lost me.

    Backing up.
    I previously had the pfSense server working with a DSL modem.

    So what I did when I got the fiber was only change the WAN connection to static 24.xx.xx.134 with a gateway of 24.xx.xx.133 figuring that would connect me to the internet and with pfSense performing Private LAN to WAN NAT like it had been.

    I got no connection to the internet. So I thought maybe I had to route my traffic through one of the Public LAN addresses; still no luck.

    Here is the only diagram from Comcast that I can find explaining their EDI.

    At this point all I want to do is connect my private lan through the pfSense to the internet no public addresses.

  • Hi dotdash,

    Curious, does your name have anything to do with Morse??

    Appreciate any help you can give me. All I want to do is just connect my pfSense firewall to the internet like it had been with DSL but I've run into a nightmare of nothing working.

    I don't need any public ip address just access so devices can connect but it just doesn't seem to work.

    Any pointers to get myself an internet connection over this stupid fiber would be appreciated.

  • Go back to the way you had it when you first configured it after the move from the DSL.  Once this is done, test with the diagnostics if you can ping from PFSense to the gateway address (24.xx.xx.133).  If this works, and since you're using static IP addressing, what have you configured for DNS?

  • OK, went back to the DSL and checked.
    Pinging modem and Internet was working.

    Moved WAN back to fiber and set static 24.xx.xx.134 and gateway 24.xx.xx.133; only changes made.
    Ping failed to 24.xx.xx.133 100% loss
    Ping failed to 24.xx.xx.132 100% loss (Link IP Address)

    I even tried changing my gateway to 24.xx.xx.132 which is supposed to be my Link IP and it also gives me a 100% loss on ping.

    If I'm not mistaken this means something is wrong with Comcast's equipment???

  • You got rid of the virtual address on the WAN too, right? The 24.xx.xx.33 one and the outbound NAT stuff associated with that?  That's the only other thing I could think of is that maybe it's trying to use this virtual address still when pinging.

    edit: also your link address is the network address, 135 is broadcast, 133 and 134 are your only two host addresses on this subnet.

  • Yep VIP deleted before the ping test.
    100% loss.

  • If everything is set as you claim, don't take it the wrong way, but are you sure subnet masks are correct?  Your original post didn't mention if you had set /30 prefix for the static IP on the WAN IP address (it defaults to /32, not gonna talk to too much else with that).  If everything's set correctly, a reboot of pfsense can't hurt anything either.
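
The subnet points raised in the two replies above (the network and broadcast addresses of the /30, and the prefix length set on the WAN), worked through as an added example that is not part of the original thread. The 198.51.100.x addresses are constructed stand-ins for the redacted values, and `link_summary` and `check_wan` are hypothetical helper names.

```python
import ipaddress

def link_summary(cidr):
    """Break a link subnet into network, broadcast and host addresses."""
    net = ipaddress.ip_network(cidr)  # raises ValueError if host bits are set
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "hosts": [str(h) for h in net.hosts()],
    }

def check_wan(wan_ip, prefix_len, gateway, routed_block):
    """Return a list of problems with a static WAN setup (empty = consistent)."""
    problems = []
    wan = ipaddress.ip_interface(f"{wan_ip}/{prefix_len}")
    net = wan.network
    gw = ipaddress.ip_address(gateway)
    routed = ipaddress.ip_network(routed_block)
    # Network and broadcast addresses exist only for /30 and shorter prefixes.
    reserved = set()
    if net.prefixlen <= 30:
        reserved = {net.network_address, net.broadcast_address}
    if wan.ip in reserved:
        problems.append(f"WAN address {wan.ip} is the network or broadcast address of {net}")
    if gw == wan.ip:
        problems.append("gateway is the same address as the WAN interface")
    elif gw not in net:
        # With too long a prefix (e.g. /32) the gateway is not on-link.
        problems.append(f"gateway {gw} is not on-link in {net}")
    elif gw in reserved:
        problems.append(f"gateway {gw} is the network or broadcast address of {net}")
    if routed.overlaps(net):
        problems.append(f"routed block {routed} overlaps the link subnet {net}")
    return problems

# Constructed sample values standing in for the redacted hand-off sheet.
LINK = "198.51.100.132/30"
ROUTED = "198.51.100.32/28"

if __name__ == "__main__":
    print(link_summary(LINK))
    cases = [(30, "198.51.100.133"), (32, "198.51.100.133"), (30, "198.51.100.132")]
    for prefix, gw in cases:
        print(prefix, gw, check_wan("198.51.100.134", prefix, gw, ROUTED) or "consistent")
```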

  • @Gadgets4grls:

    Hi dotdash,

    Curious, does your name have anything to do with Morse??

    Only in a roundabout way. It's actually a reference to a Wire song.
    Anyway, this shouldn't be so hard. I've done similar setups. Comcast usually takes the last usable, so try the /30 with 133 on your pfSense WAN and 134 as the default gateway. Do a packet capture on WAN if you can't arp the gateway.

  • I just found out.

    At this point it turned out to be a Comcast problem.
    My connection is dead so it wasn't my mistake at all.

    I'm not saying I won't still need help when they fix their part, so I could be back shortly.

    I do want to say thank you Thank you THANK YOU!!!!!!.

    To everyone that replied.


  • So what was the final solution to this pfSense issue? I was thinking that you had to place the Comcast router in Bridge Mode and then it would work for you. But I would like to hear what the final answer was. Thanks. Hope it is working.

  • Netgate Administrator

    Seems like it was not a pfSense issue at all. It should have worked in any of the suggested configurations but there was no response from the Comcast gateway.

