Problem replacing Cisco ASA with pfSense on Comcast

  • Hopefully someone can help. I've searched this forum and Google but can't find an answer.

    I'm replacing an old Cisco ASA-5505 with a pfSense firewall. We're on Comcast Business with an SMC cable modem in "pseudo-bridge" mode as Comcast calls it. We have one static IP configured thusly (masked the octets no one needs to see, but they're valid):

    Comcast modem: x.x.x.130/30
    Current ASA firewall: x.x.x.129/30

    I did a basic pfSense install and configured my WAN interface with the ASA's IP and the Comcast IP as gateway. I left the LAN configuration at default after install just to see if I could get to the Internet with my laptop (as the only device on the network for now). I can't get to the Internet, the WAN gateway says it's down, I can't even ping Google DNS at from the WAN interface in diagnostics. The WAN gateway IS set as the default gateway.

    If I plug the network cables back into the Cisco everything works fine. I've double and triple checked all the addresses, firewall rules, etc. but as I said they're pretty simple as I wanted to get basic Internet access working before I set up more complicated rules.

    I even tried spoofing the Cisco's WAN MAC address, thinking perhaps I was having an ARP cache issue on the Comcast end, but that didn't work either.

    I used to do IT regularly, but I got out of the game and haven't done any serious networking in a while so I'm pretty rusty.

    Any ideas? Thanks in advance.

  • DOWN suggests no layer-2. Old MDIX issue and/or auto-negotiate fails? What are the LEDs by the RJ45s saying?

  • It might be some sort of auto-negotiate failure. I tried the same cable the Cisco uses and two other known good ones and the interface status for the WAN always says "No Carrier". Another curious thing, I turned off auto-detect for the WAN interface but it still said autodetect. I also tried reconfiguring the interfaces so the LAN interface that was working became the LAN and vice-versa. Still "no carrier". This is a new rackmount machine with an Intel H270 chipset and I'm using the built-in 1G LAN ports.

  • LAYER 8 Netgate

    You sure you actually know what port is what?

  • Well, I'm using the web interface from my laptop and getting a DHCP address in the range set up for the LAN, so I'm pretty sure my laptop is on the LAN and the WAN is connected to the cable modem. I shouldn't be able to access the web interface or DHCP from the WAN port, right?

    Also, I've got good connectivity lights, but that doesn't always mean it's connected…

  • Try a cheap, unmanaged switch between WAN and your modem. Might help with negotiation issues.

  • LAYER 8 Netgate

    Or a crossover cable.

  • OK, I’ve tried two different dumb switches on the WAN side. I always get “No carrier” but have connectivity lights on the adapter and switches.

    I tried switching interfaces. I have 3: em0, em1, and igb0. I use em1 for the LAN and it works fine. I’ve tried both em0 and igb0 for WAN and get “no carrier”. The weird thing also is that on either em0 or igb0, if I try to force them to 1000 or 100 full duplex, the interface status still shows auto select. Is there some weird bug with the WAN interface? I’m also using the new stable release 2.4.3, maybe I should try the previous release?

  • Are the 2 boxes right next to each other and the only thing connecting the 2 is one simple patch cable? 'Cuz recently there was another post where he finally disclosed a buried cable blah-blah. Do you have access to the SMC box to make conf changes there? This is so simple it's maddening, the hardware LINK between the 2 is bad.

  • LAYER 8 Netgate

    No there is no weird bug on the WAN interface. It is something you are doing in your environment. No, do not try an earlier version.

  • Yes, the two boxes are right next to each other with just the one cable connecting them. And I’ve tried several different cables.

    Right now I’ve got things in an isolated test setup since it’s a workday and we need our Internet access (so we’re back on the Cisco for now). I’ve got the LAN connected only to my laptop and the WAN connected to a dumb switch. WAN still says no carrier regardless of whether I use igb0 or em0. Still no carrier on the WAN side.

  • LAYER 8 Netgate

    Take a KNOWN GOOD 8-conductor cable and loop igb0 and em0 (plug one end into igb0, the other end into em0).

    Execute this in Diagnostics > Command Prompt: ifconfig -a

    Post the output.

  • em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
        ether 68:05:ca:7b:42:2b
        hwaddr 68:05:ca:7b:42:2b
        inet6 fe80::6a05:caff:fe7b:422b%em0 prefixlen 64 scopeid 0x1
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet 100baseTX <full-duplex>
        status: active
    igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 70:85:c2:46:81:f9
        hwaddr 70:85:c2:46:81:f9
        inet6 fe80::7285:c2ff:fe46:81f9%igb0 prefixlen 64 scopeid 0x2
        inet netmask 0xffffff00 broadcast
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet 100baseTX <full-duplex>
        status: active
    em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWTSO>
        ether 70:85:c2:46:81:fb
        hwaddr 70:85:c2:46:81:fb
        inet netmask 0xffffff00 broadcast
        inet6 fe80::1:1%em1 prefixlen 64 scopeid 0x3
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
    enc0: flags=0<> metric 0 mtu 1536
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: enc
    pflog0: flags=100<PROMISC> metric 0 mtu 33160
        groups: pflog
    pfsync0: flags=0<> metric 0 mtu 1500
        groups: pfsync
        syncpeer: maxupd: 128 defer: on
        syncok: 1

  • And in doing this the WAN interface status shows up in the web tool. Weird that with a dumb switch or my cable modem connected it’s down.

  • LAYER 8 Netgate

    Yeah. Fix your layer 1/2. The igb0 and em0 should both auto-MDIX. Hard to say what the problem is from remote.

  • Man I think I’m prepared to say I’m an idiot.

    I think I misread which port was which (someone asked me that early in this thread). I assumed both built-in NICs were em0 and em1 and the add-on card was igb0. Reasonable, right? After all, the hardware for the built-in ports is the same on the motherboard. Well, it looks like one built-in is em1 and the other is igb0 and the add-on is em0. Right now I have the add-on card connected to the dumb switch and configured as the WAN port and it’s showing UP.

    Guess I should never assume anything. BTW does the underlying Linux of pfSense have a command line tool to blink the network ports? That would be the final confirmation.

  • I spoke too soon. I think the web interface isn’t updating status properly. Em0 is the WAN port, and it’s showing UP connected to my dumb switch now after doing the cross-connect to igb0.

  • LAYER 8 Global Moderator

    "underlying Linux of pfSense have a command line"

    pfSense is not Linux, it's on FreeBSD… Big difference!!!

    As to your em, sure, you should be able to use this:

        /dev/led/em*  identification LED device nodes

    Make the identification LED of em0 blink:

        echo f2 > /dev/led/em0

    Turn the identification LED of em0 off again:

        echo 0 > /dev/led/em0

    igb should be able to do it too.

    When I get home I will validate with my 4860.

  • LAYER 8 Netgate

    You sure you actually know what port is what?

  • Yeah, I feel really stupid, especially after the "you sure you know what port…" comment. I wish I knew that blink command yesterday!

    Thanks for all the help everyone. Now does anyone know why pfSense would call the two built-in ports em1 and igb0 and the add on card em0? Makes no sense to me at all. That's what tripped me up.

  • LAYER 8 Netgate

    The operating system enumerates the ports. It has to do with the PCI bus they are on, etc. Every motherboard is different. You need to look at the MAC addresses and be sure you're talking to the correct port.
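One way to do that MAC-to-port check from the pfSense shell (Diagnostics > Command Prompt), as an added example that is not from the thread or from Netgate: the script below parses FreeBSD `ifconfig -a` output into one line per physical NIC (name, MAC, media, link status) and flags ports with no carrier or a forced speed/duplex. The `SAMPLE` text is constructed to mirror the thread's output, with placeholder MACs.

```shell
#!/bin/sh
# Added example: summarise FreeBSD/pfSense `ifconfig -a` output as one
# tab-separated line per physical NIC: name, MAC, media, link status.
# On a live box:  ifconfig -a | link_report

link_report() {
    awk '
        function flush() {
            # Only physical ports carry an "ether" line; lo0, pflog0 etc. are skipped.
            if (mac != "") printf "%s\t%s\t%s\t%s\n", iface, mac, media, status
            mac = ""; media = ""; status = ""
        }
        # A new interface record starts in column 0 as "name: flags=..."
        /^[a-z]+[0-9]+: flags=/ { flush(); iface = $1; sub(/:$/, "", iface); next }
        /^[ \t]+ether /         { mac = $2; next }
        /^[ \t]+media: /        { media = $0;  sub(/^[ \t]+media: /, "", media);   next }
        /^[ \t]+status: /       { status = $0; sub(/^[ \t]+status: /, "", status); next }
        END { flush() }
    '
}

# Report physical ports with no link, and ports whose media is not "autoselect":
# a forced speed/duplex against an auto-negotiating peer is a classic cause of
# "no carrier" or a duplex mismatch.
link_problems() {
    link_report | awk -F '\t' '
        $4 != "active"      { print $1 ": " $4 }
        $3 !~ /autoselect/  { print $1 ": forced media (" $3 ")" }
    '
}

# Constructed sample modelled on the thread's ifconfig output; MACs are placeholders.
SAMPLE='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
    ether 02:00:00:00:00:01
    media: Ethernet 100baseTX <full-duplex>
    status: no carrier
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:00:00:00:00:02
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet 127.0.0.1 netmask 0xff000000'

printf '%s\n' "$SAMPLE" | link_report
printf '%s\n' "$SAMPLE" | link_problems
```

Compare the MAC column against the labels printed on the NIC or motherboard, or blink the port with the `/dev/led` trick above, before trusting a name like em0 or igb0.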
