Remove LAN interface

A Former User · Nov 13, 2019, 1:40 AM

Hello - I have a 4 port NIC installed.

em0 = wan
em1 = lan
em2 and em3 = lagg0

lagg0 interface is used for several vlans.

I'd like to utilize the second ethernet connection on my modem for a second WAN interface. However, I don't have any ports left.

Can I delete my lan interface since it's not being utilized? If so, can I change pfsense IP to an unused IP on a vlan?

johnpoz · Nov 13, 2019, 1:44 AM

Your internet connection is over a gig? The only "modems" I have seen with multiple interfaces is for higher than gig setups. What is the specific make and model of your modem - just curious.

Pfsense does like its lan - you can rename it, and could move it to your lagg if you want. But the "lan" interface is where it puts the antilock out rule. But sure you could disable the antilock out rule if you want, etc.

A Former User · Nov 13, 2019, 1:58 AM

@johnpoz said in Remove LAN interface:

Your internet connection is over a gig? The only "modems" I have seen with multiple interfaces is for higher than gig setups. What is the specific make and model of your modem - just curious.

Pfsense does like its lan - you can rename it, and could move it to your lagg if you want. But the "lan" interface is where it puts the antilock out rule. But sure you could disable the antilock out rule if you want, etc.

Internet connection is 1000/25 and I have the ARRIS Surfboard SB8200. I tested the second ethernet connection and was lucky enough to get an IP assignment. I thought my ISP would prohibit that.

Anyway, is it as simple as creating another vlan on lagg0 and assigning the LAN to that vlan?

JKnott · Nov 13, 2019, 2:23 AM

@angdigi said in Remove LAN interface:

I tested the second ethernet connection and was lucky enough to get an IP assignment. I thought my ISP would prohibit that.

My Hitron modem also supports 2 connections. When I connect a computer to the 2nd port, it gets a public IPv4 & IPv6 addresses. I suppose if I were to connect another pfSense system to it, it would also get a /56 prefix. I use that 2nd connection for testing my firewall & VPN from outside my network.

JKnott · Nov 13, 2019, 2:45 AM

@angdigi said in Remove LAN interface:

I'd like to utilize the second ethernet connection on my modem for a second WAN interface.

Does pfSense support multiple WAN connections? One thing it does support is assigning priority, for IPv6, on the LAN side, so that you could have more than 1 WAN connection, through more than 1 pfSense system and making one WAN the default.

johnpoz · Nov 13, 2019, 10:50 AM

@JKnott said in Remove LAN interface:

it gets a public IPv4 & IPv6 addresses.

So your isp provides you how many IPv4 addresses - because what your saying is I just put a switch on my modem be it 1 port or 2 ports model and now I could get say 100 public IPv4 addresses?

The activation of the 2nd port would come down to the ISP, and what their config setups on the device. Unless it gives you a 2nd public IPv4 That you want to use for forwarding, or outbound that is different than your 1st IPv4 I don't really see the point there.. You still really only have 1 internet connection. When it comes to ipv6 - they could give you 100,000 IPs doesn't matter since your not natting the IPv6 address.

Anyway, is it as simple as creating another vlan on lagg0 and assigning the LAN to that vlan?

Yup!

This frees up the physical interface - bobs your uncle.

JKnott · Nov 13, 2019, 11:43 AM

@johnpoz said in Remove LAN interface:

So your isp provides you how many IPv4 addresses - because what your saying is I just put a switch on my modem be it 1 port or 2 ports model and now I could get say 100 public IPv4 addresses?

The modem already has a switch, like most. When used in gateway mode, there are the usual 4 ports available. In bridge mode, it provides 2 addresses, as I mentioned. It doesn't matter which 2 of the 4 ports are used. So, I can have 2 addresses on both IPv4 and IPv6. In gateway mode, I get a single /64. In bridge, a /56 prefix through pfSense. I haven't tried getting 2 /56s, but I expect that would work too.

johnpoz · Nov 13, 2019, 6:32 PM

@JKnott said in Remove LAN interface:

The modem already has a switch, like most.

No not like most.. If your talking a gateway device then sure... But "MODEMS" normally only have 1 lan side port..

There are
Modems
Routers
Gateways - a gateway is a combo modem and router.

The 8200 he mentions is a "modem" but it has 2 ethernet interfaces. Some isp don't enable the 2nd interface, etc.

What is the make and model of your device?

A Former User · Nov 13, 2019, 4:06 PM

The activation of the 2nd port would come down to the ISP, and what their config setups on the device. Unless it gives you a 2nd public IPv4 That you want to use for forwarding, or outbound that is different than your 1st IPv4 I don't really see the point there.

Forwarding is exactly what I want t use it for. Now I can have two reverse proxies, one of them being in a true DMZ, along with other services, and keep it separate from the rest of my network.

Anyway, is it as simple as creating another vlan on lagg0 and assigning the LAN to that vlan?

Yup!

This frees up the physical interface - bobs your uncle.

Awesome. So pfsense will retain the default 192.168.1.1 address. Can you think of any other implications? I have a Unifi controller managing a few APs and managed switch. I suppose I'll need to add the new VLAN in the controller, otherwise nothing will be able to talk to pfsense...

JKnott · Nov 13, 2019, 6:32 PM

@johnpoz said in Remove LAN interface:

What is the make and model of your device?

Hitron CGN3ACSMR. As mentioned, it can be configured in gateway or bridge modes. Mine's in bridge. It's been years since I've had a plain modem. Also, while it is a gateway device, the ISP calls it a modem, as do many others.

A Former User · Nov 14, 2019, 12:39 AM

So, just wanted to report back that I created a vlan on lagg0 and assigned the LAN interface to that vlan. All seems OK.

However, the extra nic on the modem is now plugged into em1 but does not seem to be getting an IP, which I don't understand because when I plugged my laptop into that extra nic it did get an IP.

Status->gateways just says pending for the new WAN interface

stephenw10 · Nov 15, 2019, 12:09 AM

Might be locked to the laptop MAC address.

Could be it was never supposed to happen and the second port is not intended to be used.

Steve

johnpoz · Nov 15, 2019, 2:55 AM

Yeah... maybe your laptop had a rfc1918 address? 192.168.100 is common for modems to hand out.

Also as mentioned you almost always have to reboot a cable modem when you change the device connected to it.. To release the mac pairing.

A Former User · Nov 17, 2019, 2:24 PM

It was locked to the laptop MAC. I spoofed the interface with the MAC and it obtained an IP.

Connection doesn't seem stable though. I can't route traffic out the new WAN gateway. Also, the interface bounces between up and down frequently.

johnpoz · Nov 17, 2019, 2:39 PM

Have you actually validated with your ISP that you should get and be able to use a 2nd IPv4 address on this interface.. I find it highly unlikely that ISPs would just let users have a 2nd IP without the user paying for it at min.

Are you paying for more than 1 IPv4 address?

A Former User · Nov 17, 2019, 2:42 PM

I called a few times and each person had a different answer. First it was only one IP address per modem, then it was we don't offer the service of adding a second IP anymore, finally it was we don't lock ports on customer provided modems. That's when I tried with a laptop.

JKnott · Nov 17, 2019, 2:54 PM

@johnpoz said in Remove LAN interface:

Have you actually validated with your ISP that you should get and be able to use a 2nd IPv4 address on this interface.. I find it highly unlikely that ISPs would just let users have a 2nd IP without the user paying for it at min.

I read about it on a my ISP's user forum, which is moderated by some employees. I am not paying extra for the 2nd address.

johnpoz · Nov 17, 2019, 3:03 PM

And are you on the same ISP as the OP?

That your ISP doesn't charge for extra IPs is nice for you - they are leaving money on the table ;) More then likely they don't even know its happening and have just not locked it down yet ;)

Are you on a business line, that an ISP would hand out multiiple IPv4 in this day and age of shortages seems like really bad business practice if you ask me.

That 2nd IP could be used to support another customer, or at min get more money from you per month.. If they just have IPs sitting there unused... But to hand them out for free, they should prob fire their business model guy ;)

JKnott · Nov 17, 2019, 3:10 PM

@johnpoz said in Remove LAN interface:

Are you on a business line

No, just a plain residential account. However, I generally don't use the 2nd address, other than for occasional testing.

A Former User · Nov 17, 2019, 3:11 PM

@johnpoz

My ISP used to offer the service of a 2nd IP but now they don't. Yet they don't lock down customer modems with multiple ports.