Modem passthrough PPPoE Fixed IP handover error
-
I suspect pfsense is not updating my negotiated fixed IP correctly.
I don't know why but maybe related to DHCP client unable to get lease from cable provider [solved].
Summary
I have an
- ISP Technicolor DMS3-CTC-25-191 in bridge mode
- ISP PPP over Ethernet
- pfsense 2.5.2-RELEASE (amd64) (Running on Proxmox 7.02 with all igb i211 NIC passthrough)
- pfsense: Interface -> WAN -> IPv4 Configuration Type -> PPPoE. PPPoE Configuration Username & Password entered.
- Wan interface appears to work
- pfsense: Status -> System logs -> System -> General -> [wan] IPADDR 10.20.25.158 -> [wan] IPADDR 59.123.123.123 (My redacted Fixed IP address)
However pfsense: Status -> System logs -> System -> General -> subsequently intermittently shows
>>> Gateway alarm: WAN_PPPOE (Addr:10.20.25.158 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
And pfsense: Status -> System logs -> Firewall -> More than once per second
Interface | Rule | Source | Destination | Protocol
WAN | Block local traffic leaving WAN (Netgate Recipe R... (1627606605) | 59.123.123.123 | 10.20.25.158 | ICMP
pfsense -> Interfaces -> WAN -> Reserved Networks -> Enabling or disabling results in no observable effect
I would like to reduce the log Spam and ideally fix the underlying issue. I'm not sure what I have done wrong though.
For those who can read System General logs, this may help (I have deleted entries from me logging in to pfsense and updating the firewall rules)
Nov 9 18:08:22 ppp 16659 Multi-link PPP daemon for FreeBSD
Nov 9 18:08:22 ppp 16659 process 16659 started, version 5.9
Nov 9 18:08:22 ppp 16659 web: web is not running
Nov 9 18:08:22 ppp 16659 [wan] Bundle: Interface ng0 created
Nov 9 18:08:22 ppp 16659 [wan_link0] Link: OPEN event
Nov 9 18:08:22 kernel ng0: changing name to 'pppoe0'
Nov 9 18:08:22 ppp 16659 [wan_link0] LCP: Open event
Nov 9 18:08:22 ppp 16659 [wan_link0] LCP: state change Initial --> Starting
Nov 9 18:08:22 ppp 16659 [wan_link0] LCP: LayerStart
Nov 9 18:08:22 ppp 16659 [wan_link0] PPPoE: Set PPP-Max-Payload to '1500'
Nov 9 18:08:22 ppp 16659 [wan_link0] PPPoE: Connecting to ''
Nov 9 18:08:22 ppp 16659 PPPoE: rec'd ACNAME "adl-fkk-lls-bras34"
Nov 9 18:08:22 ppp 16659 [wan_link0] PPPoE: rec'd PPP-Max-Payload '1500'
Nov 9 18:08:22 ppp 16659 [wan_link0] PPPoE: connection successful
Nov 9 18:08:22 ppp 16659 [wan_link0] Link: UP event
Nov 9 18:08:22 ppp 16659 [wan_link0] LCP: Up event
Nov 9 18:08:22 ppp 16659 [wan_link0] LCP: state change Starting --> Req-Sent
Nov 9 18:08:22 ppp 16659 [wan_link0] LCP: SendConfigReq #1
Nov 9 18:08:22 ppp 16659 [wan_link0] PROTOCOMP
Nov 9 18:08:22 ppp 16659 [wan_link0] MRU 1500
Nov 9 18:08:22 ppp 16659 [wan_link0] MAGICNUM 0x2d97cacf
Nov 9 18:08:22 ppp 16659 [wan_link0] LCP: rec'd Configure Request #1 (Req-Sent)
Nov 9 18:08:22 ppp 16659 [wan_link0] AUTHPROTO CHAP MD5
Nov 9 18:08:22 ppp 16659 [wan_link0] MAGICNUM 0x1dac0332
Nov 9 18:08:22 ppp 16659 [wan_link0] LCP: SendConfigAck #1
Nov 9 18:08:22 ppp 16659 [wan_link0] AUTHPROTO CHAP MD5
Nov 9 18:08:22 ppp 16659 [wan_link0] MAGICNUM 0x1dac0332
Nov 9 18:08:22 ppp 16659 [wan_link0] LCP: state change Req-Sent --> Ack-Sent
Nov 9 18:08:22 ppp 16659 [wan_link0] LCP: rec'd Configure Ack #1 (Ack-Sent)
Nov 9 18:08:22 ppp 16659 [wan_link0] PROTOCOMP
Nov 9 18:08:22 ppp 16659 [wan_link0] MRU 1500
Nov 9 18:08:22 ppp 16659 [wan_link0] MAGICNUM 0x2d97cacf
Nov 9 18:08:22 ppp 16659 [wan_link0] LCP: state change Ack-Sent --> Opened
Nov 9 18:08:22 ppp 16659 [wan_link0] LCP: auth: peer wants CHAP, I want nothing
Nov 9 18:08:22 ppp 16659 [wan_link0] LCP: LayerUp
Nov 9 18:08:22 ppp 16659 [wan_link0] CHAP: rec'd CHALLENGE #1 len: 39
Nov 9 18:08:22 ppp 16659 [wan_link0] Name: ""adl-fkk-lls-bras34""
Nov 9 18:08:22 ppp 16659 [wan_link0] CHAP: Using authname "My_ISP_Login_User_Name"
Nov 9 18:08:22 ppp 16659 [wan_link0] CHAP: sending RESPONSE #1 len: 51
Nov 9 18:08:22 ppp 16659 [wan_link0] CHAP: rec'd SUCCESS #1 len: 4
Nov 9 18:08:22 ppp 16659 [wan_link0] LCP: authorization successful
Nov 9 18:08:22 ppp 16659 [wan_link0] Link: Matched action 'bundle "wan" ""'
Nov 9 18:08:22 ppp 16659 [wan_link0] Link: Join bundle "wan"
Nov 9 18:08:22 ppp 16659 [wan] Bundle: Status update: up 1 link, total bandwidth 64000 bps
Nov 9 18:08:22 ppp 16659 [wan] IPCP: Open event
Nov 9 18:08:22 ppp 16659 [wan] IPCP: state change Initial --> Starting
Nov 9 18:08:22 ppp 16659 [wan] IPCP: LayerStart
Nov 9 18:08:22 ppp 16659 [wan] IPCP: Up event
Nov 9 18:08:22 ppp 16659 [wan] IPCP: state change Starting --> Req-Sent
Nov 9 18:08:22 ppp 16659 [wan] IPCP: SendConfigReq #1
Nov 9 18:08:22 ppp 16659 [wan] IPADDR 0.0.0.0
Nov 9 18:08:22 ppp 16659 [wan] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Nov 9 18:08:22 ppp 16659 [wan] IPCP: rec'd Configure Request #1 (Req-Sent)
Nov 9 18:08:22 ppp 16659 [wan] IPADDR 10.20.25.158
Nov 9 18:08:22 ppp 16659 [wan] 10.20.25.158 is OK
Nov 9 18:08:22 ppp 16659 [wan] IPCP: SendConfigAck #1
Nov 9 18:08:22 ppp 16659 [wan] IPADDR 10.20.25.158
Nov 9 18:08:22 ppp 16659 [wan] IPCP: state change Req-Sent --> Ack-Sent
Nov 9 18:08:22 ppp 16659 [wan] IPCP: rec'd Configure Reject #1 (Ack-Sent)
Nov 9 18:08:22 ppp 16659 [wan] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
Nov 9 18:08:22 ppp 16659 [wan] IPCP: SendConfigReq #2
Nov 9 18:08:22 ppp 16659 [wan] IPADDR 0.0.0.0
Nov 9 18:08:22 ppp 16659 [wan] IPCP: rec'd Configure Nak #2 (Ack-Sent)
Nov 9 18:08:22 ppp 16659 [wan] IPADDR 59.123.123.123
Nov 9 18:08:22 ppp 16659 [wan] 59.123.123.123 is OK
Nov 9 18:08:22 ppp 16659 [wan] IPCP: SendConfigReq #3
Nov 9 18:08:22 ppp 16659 [wan] IPADDR 59.123.123.123
Nov 9 18:08:22 ppp 16659 [wan] IPCP: rec'd Configure Ack #3 (Ack-Sent)
Nov 9 18:08:22 ppp 16659 [wan] IPADDR 59.123.123.123
Nov 9 18:08:22 ppp 16659 [wan] IPCP: state change Ack-Sent --> Opened
Nov 9 18:08:22 ppp 16659 [wan] IPCP: LayerUp
Nov 9 18:08:22 ppp 16659 [wan] 59.123.123.123 -> 10.20.25.158
Nov 9 18:08:22 check_reload_status 376 rc.newwanip starting pppoe0
Nov 9 18:08:22 ppp 16659 [wan] IFACE: Up event
Nov 9 18:08:22 ppp 16659 [wan] IFACE: Rename interface ng0 to pppoe0
Nov 9 18:08:23 php-fpm 347 /rc.newwanip: rc.newwanip: Info: starting on pppoe0.
Nov 9 18:08:23 php-fpm 347 /rc.newwanip: rc.newwanip: on (IP address: 59.123.123.123) (interface: WAN[wan]) (real interface: pppoe0).
Nov 9 18:08:25 php-fpm 80078 /interfaces.php: Gateway, none 'available' for inet, use the first one configured. 'WAN_PPPOE'
Nov 9 18:08:25 php-fpm 347 /rc.newwanip: Gateway, none 'available' for inet, use the first one configured. 'WAN_PPPOE'
Nov 9 18:08:25 php-fpm 80078 /interfaces.php: Default gateway setting Interface WAN_PPPOE Gateway as default.
Nov 9 18:08:25 php-fpm 347 /rc.newwanip: Default gateway setting Interface WAN_PPPOE Gateway as default.
Nov 9 18:08:25 php-fpm 80078 /interfaces.php: Gateway, none 'available' for inet6, use the first one configured. ''
Nov 9 18:08:25 check_reload_status 376 Restarting ipsec tunnels
Nov 9 18:08:25 php-fpm 347 /rc.newwanip: Gateway, none 'available' for inet6, use the first one configured. ''
Nov 9 18:08:25 rc.gateway_alarm 50984 >>> Gateway alarm: WAN_PPPOE (Addr:10.20.25.158 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
Nov 9 18:08:25 check_reload_status 376 updating dyndns WAN_PPPOE
Nov 9 18:08:25 check_reload_status 376 Restarting ipsec tunnels
Nov 9 18:08:25 check_reload_status 376 Restarting OpenVPN tunnels/interfaces
Nov 9 18:08:25 check_reload_status 376 Reloading filter
Nov 9 18:08:26 php-fpm 346 /rc.openvpn: Gateway, none 'available' for inet, use the first one configured. 'WAN_PPPOE'
Nov 9 18:08:26 php-fpm 346 /rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
Nov 9 18:08:28 php-fpm 347 /rc.newwanip: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1636443508] unbound[21162:0] error: bind: address already in use [1636443508] unbound[21162:0] fatal error: could not open ports'
Nov 9 18:08:30 check_reload_status 376 updating dyndns wan
Nov 9 18:08:32 check_reload_status 376 Reloading filter
Nov 9 18:08:32 php-fpm 80078 /interfaces.php: Creating rrd update script
Nov 9 18:08:32 php-fpm 347 /rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Nov 9 18:08:32 php-fpm 347 /rc.newwanip: Creating rrd update script
Nov 9 18:08:34 rc.gateway_alarm 34750 >>> Gateway alarm: WAN_PPPOE (Addr:10.20.25.158 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
Nov 9 18:08:34 check_reload_status 376 updating dyndns WAN_PPPOE
Nov 9 18:08:34 check_reload_status 376 Restarting ipsec tunnels
Nov 9 18:08:34 check_reload_status 376 Restarting OpenVPN tunnels/interfaces
Nov 9 18:08:34 check_reload_status 376 Reloading filter
Nov 9 18:08:34 php-fpm 347 /rc.newwanip: pfSense package system has detected an IP change or dynamic WAN reconnection - 59.123.123.123 -> 59.123.123.123 - Restarting packages.
Nov 9 18:08:34 check_reload_status 376 Starting packages
Nov 9 18:08:35 php-fpm 346 /rc.openvpn: Gateway, none 'available' for inet, use the first one configured. 'WAN_PPPOE'
Nov 9 18:08:35 php-fpm 346 /rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
Nov 9 18:08:35 php-fpm 80078 /rc.start_packages: Restarting/Starting all packages.
Nov 9 19:13:14 check_reload_status 376 Syncing firewall
Nov 11 14:33:53 php-fpm 3547 /interfaces.php: Gateway, none 'available' for inet, use the first one configured. 'WAN_PPPOE'
Nov 11 14:33:53 php-fpm 3547 /interfaces.php: Gateway, none 'available' for inet6, use the first one configured. ''
Nov 11 14:33:53 check_reload_status 376 Restarting ipsec tunnels
Nov 11 14:33:57 check_reload_status 376 updating dyndns opt4
Nov 11 14:33:59 check_reload_status 376 Reloading filter
Nov 11 14:33:59 php-fpm 3547 /interfaces.php: Creating rrd update script
Nov 11 14:34:01 rc.gateway_alarm 83475 >>> Gateway alarm: WAN_PPPOE (Addr:10.20.25.158 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
Nov 11 14:34:01 check_reload_status 376 updating dyndns WAN_PPPOE
Nov 11 14:34:01 check_reload_status 376 Restarting ipsec tunnels
Nov 11 14:34:01 check_reload_status 376 Restarting OpenVPN tunnels/interfaces
Nov 11 14:34:01 check_reload_status 376 Reloading filter
Nov 11 14:34:02 php-fpm 3547 /rc.openvpn: Gateway, none 'available' for inet, use the first one configured. 'WAN_PPPOE'
Nov 11 14:34:02 php-fpm 3547 /rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
Nov 11 14:35:07 check_reload_status 376 Syncing firewall
Nov 11 14:35:12 php-fpm 53354 /interfaces.php: Gateway, none 'available' for inet, use the first one configured. 'WAN_PPPOE'
Nov 11 14:35:12 php-fpm 53354 /interfaces.php: Gateway, none 'available' for inet6, use the first one configured. ''
Nov 11 14:35:12 check_reload_status 376 Restarting ipsec tunnels
Nov 11 14:35:17 check_reload_status 376 updating dyndns opt3
Nov 11 14:35:19 check_reload_status 376 Reloading filter
Nov 11 14:35:19 php-fpm 53354 /interfaces.php: Creating rrd update script
Nov 11 14:35:21 rc.gateway_alarm 10756 >>> Gateway alarm: WAN_PPPOE (Addr:10.20.25.158 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
Nov 11 14:35:21 check_reload_status 376 updating dyndns WAN_PPPOE
Nov 11 14:35:21 check_reload_status 376 Restarting ipsec tunnels
Nov 11 14:35:21 check_reload_status 376 Restarting OpenVPN tunnels/interfaces
Nov 11 14:35:21 check_reload_status 376 Reloading filter
Nov 11 14:35:22 php-fpm 53354 /rc.openvpn: Gateway, none 'available' for inet, use the first one configured. 'WAN_PPPOE'
Nov 11 14:35:22 php-fpm 53354 /rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. ''
Nov 11 15:48:37 check_reload_status 376 Syncing firewall
And a sample of pfsense: Status -> System logs -> Firewall -> filtered for the destination 10.20.25.158
Time | Interface | Rule | Source | Destination | Protocol
Nov 13 15:05:37 | WAN | Block local traffic leaving WAN (Netgate Recipe R... (1627606605) | 59.123.123.123 | 10.20.25.158 | ICMP
Nov 13 15:05:38 | WAN | Block local traffic leaving WAN (Netgate Recipe R... (1627606605) | 59.123.123.123 | 10.20.25.158 | ICMP
Nov 13 15:05:38 | WAN | Block local traffic leaving WAN (Netgate Recipe R... (1627606605) | 59.123.123.123 | 10.20.25.158 | ICMP
Nov 13 15:05:39 | WAN | Block local traffic leaving WAN (Netgate Recipe R... (1627606605) | 59.123.123.123 | 10.20.25.158 | ICMP
Nov 13 15:05:39 | WAN | Block local traffic leaving WAN (Netgate Recipe R... (1627606605) | 59.123.123.123 | 10.20.25.158 | ICMP
Nov 13 15:05:40 | WAN | Block local traffic leaving WAN (Netgate Recipe R... (1627606605) | 59.123.123.123 | 10.20.25.158 | ICMP
Nov 13 15:05:40 | WAN | Block local traffic leaving WAN (Netgate Recipe R... (1627606605) | 59.123.123.123 | 10.20.25.158 | ICMP
Nov 13 15:05:41 | WAN | Block local traffic leaving WAN (Netgate Recipe R... (1627606605) | 59.123.123.123 | 10.20.25.158 | ICMP
Nov 13 15:05:41 | WAN | Block local traffic leaving WAN (Netgate Recipe R... (1627606605) | 59.123.123.123 | 10.20.25.158 | ICMP
Nov 13 15:05:42 | WAN | Block local traffic leaving WAN (Netgate Recipe R... (1627606605) | 59.123.123.123 | 10.20.25.158 | ICMP
-
@patch said in Modem passthrough PPPoE Fixed IP handover error:
And pfsense: Status -> System logs -> Firewall -> More than once per second
Interface Rule Source Destination Protocol
WAN Block local traffic leaving WAN (Netgate Recipe R...
This rule, presumably a floating, blocks the gateway monitoring, since it might block any outgoing packets to private IPs, but your gateway has a private one.
Best practice would be to set another, public IP for monitoring in System > Routing > Gateways.
-
@viragomann said in Modem passthrough PPPoE Fixed IP handover error:
This rule, presumably a floating, blocks the gateway monitoring, since it might block any outgoing packets to private IPs, but your gateway has a private one.
Thanks for identifying my mistake. You are indeed correct. I created a floating rule on the WAN interface long ago and had forgotten about it when installing a pfsense appliance at another location.
At this site PPPoE is used instead of DHCP.
The local address is used during initial PPP negotiation with my ISP (probably to support customers on their carrier grade NAT) prior to changing to my fixed IP address. It appears pfsense continues to use the old local address but the floating rule is applied after PPP negotiation.
Thanks for the solution. Changing the rule from reject to pass showed it was used once then the log spam stopped.
-
Another question for the same interface, how do I make gateway monitoring work? Or is this not possible as it is blocked by my ISP?
pfsense -> Status -> Gateways ->
Name | Gateway | Monitor | RTT | RTTsd | Loss | Status | Description
WAN_PPPOE (Default) | 10.20.25.152 | 10.20.25.152 | 0ms | 0ms | 100% loss | Offline, Packetloss: 100% | Interface WAN_PPPOE Gateway
pfsense -> States -> search 10.20.25.152
Interface | Protocol | Source (Original Source) → Destination (Original Destination) | State | Packets | Bytes
WAN | icmp | 59.123.123.123:11316 -> 10.20.25.152:11316 | 0:0 | 881 / 880 | 25 KiB / 48 KiB
pfsense -> Diagnosis -> Traceroute shows (independent of Use ICMP)
1 10.20.25.152 6.066 ms 5.601 ms 5.225 ms
2 203.219.182.5 6.303 ms 6.451 ms 6.187 ms
pfsense -> Diagnosis -> Ping 10.20.25.152 fails with 100% packet loss.
pfsense -> Status -> Interfaces shows
WAN Interface (wan, pppoe0)
Item | Value
Status | up
PPPoE | up
Uptime | 02:34:04
IPv4 Address | 59.123.123.123 (My redacted fixed IP)
Subnet mask IPv4 | 255.255.255.255
Gateway IPv4 | 10.20.25.152
IPv6 Link Local | fe80::2e0:4cff:fe68:25a1%igb0
MTU | 1492
In/out packets | 193195/210658 (142.05 MiB/56.75 MiB)
In/out packets (pass) | 193195/210658 (142.05 MiB/56.75 MiB)
In/out packets (block) | 1678/0 (154 KiB/0 B)
In/out errors | 0/0
Collisions | 0
Firewall rules
Floating
Action | States | Interfaces | Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description
Pass & Log | 0 /2 KiB | WAN | IPv4 * | * | * | PrivateIPv4 | * | * | none | | Don’t reject local traffic leaving WAN (to ISP gateway)
WAN
Action | States | Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description
Block | 0 /0 B | * | Reserved Not assigned by IANA | * | * | * | * | * | | Block bogon networks
Pass Port forwards
-
@patch
Take any IP in the internet, which you know is responding to ICMP requests. You can set it for monitoring in the gateway settings.
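The diagnosis reached in this thread, as an added example that is not part of any forum post: a Python sketch that reads the PPP local and peer addresses and the gateway alarms from the system log, then reports whether the monitored address falls inside the ranges a block rule for private destinations would match. The sample lines are constructed from the log quoted above; the RFC 1918 list standing in for the rule's private-address alias, and the function names, are assumptions.

```python
import ipaddress
import re

# Constructed sample: four lines copied from the system log quoted in the thread.
SAMPLE_LOG = """\
Nov 9 18:08:22 ppp 16659 [wan] IPCP: LayerUp
Nov 9 18:08:22 ppp 16659 [wan] 59.123.123.123 -> 10.20.25.158
Nov 9 18:08:25 rc.gateway_alarm 50984 >>> Gateway alarm: WAN_PPPOE (Addr:10.20.25.158 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
Nov 9 18:08:34 rc.gateway_alarm 34750 >>> Gateway alarm: WAN_PPPOE (Addr:10.20.25.158 Alarm:1 RTT:0.000ms RTTsd:0.000ms Loss:100%)
"""

# Assumption: the rule's private-destination alias covers the RFC 1918 ranges.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# mpd5 logs "[bundle] <local> -> <peer>" once IPCP reaches LayerUp.
LINK_RE = re.compile(r"ppp \d+ \[\w+\]\s+(\d+(?:\.\d+){3}) -> (\d+(?:\.\d+){3})$")
ALARM_RE = re.compile(r"Gateway alarm: (\S+) \(Addr:(\S+) Alarm:(\d) .*Loss:(\d+)%\)")


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def analyse(log_text):
    """Summarise gateway alarms and flag monitor targets in private space."""
    peers, findings = set(), {}
    for line in log_text.splitlines():
        link = LINK_RE.search(line)
        if link:
            peers.add(link.group(2))  # remote end of the PPP link
            continue
        alarm = ALARM_RE.search(line)
        if alarm and alarm.group(3) == "1":  # Alarm:1 is taken to mean "active"
            gw, addr, loss = alarm.group(1), alarm.group(2), int(alarm.group(4))
            entry = findings.setdefault(gw, {"monitor": addr, "alarms": 0})
            entry["alarms"] += 1
            entry["loss_pct"] = loss
            entry["monitor_is_ppp_peer"] = addr in peers
            entry["matches_private_block"] = is_private(addr)
    return findings


if __name__ == "__main__":
    for gw, info in analyse(SAMPLE_LOG).items():
        print(gw, info)
```

A gateway reported with `matches_private_block` set and 100% loss is a candidate for the fix suggested above: a public monitor IP under System > Routing > Gateways, or a pass rule for the gateway address.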