Netgate Discussion Forum

    Please help me understand "IP Passthrough" via ATT Fiber BGW500-320

    General pfSense Questions
    10 Posts 4 Posters 1.9k Views
    • B
      Boethius

      I've set this up and it is working but I am not clear on exactly how it is working.

      My setup is BGW500 - WAN of pfSense. There was a period spanning a few days in which I'd configured for IP passthrough and the only connectivity I was seeing was to other devices in my public IP subnet. No traffic to 8.8.8.8, pfsense unable to check for updates, etc.

      I scanned the /23 and then to my surprise saw my ARP cache database full of my gateway's MAC address for every public IP on that block, including its default gateway (23.xxx.xxx.1).

      What's going on behind the scenes?

      • S
        SteveITS Galactic Empire @Boethius

        @boethius Passthrough gives your pfSense WAN a public IP. I used to use that setting with AT&T DSL at home. The AT&T router is still accessible via its private LAN IP.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

          • B
            Boethius @SteveITS

            @steveits Ok to be more specific, why does pfsense report every address as being up when in fact only about ~10 hosts in this network are live? And why do they all have the MAC of the BGW500-320?

            [2.5.2-RELEASE][admin@pfsense.52ae.gov]/root: nmap -sn 23.190.42.0/23
            Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-10 13:16 PST
            Nmap scan report for 23-190-42-0.lightspeed.sntcca.sbcglobal.net (23.190.42.0)
            Host is up (0.0012s latency).
            MAC Address: CC:AB:2C:26:A5:0E (Humax)
            Nmap scan report for 23-190-42-1.lightspeed.sntcca.sbcglobal.net (23.190.42.1)
            Host is up (0.00082s latency).
            MAC Address: CC:AB:2C:26:A5:0E (Humax)
            Nmap scan report for 23-190-42-2.lightspeed.sntcca.sbcglobal.net (23.190.42.2)
            Host is up (0.00088s latency).
            MAC Address: CC:AB:2C:26:A5:0E (Humax)
            Nmap scan report for 23-190-42-3.lightspeed.sntcca.sbcglobal.net
            ....
            ....
            ....
            CC:AB:2C:26:A5:0E (Humax)
            Nmap scan report for 23-118-49-249.lightspeed.sntcca.sbcglobal.net (23.118.49.249)
            Host is up (0.00071s latency).
            MAC Address: CC:AB:2C:26:A5:0E (Humax)
            Nmap scan report for 23-118-49-250.lightspeed.sntcca.sbcglobal.net (23.118.49.250)
            Host is up (0.00081s latency).
            MAC Address: CC:AB:2C:26:A5:0E (Humax)
            Nmap scan report for 23-118-49-251.lightspeed.sntcca.sbcglobal.net (23.118.49.251)
            Host is up (0.00092s latency).
            MAC Address: CC:AB:2C:26:A5:0E (Humax)
            Nmap scan report for 23-118-49-252.lightspeed.sntcca.sbcglobal.net (23.118.49.252)
            Host is up (0.00091s latency).
            MAC Address: CC:AB:2C:26:A5:0E (Humax)
            Nmap scan report for 23-118-49-253.lightspeed.sntcca.sbcglobal.net (23.118.49.253)
            Host is up (0.00100s latency).
            MAC Address: CC:AB:2C:26:A5:0E (Humax)
            Nmap scan report for 23-118-49-254.lightspeed.sntcca.sbcglobal.net (23.118.49.254)
            Host is up (0.0011s latency).
            MAC Address: CC:AB:2C:26:A5:0E (Humax)
            Nmap scan report for 23-118-49-255.lightspeed.sntcca.sbcglobal.net (23.118.49.255)
            Host is up (0.0011s latency).
            MAC Address: CC:AB:2C:26:A5:0E (Humax)
            Nmap scan report for 23-190-42-246.lightspeed.sntcca.sbcglobal.net (23.190.42.246)
            Host is up.
            Nmap done: 512 IP addresses (512 hosts up) scanned in 3.52 seconds
            
            • S
              SteveITS Galactic Empire @Boethius

              @boethius Don't know. My experience was the passthrough was via DHCP and I didn't try to scan the subnet.

              If they're not your IPs how do you know there are only 10 active?

              • B
                Boethius @SteveITS

                @steveits

                I ran the scan with ARP probes turned off, maybe there are more than ~10 but not many more. Also scanned from different networks with laptop.

                • B
                  bPsdTZpW @Boethius

                  @boethius said in Please help me understand "IP Passthrough" via ATT Fiber BGW500-320:

                  @steveits Ok to be more specific, why does pfsense report every address as being up when in fact only about ~10 hosts in this network are live?

                  Where do you see this? On diagnostics/ARP table? Before or after running that nmap command?

                  And why do they all have the MAC of the BGW500-320?

                  The BGW320 is a very strange beast. It doesn't surprise me that it substitutes its MAC address for other devices on the WAN, which is, after all, what you're scanning with that nmap command.

                  • B
                    Boethius @bPsdTZpW

                    @bpsdtzpw After the command, and I see it in arpwatch (an available package) database.

                    • B
                      bPsdTZpW @Boethius

                      @boethius said in Please help me understand "IP Passthrough" via ATT Fiber BGW500-320:

                      @bpsdtzpw After the command, and I see it in arpwatch (an available package) database.

                      I am a little unsure exactly how this works, but I suspect that the ARP entries you are seeing are dummy entries. When you probe the WAN IP addresses, your requests get routed through the BGW, then through the ISP gateway. All of this is level 3 (IP) routing. You don't actually need (nor should you really get, for privacy reasons) the MAC addresses corresponding to the probed WAN IPs. You get only the MAC address of the BGW, and, because you're using passthrough mode, the MAC address of the ISP's gateway, 'cuz your pfSense has gotta have that to send it packets for routing onto the internet at large.

                      • stephenw10S
                        stephenw10 Netgate Administrator

                        Yeah, seems like the gateway device is running proxyarp for some reason.

                        If you can connect to devices in the WAN subnet but nothing upstream from that, it's either because there's no default route or the outbound NAT is not functioning. Either is probably because the WAN gateway is not configured on the WAN interface itself.

                        Steve
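
The proxy ARP pattern discussed in this thread (one gateway MAC answering for every address in the WAN subnet) can be confirmed from a saved nmap -sn report by grouping the responding addresses by MAC. This is an added example, not part of any post above; the sample report is constructed with documentation addresses and made-up MACs, and the function names and the min_ips threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in `nmap -sn` format (documentation IPs, made-up MACs).
SAMPLE = """\
Nmap scan report for 192.0.2.1
Host is up (0.00082s latency).
MAC Address: 02:00:00:AA:BB:01 (Unknown)
Nmap scan report for gw.example.net (192.0.2.2)
Host is up (0.00088s latency).
MAC Address: 02:00:00:AA:BB:01 (Unknown)
Nmap scan report for 192.0.2.3
Host is up (0.00091s latency).
MAC Address: 02:00:00:AA:BB:01 (Unknown)
Nmap scan report for 192.0.2.4
Host is up (0.00100s latency).
MAC Address: 02:00:00:CC:DD:02 (Unknown)
Nmap scan report for 192.0.2.10
Host is up.
Nmap done: 5 IP addresses (5 hosts up) scanned in 0.52 seconds
"""

REPORT = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?$")
MAC = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")

def group_by_mac(nmap_text):
    """Map each MAC to the IPs nmap attributed to it (the scanner has no MAC line)."""
    groups, current_ip = defaultdict(list), None
    for line in nmap_text.splitlines():
        line = line.strip()
        if line.startswith("Nmap scan report for"):
            m = REPORT.match(line)
            # A truncated report line yields no IP; do not reuse the previous one.
            current_ip = m.group(1) if m else None
            continue
        m = MAC.match(line)
        if m and current_ip:
            groups[m.group(1).upper()].append(current_ip)
            current_ip = None
    return dict(groups)

def proxy_arp_suspects(nmap_text, min_ips=3):
    """Return {mac: ips} for MACs answering for at least min_ips addresses (assumed threshold)."""
    return {mac: ips for mac, ips in group_by_mac(nmap_text).items()
            if len(ips) >= min_ips}

if __name__ == "__main__":
    for mac, ips in proxy_arp_suspects(SAMPLE).items():
        print(f"{mac} answers ARP for {len(ips)} addresses: {', '.join(ips)}")
```

A single MAC holding most of a subnet means "Host is up" reflects the gateway's ARP replies, not live hosts, so the result says nothing about upstream reachability.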

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.