Please help me understand "IP Passthrough" via ATT Fiber BGW500-320
-
I've set this up and it is working but I am not clear on exactly how it is working.
My setup is BGW500 - WAN of pfSense. There was a period spanning a few days in which I'd configured for IP passthrough and the only connectivity I was seeing was to other devices in my public IP subnet. No traffic to 8.8.8.8, pfsense unable to check for updates, etc.
I scanned the /23 and then to my surprise saw my ARP cache database full of my gateway's MAC address for every public IP on that block, including its default gateway (23.xxx.xxx.1).
What's going on behind the scenes?
-
@boethius Passthrough gives your pfSense WAN a public IP. I used to use that setting with AT&T DSL at home. The AT&T router is still accessible via its private LAN IP.
-
@steveits Ok to be more specific, why does pfsense report every address as being up when in fact only about ~10 hosts in this network are live? And why do they all have the MAC of the BGW500-320?
[2.5.2-RELEASE][admin@pfsense.52ae.gov]/root: nmap -sn 23.190.42.0/23
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-10 13:16 PST
Nmap scan report for 23-190-42-0.lightspeed.sntcca.sbcglobal.net (23.190.42.0)
Host is up (0.0012s latency).
MAC Address: CC:AB:2C:26:A5:0E (Humax)
Nmap scan report for 23-190-42-1.lightspeed.sntcca.sbcglobal.net (23.190.42.1)
Host is up (0.00082s latency).
MAC Address: CC:AB:2C:26:A5:0E (Humax)
Nmap scan report for 23-190-42-2.lightspeed.sntcca.sbcglobal.net (23.190.42.2)
Host is up (0.00088s latency).
MAC Address: CC:AB:2C:26:A5:0E (Humax)
Nmap scan report for 23-190-42-3.lightspeed.sntcca.sbcglobal.net
....
....
....
CC:AB:2C:26:A5:0E (Humax)
Nmap scan report for 23-118-49-249.lightspeed.sntcca.sbcglobal.net (23.118.49.249)
Host is up (0.00071s latency).
MAC Address: CC:AB:2C:26:A5:0E (Humax)
Nmap scan report for 23-118-49-250.lightspeed.sntcca.sbcglobal.net (23.118.49.250)
Host is up (0.00081s latency).
MAC Address: CC:AB:2C:26:A5:0E (Humax)
Nmap scan report for 23-118-49-251.lightspeed.sntcca.sbcglobal.net (23.118.49.251)
Host is up (0.00092s latency).
MAC Address: CC:AB:2C:26:A5:0E (Humax)
Nmap scan report for 23-118-49-252.lightspeed.sntcca.sbcglobal.net (23.118.49.252)
Host is up (0.00091s latency).
MAC Address: CC:AB:2C:26:A5:0E (Humax)
Nmap scan report for 23-118-49-253.lightspeed.sntcca.sbcglobal.net (23.118.49.253)
Host is up (0.00100s latency).
MAC Address: CC:AB:2C:26:A5:0E (Humax)
Nmap scan report for 23-118-49-254.lightspeed.sntcca.sbcglobal.net (23.118.49.254)
Host is up (0.0011s latency).
MAC Address: CC:AB:2C:26:A5:0E (Humax)
Nmap scan report for 23-118-49-255.lightspeed.sntcca.sbcglobal.net (23.118.49.255)
Host is up (0.0011s latency).
MAC Address: CC:AB:2C:26:A5:0E (Humax)
Nmap scan report for 23-190-42-246.lightspeed.sntcca.sbcglobal.net (23.190.42.246)
Host is up.
Nmap done: 512 IP addresses (512 hosts up) scanned in 3.52 seconds
-
@boethius Don't know. My experience was the passthrough was via DHCP and I didn't try to scan the subnet.
If they're not your IPs how do you know there are only 10 active?
-
I ran the scan with ARP probes turned off; maybe there are more than ~10 but not many more. Also scanned from different networks with a laptop.
-
@boethius said in Please help me understand "IP Passthrough" via ATT Fiber BGW500-320:
@steveits Ok to be more specific, why does pfsense report every address as being up when in fact only about ~10 hosts in this network are live?
Where do you see this? On diagnostics/ARP table? Before or after running that nmap command?
And why do they all have the MAC of the BGW500-320?
The BGW320 is a very strange beast. It doesn't surprise me that it substitutes its MAC address for other devices on the WAN, which is, after all, what you're scanning with that nmap command.
-
@bpsdtzpw After the command, and I see it in arpwatch (an available package) database.
-
@boethius said in Please help me understand "IP Passthrough" via ATT Fiber BGW500-320:
@bpsdtzpw After the command, and I see it in arpwatch (an available package) database.
I am a little unsure exactly how this works, but I suspect that the ARP entries you are seeing are dummy entries. When you probe the WAN IP addresses, your requests get routed through the BGW, then through the ISP gateway. All of this is level 3 (IP) routing. You don't actually need (nor should you really get, for privacy reasons) the MAC addresses corresponding to the probed WAN IPs. You get only the MAC address of the BGW, and, because you're using passthrough mode, the MAC address of the ISP's gateway, 'cuz your pfSense has gotta have that to send it packets for routing onto the internet at large.
-
Yeah, seems like the gateway device is running proxyarp for some reason.
If you can connect to devices in the WAN subnet but nothing upstream from that, it's either because there's no default route or the outbound NAT is not functioning. Either is probably because the WAN gateway is not configured on the WAN interface itself.
Steve
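The proxy-ARP behaviour Steve describes has a simple signature in the firewall's own ARP table: one MAC address claiming many IPs on the same interface. The script below is an added example, not code from the thread or from pfSense, that parses FreeBSD-style `arp -an` output (pfSense is FreeBSD-based, so this is the format its shell prints) and flags any (interface, MAC) pair answering for more than a chosen number of addresses. The `SAMPLE_ARP` text is constructed to resemble the scan results above; the interface names `igb0`/`igb1`, the non-gateway MACs and the threshold default are assumptions. On a real box you would pipe `arp -an` into `proxy_arp_suspects` instead of using the sample.

```shell
#!/bin/sh
# Added example (not from the thread): spot a proxy-ARP gateway by counting
# how many IPs each MAC answers for on each interface of a FreeBSD/pfSense box.

# Constructed sample of `arp -an` output in FreeBSD format. The interface
# names and the two non-gateway MACs are assumptions; the gateway MAC is the
# one reported by nmap in the thread.
SAMPLE_ARP='? (23.190.42.0) at cc:ab:2c:26:a5:0e on igb0 expires in 1190 seconds [ethernet]
? (23.190.42.1) at cc:ab:2c:26:a5:0e on igb0 expires in 1190 seconds [ethernet]
? (23.190.42.2) at cc:ab:2c:26:a5:0e on igb0 expires in 1189 seconds [ethernet]
? (23.190.42.3) at cc:ab:2c:26:a5:0e on igb0 expires in 1189 seconds [ethernet]
? (23.190.42.4) at cc:ab:2c:26:a5:0e on igb0 expires in 1188 seconds [ethernet]
? (23.190.42.9) at (incomplete) on igb0 expired [ethernet]
? (23.190.42.246) at 00:11:22:33:44:55 on igb0 permanent [ethernet]
? (192.168.1.254) at cc:ab:2c:26:a5:0e on igb0 expires in 600 seconds [ethernet]
? (10.0.0.5) at aa:bb:cc:dd:ee:01 on igb1 expires in 900 seconds [ethernet]
? (10.0.0.6) at aa:bb:cc:dd:ee:02 on igb1 expires in 900 seconds [ethernet]'

# count_ips_per_mac: read `arp -an` lines from stdin and print
# "IFACE MAC COUNT" for every (interface, MAC) pair, sorted.
# Incomplete entries (no MAC resolved) are skipped.
count_ips_per_mac() {
    awk '
        # field layout: ? (IP) at MAC on IFACE ...
        $3 == "at" && $5 == "on" && $4 != "(incomplete)" {
            key = $6 " " tolower($4)
            n[key]++
        }
        END { for (k in n) print k, n[k] }
    ' | sort
}

# proxy_arp_suspects [THRESHOLD]: read `arp -an` from stdin and list pairs
# that answer for more than THRESHOLD distinct IPs (default 3). A single
# MAC covering a whole subnet is what a proxy-ARP gateway looks like.
proxy_arp_suspects() {
    threshold="${1:-3}"
    count_ips_per_mac | awk -v t="$threshold" '$3 > t { print $1, $2, $3 }'
}

# check_arp_text TEXT [THRESHOLD]: run proxy_arp_suspects over a string,
# handy for testing without a live ARP table.
check_arp_text() {
    printf '%s\n' "$1" | proxy_arp_suspects "${2:-3}"
}

# Stand-alone usage: report suspects in the constructed sample.
# On a live pfSense shell use:  arp -an | proxy_arp_suspects 3
check_arp_text "$SAMPLE_ARP" 3
```

With the sample input the report is a single line naming `igb0`, the gateway's MAC and a count of 6; the pfSense WAN address itself (the `permanent` entry) and the two hosts on `igb1` are not flagged. If a production ARP table shows the same pattern on the WAN interface, the gateway is answering ARP on behalf of the whole block, which explains why a ping sweep reports every address as up and why the MAC column is uniform.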