Request for Dashboard Tweak

stephenw10

What exactly were you seeing there?

At the very minimum I would expect to see no IP address. But in 2301 at least it will also show as down if there's a bad password:

Good password:

Steve

voxmagna1

@stephenw10 I see the WAN with my Static IP provided by my ISP and a green up arrow as though everything on the WAN side was o.k. But pfsense update manager was trying to run and froze (1st clue) then when I tried to browse, I could ping IP addresses but couldn't get domains resolved (2nd clue but sent me looking for a DNS problem) and there was no IO traffic from web browsers or my AV update request showing on the WAN graph.

I tried to explain everything. This IP must open the channel without credentials because it first needs a way to address and populate its own routers with the POE username and password as it takes on new subscribers. It always puzzled me why they used to say it could take an hour or 2 for a new subscriber to get connected on an ADSL router even though its green leds were all lit. Now the penny has dropped because new or changed account credentials have to be sent to their router. Once received, the router will reconnect properly logged in in about the same time as pfsens.

My Dashboard showed WAN as green and up and timing, but nothing from the LAN side was getting through. I've tried putting in the wrong POE password, rebooted pfsense and got the same green up and IP address on the WAN interface. It's only by looking at the PPP log showing the POE login transaction that I can see my ISP account username and encrypted password attemps several times and a CHAPS confirmation of fail or success. When the correct username/PW is entered and confirmed, I still get the same static IP and green up tick but now there is browsing traffic on the WAN graph and DNS is resolved.

I may have this wrong, but all commercial ISP supplied routers must start with the WAN open to allow the credential handshake over POEe to take place which is why I think pfsense says the link is up, but not good for transferring data?
I would just like the dashboard WAN link status to show its properly active and authenticated, either by change of color or if authentication is attempted and fails, it goes to red down to?

Now my ISP WAN side password has been changed it means I could fall foul of the same problem if I import older config settings because they have the wrong POE passord. It's slightly more problematic because the xml password string is hashed and uneditable so I would have to remember to enter the new password via the webconfigurator after importing the backup settings.

stephenw10

Hmm, how do you have the static IP configured? Normally it would still be the ISP that passes that to you.
A PPPoE interface should always appear as down until the linkup is complete. It shouldn't matter what the parent NIC status is.

voxmagna1

@stephenw10 After they assigned the static public IP and I got problems (not realising the change of web account password affected the router) I tried setting the WAN to IPV4 fixed IP. I got the green up tick, but nothing pased through. I didn't check the PPP log but now assume that whilst I can set a static IP in pfsense and ping the public IP, the connection isn't authenticated for traffic?

Another clue I gave: I don't know how Pfsense or other routers confirm the WAN UP status, but I said could always ping my public static IP and get a reply even after CHAPs authentication handshake had failed. Because I never changed the password in the past with their dynamic allocated IP, I can't say what happens when the username or password string is wrong.

There wouldn't be a problem with an ISP supplied router because it seems pre-configured to import credentials from your account details or if they change, the router is updated? Their router GUI PPPoE settings are hidden.

Perhaps this U.K ISP works differently, but for home services you have to have a fixed landline phone number and they could use that as a first step to establish your customer ID and sending credentials to their router. That makes sense because all their routers are shipped the same with PPPoE enabled with default or empty login fields. When a customer leaves they only have to close the account and their router won't login.

stephenw10

@voxmagna1 said in Request for Dashboard Tweak:

Perhaps this U.K ISP works differently, but for home services you have to have a fixed landline phone number and they could use that as a first step to establish your customer ID

That is certainly true for some UK ISPs. BT for example don't require a password but pfSense does so you can use anything. My login there is bthomehub@btbroadband.com/password. They use the line you are connecting on to identify you so the login doesn't matter.

@voxmagna1 said in Request for Dashboard Tweak:

I tried setting the WAN to IPV4 fixed IP.

If you do that the link is not using PPPoE at all. In that situation it will show as up because it's only looking at the state of the link on the NIC and that is linked to the modem.
You will always be able to ping the public IP you set as static there because it's on the firewall itself whether or not the upstream link is up. However you would note that the ping response time is very low. Too low to actually be crossing the WAN connection and back.

The setup I expect here is that the WAN is still configured as PPPoE and the ISP hands you the same static IP at each connection.

Steve

voxmagna1

@stephenw10 Thanks. I spent a lot of time digging around on this looking for an explanation. Every time the WAN link was marked as UP and green I checked the ppp log and when the link wouldn't accept DNS requests, the PPP log showed my ISP account username but CHAPS authentication had failed. When I entered the correct password with the same username, the PPP log comfirmed authentication o.k, I got the same green UP arrow and could then pass data. I changed nothing else in my router configuration.

stephenw10

I sounds like it was somehow still connecting the PPPoE link even though the WAN was set as a static IP. Which is odd. How is it configured now?

voxmagna1

@stephenw10 Like this which is how it always worked. It's a simple home configuration. LAN to WAN, client PCs are allocated static IPs to allow filtering according to their IP address.

stephenw10

Yeah, that should work fine. But I would certainly expect it to show as down with the wrong credentials. Plusnet require correct credentials.

voxmagna1

@stephenw10 Agree, but do you know how pfsense determines the WAN link is UP?

When I reboot with wrong credentials my WAN static IP is shown on the Dashboard which I can ping o.k, the UP timer is running but I can't do anything else and that puzzles me? My Pfsense box is behind an OpenReach fibre modem. Can that issue an IP address from the ISP which does nothing until the link is authenticated by the firewall?