FRR - RIPv2 Setup
I found this how-to that sets up my exact setup at one of my new sites, but the guy was using a Cisco 4948. Is there anyone here familiar enough with Cisco to convert this to work on pfSense? I want to use pfSense because it is what I have and I am familiar with working on it. I just have not done very much dynamic routing nor used FRR much at all. I will greatly appreciate someone with the knowledge to convert this setup. The router that the ISP put in is causing all sorts of issues plus a bottleneck of about 20% bandwidth, because it is only 1GbE on the WAN and the modem is 2.5GbE. I have some issues with a SaaS and the vendor is saying it's this router; I tested it out over the DHCP connection via pfSense and they are right, it is the router causing the issue. But I need the static IPs to work for VPN connections that are all across the country at my other sites; I would have to go to every location to change them, and that would be a big mess over a POS $100 router.
Here is his post:
How to bring your own equipment and have static IPs
While it may be going away, classifying ISPs under Title II is a great thing, and it requires that an ISP (Comcast) let you use your own equipment. This is federal law, and even if Title II were repealed, saying it is technically mandatory for you to use Comcast's equipment just to get you to rent it, I'm pretty sure that could violate parts of the Uniform Commercial Code, but let's just say the techs don't know any better.
Let's clarify some things.
- Comcast owns no proprietary internet technology; everything from your modem/router to their hub runs on well-known standards usually described in RFCs.
- Every piece of Comcast equipment you will see is a mass-produced Linksys/Netgear device.
- Comcast uses a well-known standard called DOCSIS 3.0 to get you internet over coax, TFTP to load your modem's config and SNMP to manage it. While they have some smart people, they didn't make any changes to the standards, and while some of them may have been a part of the design, I doubt it.
- Comcast built its own custom web interface for your device, specifically designed to prevent a consumer from getting full access to their information.
- Aside from popping up Xfinity hotspots, these modem/routers scan your internal network and are vulnerable. The CG300DCR, for instance: you cannot fully turn off or change the 10.1.10.1 IP addresses. You can't isolate them. It also has a way more open IP address of 192.168.100.1/24. It will respond to DNS requests from almost any local IP set. It will grant that 10.1.10.1 access to the internet, and so on.
- At no time are all the static IPs loaded into a Comcast modem/router. That doesn't even make sense.
Here is how comcast does their static ip address configuration.
There is a virtual port (or perhaps it's the coax port) that gets a dynamic public ip address. This is not part of your static range.
The modem/router then gets the default gateway IP address assigned to another virtual port. Which those ports on the back can talk to.
What needs to be loaded is the dynamic routing config (because apparently one spoke site couldn't possibly work with static routing. That'd be too easy).
Comcast uses RIPv2 with an authentication key to do route updates. The Comcast techs can log into your modem and see what this authentication key is, among other things, and make other changes.
I rent business class internet with 13 static IPs and I finally found an employee who would provide the info. I am running a CPE TP-Link modem in bridge mode and my Cisco 4948 is doing the RIPv2 routing, and it works, and a device I can fully control is now the gateway. That is what people who use their own firewalls, or perhaps like to not do NAT on an internal network between public and private IPs, want. While I acknowledge that some of the Comcast routers can do some of this, they don't do it well, their techs aren't informed and it just creates more headaches for the IT department.
Anyway, here's the excerpted config from my Cisco 4948 switch, but any device that supports RIPv2 will be able to handle this.
So get a CPE modem and put it into bridge mode (I used a TPLINK 7620)
plug it into a port on the cisco switch (I used Gi1/1)
Configure RIP globally. (My notes are the lines beginning with "!", which IOS treats as comments; the commands are the lines without it.)

! router rip brings you into the RIP config
router rip
 ! version 2 specifies the version
 version 2
 ! This may not be necessary. In fact Comcast doesn't send any RIP routes your way
 no validate-update-source
 ! This turns off RIP messages going out all the interfaces on your switch
 passive-interface default
 ! This tells it to use port Gi1/1 to send RIP routing info
 no passive-interface GigabitEthernet1/1
 ! So this is lazy: it identifies any network you want to advertise and advertise on, but because the WAN IP is dynamic there was really no other way
 network 0.0.0.0
 ! This refers to an access list and uses it to prevent you from sending internal routes out to Comcast
 distribute-list 28 out GigabitEthernet1/1
 ! This is probably unnecessary but a holdover from training or a place I worked
 no auto-summary

! So this access list basically blocks any private IP address from being advertised to Comcast (and I hope they have some safeguards on their end). If you have other WAN links in your network I would add them to deny statements if possible.
access-list 28 deny 10.0.0.0 0.255.255.255
access-list 28 deny 172.16.0.0 0.15.255.255
access-list 28 deny 192.168.0.0 0.0.255.255
access-list 28 permit any

! This is the authentication key for the RIP messages; I've blocked it out. It's done in the global config.
key chain comcast
 key 1
  key-string 7 ##########################

! Interface to Comcast router
interface GigabitEthernet1/1
 description /Link -> Comcast Router/
 no switchport
 ! Tells it to grab an IP address via DHCP. Also on Cisco make sure you don't have a gateway of last resort; this will add one to your config with a space, then 254 at the end. If you have another one pointing at the same interface it will screw with your performance on some models.
 ip address dhcp
 ip rip authentication mode md5
 ip rip authentication key-chain comcast
 ! This should be your static IP address; makes it really easy for RIP to advertise
 ip summary-address rip xx.xx.xx.xx 255.255.255.240
 no cdp enable
 spanning-tree bpdufilter enable

! So to each his own, but I use VLANs and this just happens to be where my static IP VLAN is.
interface Vlanxxx
 description /Static Gateway/
 ip address xxx.xxx.xxx.xxx 255.255.255.240

And we're done.
END of his post.
So if anyone knows how to convert this, it would help me out a lot!
Thanks
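For reference, here is the same setup rendered as an FRR ripd configuration, the form pfSense's FRR package ultimately feeds to the daemon (frr.conf or vtysh). This is an added example, not part of the quoted post and not code from the FRR or pfSense projects. It assumes the bridged modem sits on the pfSense WAN interface "igb0", the static /28 lives on a VLAN sub-interface "igb0.100" whose address pfSense itself configures, and the documentation prefix 203.0.113.0/28 stands in for the real static block; the key string is a placeholder for the value Comcast gives you.

```text
! Added example: FRR ripd equivalent of the Cisco 4948 config above (not from the original
! post or from FRR/pfSense). Interface names and the 203.0.113.0/28 block are assumptions.
!
! RIPv2 MD5 key chain. FRR keeps the key-string in clear text, and Cisco's "7" encoding
! is only reversible obfuscation anyway, so the config file itself is the secret here.
key chain comcast
 key 1
  key-string REPLACE-WITH-KEY-FROM-COMCAST
!
! Outbound filter toward the ISP: the prefix-list counterpart of access-list 28.
! "le 32" also catches any more-specific subnet inside the three RFC 1918 ranges,
! not just the exact /8, /12 and /16.
ip prefix-list comcast-out seq 10 deny 10.0.0.0/8 le 32
ip prefix-list comcast-out seq 20 deny 172.16.0.0/12 le 32
ip prefix-list comcast-out seq 30 deny 192.168.0.0/16 le 32
ip prefix-list comcast-out seq 100 permit 0.0.0.0/0 le 32
!
! WAN interface facing the Comcast router. The DHCP address comes from pfSense's own
! WAN settings; FRR only adds RIP authentication on this link.
interface igb0
 ip rip authentication mode md5
 ip rip authentication key-chain comcast
!
router rip
 version 2
 ! Only the WAN link speaks RIP; every other interface stays passive, as on the 4948.
 passive-interface default
 no passive-interface igb0
 network igb0
 ! Advertise connected networks (the static /28 on igb0.100 among them), which stands in
 ! for "ip summary-address rip"; the prefix-list strips anything private before it leaves.
 redistribute connected
 distribute-list prefix comcast-out out igb0
!
! ripd has no "auto-summary" or "validate-update-source" commands; the post already
! calls both unnecessary, since Comcast sends no routes inbound.
```

To confirm the filter is doing its job, check `show ip rip` and `show ip rip status` in vtysh after the daemon is up, and capture UDP port 520 on igb0 for one update interval: the response packets leaving toward Comcast should list only the static block, never 10/8, 172.16/12 or 192.168/16 space. If authentication fails against the Comcast side, the key chain name, key number and key string are the first things to compare with what the Comcast tech reads out of the old modem.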