PfSense Bridge Mode with ISP Router

panzerscope

Hello all.

I have since moved to a new ISP (Lightspeed Broadband) that allows for their router to be put into Bridge Mode which I know is a much more ideal setup than what I have now which is having two routers on the network, meaning double NAT. This would be my first time setting up a Bridge in this way.

I know it is as simple as enabling it on the ISP Router end, that is the easy bit, however I am unsure what steps I need to take on my PfSense firewall to complete the bridge plus any DO's and Don'ts you guys may be aware of. I did do a search on how to setup bridge mode, but upon my searching I did not find a particularly accurate or decent guide on how to do it, so I wanted to call in on those here who have already set this up successfully.

Let me know if there is any particular additional info needed

Many thanks in advance,
P

stephenw10

If you pfSense WAN is set as DHCP already and currently receiving a private IP from the ISP router you may not need to do anything. After putting the ISP router in bridge mode pfSense will simply get a DHCP lease from the ISP directly.
If the ISP is not using dhcp that requires other changes, setting up PPPoE for example.

With a public IP on the pfSense WAN it's important to check your WAN rules are not openning any ports that should not be.

You may have to add a VIP on WAN to access the ISP router for diagnostic data etc.

Steve

panzerscope

@stephenw10 said in PfSense Bridge Mode with ISP Router:

If you pfSense WAN is set as DHCP already and currently receiving a private IP from the ISP router you may not need to do anything. After putting the ISP router in bridge mode pfSense will simply get a DHCP lease from the ISP directly.
If the ISP is not using dhcp that requires other changes, setting up PPPoE for example.

With a public IP on the pfSense WAN it's important to check your WAN rules are not openning any ports that should not be.

You may have to add a VIP on WAN to access the ISP router for diagnostic data etc.

Steve

Hello Steve,

Thanks very much for your reply. Currently my WAN is set to a static IP but I can change it to DHCP and see what happens once I change my ISP router to Bridge Mode. Fortunately on my ISP router, I can select which of 4x Lan ports goes into bridge mode, so re-accessing the ISP admin page will be possible using one of the other ports, until I learn how to setup VIP as you describe. I should have said that my ISP router is a Nokia XS-2426G-A

Looking at the ISP WAN Page, it is getting its public IP using DHCP as per below, so hopefully it will be as simple as setting PfSense WAN to DHCP.

Thanks for the warning regarding ports, right now I only have ports open for items like Plex and Games, everything else is not setup, should I setup anything else in respect to the ports ? I assume if there is no rule for them created, they are not "Open".

stephenw10

Everything is closed b default, yes.

It looks like it requires a VLAN (1081). The ISP router may or may not still do that in bridge mode. If it doesn't you would need to add the VLAN in pfSense.

JKnott

@panzerscope

Does Lightspeed provide IPv6? If so, you'll also want to set up that.

panzerscope

@stephenw10 said in PfSense Bridge Mode with ISP Router:

Everything is closed b default, yes.

It looks like it requires a VLAN (1081). The ISP router may or may not still do that in bridge mode. If it doesn't you would need to add the VLAN in pfSense.

I guess I will find out when I get it set up. I called the ISP today as their Bridge mode is still in its Trial Phase, as such you have to specifically request that your account be enabled. I am just waiting for that to happen now. Ironically my broadband just went down, so need to tackle that first haha.

@JKnott said in PfSense Bridge Mode with ISP Router:

@panzerscope

Does Lightspeed provide IPv6? If so, you'll also want to set up that.

I believe so, yes. They have IPv6 in their router, though I am using IPv4 at the moment. How would I go about enabling IPv6 on PfSense? I mean that could be something I can do now irrespective to what ISP I am using. At least that way it is done.

Thanks for the assistance thus far guys.

stephenw10

@panzerscope said in PfSense Bridge Mode with ISP Router:

I called the ISP today as their Bridge mode is still in its Trial Phase, as such you have to specifically request that your account be enabled.

That's probably a good thing. There will be relatively few people doing it and they will be trying hard to make it work. They can probably tell you if you need a VLAN.

JKnott

@panzerscope said in PfSense Bridge Mode with ISP Router:

Does Lightspeed provide IPv6? If so, you'll also want to set up that.

I believe so, yes. They have IPv6 in their router, though I am using IPv4 at the moment. How would I go about enabling IPv6 on PfSense? I mean that could be something I can do now irrespective to what ISP I am using. At least that way it is done.

Here's the basic setup for Rogers (my ISP). Perhaps someone here could provide more specific info for Lightspeed.

panzerscope

@JKnott said in PfSense Bridge Mode with ISP Router:

@panzerscope said in PfSense Bridge Mode with ISP Router:

Does Lightspeed provide IPv6? If so, you'll also want to set up that.

I believe so, yes. They have IPv6 in their router, though I am using IPv4 at the moment. How would I go about enabling IPv6 on PfSense? I mean that could be something I can do now irrespective to what ISP I am using. At least that way it is done.

Here's the basic setup for Rogers (my ISP). Perhaps someone here could provide more specific info for Lightspeed.

Hey guys,

So my ISP switched my service to Bridge Mode, I have set the WAN interface for IPv4 and IPv6 to DHCP on PfSense. I can see that my PfSense is fetching a public IP on my WAN, so that part is good. The issues I have having is a DNS Probe Failure Issue, that being said, if I ping a DNS server I am getting an unreachable message, so may not necessarily just be DNS.

I am not sure if I need to setup some form of VLAN as mentioned before ? If so how would I go about doing that ? I did ask Lightspeed if there was anything specific I need to setup, other than simply turning on Bridge Mode, and they said no, but I was talking to a non techie.

I also tried the above settings you tried for Rogers @JKnott but this has not helped unfortunately.

FYI this is what the WAN pages of my ISP router look like

This is what the WAN page on PfSense currently looks like (Excuse the photographs.)

Any help or advice greatly appreciated.

Jarhead

@panzerscope Should just have to create vlan 1081 using the wan as parent, then in interfaces/assignments, assign the vlan to WAN.

stephenw10

You might not have to since it still seems to be enabled in the 'modem' and dhcp seems to be working.

Do you receive a gateway and default route on the WAN?

Can you ping the gateway? Ping 8.8.8.8?

panzerscope

Thanks for all the help guys.

I actually found what the issue was. So to start, to get bridge mode working, as suspected, all I needed to do was change my WAN to DHCP on PfSense. I also enabled DHCP for IPv6, just for future. The issue was that in PfSense, my IPv4 default gateway was still set to use my WANGW profile which was using a static address for my old setup. After changing my default gateway to WAN_DHCP, everything came alive!

So for anyone using Lightspeed with PfSense that wants to use Bridge Mode, take the following steps

1. Call Lightspeed as they have to specifically enable Bridge Mode on your account (at least at the time of writing this as they are still trialling Bridge Mode)
2. Login to your Nokia ISP router, go to Network>LAN and enable Bridge Mode on whichever LAN interface you will be plugging in your PfSense PC/Device WAN into. As per the below example

3. Log into PfSense, go to Interface>WAN.

Ensure/Change your IPv4 and IPv6 WAN to DHCP as per below example.

4. From System>Routing>Gateways, you need to ensure that your IPv4/IPv6 default gateways are set to WAN_DHCP as per the below example.

Only last thing I need to figure out guys, is how do you setup a "VIP" on PfSense so I can login to the ISP Router ?

Thanks!

JKnott

@panzerscope

There is one other setting to check. On System / Advanced / Networking, select Do not allow PD/Address release. This will prevent the IPv6 prefix changing, provided the ISP supports it. If they don't, you may want to consider Unique Local Addresses so that devices on your LAN will have consistent addresses.

stephenw10

@panzerscope said in PfSense Bridge Mode with ISP Router:

Only last thing I need to figure out guys, is how do you setup a "VIP" on PfSense so I can login to the ISP Router ?

You may not need a VIP, it depends how the router/modem handles the connection when it's in bridge mode.

Try to access the modems management IP from a client behind pfSense.

panzerscope

This post is deleted!

panzerscope

@JKnott

Thanks I will look into that :)

@stephenw10

I cannot access the ISP modem using anything behind PfSense :(

stephenw10

OK then you probably need a VIP on the WAN in the modems subnet and an outbound NAT rule.

https://docs.netgate.com/pfsense/en/latest/recipes/modem-access.html?highlight=modem#configure-nat