AT&T screwed me over, now can't reach services behind pfSense from outside
-
I have had AT&T Fiber Internet since April 2020. I remembered having a bit of a hassle originally setting up the BGW210-700 router they provided me with back then, but I had everything working as I expected it to until Thursday. I made the mistake of contacting them about an absolutely MINOR annoyance of an issue. They ended up telling me that the thing that would fix it would involve factory resetting the device. I mentioned that even if I thought it was worth it, I could not do a factory reset of the device until a Sunday, as my wife works from 7AM-5PM every weekday and requires a constant Internet connection. They told me that there was something that they could do that might solve the issue so that I wouldn't have to perform the factory reset and it wouldn't affect us. What they did was remotely factory reset the BGW210-700. This instantly killed our Internet. As it had been many years since I messed with their router, I couldn't remember how to put it back to the settings I had before. It took about three hours of panic to try to get back online. My wife was unable to finish her workday because of the Internet going down. I was having a terrible time trying many things before I finally got the AT&T router to properly get my pfSense device back online. I initially thought I was back to normal, but upon ME going to work, I realized not everything was back functioning properly.
Just a bit on my setup. I have a block of static IPv4 addresses (I actually only need one). I have many (mostly) personal servers that I use both inside and outside the home. I have HAProxy and several sub-domains that allow me to access these devices from outside the home or give access to friends or family that could use my servers. I also have WireGuard set up to connect both my laptop and my iPhone when I am not physically at home to function as if I am. This allows me to route all traffic through the WireGuard connection, which, using things like pfBlockerNG, lets me block ad servers and keeps my traffic private when I get on public WiFi hotspots.
While I did get the network to work for most Internet traffic, WireGuard is not currently connecting and none of my HAProxy setups are working to access things behind my pfSense. I never really changed anything on pfSense, so I'm thinking that the issue still resides within the IP Passthrough settings. I followed the steps seen in this YouTube video about how to set up IP Passthrough. The only variance was in my WAN setting on pfSense: I selected NOT to use DHCP but rather a static IP, and I enter the primary static IP that I use. I also have a WAN Gateway set up that has my static IP block's gateway address. As stated, I can browse the Internet as usual from behind the pfSense, and if I were to go to whatismyipaddress.com or ipchicken.com, it does show my correct, static home IP address.
Another interesting detail is that I have a Plex Media Server running at my house. I am able to log in to Plex (https://app.plex.tv) and it connects to my home server. What I cannot do is connect to an Emby server that I have routed in using HAProxy. (Both Emby Server and Plex Media Server have access to the exact same media content, but there are aspects I like of each over the other, depending on what I want.)
I am baffled as to what is preventing WireGuard and HAProxy from properly accepting connections. If anyone can point me in the right direction, I would appreciate it.
-
@RonRN18 Two things come to mind, related to your external IP...
Firstly, have you checked if that has changed, and for some reason your dynamic DNS has not been updated to point at the right address?
Second, have you checked your external IP, what range does it belong to? Could it be that AT&T took the opportunity to change you over to a private IP and you are now behind double NAT?
-
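A quick way to run the checks being asked about above (is the address pfSense sees on its WAN a public one or a private/CGNAT one, and does it match what an outside site and your DNS record report): an added Python example, not from this thread or from pfSense, using constructed sample addresses in the 203.0.113.x documentation range.

```python
import ipaddress

# Address ranges that mean the gateway is NOT handing pfSense the real public
# address, i.e. pfSense sits behind a second NAT (double NAT).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT space

def classify(addr):
    """Return 'rfc1918', 'cgnat' or 'public' for an IPv4 address string.
    Anything outside the private/CGNAT ranges counts as public here, so the
    constructed 203.0.113.x sample values below are treated as public."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"

def diagnose(wan_ip, observed_ip, expected_ip, dns_ip=None):
    """Compare the address pfSense shows on its WAN (wan_ip), the address an
    external site such as ipchicken.com reports (observed_ip), the static IP
    you expect to have (expected_ip) and, optionally, what your DDNS/A record
    resolves to (dns_ip). Returns a short diagnosis string."""
    if classify(wan_ip) != "public":
        return "double-nat"       # gateway is NATing; passthrough not in effect
    if wan_ip != observed_ip:
        return "gateway-nat"      # WAN is public, but the gateway still rewrites it
    if observed_ip != expected_ip:
        return "ip-changed"       # ISP moved you; DNS and firewall rules need updating
    if dns_ip is not None and dns_ip != observed_ip:
        return "ddns-stale"       # address is fine, but the name still points elsewhere
    # Addressing is correct. If inbound services still fail, look at the
    # gateway's own inbound filtering rather than at pfSense.
    return "addressing-ok"

if __name__ == "__main__":
    # Constructed sample observations; replace with your own values.
    for case in [("100.64.12.5", "203.0.113.10", "203.0.113.10", None),
                 ("203.0.113.10", "203.0.113.10", "203.0.113.10", "203.0.113.10")]:
        print(case[0], "->", diagnose(*case))
```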
I've had ATT residential fiber since 2016, although with an Arris NVG599.
I would think the passthrough settings would be similar.
- Allocation Mode: Passthrough
- Mode: DHCPS-Fixed
- Passthrough Fixed MAC Address: {MAC address of pfSense WAN}
-
Do you actually see the public IP on the pfSense WAN directly?
-
[SOLVED]
I was getting quite frustrated with AT&T technical support. They clearly do not know their product. I tried contacting them again and they were thinking that the problem was either a problem with MY router (pfSense 23.09.1-RELEASE) or something catastrophically wrong that they couldn't figure out on their router. They said that they were going to send me a new AT&T router. I was trying to document every page of my AT&T BGW210-700 router and the settings that were currently set, taking screenshots of it all. Some of the information anyone on my network can see, and some requires entering a code that is physically printed on the side of the AT&T router. It wasn't until I was on one of the pages that requires the code to view that I saw one little thing that, as soon as I read it, stood out to me as the most likely cause of my issues.
This is under "Home Network" → "Subnets & DHCP". In the section "Public Subnets" I have my block of static IPs defined. In the image, I have "sanitized" my actual static IPs, but I saw a yes/no question called "Allow Inbound Traffic". This was set to "No". I immediately realized that this was the reason I could not access anything on my system, such as my WireGuard VPN server or any forwarded ports or HAProxy'd machines. I changed this to "Yes" and all of a sudden, everything started working as it was supposed to. I'm not sure why AT&T "Tech Support" didn't know that this would be required to be on if you wish to reach anything directly behind your firewall.
-
@RonRN18 said in AT&T screwed me over, now can't reach services behind pfSense from outside:
I'm not sure why AT&T "Tech Support" didn't know
hahaha - sorry, but is this the first time you have had to call any tech support? Don't mean to laugh, but this is pretty much all tech support for these companies.. If you're not talking to 2nd or 3rd level, they are reading off a script, and more than likely don't even know what a modem is, or even an IP..
One thing that got my panties in a twist is when I had an outage with Comcast back in the day.. I wasn't getting an IP.. Which I clearly stated, and mentioned more than a few times.. I was showing link on the modem, but couldn't get an IP.. They wanted me to ping 8.8.8.8 - I was like how is that going to work, when I don't have an IP.. ugggghhh.. Just move me up the queue please!
-
@johnpoz said in AT&T screwed me over, now can't reach services behind pfSense from outside:
One thing that got my panties in a twist is when I had an outage with Comcast back in the day.. I wasn't getting an IP.. Which I clearly stated, and mentioned more than a few times.. I was showing link on the modem, but couldn't get an IP.. They wanted me to ping 8.8.8.8 - I was like how is that going to work, when I don't have an IP.. ugggghhh.. Just move me up the queue please!
I feel your pain brother!
Same with Spectrum (can't put what I call them).
Phizix