Netgate Discussion Forum

Could not connect to the internet without ISP-Provided Router

DHCP and DNS
ont
8 Posts 4 Posters 620 Views
  • J
    j4bbyj03
    last edited by j4bbyj03 Mar 15, 2024, 3:52 PM Mar 15, 2024, 3:52 PM

    Hi,

    I need some help with my pfSense box. It could not connect to the internet without first doing this: ONT > Eero router > pfSense box.

    I would like to remove the ISP-provided Eero router and have a direct connection from the ONT to the pfSense box. From what I can see, the Eero router does not have any special configuration for it to work. In fact, I have tried connecting a PC (using DHCP) directly to the ONT device and it was able to reach the internet.

    When I connect the pfSense box directly to the ONT, it can also get the same public IP as the Eero router and the PC, but all devices behind it could not reach any website.

    What I have tried:

    • Turning off the ONT and pfSense box for 5 minutes, connecting them, then turning on the ONT and pfSense box
    • Spoofing the Eero MAC address, then doing the first bullet point

    Additional Information

    • My Outbound NAT is on Hybrid. There are manual mappings, but specifically only for a group of IP addresses that needed to be routed to PIA VPN. Other than that, they are all automatic rules
    • I tried pinging 1.1.1.1 with the ONT > pfSense box setup but it could not reach it
    • My ISP is Telmax (https://www.telmax.com/)
    • Looking at the Eero's configuration, it is set to DHCP with uplink VLAN Tag disabled

    Am I missing a pfSense configuration to apply? Or should the ISP get involved to release the router's MAC? If I am going to contact the ISP, what other information should I get from them?

    Thanks in advance 🙂

    • T
      tinfoilmatt @j4bbyj03
      last edited by Mar 15, 2024, 4:17 PM

      @j4bbyj03 given that pf obtains the same (presumably valid) DHCP lease from ISP as the Eero, the issue does seem to be with your pfSense configuration.

      can you please post a screenshot of the firewall ruleset for your LAN interface?

      • G
        Gertjan @j4bbyj03
        last edited by Mar 15, 2024, 4:22 PM

        @j4bbyj03 said in Could not connect to the internet without ISP-Provided Router:

        I have tried connecting a PC (using DHCP) directly to the ONT device and it was able to reach the internet.

        But you didn't need to

        @j4bbyj03 said in Could not connect to the internet without ISP-Provided Router:

        or should the ISP get involved to release the router's MAC.

        right?

        The PC was using the classic DHCP, right?
        So is, by default, pfSense.

        If some device, whatever device, using DHCP gets an IPv4 lease from some ISP upstream DHCP server, then it will be valid for pfSense also.
        The only difference is that pfSense behaves on the WAN side 'as any device' but it can do NAT and some more stuff, so you can now have LANs. That's a router.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • J
          j4bbyj03 @tinfoilmatt
          last edited by Mar 15, 2024, 5:51 PM

          @cyberconsultants here is the screenshot for the LAN interface rule set:
          LAN rules.png

          and this is the WAN Rule set
          WAN rules.png

          • J
            j4bbyj03 @Gertjan
            last edited by Mar 15, 2024, 5:55 PM

            @Gertjan and this is what's baffling me. A PC, running Linux even, can connect directly to the ONT and can access the internet, but a pfSense box that has DHCP on WAN cannot. I am covering all bases because I read somewhere that ISPs can "lock" an ONT into only a specific MAC address. I am all out of ideas :-(

            • G
              Gertjan @j4bbyj03
              last edited by Mar 15, 2024, 6:14 PM

              @j4bbyj03 said in Could not connect to the internet without ISP-Provided Router:

              PfSense box that has DHCP on WAN cannot.

              Double check that you are actually using the "WAN" interface.

              Go to Diagnostics > Packet Capture, select WAN, add the useful DHCP ports 67 and (the other one), protocol UDP, and hit start.
              What do you see?

              You should see: the DHCPv4 client (pfSense) sending out requests.
              Answers back would be even better ...

              • J
                Jarhead @j4bbyj03
                last edited by Jarhead Mar 15, 2024, 7:44 PM Mar 15, 2024, 7:20 PM

                @j4bbyj03 There's almost no way you would receive the same DHCP address with a different router. Did you power cycle the ONT after connecting the pfSense?

                Disregard, just reread and saw you did.
                But there's still little chance you'd get the same address.

                • T
                  tinfoilmatt
                  last edited by Mar 15, 2024, 7:58 PM

                  thinking along the same lines as @jarhead over here. consistently power cycling all devices after making any reconnections is going to be important here.

                  spoofing L2 addresses is a bad idea and inevitably a bad time. i would avoid it entirely.

                  it also might not be a bad idea to confirm that ISP doesn't need to whitelist MAC of your pfSense WAN NIC. it's possible that their whitelist is only 'enforced' when it detects a router at the other end (to put it crudely)—so it'd stand to reason that you can successfully directly-connect to ONT with your PC but not with the pf host, a router. worth a quick call to avoid chasing your tail.
