Verizon CR200a in ip passthrough?
-
@stephenw10 So I think maybe I did something wrong...?
I connected as you described, I think. The new interface is pulling an IP, but it's a local-type IP. Is that what I'm expecting to see?
If so, how can I now test if it's working from my desktop? Do I temporarily disable the original WAN interface, and see if I still have internet, or is there a better way? I ran a speed test, and not much has changed, although the speeds of my old and new ISPs are similar, so it would be hard to tell from just that.
-
Hmm, well it seems highly coincidental that the IP address it pulled is in the same subnet as your LAN.
Check Status > DHCP Leases. Make sure it didn't pull an IP address from itself. If it did then double check the wiring, you have a layer 2 link between LAN and Verizon.
If it didn't then you have a subnet conflict you will need to resolve.
If Verizon passes you a CGNAT address I'd expect it to be in the 100.x.x.x subnet.
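The triage described in this reply, written out as an added example that is not part of the original post. It assumes you read the lease address and the issuing DHCP server's address off the new WAN interface by hand; the function name, result labels and sample addresses are constructed for illustration, and the CGNAT test uses the RFC 6598 shared range 100.64.0.0/10.

```python
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan_lease(lease_ip, dhcp_server, lan_if):
    """Classify the lease a new WAN interface received.

    lease_ip    - address the WAN interface was given
    dhcp_server - address of the DHCP server that issued the lease
    lan_if      - the firewall's own LAN address with prefix length
    """
    lease = ipaddress.ip_address(lease_ip)
    server = ipaddress.ip_address(dhcp_server)
    lan = ipaddress.ip_interface(lan_if)

    if lease in lan.network:
        # The firewall leased an address to itself: WAN and LAN share a
        # layer 2 segment, so check the wiring.
        if server == lan.ip:
            return "layer2-link"
        # Another device uses the same range as the LAN: renumber one side.
        return "subnet-conflict"
    if lease in CGNAT:
        return "cgnat"
    if any(lease in net for net in RFC1918):
        return "private-upstream"   # modem is still doing NAT itself
    return "public"


# Constructed sample leases, checked against a LAN of 192.168.1.1/24.
CASES = [
    ("192.168.1.50", "192.168.1.1"),    # issued by the firewall's own LAN
    ("192.168.1.50", "192.168.1.254"),  # same range, different server
    ("100.72.14.9", "100.72.14.1"),     # carrier-grade NAT
    ("10.0.0.5", "10.0.0.1"),           # private range behind the modem
    ("203.0.113.7", "203.0.113.1"),     # documentation range as a public stand-in
]


def run_cases(lan_if="192.168.1.1/24"):
    return [classify_wan_lease(ip, srv, lan_if) for ip, srv in CASES]


if __name__ == "__main__":
    for case, verdict in zip(CASES, run_cases()):
        print(case, "->", verdict)
```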
-
@stephenw10 said in Verizon CR200a in ip passthrough?:
Check Status > DHCP Leases. Make sure it didn't pull an IP address from itself. If it did then double check the wiring, you have a layer 2 link between LAN and Verizon.
If it didn't then you have a subnet conflict you will need to resolve.
Well, it did something, because after making that change I couldn't browse to any sites at all, including this one, but some of my other internet and network-dependent traffic was still working. It was very odd. It almost felt like a DNS issue, but I couldn't find anywhere to see or change that.
I tried disabling the new WAN and going back to the original one, but nothing worked. I ended up having to restore my pfsense backup to get it running again.
I wish I knew enough to follow your suggestion above. I looked at the DHCP leases, but I didn't really know what I was seeing. It did seem very odd that it was assigning a local IP to the new WAN, so I suspect that was wrong.
I have the new Verizon modem plugged into a switch out in my shop, which then runs underground back to my main switch, and then into my pfSense box. Could that be causing the mix-up? Is that what you meant by a level 2 link? If so, I'm not sure how I could get around that, since there's no other physical way for me to connect the Verizon modem to my pfSense box.
-
Is that main switch also connected to the LAN NIC? Because that would then put everything in the same segment which is not valid.
If those are managed switches you can add a VLAN to carry the traffic from the modem and isolate it.
-
@stephenw10 said in Verizon CR200a in ip passthrough?:
Is that main switch also connected to the LAN NIC? Because that would then put everything in the same segment which is not valid.
If those are managed switches you can add a VLAN to carry the traffic from the modem and isolate it.
It is indeed. That would be the issue, then. The primary switch is managed, but the little switch out in my shop is not. Is it still possible to split things out into a VLAN, or do both need to be managed?
I've never set up a VLAN, is that complicated? My switch is a TP-Link T1600G-28PS, if that tells you anything.
I see an option for MAC VLAN, which appears to be selectable by port. That looks promising... :)
-
Do you need access to the LAN at the smaller remote switch?
If you do, that's an issue because, since the small switch doesn't support VLANs, the link between the switches will only ever be a single segment.
Unless maybe the modem supports VLANs, in which case you could potentially send tagged and untagged traffic over the link. But that would get complex to set up!
-
@stephenw10 said in Verizon CR200a in ip passthrough?:
Do you need access to the LAN at the smaller remote switch?
I do, since my laser cutter needs to be accessible to/from that small switch. That was actually the whole reason I ran the hardline out to the shop instead of just doing a wifi extension. :/
If I had a managed switch in the shop also, would that solve the problem? How would that work? Do they 'talk', VLAN to VLAN or something? I honestly have no idea how that works, which I'm sure is painfully obvious. lol
EDIT: I have a Cisco 3560-CG Gigabit/POE+ switch that I could install out in the shop if that would help the situation. I know nothing about Cisco management, though. If it's not web-based, and rather straightforward, like the TP-Link, I may be out of my depth.
-
Yes, if you have managed switches at both ends you can just create a VLAN and have the modem traffic use that. It will be isolated from the LAN.
Yeah, my experience with Cisco switches is... limited! But there are many people here on the forum who are very experienced with them.
-
@stephenw10 Excellent. I can install the Cisco switch in the shop, no problem.
Any thoughts on setting up the VLAN in general? I've never done one. Which type would be the easiest/best for this application? I'd like to send the traffic from the modem (that specific physical port) over the VLAN, and let all the other ports remain on the local LAN, right? Did you see anything in that last screenshot that looked likely? Or are you aware of a good resource for tutorials on setting up VLANs? I know everything is on YouTube, I just wouldn't know exactly what to search for...
-
You have two choices at the pfSense end. You can add a VLAN on the LAN NIC then assign that as WAN2 interface. Or you can just use a separate NIC for that since you have spares and connect it to the switch.
The switch would need to be configured differently in each case. In both cases the link between the switches needs to carry the tagged WAN2 traffic on, say, VLAN 100 and the untagged LAN traffic.
In general you would create VLAN 100 in the switch then add it as tagged on the port linking the two switches. Add it as untagged on the port connected to the modem.
Then either as tagged on the port to the pfSense LAN if you added the VLAN in pfSense. Or as untagged on the port to the pfSense WAN2 if not.
-
@stephenw10 OK, that sounded like French, but I'll go back and read it a few more times and see if it begins to make sense when I compare it to my GUI options. ;)
Thanks so much for your help!
-
@stephenw10 So this is super weird. I noticed that my network was acting slower than usual, so I checked the interface status, and saw that suddenly my new "verizon" gateway had no IP address. I went out to the shop and looked, and it had no status lights on the bottom of the unit at the LAN port, even though the unit itself was on and reporting good signal.
I decided to move it back inside temporarily, until I could get the new switch that would allow me to set up the VLAN as we discussed above.
I moved it back onto my primary LAN, so that it's only connected through my main switch. It's now Cellular modem -> switch -> pfsense. Although now that I type that, I think maybe that's still no better than before.
Regardless, when I plug it all back in, I'm still getting no IP address at all on the modem. This is weird, since earlier, I was getting an IP, it was just a LAN-type IP. Any idea what might be going on here? I assume the modem is still functioning correctly, since it's basically brand new, but otherwise, what could be causing it to suddenly refuse to pull the IP, even the 'wrong' one?
EDIT: So after a bit of thinking (it's early...), I moved the modem to another location, and plugged it directly into the pfSense box. This of course worked exactly as you described, since there was no switch in between, and now it has an external IP! So... how do I get my devices to start using the new service instead of the failover? Do I have to disable the original interface, or is there another, less destructive, way?
-
You should not have that modem connected to a LAN side switch directly without a VLAN in place. Doing that means it 'competes' with pfSense to be the router on that network. Other LAN devices may get an IP from the modem or start using a public IP even.
Having that NIC in pfSense (igb3) connected to the LAN switch without a VLAN is invalid. It can only get a lease from itself which then creates a subnet conflict between the Verizon and LAN subnets. So it's better it doesn't get an IP at all.
The only valid setup there without VLANs is to connect igb3 to the Verizon modem directly without any switch in between. It should then get an IP from the modem or from Verizon upstream.
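Why the flat wiring is invalid, and what the VLAN 100 plan from the earlier reply changes, as a small model (an added example, not part of the original posts). It takes the separate-NIC option for WAN2 and assumes both ends of the inter-switch link are configured the same way; the port names, host names and functions are hypothetical.

```python
from collections import deque

LAN, WAN2 = 1, 100   # VLAN 100 is the example ID suggested in the thread


def port(untagged, tagged=()):
    return {"untagged": untagged, "tagged": set(tagged)}


def carries(p, vlan):
    return vlan == p["untagged"] or vlan in p["tagged"]


def flood(switches, links, hosts, src):
    """Return the hosts that receive a broadcast (e.g. DHCP) sent by src."""
    start, pname = hosts[src]
    vlan = switches[start][pname]["untagged"]   # host frames arrive untagged
    attached = {where: name for name, where in hosts.items()}
    seen, queue, reached = {start}, deque([start]), set()
    while queue:
        sw = queue.popleft()
        for name, p in switches[sw].items():
            if not carries(p, vlan):
                continue                        # port is not a member: no egress
            if (sw, name) in attached:
                reached.add(attached[(sw, name)])
            peer = links.get((sw, name))
            if peer and peer[0] not in seen and carries(switches[peer[0]][peer[1]], vlan):
                seen.add(peer[0])
                queue.append(peer[0])
    reached.discard(src)
    return reached


def topology(modem_vlan, uplink_tagged):
    switches = {
        "shop": {"modem": port(modem_vlan), "laser": port(LAN),
                 "uplink": port(LAN, uplink_tagged)},
        "main": {"uplink": port(LAN, uplink_tagged), "desktop": port(LAN),
                 "pf_lan": port(LAN), "pf_wan2": port(modem_vlan)},
    }
    links = {("shop", "uplink"): ("main", "uplink"),
             ("main", "uplink"): ("shop", "uplink")}
    hosts = {"modem": ("shop", "modem"), "laser": ("shop", "laser"),
             "desktop": ("main", "desktop"), "pfSense LAN": ("main", "pf_lan"),
             "pfSense WAN2": ("main", "pf_wan2")}
    return switches, links, hosts


FLAT = topology(LAN, ())        # no VLAN: modem shares the LAN segment
PLAN = topology(WAN2, (WAN2,))  # VLAN 100 untagged at modem/WAN2, tagged on uplink
```

In the flat layout `flood(*FLAT, "modem")` reaches every LAN host, so the modem can answer their DHCP requests; with the plan applied it reaches only the WAN2 port, while LAN broadcasts still reach the laser cutter across the same link.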
-
@stephenw10 yep! I added this edit above before I saw your reply...
EDIT: So after a bit of thinking (it's early...), I moved the modem to another location, and plugged it directly into the pfSense box. This of course worked exactly as you described, since there was no switch in between, and now it has an external IP! So... how do I get my devices to start using the new service instead of the failover? Do I have to disable the original interface, or is there another, less destructive, way?
-
The easiest way is to simply set the System default gateway to the Verizon gateway in System > Routing > Gateways.
You can also set up a failover group with the Verizon gateway as the primary gateway and then set that group as the System Default.
Note you cannot set a load-balance group there. If you want to try that you need to policy route traffic via that.
-
@stephenw10 This appears to be working, thanks! I'll leave it like this for now, until I can get my new switch, and set up that VLAN. I really appreciate your assistance, but can't promise I won't need you again. :)
-
@stephenw10 So this is weird.
I have it up and running using the settings you suggested, and for the most part all is well. However, initial connection to sites is a little slow, and certain elements won't load at all. For example, when I hit google and do a search for whatever, that mostly works fine, but once I actually choose a result and visit a page, it seems to pause for a moment, almost like it's having trouble resolving the DNS record or something. This happens on many, but not all sites.
The other, more pressing issue is with YouTube. I can browse the site with no problem, but no videos will play. At all. Nothing. Any video I select just spins forever and never plays. I've tried turning off my ad blocker(s) and it makes no difference. I'm using adguard DNS on my local PC (in the NIC settings), but even changing that back to google or cloudflare DNS doesn't help.
Anything jump out at you as being an obvious cause of either of these issues?
-
Something that can present like that is if you have IPv6 but only partially. A host device will almost always prefer IPv6 if it has a routable address and try to use it. If that's blocked or in some other way broken it has to time out before falling back to IPv4.
-
@stephenw10 Do you mean on the modem, router, or my PC? It seems that all other devices in the home can access sites (and YouTube) without issue, it's just my desktop that is having trouble, so I assume it's on the client side. I've checked my network settings, and I don't think IPv6 is enabled anywhere that I can see. Is there a way to check, or to definitively disable it?
I saw something last night about some having issues with the Verizon modem using IPv6 SLAAC, but that wasn't with IP Passthrough. I'm wondering if, since I didn't turn off v6 before enabling passthrough, it's somehow "leaking" v6 info through the connection. Is that even a thing? If so, would perhaps taking the device out of passthrough, turning off IPv6 entirely, then putting it back in passthrough perhaps help? Obviously, I'm grasping at straws here. lol
-
I mean on the local PC where you are seeing the delays. Though usually that would be because pfSense is passing it an IPv6 address.
Check Diag > DNS Lookup in pfSense. Are all the configured DNS servers responding?