ATT Internet AIr
-
@stephenw10 said in ATT Internet AIr:
I wouldn't expect any firewall rule to be needed.
I'm not sure the any to any rule is actually created automatically when you create a VLAN?
-
The outbound NAT rules are created automatically.
Firewall rules are not but shouldn't be required. Hence I'm curious about exactly what rule had to be added manually.
-
@stephenw10 said in ATT Internet AIr:
The outbound NAT rules are created automatically.
Yes but the NAT reference was
@ahole4sure said in ATT Internet AIr:
I wasn't sure if I needed any other settings like - should I normally be able to get by with "auto-created" Outbound NAT?
And the rule I was referring to at least was related to this question, where a rule is needed for internet to be accessible.
My LAN internet (delivered mostly by Eero wireless) was not existent until I created a rule for the ATT modem to beable to access any source and any destination? Is that acceptable?
But now I'm wondering if there is something that is not right in the setup, since one VLAN at least, is only for WAN2 (or 3?). And in this case, there shouldn't be rule, other than for testing that the VLAN is actually working...
-
Yup exactly. That rule shouldn't be required. So lets see it.
-
I have been so frustrated with the whole process I have not acted very systematically
I know the any rule depicted here was forgotten by me and for sure not added automatically. So I know it has to be manually added (I guess for VLANs)
But in my frustration I added a NAT rule that most likely wasn’t needed.I have until the end of the week. Thank you both for the replies. I’ll go back to auto rules on the outbound NAT and test
Then I’ll go to my firewall rules and try to get them cleaned up (maybe send some screenshots later)
Hopefully you both won’t mind chiming in on my mess of rules. lol don’t be judgmental lol -
Hmm, nope you absolutely shouldn't need that rule on a WAN. That passes traffic from the modem side into the firewall which should not be needed.
-
@ahole4sure A rule like that will be needed for your NAS- or Guest-VLANs only.
But not for the VLAN you have for the ATT modem (rosegate...). Not sure anymore which VLAN is used for what though...
-
The saga continues -- it appears that the second (in my discussions) of my two ATT modems may be bad. The back end ATT people swear that it is provisioned correctly. They are overnighting a replacement device with new SIM tomorrow.
On another note - I did as @Gblenn suggested and set up an additional test scenario and I was able to get Modem #1 to work through the TP- Link switch
So her is the current problem -- I have simulated power failures and reboots of the pfsense box. The modem and switch boot quicker on power failure AND if I just do a reboot of the pfsense box without booting the modem - I am unable to reegain connection. The connection is restored after modem manual reboot. During the time of trying to regain connection the modem just cycles through connection and disconnection to the pfsense box. (screenshots are 5 sec apart)
I assume it is just not renewing the lease - but can I force it???
Have you ever seen this behavior before? Any fix or workaround? I am trying to make this as self fixable as possible since I will eventiually deploy 5 physical hours away from me with no tech savvy on site employees.
-
What do the pfSense logs show when that's happening? Check the system and dhcp logs.
-
@stephenw10
Soi strangely enough , while testinng the TP-Link switch, and this time without power failure or reboot - the gateway just went down (not sure exactly when) but has remaained down for several hoursWhen I checked the modem it was doing that cycling connecting , disconnecting thing
The only relevant entries in the log (as far as current time-wise) were int he DHCP log
see attached
-
@stephenw10
I rebooted the modem and connected to the Linksys switchThe modem shows connected to the pfsense igb3 mac address , but the interface never showed the IP address this time, and the gateway never showed coming online
BUT the cmd ping lets me ping google.com from the OPT6VLAN10 interface that doesn't show up as online ???Also at the end -- do you have any idea waht those numerous "default deny" things are in my firewall logs -- for both my WAN2 and my LAN. ?? There are just so many !!
I didn't even know I had a "default deny" rule
-
I don't think that ping is real. It doesn't show a source address in the output. That should appear like:
But since it doesn't it implies OPT6VLAN10 doesn't have a valid address.
The DHCP logs there simply show no servers responding.
-
@stephenw10
So does that mean that the ATT servers are "to blame" in this case?I need to make a decision soon -- I have enjoyed learning and pushing through the process but sooner or later I gotta decide --
-
failover internet at my second location is not an option
-
I need a different gateway than the Nighthawk (the odd think here is that if I stay away from VLAN connection the Nighthawk seems to be stable (and survive reboots and simulated power failures)
So on the one hand it seems like the Nighthawk>VLAN>pfSense scenario is to blame , while on the other hand is it just the Nighthawk to blame??
Any thoughts on how I might should proceed to getting to the source of the issue?
Running another ethernet cable to my proposed modem location is just not an option - it has about a 10ft run UNDER concrete floor to get to the outer wall and that run is what is feeding the cameras -
-
@ahole4sure That blocked device that you have showing in the picture from the ATT modem is your TPLink switch, right? I wonder if that may play a part in this? The ATT modem is connected to the only device it's trying to block?!
I think you should set the IP manually and try removing that entry in the ATT modem. If you haven't done it already, it's under System - IP Setting and there you set DHCP to disable and enter the IP you want when accessing it.
-
@Gblenn Are you suggesting that I go back to trying to manually set the IP address for the VLAN interface to the static address I have form ATT? I hasn't worked in the past but I'm up for anything -- I had hoped that I could get DHCP to work and it DOES when connected directly to the pfsense (but the issuess start when I thow the VLAN into the mix)
-
@ahole4sure No, I meant the management IP for the TPLink switch. I believe you set that block in the ATT modem so it wouldn't pick up that MAC instead of pfsense.
So keep everything as it is, set the correct MAC (for pfsense) in the ATT modem, and remove the blocking. AND, set the IP of the TPLink switch to whatever it is that you want it to be. I suppose you have already set it as static in pfsense DHCP, but still. Just to make sure it doesn't try to get an IP from the ATT modem. -
Like this
-
@Gblenn
So in reesonse to your initial reply I switch my interface to static - (so far it is staying pretty stable) I actually think that I had not gone back to that AFTER I found out one of my modems was "bad"
I would like to be able to keep using DHCP ( like appears to have been working well with dorect connection to the pfssense interface as compared to the VLAN connecting through the switch
But at this point , just getting it working is all I care about!
And it appears that ATT has no problem with providing my static IPI had already set both the Linksys and the TP-Link to static as per your pic -- that didn't really change anything
I just don't know why connecting through the VLAN screws up the DHCP delivery and stable connection ??That said - I can connect to my ATT modem after I added the virtual IP address in that subnet to the VLAN interface (that address is 192.168.2.1)
For some reason - with a ethernet cable connected as a trunk to port one of the switch and the ATT modem connecteed to port 2 of the switch I can't connect to the management interface of the switch (192.168.3.100) -- any suggestions for that ?THANKS again
-
Those IPAlias VIPs are all conflicting. You can't have the same subnet defined on different interfaces.
-
@stephenw10
Oh crap , my bad
I thought you had said I couldSo I can have multiple subnets on one interface, but not the same subnet on two different interfaces??
