Switching upstream Modem into Bridge mode blocks PfSense
-
I set up a basic configuration and it's been working for a few months as a test. I wanted to change my Arris G54 modem/router to bridge mode and let everything be handled by PfSense as a firewall and possibly a VPN server, and in the future run Dynamic DNS for devices on my network.
The Arris device is what I had before getting new equipment and has a 10G port, so I'm trying to get it to be a 10G modem. I'm using DAC cables and dongles to connect all the hardware. Those have been working well and giving a 10G route from Switch > Router > PfSense > Modem/Router > Internet.
I have my VLANs defined in the Omada router.
I wanted to change the Modem/Router into bridge mode. When I do, I can't get PfSense to connect. It's been connected for several weeks with the Arris Modem/Router in router mode. I can also bypass the PfSense and connect the Omada router to the Arris Modem/Router in bridge mode, and it will connect.
I've walked through these Help Doc pages starting here and updated the settings on both WAN3 and WAN4 on the Netgate device:
https://docs.netgate.com/pfsense/en/latest/interfaces/wanvslan.html
In tinkering with the settings and following the Help Docs, it seems IPv6 was connecting but not IPv4. Even when I disable the IPv6 gateway, it still seems to be connecting. I know the Arris device will only allow one connection in Bridge mode.
I've attempted to set up bulk 'allow everything' NAT and firewall rules, but I just can't get it to work. I have Charter/Spectrum internet. My spouse and I work from home and both use outgoing VPNs for work, so I'm attempting to maintain as high a speed as possible in the setup.
Hardware setup
Omada Switch, SG3438XPP-M2, Port 25, 10G > Omada ER8411, SFP+ WAN1, 10G > WAN4, 10G, Netgate 6100, PfSense, WAN3 10G > Arris G54, LAN Port 1, 10G
I have LAN port 1 on the Netgate device set up as a 'console' port that my desktop is plugged into to tinker with the settings and monitor it.
In the future I'd like to use Dynamic DNS for my NAS and security camera setup. This is why I'm wanting the Arris device in bridge mode and to utilize its 10G port. I'd also like to eventually be able to use a VPN to access my home network while traveling.
-
@HuntyBadger Have you tried setting pfsense WAN to reject leases from e.g. 192.168.100.1 (assuming that is the Arris modem IP)? I think I had to do something similar when I was playing around with a 5G modem in bridge mode.
May I ask why you have the Omada Router involved, when you have pfsense? I get that you need to manage your switch, but this will definitely complicate things when you move forward to the VPN and Dynamic DNS you are mentioning. You can run the Controller SW on a Pi or as a VM...
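As an added illustration (not code from this thread, from pfSense or from the Arris firmware), this is what the "reject leases from" advice amounts to, followed by a sanity check on the address the WAN actually ends up with. It assumes 192.168.100.1 as the modem's management address, as guessed above, and the sample DHCP offers are constructed.

```python
import ipaddress

# Assumed modem management address (the guess made in the post above).
MODEM_MGMT_IP = "192.168.100.1"

# Ranges that should never appear on a WAN that is truly bridged to the ISP:
# RFC 1918 private space plus link-local (what dhclient falls back to).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def classify_wan_lease(server_id: str, offered_ip: str,
                       reject_from=(MODEM_MGMT_IP,)) -> str:
    """Mimic pfSense's 'Reject leases from' WAN option, then check the result.

    server_id  - DHCP server identifier that made the offer
    offered_ip - address offered to the pfSense WAN interface
    Returns 'reject', 'double-nat' or 'ok'.
    """
    if server_id in reject_from:
        # The modem's own DHCP server answered. dhclient drops this offer and
        # keeps waiting for the ISP's server instead of accepting a modem lease.
        return "reject"
    addr = ipaddress.ip_address(offered_ip)
    if any(addr in net for net in PRIVATE_NETS):
        # A private WAN address means something upstream is still routing/NATing:
        # the modem is not really bridged, or it is still bound to the old MAC.
        return "double-nat"
    return "ok"


# Constructed sample offers as (server_id, offered_ip); TEST-NET addresses
# stand in for the ISP side.
SAMPLE_OFFERS = [
    ("192.168.100.1", "192.168.100.10"),  # modem's internal DHCP -> reject
    ("192.168.1.1", "192.168.1.50"),      # old router-mode lease -> double-nat
    ("203.0.113.1", "198.51.100.42"),     # ISP lease -> ok
]


def summarize(offers=SAMPLE_OFFERS) -> dict:
    """Map each offered address to its classification."""
    return {ip: classify_wan_lease(sid, ip) for sid, ip in offers}


if __name__ == "__main__":
    for ip, verdict in summarize().items():
        print(f"{ip:16} {verdict}")
```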
-
@Gblenn The Omada router is there because I purchased the Omada setup as a stack first. After exploring the promised functions, it doesn't have the level of privacy I wanted. I added the Netgate device later and thought it would be more work to translate the settings from the Omada Router to PfSense, since that stack is native to each other and functions fine.
The Omada controller I have is an actual hardware device itself, separate from the Omada Router.
The physical connections are:
Omada Controller >> Omada Switch >> Omada Router >> Netgate 6100
I was hoping to have PFSense be a DNS Resolver/Firewall pass-through, two of the major things the Omada stack doesn't do well.
I'm fine with having the VPN server and Dynamic DNS on either the Omada router or PfSense device. I think PfSense would be the better choice.
I did finally figure out the main issue: I was missing some NAT rules; I had put them on the wrong interface. I had to walk away for a day or two, then I saw what I did wrong. I'm still attempting to figure out a 'bridge mode' on either PfSense or the Omada Router.
-
@Gblenn I'm wondering if I should be using an internal/external bridge on PfSense.
-
@HuntyBadger I think that everything the Omada Router (Gateway) can do, pfsense can do as well, and often better. In any case, it is never a good idea to have multiple firewalls in a chain. It only adds complexity and no benefits, except if you want to learn and test one or the other.
-
@HuntyBadger I would just toss the Omada router, or sell it. What do you think it can do that you can't just do with pfsense and some APs?
Or maybe put it on your shelf as a spare in case your pfsense box takes a dump. Electronics fail; it's never a bad idea to have something you can use to get back on the internet until you get it replaced. I have an old UniFi USG-P3 on the shelf; if my SG4860 died, I could at least get everything back on the internet until I got a replacement/upgrade for the 4860.
-
Make sure when you are switching devices behind the modem that you hard reboot the modem, as it will stick to one MAC address at a time. When it is not in bridge mode it becomes that one MAC address by itself, so you don't have to worry about the reboot process. But in this case pfSense is the router, and your WAN interface needs to be that MAC address.