pfSense > Frontier modem connection question
-
I’ve been running pfSense successfully for years now, and hadn’t even touched the box for weeks. However, this morning I began having an outage. The problem is that their inept support staff just looked at the ONT status, which said it was OK, and wouldn’t even talk to me because I wasn’t using their router (geesh).
Is there a way to use the Frontier router (WAN = DHCP, LAN = 192.168.254.254/24) after pfSense so that Frontier can see it and get off my back about “It’s your router’s fault” crap?
-
Is there a way to use the Frontier router [ . . . ] after pfSense so that Frontier can see it
You would typically say in front or upstream of pfSense (i.e., on the outside of the pfSense firewall). And the answer is 'yes'. Things may then need to be configured a couple different ways, depending on the capabilities of any Frontier router device.
Ideally that 'gateway' (they're sometimes called) device could be configured in what's called 'bridge[d] mode'. This basically turns it into a switch whereby your pfSense's WAN interface would remain configured for DHCP and 'pulls' its lease 'through' the Frontier device. Frontier support would be able to see you're doing this, but it still may be a preferable network design.
You could also configure an IP subnet between the two routers—Frontier LAN interface connected to pfSense's WAN interface—but then you start getting into double NAT concerns, which could potentially be addressed a number of ways.
Do you not currently have any Frontier equipment in your possession aside from the ONT? Or do you mean to say that the ONT device has router functionality built-in? If the latter, what make/model is that device?
-
I have the “Frontier Gateway” but pulled it as soon as the technician left many years ago. I cloned the MAC address of the WAN port on the Gateway and plugged that into my WAN interface on pfSense. The usual way I think this is done.
What I was trying to explain (badly, sorry) is that I want 1 cable coming out of the ONT into the pfSense router, which has lots of spare ports. I’d like to plug the Frontier Gateway into one of those ports so that it is isolated from the rest of my network, but accessible to Frontier.
Any ideas?
-
So you actually did mean behind pfSense.

I mean, yeah. This is possible. But what would be the point? You'd allow their access to the (isolated) Frontier gateway through/inside the firewall. But they'd still see pfSense sitting at the edge, and you'd therefore not overcome the 'our service is good, the issue is your router' presumption.
The risk of misconfiguring isolation and/or remote access alone isn't worth it.
-
@winzlo said in pfSense > Frontier modem connection question:
I cloned the MAC address of the WAN port on the Gateway and plugged that into my WAN interface on pfSense
I would think pfSense wouldn't like having the same MAC address on multiple networks...?
Can you use their router and set it as passthrough or DMZ, to pfSense WAN?
-
As it turns out, my neighbor has the same fiber service I do, and doesn’t have any issues. This really points my outage back to something internal on my end. I can’t imagine what, since I hadn’t even been on or near the router in weeks. My next guess, Frontier (now Verizon) changed some sort of DHCP policy and I have to get my 5 static IP’s on the Internet differently.
See my next reply for more details.
-
This is no longer appearing to be a problem that needs the Frontier Gateway at all, it appears to be something that changed precisely at 4:30am this morning, and I have no logs of anything except the WAN_DHCP gateway going down. This thread has changed a bit to a new issue/question.
I have 1gig symmetrical fiber coming into the premises. It enters the ONT, which is reporting no issues (3 solid green lights). From there, a cable connects the ONT to pfSense. Here’s where the fun begins.
pfSense has a WAN interface, a LAN interface with VLANs, and a cable connecting to a second 6100 to keep a backup router on stand-by. I have 8 static IP’s; for the sake of this conversation, let’s call them VIP1 through VIP6 (VIP0 would be the network, and VIP7 would be the broadcast).
WAN interface is configured for DHCP, and prior to this outage, got a dynamic IP address. I then created a second gateway for network VIP0’s network. VIP1 through VIP5 are /32 addresses for virtual IP’s, and I use VIP6 as the link between me and my ISP (Frontier). I have no idea if the DHCP address was even usable, but it seemed to permit my static IP’s a route to let the VIP gateway establish its connection.
The LAN side of my firewall should be inconsequential for this discussion, so my remaining question is:
A) What do I need to change to get things working?
B) (Less important, but useful) What permitted this exact configuration to work for years until 4:30am this morning?
Thanks guys, you may be saving my hide on this one.
-
@winzlo is the gateway maybe no longer pingable? pfSense gateway monitoring will mark the WAN offline. You can disable the monitoring action or set a different IP to monitor in System>Routing.
-
@SteveITS The strange part is that WAN_DHCP doesn’t get an IP address any more. It just says Pending for all status fields and (dynamic) for where the IP address should have been. I never could figure out why the WAN_DHCP didn’t hand out my GW address and instead gave me some other subnet’s address, then by adding the second gateway and VIP’s, that was originally how I got things to work. I’m not sure of anything anymore, with very little information to go off of.
-
After some more digging, I discovered that at 4:12am this morning, the Frontier DHCP server stopped accepting my recurring 15 minute RENEW requests. There is the root of my outage. Now to convince Frontier…ugh…
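A check of the kind described in that post, as an added example (not from this thread, and not pfSense's own code): it parses dhclient syslog lines of the form pfSense writes (every host, time, pid and address here is constructed), reports the renew cadence from consecutive DHCPACKs, and pinpoints the first DHCPREQUEST that never received an ACK.

```python
import re
from datetime import datetime

# Constructed pfSense (FreeBSD dhclient) syslog lines for this example: message
# wording follows dhclient, but host, times, pid and addresses are invented.
SAMPLE_LOG = """\
Jan 17 03:42:11 pfSense dhclient[2231]: DHCPREQUEST on igb0 to 255.255.255.255 port 67
Jan 17 03:42:11 pfSense dhclient[2231]: DHCPACK from 203.0.113.1
Jan 17 03:57:11 pfSense dhclient[2231]: DHCPREQUEST on igb0 to 255.255.255.255 port 67
Jan 17 03:57:11 pfSense dhclient[2231]: DHCPACK from 203.0.113.1
Jan 17 04:12:11 pfSense dhclient[2231]: DHCPREQUEST on igb0 to 255.255.255.255 port 67
Jan 17 04:12:17 pfSense dhclient[2231]: DHCPREQUEST on igb0 to 255.255.255.255 port 67
Jan 17 04:30:02 pfSense dhclient[2231]: DHCPDISCOVER on igb0 to 255.255.255.255 port 67 interval 4
"""

# "<Mon> <day> <HH:MM:SS> <host> dhclient[<pid>]: <DHCPTYPE> ..."
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhclient\[\d+\]: (DHCP[A-Z]+)")

def parse_dhclient(text, year=2025):
    """Return [(timestamp, DHCP message type)]; syslog has no year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events

def renew_interval_minutes(events):
    """Minutes between the last two DHCPACKs, i.e. the client's renew cadence."""
    acks = [ts for ts, kind in events if kind == "DHCPACK"]
    return (acks[-1] - acks[-2]).total_seconds() / 60 if len(acks) >= 2 else None

def find_renew_failure(events):
    """Where did DHCPREQUEST renewals stop being ACKed? None if the newest REQUEST
    was answered; else last ACK, first/count of unanswered, first DHCPDISCOVER."""
    last_ack = first_unanswered = first_discover = None
    unanswered = 0
    for ts, kind in events:
        if kind == "DHCPACK":  # a reply answers every REQUEST before it
            last_ack, first_unanswered, first_discover, unanswered = ts, None, None, 0
        elif kind == "DHCPREQUEST":
            first_unanswered = first_unanswered or ts
            unanswered += 1
        elif kind == "DHCPDISCOVER" and first_discover is None:
            first_discover = ts  # lease expired, client started over from scratch
    if unanswered == 0:
        return None
    return {"last_ack": last_ack, "first_unanswered": first_unanswered,
            "unanswered": unanswered, "first_discover": first_discover}
```

On a real box the input would be the dhclient entries from the system log (Status > System Logs > DHCP) rather than the constructed sample; a DHCPNAK, which this sample does not contain, would indicate a rejected rather than an unanswered renewal.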
-
Because they are too frequent? You can set or request a custom renew interval in the client.
-
@winzlo said in pfSense > Frontier modem connection question:
and wouldn’t even talk to me because I wasn’t using their router (geesh).
That is entirely normal because they can't support everything out there. I was a telecom tech and my job was to ensure the service was working properly, not that the customer's equipment was OK.
Make sure the circuit is working properly with their firewall and then try to find the problem with pfSense.
-
@SteveITS said in pfSense > Frontier modem connection question:
I would think pfSense wouldn't like having the same MAC address on multiple networks...?
Actually, it's entirely normal. A MAC only has to be unique on an individual network. What happens elsewhere is irrelevant. You will learn this with link local IPv6 addresses, where the interface is part of the address and is specified by the application using that address.
-
@winzlo said in pfSense > Frontier modem connection question:
My next guess, Frontier (now Verizon) changed some sort of DHCP policy and I have to get my 5 static IP’s on the Internet differently.
Wireshark is your friend, though in a pinch you can use the Packet Capture in pfSense. If you think the problem is with DHCPv6 then use my instructions on capturing it. You may want to use a "data tap" for this, as it's a lot easier than without.
-
That is entirely normal because they can't support everything out there. I was a telecom tech and my job was to ensure the service was working properly, not that the customer's equipment was OK.
The problem really came down to “It worked at 4:29am, at 4:30am it tried renewing DHCP on the WAN and never got a response.” Not exactly sure how this is “my fault”, but it had been working for years prior without incident. I can see the argument both ways though so it does make sense, I just wish they would even consider for a moment that it is on their side.
Make sure the circuit is working properly with their firewall and then try to find the problem with pfSense.
ONT has the standard 3 green lights for power, connection and activity. That’s what kept the techs going down whatever path in their scripting tells them to reboot your router, reboot the ONT and then say that there’s nothing they can do to help me. That was the aggravating part.
-
Ok, help me out here. This may be a settings translation issue between what is programmed into my Frontier router and what is configured in pfSense.
As I understand it, the router (connected to the ONT) requests its IP address from Frontier. That’s the address that the gateway is assigned as from pfSense perspective it’s what WAN_DHCP gets as its IP address.
Since I have a block of static IP’s, there’s also confusion on whether or not I get 4 or 5 usable. I’m paying for a block of 5 usable IP’s. Yesterday I was told that one of those has to be used as the router’s WAN address. That made no sense to me, so I pushed back and explained how I understood this to work, and that it had worked like this for years. I have a second gateway that establishes the link to the static IP addresses, which all 5 are defined as Virtual IP’s.
Frontier is saying that they think someone misprovisioned my static IP addresses, and instead of VIP1, VIP2, VIP3, VIP4, VIP5 and the gateway IP as a 6th, network and broadcast would bring the number to 8. Since they also offer a block of 8 static IP’s, this seems to be what’s tripping them up. My opinion, right or wrong, is that if I’m paying for a block of additional static IP’s, I should be able to assign all 5 to whatever I choose, not lose one to the gateway itself.
Anyone have comments on whether I’m off my rocker from too little sleep or if I’m right on track with what needs to happen with regards to pfSense? Please ask any questions and I’ll be happy to respond. I am hoping to resolve this today, but their offline support only works standard business hours, meaning all services, including my mail and web servers, are unavailable since Friday morning at 4:30am.
Grateful for any insight into how I’m supposed to connect these static IP’s - I’ve read a lot of conflicting threads on the Frontier -> pfSense connectivity, but nothing constant enough to feel confident in taking any road other than the one I have already taken and had proven to work prior to this outage.
-
@winzlo said in pfSense > Frontier modem connection question:
I just wish they would even consider for a moment that it is on their side.
A few years ago, I had a problem with my ISP not giving the right IPv6 address. Even though I had a Wireshark capture showing the problem was at their end and showed the host name of the failing equipment and despite my next door neighbour having exactly the same problem and despite calls to the support people who agreed with me and despite a tech coming to my home, they didn't want to accept the problem until the tech went to their office and tried four different CMTS. Three of the four worked fine, but the one I was connected to failed. They then accepted they had a problem.
Incidentally, a few years later I was working in that office and saw the equipment that caused the problem.
-
@JKnott I do get it too - I spent my life in IT services. I have a tech coming out Wednesday to reprogram my ONT and router. After that, I put in a request to add to my static IP block, so I’ll probably get a whole part of the subnet.
On the Arris, the LAN & DHCP section has a “Public Subnet” where my public IP was specified with the netmask assigned. My understanding is that the Arris gets a DHCP-assigned IP unrelated to my static IP range, and then by adding the Public Subnet, the Arris then routes all traffic over to the assigned address, which enables the incoming routes to disperse to my block of static IP’s.
When the tech leaves, I will be mirroring that configuration into pfSense so I can switch back to that as my gateway. Can anyone confirm for me the process of WAN_DHCP getting its own IP address and then using Firewall -> Virtual IP’s to establish each IP address as a /32 CIDR? Do I need to add the second gateway from WAN to one of my static IP addresses? I would think so but I’ve not done this transition before, and once I have this confirmed, plan to make sure I never lose it.
Good thing 5G is fast in this area, I at least can get online to keep myself from going mad (too late?)
Thanks!
-
@winzlo said in pfSense > Frontier modem connection question:
My understanding is that the Arris gets a DHCP-assigned IP unrelated to my static IP range, and then by adding the Public Subnet, the Arris then routes all traffic over to the assigned address
Hmm, that's confusing. What I expect to happen is that the router gets a public IP DHCP assigned to its WAN that's outside the static subnet. Then the ISP routes that subnet to that IP.
If that router is pfSense then you can use the subnet directly on an internal interface. That means pfSense uses one of the IPs on its interface and all other clients use it as their gateway. Or you can add the IPs as VIPs in pfSense and port forward etc.
What isn't clear in that situation is how the ISP knows to forward that subnet to you. You may need a custom client identifier in the dhcp setup for example.
-
My understanding is that the Arris gets a DHCP-assigned IP unrelated to my static IP range, and then by adding the Public Subnet, the Arris then routes all traffic over to the assigned address
What model was the Arris? If it was a bridge only type modem then the only address it would have been assigned is the internal to the ISP maintenance address that you generally would know nothing about. Any public IP would be the router behind the modem.
If the model was a router equipped modem (I'm actually assuming you had a Comcast commercial account) then that model is the "Gateway" and would have had the first of your static block assigned to it.
Your Frontier service does not now require VLAN tagging does it? Quantum appears to have done that to a friend of mine. He didn't need it, then he did.
https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html
https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html