    Need help with hardware setup please.

    Hardware
jim.thornton

Okay…  I'm a total Noob when it comes to networking so I'm going to try and explain what I know of the setup.  My cousin came over a few weeks ago and helped me set up a server in my SOHO.  Right now, I've got a Dell PowerEdge 840 with 4GB RAM and 2.4 GHz Xeon CPU and 2 x 500GB RAID-1 HDD.

      He chose to go with ESXi 4 as the Host OS and has created some VM's.  The diagram would look like this (I think):

      ISP MODEM ---> Nortel Layer 2 switch ====>  HOST ESXi

      The modem is plugged into one of the ports on the switch and the switch has two WAN ports plugged into a dual Intel NIC.

      VM's:
      1 - pfSense box (192.168.4.1)
      2 - Zimbra box (192.168.2.1)
      3 - TrixBox (192.168.3.1)

      1 & 2 were up and running, but Zimbra is falling short of my needs so I have decided to shut that off.  Trixbox has not been up and running as yet.

      PRIOR setup:
      MODEM --->  Tomato Router ---> LAN

      With my PRIOR setup I was able to use Tomato on my Buffalo router for the purposes of using Single Link MLPPP from TekSavvy (ISP).  This setup worked perfectly for getting around DSL throttling.

Under the new setup that he set up, pfSense is getting throttled again and it is driving me crazy.

      MY QUESTION:
      Is it possible to take my Tomato router and OPEN it up completely but use the SLMLPP connection option?  Basically, let my Tomato router establish the ISP MLPPP connection and then don't use any firewall features or anything, just have a wide-open pipe into the pfSense box and let pfSense take care of everything.

      If I could do this then I would just change the settings in pfSense not to establish a PPPoE connection letting the Tomato router do that instead.

      In addition, I have a STATIC IP from my ISP, if that matters at all.

JoelC707

        You could do that, but under the WAN type in 2.0 RC2 I have the option of PPP for the type. Would that not work as well? I don't want to change anything just to look on my end but it should be doable I think. I've never used PPP for anything since dialup days.

        Does Tomato give you the option of sharing your WAN address with a connected PC? If so you should be able to have Tomato establish the PPP session and act as the modem, and configure your static IP on pfsense. If Tomato doesn't have that option what about DMZ? Or better yet turn off NAT and do a static route to pfsense and have a /30 subnet between the Tomato router and pfsense (can also technically use any old subnet even a standard /24, it's just a "waste of space" but won't hurt anything). You can use a private range, just make sure it's different from your LAN range. It'll show up as another hop in a traceroute but that's fine. With a static route and no NAT on the first router that should leave you open to run NAT on pfsense and forward ports as you need.

        If that's confused you I'll try to better explain it with a diagram and actual addresses and such.

jim.thornton

          For the most part I understood what you said. The /30 thing is a little confusing but I think that means that there is only one IP address, is that correct?

          I also found out that he has created port groups within the switch, I don't know if that changes anything.

          In order to bypass the throttling you have to set Tomato to MLPPP (single link). I then have to select PPPoE for the type of connection. So, I don't think I can use just PPP as the type.

Would I have to re-configure the whole network or can I just unplug the wire going from the modem to the port on the switch and then put the Tomato router in between?

JoelC707

            A /30 would give you one "usable" address in terms of a routed static IP range. But it actually has two addresses capable of being assigned to devices (the other usable address would get assigned to the gateway/modem). That's what makes it good for point-to-point links like between two routers. No you don't need to reconfigure the whole network, just stick the Tomato router between the modem and pfsense. You won't need a switch or anything in between, just connect them together with regular patch cables.

            Let Tomato handle the MLPPP and PPPoE sessions and also let it have the public IP.
            Turn off NAT and the firewall in Tomato.
            For the LAN side of Tomato assign it say 192.168.10.1 with a subnet of 255.255.255.252 (a /30).
            On the WAN side of pfsense assign it 192.168.10.2 with the same subnet. Uncheck the "block private networks" check box.
            Setup a static route in Tomato routing to the WAN address of pfsense.
            That's it, you're basically done. Configure NAT and firewall rules as you want on pfsense.

            If your normal LAN network behind pfsense happens to be in 192.168.10.0 then for the link between Tomato and pfsense, replace "10" with any number between "0" and "255". I chose 10 because it's just a number that's not 0 or 1 as a lot of things like to default to 192.168.0.x or 192.168.1.x and it's usually just better to avoid those to keep future headaches at a minimum.

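As an added illustration of the /30 link and of the caveat above about picking a link subnet that your LAN does not already use (this is editor-added Python, not code from the thread, from Tomato or from pfSense), the check below uses Python's standard ipaddress module to list the two usable addresses in a /30, confirm that both ends of the link sit in it, flag that the pfSense WAN address falls in RFC 1918 space (which is why the "block private networks" box has to be unchecked), and detect overlap between the link network and the LAN networks behind pfSense. The addresses are the ones used in the thread; the function names and the sample LAN list are my own.

```python
import ipaddress

# RFC 1918 ranges; pfSense's "block private networks" WAN option drops traffic from these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr is in one of the three RFC 1918 private ranges."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in RFC1918)


def link_plan(router_lan, pfsense_wan, prefixlen=30):
    """Describe the point-to-point link between the Tomato LAN side and the pfSense WAN side.

    router_lan  : address given to Tomato's LAN interface (e.g. 192.168.10.1)
    pfsense_wan : address given to pfSense's WAN interface (e.g. 192.168.10.2)
    Returns the link network, its netmask, the usable host addresses, and checks on pfsense_wan.
    """
    link = ipaddress.ip_interface(f"{router_lan}/{prefixlen}").network
    usable = [str(h) for h in link.hosts()]  # for a /30: two addresses, network and broadcast excluded
    return {
        "network": str(link),
        "netmask": str(link.netmask),
        "usable": usable,
        "pfsense_on_link": ipaddress.ip_address(pfsense_wan) in link,
        "pfsense_usable": pfsense_wan in usable,  # False if you picked the network or broadcast address
        "pfsense_is_private": is_rfc1918(pfsense_wan),
    }


def overlapping_networks(link_cidr, lan_cidrs):
    """Return the LAN networks that collide with the chosen link network."""
    link = ipaddress.ip_network(link_cidr)
    return [c for c in lan_cidrs if ipaddress.ip_network(c).overlaps(link)]


if __name__ == "__main__":
    # Constructed sample: the link from the reply above and the four LAN subnets from the thread.
    plan = link_plan("192.168.10.1", "192.168.10.2")
    print(plan)
    lans = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24"]
    print("overlaps with 192.168.10.0/30:", overlapping_networks("192.168.10.0/30", lans))
    # The situation later in the thread: a /30 carved out of a range that a test VM already uses.
    print("overlaps with 192.168.99.0/30:", overlapping_networks("192.168.99.0/30", lans + ["192.168.99.0/24"]))
```

The overlap check is the one to run before committing to a link subnet: a collision shows up later as "pfSense can ping Tomato but nothing beyond it", which is much harder to diagnose than an empty list here.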
JoelC707

              I dug deeper into the PPPoE settings on the pfsense WAN side and there are MLPPP options in there. It's been a while since keeping up with Teksavvy on DSLReports but I do know about the MLPPP and so forth, I just don't know what they have you set. What version are you running of pfsense? Do you see the settings in there, and if so do any of them look like what you want to do with Tomato? It says you have to select at least two interfaces for MLPPP. Which makes sense, MLPPP is as the ML portion says, Multilink; which is what doesn't make sense about you needing to do singlelink MLPPP. But as I said I haven't kept up to date on Teksavvy's configs using MLPPP to bypass throttling by Bell.

jim.thornton

                Thank you so much for taking the time to help.  I really appreciate the time you have taken to help me with this.

                I do have a couple of questions:

1.  When you say set up a static route, do you just mean set static IPs on the Tomato and pfSense boxes?  Or is there something else that I need to set?

2.  I forgot to mention in the first post that my cousin also set me up with OpenVPN.  Will having the Tomato box in the front affect the OpenVPN?

JoelC707

                  For the static route you do need to do more than setup the IP addresses in the respective devices. Pfsense will be taken care of through a gateway (which I forgot to tell you in the steps outlined before). The Tomato side needs a static route. I've never played with Tomato, only DD-WRT. On DD-WRT and the original Linksys firmware you basically input an IP address, subnet and gateway, just like in configuring a NIC. You'll probably have a name field and a route number, give it route 1 and name it whatever you want (pfsense works). For IP address input the WAN address of the pfsense box (192.168.10.2 in my example above). Subnet would be 255.255.255.252. Gateway will be either the LAN side of Tomato (.1 in the example) or your public IP. It's been a long while since I've configured static routes so I'm not 100% but I think it's going to be the LAN address of Tomato not the public IP. If you don't have those fields, show me what you do have and I'll figure it out.

                  As for the OpenVPN I really don't know. It should work, it's just another hop in the route, it's not going through NAT which has a BAD habit of breaking things.

jim.thornton

                    Okay…  I've started working on the situation.  Hopefully, you are around today to help out as today is the only day that I can do this to ensure that I don't have downtime during work hours.

                    So far, here is what I have done.
                    1.  I did a factory reset on the Tomato router.
2.  Set up PPPoE/Single Line MLPPP as the type of connection and entered my login details.
3.  Set up the Static IP for the Tomato/LAN to 192.168.99.1 (192.168.10.X is being used for my ESXi Host machine)
4.  I have created a snapshot within VMware to save pfSense in case this new setup doesn't work, I will be able to revert with minimal effort.
                    5.  I've disabled the firewall features within Tomato.

                    Now, I'm ready to setup the routing table on my Tomato router.  I've taken a screen shot of the Tomato Routing table page.  Could you please tell me what to fill in where?

                    As for the default gateway, currently pfSense is handling the whole network 192.168.X.X where X.X is (1.X, 2.X, 3.X & 4.X).  Currently the HOST ESXi machine has the default gateway set to 192.168.4.1 (pfSense).  After this is done, should I be changing that to 192.168.99.1 (Tomato)?

Once you give me the routing page settings, I will enter them, save them and then bring the Tomato router to my modem/switch and put the Tomato router in between the two.  Just before that I will login to pfSense and change the type of the connection so that pfSense is not establishing the PPPoE session.

                    Finally, should I change it to STATIC as the type and give it 192.168.99.2?

[Attachment: tomato.jpg]

JoelC707

                      Hrrmmm your Tomato routing page already has what looks like a sufficient rule in place for routing traffic. Make sure NAT is turned off as well, sometimes it is separate from the firewall. Turn on the RIP v1&v2 in Tomato on the routing page shown in your screen shot, it should take care of any errant routing not already handled by the existing route shown. If that doesn't do it we'll tackle a static route. As for the ESXi host it should point to pfsense, in fact everything should point to pfsense for default gateway. The fun part will be getting to Tomato's config page once it's on the WAN side of pfsense. You might not have any problems but firewall rules could cause problems. If you do have problems make sure you enable remote admin access and try coming at it from the WAN side.

jim.thornton

                        RIPv1&v2 on LAN, WAN or BOTH?

JoelC707

                          LAN side, sorry I didn't know it would ask which interface.

jim.thornton

                            No worries…  I changed the settings that you had suggested.

                            I've now done the following:

                            1.  Plugged in Tomato next to the modem/server.
                            2.  Connected the MODEM to the WAN port on the Tomato router.
3.  Connected LAN PORT 1 to the switch with the same cable/port the Modem used to use.
                            4.  Changed the pfSense connection type FROM PPPoE to STATIC.
                            5.  Set a STATIC IP address for the pfSense box to 192.168.99.2
                            6.  Saved and applied settings in pfSense.

                            Now...  My network behind pfSense is still fully functional.  I can ssh into the pfSense box, go to shell and ping 192.168.X.1 (1, 2, 3 & 4).

                            I can ping 192.168.99.1 (Tomato/MLPPP).

                            But that is as far as I can go.  I tried to ping the IP 8.8.8.8 and it would not work.  I believe this is Google?  Anyway...  It seems that pfSense can ping as far as the Tomato router but not outside of it.

                            Any suggestions?

JoelC707

                              So you can SSH in from the outside all the way to the pfsense box and can ping the Tomato LAN side from inside your network but you basically can't surf? Do you have a default gateway configured on pfsense (should be 192.168.99.1)? If not that's your problem. It sounds like the routing in Tomato is working correctly but I'm looking into it just in case it isn't.

jim.thornton

                                Sorry I guess that is a mis-communication on my part.

                                Right now I can have two setups:

Setup 1:  Hard-wired into my switch which is routed through pfSense.  My pfSense is configured to STATIC IPs.  I have assigned an IP address of 192.168.1.200 to my laptop.  The other subnets are for the other VMs which are currently shut down (ie. Zimbra & Trixbox)

                                Setup 2:  I can use my iPhone (tethered) to obtain an IP address from the "outside" to try and connect into my network.

                                SETUP # 1:
                                When I'm hard-wired in under setup #1 I have the IP address of 192.168.1.200 and I can login to the pfSense router.  I can ping 192.168.1.1 without a problem.  When I go to the browser and try that IP it brings me to the pfSense router.  However, from my laptop under this setting, I cannot ping the other subnets on my network anymore (2, 3 & 4).

                                Under this setup I can ssh into 192.168.1.1:22 and use my pfSense login/password and get to the commandline menu.  From there I select option #8 and go into the shell.  From the pfSense box, I'm able to ping ALL the subnets that are configured in pfSense.  I tried pinging 192.168.99.1 (Tomato Router) and I can successfully do that too.  However, I can't get "outside" of my modem.

                                SETUP # 2:
                                When I'm tethered through my iPhone (Setup 2), I get a completely different IP address and try pinging my modem (static IP provided by TekSavvy) and I get no response.  Even though I have turned on the remote access.  In addition, I tried to wirelessly connect to the Tomato router but because it is /30 I am not getting a valid IP address (I think that is the reason why anyway).

                                My next step is that I'm going to take my laptop down to the Tomato router and unplug the switch from LAN Port #1 and try connecting to it through my laptop.  Maybe, I'll be able to login to the Tomato router and test to see if the MLPPP is logging in correctly and connecting to the internet.

JoelC707

                                  Definitely verify with your laptop connected to the Tomato router you are getting access. You will need to re-enable NAT and the firewall else you will have to configure a static route. The fact you can't ping the Tomato router from outside with a tethered connection is worrisome. That indicates Tomato is still firewalling the connection (or NAT is still on), or the DSL circuit isn't connected for some reason. Skip ping for now, Tomato could be ignoring it. With your tethered connection can you access the web interface for Tomato from the outside?

For setup 1 that makes sense. You are getting to the pfsense box like you should be. You said the other subnets are VMs on ESXi that are shut down right now so unless pfsense has an IP or ESXi has an IP in one of those additional subnets I wouldn't expect you to be able to ping them. And depending on how pfsense is setup to handle traffic between the subnets you might need a firewall rule in place to allow communication if pfsense is acting as the router (which it should be).

JoelC707

                                    Wow, how did I miss this? I looked at your route table again, you have no route going OUT, no route on the WAN interface to send internet traffic to Teksavvy. Either you have an issue with the connection or Tomato isn't building the routing table correctly (that route should automatically be added by the PPPoE session if I'm not mistaken).

jim.thornton

                                      Okay…  Just got back upstairs.

                                      I successfully connected to the Tomato router.  I unplugged the cable connecting the pfSense box (cable going to the switch) and put a cable connecting Port # 1 on the Tomato router to my laptop.  I created a Static IP in my laptop as 192.168.99.2 and was able to ping 192.168.99.1 and I was also able to successfully login via the web interface (locally, not tethered).

                                      When I logged into the Tomato router it showed that the PPPoE MLPPP connection had been established.

                                      I turned on the sshd from within Tomato and logged into the Tomato router via Putty at 192.168.99.1:22.  From within the Tomato shell I was able to ping outside 8.8.8.8.  I then tested to make sure that the DNS was working and successfully pinged www.google.ca

                                      I kept everything connected and went into the command line of my laptop and tried pinging 8.8.8.8 and it wouldn't work.  I could successfully ping 192.168.99.1 (Tomato) but not past that point.

                                      I just tried pinging the Tomato router from the outside again and it worked!  I was able to remotely login to the Tomato router.  Now, all I have to do is see if it is working from the wired network.

                                      From the wired network on my laptop:

                                      192.168.4.1 ->  pfsense - I can login no problem
                                      192.168.4.1 ->  putty - from within shell of pfsense - I can ping 192.168.99.1 (Tomato router) and all other subnets
                                      192.168.1.1 ->  default gateway for LAN and when I go there I also get pfSense
                                      192.168.99.1 ->  I can ping here, but for some reason when I go there I get the pfSense login screen and not the Tomato login screen.

I CANNOT get past the Tomato router from the inside out.

                                      So, it seems that Tomato is correctly establishing an internet PPPoE w/ MLPPP connection.  I've got Tomato running on a specific port for remote connections, and pfSense running on another port.  When I put in the port for pfSense, I get timed out.

                                      It seems to me that Tomato is blocking access in and out.

[Attachments: tomato.jpg, pfsense.jpg]

jim.thornton

                                        I've posted a new screenshot for Tomato.  The original screenshot was from when I was just configuring it without the PPPoE connected.  This one is from the current setup as explained.

JoelC707

                                          Good, you have connectivity then. It also looks like it has correctly built the routing table. As I said unless you re-enable NAT/firewall on Tomato you won't get online even from the laptop connected directly to it. It needs NAT somewhere to translate.

                                          It sounds like RIP isn't configuring the routes like it should, or pfsense isn't running RIP. You will need to configure a static route in Tomato. Leave NAT/firewall in Tomato off and connect pfsense back to Tomato LAN side. Go to the static routing section of Tomato and add a route for each of your four LAN networks behind pfsense.

                                          In your screenshot you have a few fields to fill out for each static route. Destination, Gateway, Subnet, Metric and Interface.

                                          For destination put in 192.168.1.0 (and subsequently 2.0, 3.0 and 4.0), gateway is always going to be 192.168.99.2, subnet is always going to be 255.255.255.0 assuming each of them is a full class C, metric should be 1 IIRC but if that doesn't work try 0, Interface will be LAN.

To break that down for each one it will be as follows:
Destination    Gateway         Subnet           Metric  Interface
192.168.1.0    192.168.99.2    255.255.255.0    1       LAN
192.168.2.0    192.168.99.2    255.255.255.0    1       LAN
192.168.3.0    192.168.99.2    255.255.255.0    1       LAN
192.168.4.0    192.168.99.2    255.255.255.0    1       LAN

                                          Try that and let me know if it works.

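To make the static-route advice concrete, both the four routes listed here and the earlier reply about the destination/subnet/gateway fields, here is an added Python model of Tomato's routing table (an editor-added example, not code from the thread, from Tomato or from pfSense; the route entries are constructed from the values in the thread). It does longest-prefix-match lookups to show which route carries return traffic for a LAN host such as 192.168.1.200, why 8.8.8.8 needs the default route that the PPPoE session installs (the "no route going OUT" observation earlier in the thread), and flags the case the reply warns about: a private source address leaving the PPP interface with no NAT applied anywhere. The interface name "ppp0" and the function names are my own assumptions.

```python
import ipaddress

# Constructed routing table modelled on the Tomato entries discussed in the thread (not a real dump).
# Each entry: (destination network, next-hop gateway or None if directly connected, interface)
ROUTES = [
    ("192.168.1.0/24", "192.168.99.2", "LAN"),   # LAN networks behind pfSense, reached via its WAN address
    ("192.168.2.0/24", "192.168.99.2", "LAN"),
    ("192.168.3.0/24", "192.168.99.2", "LAN"),
    ("192.168.4.0/24", "192.168.99.2", "LAN"),
    ("192.168.99.0/30", None, "LAN"),            # the point-to-point link to pfSense, directly connected
    ("0.0.0.0/0", None, "ppp0"),                 # default route installed by the PPPoE/MLPPP session
]

# RFC 1918 ranges: a packet with one of these as source cannot get a reply from the Internet untranslated.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: among routes whose destination contains dst, the most specific wins.

    Returns {"route", "via", "iface"} or None when no route matches (no default route present).
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, gw, iface in routes:
        net = ipaddress.ip_network(dest)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    net, gw, iface = best
    return {"route": str(net), "via": gw, "iface": iface}


def needs_nat(src, egress_iface, wan_iface="ppp0"):
    """True when a private source address would leave the WAN interface untranslated.

    That is the failure the reply describes: the packet goes out, but no reply can come back.
    """
    a = ipaddress.ip_address(src)
    return egress_iface == wan_iface and any(a in n for n in RFC1918)


if __name__ == "__main__":
    # Constructed sample lookups using addresses from the thread.
    for dst in ("192.168.1.200", "192.168.99.2", "8.8.8.8"):
        r = lookup(dst)
        egress = r["iface"] if r else None
        print(f"{dst:15} -> {r}  NAT needed: {needs_nat(dst if dst.startswith('192.168.') else '0.0.0.0', egress) if r else 'n/a'}")
    # Table without the default route: Internet destinations have nowhere to go.
    print("8.8.8.8 without default route ->", lookup("8.8.8.8", ROUTES[:-1]))
```

Two things the table makes visible: the four /24 routes only matter for traffic coming back toward pfSense (the LAN hosts are never directly connected to Tomato), and even with every route in place a 192.168.x.x source still has to be translated before it crosses ppp0, which is why turning NAT off on Tomato without a public address on pfSense leaves the LAN unable to reach the Internet.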
jim.thornton

                                            Okay…  Still not working.  I did figure out that a week or so ago I setup a temporary VM under the 192.168.99.x subnet that I was testing with.  So, I have changed the Tomato IP to 192.168.199.1 and the pfSense to 192.168.199.2 and have updated all those routes you gave me to use pfSense 192.168.199.2 as the gateway.

                                            Question:  In order to use 1.0, 2.0, 3.0 and 4.0 in the routing table and tell Tomato to use 192.168.199.2 as the gateway, doesn't the gateway have to actually be accessible to/from the internet?

                                            I have taken some screenshots of my pfSense and Tomato setups.  I'm not sure what to do from here.

                                            I think that the firewall rules on the Tomato router are correct.  I haven't changed anything on the pfSense router other than the STATIC IP address of the pfSense box to 192.168.199.2.

Any ideas?  Same situation.  I can access the Tomato router from the tethered connection, I can access the pfSense router from within the LAN, but I cannot access pfSense from the tethered connection and I cannot access Tomato from within the LAN.  I can ping the Tomato router from within the pfSense shell (192.168.199.1 - is pingable).  I changed the subnet from 255.255.255.252 to 255.255.255.0 to test if the wireless internet was accessible, and it was.  Therefore, if connected wirelessly to the Tomato Router, I can get full access to the internet.  However, for some reason the pfSense box is not accessing the internet.  I have set the default gateway on the pfSense box to 192.168.199.1

                                            Here are the screenshots:

[Attachments: tomato-routing-table.jpg, tomato-firwall.jpg, tomato-port-forwarding-overview.jpg, tomato-port-forwarding-basic.jpg, pfsense.jpg]

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.