Need help with hardware setup please.
-
You know I've had issues like that too where the gateway was checked and triple checked but it wasn't till actually modifying it, or re-saving it that it stuck. If you can get online from Tomato on wireless then it is most likely running NAT (unless your laptop is getting a public IP which would be odd). If Tomato is running NAT you've got a problem because pfsense is running NAT as well. NAT by itself is bad for some apps but two NATs back to back is bad for almost everything except basic HTTP. From what I can gather changing the operating mode from Gateway to Router should disable NAT. Unless of course RIP is creating the necessary routes in place of NAT? Either way yes a separate AP behind pfsense would be ideal. Unfortunately I'm not sure if it's even possible to detect double NAT.
Regardless, I'm glad it's working finally.
-
Another issue has popped up which might be caused by the double NAT thing.
My OpenVPN session into my LAN is no longer working. It was working before I placed Tomato in front.
I just tried to go in and change it back to "Router" instead of "Gateway" but when I did, I lost connectivity again (both ways) to the internet. I was no longer able to get to Tomato via the tethered connection and I was no longer able to get to the internet from the LAN (or the Tomato router).
-
Correction.
With mode set to "Router" instead of gateway:
- Wireless connection: Can login to Tomato router, no internet
- Tomato ping: Tomato CAN ping 8.8.8.8 successfully.
- pfSense (within LAN): Cannot ping outside of the Tomato router
With mode set to "Gateway"
- Wireless connection: available.
- Tethered connection: Cannot connect to Tomato
- pfSense (within LAN): internet connectivity available
- OpenVPN: not available
-
Wait you set the mode to Gateway instead of Router to get online? That will definitely turn on NAT in Tomato. Sounds like there's still a bug to iron out. OpenVPN support may be flaky anyway due to pfsense not having a public IP, I'm not positive about that. Out of curiosity, what chance is there in getting a routed /30 subnet (or bigger if you want more addresses to play with) from Teksavvy? I know it's going to cost you money but if you swap the static IP for a routed /30 subnet it might work out price wise and it would make things more "kosher".
-
TekSavvy said they can do it almost instanteously. So it's not difficult at all.
I have the Static IP because at somepoint I'm going to be running some servers that are publicly available (work related). I thought it would be better to have a static IP instead of dynamic one using dynDNS or something.
Also, if I remember correctly, but I could be wrong with this, a Static IP was necessary for MLPPP to work.
I just on the phone with TekSavvy now to double check the Static IP thing and to order a /30 subnet.
What do I need to do now?
-
Just got off the phone with TekSavvy and they confirmed while the static IP is not required with the MLPPP it is basically free. MLPPP is $4 per month whether you get the dynamic IP or the static IP, so I took the static IP.
I just ordered a /30 subnet. He gave me two IP addresses. However, of the two, he said one was a broadcast IP address and the other was a usable IP address. I'm a little confused with that as I thought /30 meant you could have 2 IP addresses.
Anyway… I await your instructions on how to configure this.
-
Yeah for sure a static IP is best for servers. Then sometimes you get things like a DHCP based cable modem service and your IP won't change unless they rescope the DHCP server or you leave the modem off for a week or so. So MLPPP basically includes a static IP. Sounds like Bellsouth a few years ago. You could get a 3 Mbps tier or a 6 Mbps tier, the 6 included a static IP. You could add a static IP to the 3 tier but the cost was the same as just upgrading to 6. Guess what most everyone did lol.
What did you get from Teksavvy on the /30 block? A /30 is 4 addresses, starting at 0 you would have 0 as the "network" address, 1 and 2 as host addresses and 3 as the "broadcast" address. A /32 which would almost certainly not be used would give you only one host address (think loopback address). So in that case you would assign the x.x.x.1 address to the Tomato LAN side and the x.x.x.2 address to pfsense WAN side with pfsense's WAN gateway being x.x.x.1. You'll need to set Tomato back into Router mode to disable NAT and the firewall.
From what I'm seeing on that DSL Reports thread I linked you to, the Tomato WAN will get it's static IP as usual, you can use it for remotely configuring Tomato if you want, won't really need it for anything. Since pfsense will have a publicly routed IP it shouldn't have ANY problems with OpenVPN or anything. Also forcing a public IP on Tomato's LAN side should give it the hint that it doesn't need to go behind your back and do NAT or something when you've told it not to. I think the issue we were running into before was Tomato doing something funky because we had a private IP inbetween and technically it's not supposed to be in a route.
-
The rep at TekSavvy did say "first usable IP" but then only gave me one. I don't know if it is a security risk to post the IP at this time so I will just do this:
x.x.x.240 -> broadcast
x.x.x.241 -> first usable IP addressSo, if I understand correctly, the following should work?
Tomato WAN -> Will aquire the static IP like normal
Tomato LAN -> x.x.x.241 (first usable IP)
pfSense WAN - x.x.x.242I would then set the default gateway for the pfSense WAN to x.x.x.241 and change it back to Router mode.
Is this correct?
-
Usually /30 subnets go like this
x.x.x.240 network name, unusable
x.x.x.241 you can use it
x.x.x.242 gateway, this is isp's use
x.x.x.243 broadcast, unusableBut i might be wrong here also
-
With a properly functioning firewall it shouldn't be an issue to post your IP, of course DoS attempts on it can't be stopped by a firewall alone they require something like snort or the help of the ISP. So yeah just the last octet is fine. Yep first usable is what is the key there. Assign 241 to Tomato's LAN and 242 to pfsense's WAN, switch to Router mode on Tomato, reset pfsense's default gateway to 241 and you should be surfing.
-
Thanks so much for your help! Are you going to be around tomorrow evening? it is 12:40am right now where I am and I have to work tomorrow. Since my internet is working I can leave it as-is right now and pick up on it tomorrow night. However, if you are not going to be available tomorrow then I'll continue this evening.
-
Usually /30 subnets go like this
x.x.x.240 network name, unusable
x.x.x.241 you can use it
x.x.x.242 gateway, this is isp's use
x.x.x.243 broadcast, unusableBut i might be wrong here also
Correct in most cases. But since Teksavvy is apparently offering a separate routed subnet, this could be used for almost anything. It's odd to see routed subnets on a residential connection, but this is Teksavvy we are talking about, they thrive on doing things different like this, that's what I like about them. My experience with routed subnets has been on business grade DSL/Cable and a T1. In all those cases the actual WAN side would have a dynamic address that was basically unused. They would then give you the routed subnet, one address (usually specified out of the group like you said) would be the LAN side of the modem/router and the rest are for your use on whatever you wanted (firewall, server, etc).
If 241 on Tomato's LAN and 242 on pfsense's WAN doesn't work then swap them. What I read they don't assign anything to the LAN side, it's up to you to assign it and you should be able to assign it in whatever order you like (won't make any difference) but it's always worth a try if things don't work properly for some reason.
-
Yep, I'll be here. We're in the same time zone (I'm in Atlanta, GA) so the bed is calling me as well lol.
-
Thanks for sharing some knowledge, i don't have any info about this isp. We don't have that in here.
-
Yeah Teksavvy is a Canada company, Ontario and one other city IIRC (sad I can't remember it, maybe it's cause I'm tired lol)
I've got some reading for you that you might find interesting. Teksavvy users attempting to get MLPPP working on 2.0. http://www.dslreports.com/forum/r23826167-working-mlppp-in-pfsense-20 and http://forum.pfsense.org/index.php/topic,23094.0.html. Might be able to get rid of the Tomato in front and have pfsense directly connected to the modem.
-
Yeah Teksavvy is a Canada company, Ontario and one other city IIRC (sad I can't remember it, maybe it's cause I'm tired lol)
I've got some reading for you that you might find interesting. Teksavvy users attempting to get MLPPP working on 2.0. http://www.dslreports.com/forum/r23826167-working-mlppp-in-pfsense-20 and http://forum.pfsense.org/index.php/topic,23094.0.html. Might be able to get rid of the Tomato in front and have pfsense directly connected to the modem.
mlppp is already built into 2.0… There are several of us using it.
/interfaces_ppps.php
-
That's what I thought too and I mentioned it (at least I think I did) but nothing ever got brought up about it.
-
Its pretty much this easy…
-
How about SLPPP connections like he has? There wouldn't be a second interface to select to bond.
-
I believe you either make one up such as a VLAN or install a second interface that just goes unused…
Hopefully someone who knows for sure will chime in otherwise some experimentation may be in order...
