BT Infinity FTTC, PPPoE Static IPs
-
Hi Guys,
I know this has been discussed before and I have read all the threads but for the life of me I cannot get this working.
We signed up for the BT Infinity 80/20 service and we have a pf 2.0.1 box purring away doing our LAN and VPN.
I got rid of the businesshub, and through other threads connected Openreach vDSL modem directly to the pfsense WAN port, and configured PPPoE which works perfectly.
Next, I needed to add our static IPs as I believe BT supply a dynamic IP for the main network and route your /29 static range do this dynamic IP.
Our welcome email stated:
You’ve ordered a range of Static IP addresses, which contains 8 addresses from XX.XX.XX.65 to XX.XX.XX.69. Three of these are reserved:
network address: XX.XX.XX.64
router/Hub address: XX.XX.XX.70So that would leave me with a usable range of .65 - .69 (although, I am unsure why I can't use .70 as well).
I have added these IPs, with corresponding NAT rules as "Other" and "IP Alias" with no luck. I basically want to use one of those as the default outbound NAT, but none of the IPs work.
I tried rebooting the box and the modem many times, and I have added routes for each static IP to the gateway the PPPoE connection generates, no luck.
Am I missing something quite simple here?
Thanks in advance.
-
After reading your description a couple of times I get the impression that BT have configured their gear so that IP packets with destination IP address xx.xx.xx.64/29 are delivered to your dynamic IP address.
For the sake of illustration (you haven't provided details of your "local" network), lets assume you have three systems on your pfSense LAN interface and you want all of them to have public IP addresses. Then these three systems and the pfSense LAN interface can all be assigned IP addresses on the xx.xx.xx.64/29 network and you don't need NAT or IP alias or static routes.
Maybe you have a good reason to want to use NAT, IP Alias and static routes but, on the information you have provided, I can't see a good reason for them.
I have added these IPs, with corresponding NAT rules as "Other" and "IP Alias" with no luck. I basically want to use one of those as the default outbound NAT, but none of the IPs work.
Why do you want to use one of the IPs as the default outbound NAT?
Please provide more detail than "none of the IPs work": for example, complete "I did … and I saw ... but I expected to see ...".
-
After reading your description a couple of times I get the impression that BT have configured their gear so that IP packets with destination IP address xx.xx.xx.64/29 are delivered to your dynamic IP address.
For the sake of illustration (you haven't provided details of your "local" network), lets assume you have three systems on your pfSense LAN interface and you want all of them to have public IP addresses. Then these three systems and the pfSense LAN interface can all be assigned IP addresses on the xx.xx.xx.64/29 network and you don't need NAT or IP alias or static routes.
Maybe you have a good reason to want to use NAT, IP Alias and static routes but, on the information you have provided, I can't see a good reason for them.
I have added these IPs, with corresponding NAT rules as "Other" and "IP Alias" with no luck. I basically want to use one of those as the default outbound NAT, but none of the IPs work.
Why do you want to use one of the IPs as the default outbound NAT?
Please provide more detail than "none of the IPs work": for example, complete "I did … and I saw ... but I expected to see ...".
Thank you for getting back to me, I agree and believe the /29 is routed to the dynamic address.
The local system is quite simple, we have two separate LANs, one for Workstations, one for Voice. Each has about 12 devices, with an internal IP, we also have a couple of servers on the workstation LAN (which will be moved to a separate LAN in time).
In terms of the inbound NAT, I would like to use NAT translation to map ports from one of the IPs to one of the servers.
In terms of outbound NAT which is more important, I would like all the workstations to use the same outbound IP address as they will be connecting to systems with ACLs, currently all outbound traffic shows as the dynamic IP meaning after each reboot of the pf box/modem we need to update our ACLs on the other side.
In terms of the IPs not working, once added they do not respond to ICMP requests from other sites (dynamic IP does, and the rules to allow ICMP are in place) and if I add a "catch all" outbound NAT rule we can't access the WAN.
Does that shed some more light? Thanks again.
-
I agree and believe the /29 is routed to the dynamic address.
The rest of this will depend upon that being the correct understanding of what should happen and that it is what does happend. I suggest you test this be starting a packet capture on the pfSense WAN interface and from a system with another internet connection (e.g. a mobile phone with Internet access) send a ping or ssh or telnet or web access etc to each of those "/29" addresses in turn: xx.xx.xx.65 through xx.xx.xx.71 and verify that access appears in the packet capture.
Packet capture will be your friend in this exercise because it will help you see what packets are actually received and sent and so help with debugging.
I haven't done any of what follows, but this is how I would proceed if I had to implement what I think you have described.
Out of your 6 public IP addresses I would put aside, for the time being, xx.xx.xx.67 and xx.xx.xx.68 and pick one of the remaining addresses to be used for access to the "server", define a firewall alias for the current IP address of the server (Firewall -> Aliases) then configure a port forward (Firewall -> NAT, Port Forward tab) on your WAN interface for that selected IP address to the alias. If you use the alias it will be easier to adapt the rules when you switch the server(s) to a separate subnet.
The above is fairly straight forward and familiar to me. So then I did some investigation for configuring outbound NAT for that server so that accesses to the internet appear to come FROM the IP address you used as the destination address in the port forward rule. I guessed it would be necessary to configure an outbound NAT rule to change the source address to the static IP address. The Outbound NAT page to create a new rule includes a Translation field which I guess is meant to give the IP address to replace the source address. It seems to be a requirement that this address be either the interface address or a IP alias address on the interface. So I created an IP address on my WAN interface, saved and applied. The Virtual IP address was written to the pfSense configuration file but didn't appear on my WAN interface (pppoe0).
I then tried through the ifconfig shell command to add an alias IP address to my PPPoE interface through and ran into a problem:```
$ ifconfig pppoe0 alias 8.8.7.7 netmask 0xfffffffc
$ ifconfig: ioctl (SIOCAIFADDR): Destination address required
$ ifconfig rl0_vlan10 alias 8.8.7.7 netmask 0xfffffffc
$ ifconfig rl0_vlan10
rl0_vlan10: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
ether 00:30:18:b0:50:fb
inet6 fe80::219:e0ff:fe68:314b%rl0_vlan10 prefixlen 64 scopeid 0x8
inet 192.168.1.2 netmask 0xfffffffc broadcast 192.168.1.3
inet 8.8.7.7 netmask 0xfffffffc broadcast 8.8.7.7
nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vlan: 10 parent interface: rl0
$</full-duplex></performnud,accept_rtadv></up,broadcast,running,simplex,multicast>Apparently the magic chant to create an IP alias address on a PPP interface (if this is even possible) is different from that required to create an IP alias address on a broadcast interface. I don't know if the pfSense GUI knows a different chant is required. That the attempt to create the alias address was accepted but apparently didn't work suggests to me the GUI might not be up to this task (if it is possible). I suspect if you are going to get very far with this in the short term it will be necessary to reconfigure your modem to handle the PPP itself so you can use a broadcast interface on pfSense to converse with the modem. Comment welcomed from others, especially pfSense developers.
-
This came up before and I remembered reading it but I could remember what the problem is.
You just nailed it though. In the previous question the user had a similar BT business package with a combination of static and dynamic IPs, as outlined above. This is a weird setup that BT uses presumably to make it easier to integrate with their standard home offerings. The previous poster was trying to add IP aliases and 1:1 NAT them to machines on his LAN but ran into the problem;you can't add IP aliases to a PPP connectionEdit:Not sure about this now. That was from memory because I can't find the post.Conversely this post suggests it should just work:
http://forum.pfsense.org/index.php/topic,17596.0.htmlSteve
Edit: Found the post, wasn't quite what I remembered: http://forum.pfsense.org/index.php/topic,47812.0.html
-
Conversely this post suggests it should just work:
http://forum.pfsense.org/index.php/topic,17596.0.htmlThat post says the dynamic IP is assigned by DHCP. This post says the dynamic IP is assigned by PPP:
@ehuk:configured PPPoE which works perfectly.
-
Ah, interesting. I read that more as a figure of speech than a defined connection method. As in simply not one of the static IPs. However I could be mistaken. He was not using a fibre connection though so it could easily be different. I was not aware that BT offered a dhcp assigned service for broadband at any time. Some LLU ISPs did though. I've been caught out by that before.
Steve