[SOLVED] Configuring pfSense behind Actiontec Router



  • I've been working on the issue below for the past several days and am hoping some of the good people here would be willing to shed some light on the solution for me.  I have FiOS and I'm trying to configure a pfSense box behind my Actiontec router (ONT->Verizon Actiontec->pfSense) to handle VPN connections and the associated processing.  I wanted to do this because not all of the devices in my network need to be connected to the VPN at all times whereas some do.

    I'm was thinking that this could occur in three phases:
    -Configure pfSense router behind Actiontec so that clients connect to pfSense router can access the internet.
    -Configure Private Internet Access with OpenVPN on pfSense router.
    -Add USB WiFi to pfSense router to connect clients wirelessly.

    Currently I'm struggling with the first phase.  I have TV service so I need to use the Actiontec for VOD, on screen guide, etc.
    I've read many posts and installation guides that I've found by searching the internet and this forum and tried many of the suggestions all to no avail.

    Here is where I am currently.  The IP address of the Actiontec is 192.168.1.1/24.  I've read that the LAN & WAN addresses must be in different subnets so I configured a static IP in the Actiontec (192.168.1.12), put this address in the DMZ (I had luck putting an address in the DMZ when I was using a secondary router running DDWRT) and assigned it to the WAN and the LAN interface as 192.168.10.1/24 which I think is a different network (I think this takes care of the different subnets requirement for the LAN and WAN?)  I've tried several different combinations of LAN & WAN addresses and still can't connect to the internet through the pfSense router.  Also, everytime I change the LAN address I can't access the webConfigurator.  If I reset pfSense to the default configuration I can access the webConfigurator but when I make any changes and click apply I can no longer access the webConfigurator.

    I took a basic networking class some 5 years ago and remember just enought to get myself into trouble.  I genuinely appreciate your time and any suggestions or help offered.  Please do bring any incorrect information to my attention as I'm here to learn and hopefully one day contribute.



  • Update.  I found a how-to on Hackology titled "Pfsense behind a router" so I reset my pfSense router to its default configuration and went through the following steps.

    FiOS Router Address: 192.168.1.1/24

    Assigned IPs to Interfaces
    LAN IP: 192.168.2.1/24
    Gateway: 192.168.2.1
    Enable DHCP
    IPRange: 192.168.2.50 to 192.168.2.100

    WAN IP: 192.168.1.12/24 (static IP in DMZ)
    Gateway: 192.168.1.1

    Accessed webConfigurator (connected laptop to LAN via Ethernet)
    DNS1: 8.8.8.8
    DNS2: 8.8.4.4
    Allow router to override DNS
    Allow 192/172/10 addresses
    Set the web gui password

    Configure FiOS Router (I'm not positive about these.  I googled directions on how to do this)
    Created rule to route: 192.168.2.0 255.255.255.0 192.168.1.12
    Created firewall rule:
    Ports: 1-65534
    Protocol: ALL
    Destination: 192.168.1.12

    One thing I noticed is that while I'm connected to the LAN via Ethernet, the icon in my system tray which indicates if I'm connected to a network goes red x (not connected) -> spinning circle (identifying) -> yellow exclamation (connected no internet) and then the connection is lost after some random amount of time and then it goes through the whole sequence again.  I tried configuring the other three ports on the LAN and I couldn't get any of them to configure.  This along with the inability to get an IP address assigned to my laptop is leading me to believe that the 4 port card in this router is bad.  I don't have another card of this type to swap and I don't know if a single port NIC from a PC would work.

    With this configuration I was able to successfully ping 192.168.1.1 but could not ping any other address.



  • I have setup similar to yours. On your Actiontec, you only need to ensure the pfsense WAN port has a static IP reservation and this IP address is configured as the DMZ host IP address. It sounds like you've done that using 192.168.1.12. No static routes are needed, so you can remove the rule you created.

    Ensure your pfsense LAN interface is configured with a separate network, I'd recommend 10.0.0.0/24 as an example to easily differentiate what's inside and outside of your firewall. Your pfsense WAN interface will show as DHCP, but your Actiontec will always renew the lease with the same address since it's reserved.

    Make sure the DCHP server is running on your pfsense LAN interface to hand out addresses to clients. Note that the "LAN" ports on your Actiontec will pick up a 192.168.1.0/24 address since they're external to your pfsense firewall, so you'll need a switch or wireless interface (as you mentioned) on your pfsense LAN to connect multiple clients.



  • Thank you for the response.

    I deleted the static routing rule in the Actiontec firewall.  I left the IP addresses as is and made sure DHCP was running on the LAN interface and that the address assigned from the Actiontec router to the pfSense WAN was static.  When I connected to the pfsense LAN via Ethernet and ran ipconfig /all I noticed that the IP address assigned to my laptop was 169.254.217.138/16.  This seems odd to me as the address range I entered when I configured the IP LAN was 192.168.2.50 to 192.168.2.100 and I thought only addresses in this range would be assigned to devices connected to the LAN.  I was unable to connect to the webConfigurator by entering 192.168.2.1.

    I swapped out the Ethernet cable and tried another port and it corrected the issue of not getting an IP address as I mentioned previously.  From the pfSense console I could ping 192.168.1.1 and 192.168.1.12 but when I tried 74.125.224.72 (Google) I received "No route to host."

    I appreciate your taking the time to respond.  Thank you again.



  • The 169.254.0.0/16 address are used by Microsoft and other vendors when DHCP isn't available or has failed. Sometimes the client device has to be rebooted or the network interface has to be reset after the DHCP server comes online. Moving from one port to another seems to have worked for you.

    Can you ping 192.168.2.1 (the pfsense router LAN IP address) from a client connected directly to the LAN port of your pfsense router (e.g. IP address of 192.168.2.50)?



  • Thank you for clarifying the issue about the strange IP address.  Sorry I forgot to mention that I had tried to ping from the client attached to the pfsense LAN the following IP addresses: 192.168.1.1, 192.168.2.1, and 192.168.1.12.  They all returned 100% packet loss.



  • Until you can successfully ping the pfsense router LAN interface, pinging addresses beyond the router is going to fail as well, so I suggest focusing on reaching 192.168.2.1 for now.

    I'm assuming you're using a client with a Windows OS, is this correct? What is the IP address and gateway given to the client via DHCP? Are the interfaces on the pfsense router and the client fast ethernet or gigabit? If they're both fast ethernet, you'll need a roll-over cable. If one or both are gigabit, then a straight-thru cable should be okay (this is one of the enhancements of the gigabit ethernet spec).



  • Yes, my laptop is Win7.  I know the interface on my laptop is fast Ethernet and I'm pretty sure the quad port card in the router is fast Ethernet also.  I never thought about the roll-over cable as I had been able to access the webConfigurator using just a normal Ethernet cable.  I'm assuming that a "roll-over" cable is the same as a "crossover" cable and I'll pick one up tomorrow and try it.

    I connected my laptop to the pfsense LAN again just to make sure and once the icon in the system tray showed the yellow exclamation point I ran ipconfig /all and got Autoconfiguration IPv4 Address: 169.254.0.0, Subnet: 255.255.0.0 and no default gateway.



  • Yes, unless you're connecting through a switch or hub, then there's good chance you'll need a roll-over/cross-over cable (yes, they're the same thing). If you're back to the 169.254 address space, then something's definitely not working correctly.

    You may want to try assigning a static IP address to your laptop, for example 192.168.2.5 (mask 255.255.255.0), and see if that enables you to ping the LAN interface of pfsense router. If not, then it could be hardware problem, either with the cable or one of the interfaces. Is the quad-port card in the router an expansion card? Perhaps try re-seating it?



  • Progress.  I bought a crossover cable and tried it with the quad-port card in the router and experienced the same problems as before.  I then swapped out the quad-port card with a single-port NIC from another machine I knew worked and I'll be but I had zero problems accessing webConfigurator and both the LAN & WAN interfaces show status as up.

    I ran ipconfig from the command line on my laptop and had IP address 192.168.2.50, Subnet 255.255.255.0, Gateway 192.168.2.1, and DNS 192.168.2.1.  I could successfully ping both the LAN (192.168.2.1) and WAN (192.168.1.12) from the laptop but when I tried to ping 192.168.1.1 (Actiontec) router I received "Request Timed Out."

    Now that I can get an IP address assigned to a client and access webConfigurator, how do I get out of the pfSense router and onto the internet?  I remember reading something like pfSense blocks connections on the WAN interface by default.  I may be wrong on that but if not is that the case?

    Thank you again for all you help.  There was essentially zero probability of me figuring this out in any reasonable amount of time on my own.



  • Success.  I searched the forum and found a post on the same issue and the recommendation was to delete the LAN Gateway which I did.  I rebooted pfSense and can now connect to the internet.

    Many kudos to trunix for the help.

    Onto the VPN setup.



  • There is a much more difficult way to get it to work so that pfsense is the main connection instead of setting up pfsense as a DMZ host IP on the actiontek.  You have to reconfigure the bridging on the actiontek.  I have been using a similar setup for about 8 years to the article below.  This is much more complicated and requires you to re-enable the Broadband Connection Ethernet port if it looses power.  The advantage is that connections do not go through the actiontek NATing so you are not double NATing and then restricted by the Actiontek NATing limits.

    http://www.dslreports.com/forum/r17679150-Howto-make-ActionTec-MI424WR-a-network-bridge

    You basically reconfigure the Actiontek so that the LAN becomes the WAN and setup a static private IP to manage it (Ethernet bridged to Broadband Connection Coax)  and then setup the Ethernet WAN port to function as the LAN for the actiontek and the coax DVRs (Coax bridged to the Broadband Connection Ethernet) which you plug into the LAN of your pfsense so that the DVRs can get a DHCP lease and connectivity.  The Broadband Connection Ethernet is usually disabled and requires manually enabling it after every power up.  As long as you put a UPS on it you rarely need to re-enable it.  If the router looses power or reboots you have to connect a PC up to the LAN of the actiontek which is really the WAN now to login to the static IP you gave it to re-enable the Broadband Connection Ethernet port.



  • Or could configure pfSense to spoof the Actiontec MAC and impersonate the DHCP client request.  Configure both routers to service only specific ports for the services served by each and drop all others.  And connect them to the WAN in parallel.

    I did this for a while with Verizon FiOS.  But my current ISP setup provides 2 DHCP addresses.  So one for their TV equipment and services and one for my pfSense network for the computers.

    http://www.dslreports.com/faq/16949



  • The easiest solution for this kind of scenario is to simply put the Actiontec router behind pfSense.  Simply configure the Actiontec's WAN port to aquire and address automatically (if it isn't set up that way already) and connect the WAN port to the general network.  This way the Actiontec will have the internet access it needs to get the channel information and there will be no double NAT'ing with pfSense since it will have a direct connection to the internet.  The worst that will happen is that if you have a dynamic  address from FiOS, it will take a while for them to accept your new MAC or you may have to call them to have them release it.



  • Thank you for the suggestions

    @adam65535, I read about that configuration on dlsreports.com but felt it was a little too complicated for me and I was concerned that it wouldn't survive a reboot.  I didn't want to get irate phone calls from my wife if the power flickered and she couldn't get online.

    @NOYB, is MAC spoofing as simple s copying the Actiontec's MAC address into the appropriate field in pfSense?  It seemed too easy hence my uneasyness.

    @Swordforthelord, putting the Actiontec after pfSense would have been my first choice except that my ONT is connected via coax and I would have to call VZ to have them roll a truck to run ethernet and activate it.  I've heard mixed things about VZ's willingness to activate that port for people who run their own ethernet.



  • Spoofing the MAC is that easy.  But to run them in parallel pfSense DCHP client must also be configured to impersonate the Actiontec DHCP request.  This is the more difficult part of the setup.  But should become much easier with the addition of DHCP advanced options in release 2.2.

    Think I've made some posts in one of these forums a few years ago with details of impersonating the Verizon FiOS Actiontec MI424-WR.



  • NYOB's post about impersonating the actiontec: https://forum.pfsense.org/index.php?topic=39963.0


Log in to reply