Static IP WAN will not come up unless reboot pfSense



  • Hi all,

    I've been having some trouble with pfSense + Comcast biz class with static IPs.  I had a Netgear modem and they just replaced it with an SMC - already experienced the same issue.  I've searched for some time - the closest thing I can find is an issue with DHCP connections with pfSense + Comcast.  I have 13 static IPs.

    If Comcast service goes down (been a regular occurrence lately) I cannot access the net via pfSense after it comes up.  There is another router directly attached to my modem and it comes up right away.  From the LAN side I cannot ping the modem until I do a reboot of pfSense.

    pfSense logs show the interface Link Up message, and something about ignoring it because it's not a DHCP interface.

    When we replaced the modem today, I was able to jump online from a SOHO Dlink router right away. I just realized that router is set to get a private DHCP address from the modem, NOT a static public IP like pfSense does.

    Any ideas?

    Aaron



  • Some thoughts and suggestions, as I have pfsense installs on MANY Comcast business line setups:

    1. Have you configured your pfsense's WAN address with one of the provided public ip's or are you using one of the default 10.1.10.x ip's and using 10.1.10.1 as your WAN gateway?

    2. When your Comcast service goes out and comes back up, can you at least ping the 10.1.10.1 ip address (this is assuming you haven't changed the default Comcast ip settings of the 10.1.10.x range).

    3. Could your D-Link router that is also connected to the Comcast cable modem/router be causing the issues?  Can you disconnect that for the time being and see if you can replicate the issues?

    4. Have you been able to access your additional ip address from your setup using ProxyARP or CARP via your pfsense setup?

    One thing to note is that you mention the D-Link works immediately via it grabbing an internal, private ip address.  This is most likely the 10.1.10.x ip I mentioned above.  In this setup, you are running a double-NAT system.  As well, I am sure you're aware of how Comcast lists its available ip address for you first, and the last one is what you use for your gateway.  The example I'll draw up is:

    If your CIDR block of ip's from Comcast was:  70.88.115.16/28

    70.88.115.17 - First usable ip address
    70.88.115.18 - additional ip address
    70.88.115.19 - additional ip address
    70.88.115.20 - additional ip address
    70.88.115.21 - additional ip address
    70.88.115.22 - additional ip address
    70.88.115.23 - additional ip address
    70.88.115.24 - additional ip address
    70.88.115.25 - additional ip address
    70.88.115.26 - additional ip address
    70.88.115.27 - additional ip address
    70.88.115.28 - additional ip address
    70.88.115.29 - additional ip address

    70.88.115.30 - gateway to be used for your WAN setup

    70.88.115.30 is also what your ip address would show up as when surfing the Internet behind the D-Link router performing the double-NAT.  I know some of what I wrote is (hopefully) obvious but I just wanted to make sure you followed, as Comcast does their setup slightly differently.  Is it safe to assume that when you had the Netgear router, you were using it as their residential service with the dynamic ip?  If so, what is the same white colored router that also has wireless service built into it?

    Let us know….
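    As an added illustration of the block layout Razor describes (example code written for this thread, not from the poster or from the pfSense project): it splits an IPv4 block into the customer's assignable addresses and the gateway, and checks a pfSense static WAN setting against that layout. The block and address values come from the example above; the consistency checks themselves are an assumption about what a correct static WAN setting looks like.

```python
import ipaddress


def comcast_block_layout(cidr: str) -> dict:
    """Split a Comcast business static block the way Razor lays it out:
    first usable address through the second-to-last are the customer's
    assignable IPs, and the last usable address is the WAN gateway.
    Assumption: IPv4 block; network and broadcast addresses are excluded."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    if len(hosts) < 2:
        raise ValueError(f"{cidr} has no room for a gateway plus a customer IP")
    assignable = hosts[:-1]
    return {
        "network": str(net),
        "first_usable": str(assignable[0]),
        "assignable": [str(ip) for ip in assignable],
        "gateway": str(hosts[-1]),
    }


def check_wan_config(cidr: str, wan_ip: str, wan_gateway: str, wan_prefixlen: int) -> list:
    """Return the problems found in a pfSense static WAN setting for this block.
    An empty list means IP, mask and gateway are all consistent with the block."""
    layout = comcast_block_layout(cidr)
    net = ipaddress.ip_network(cidr, strict=True)
    ip = ipaddress.ip_address(wan_ip)
    problems = []
    if ip not in net:
        problems.append(f"WAN IP {wan_ip} is outside the assigned block {cidr}")
    elif str(ip) == layout["gateway"]:
        problems.append(f"WAN IP {wan_ip} is the gateway address; use an assignable IP")
    elif str(ip) not in layout["assignable"]:
        problems.append(f"WAN IP {wan_ip} is the network or broadcast address")
    if wan_gateway != layout["gateway"]:
        problems.append(f"WAN gateway {wan_gateway} should be {layout['gateway']}")
    if wan_prefixlen != net.prefixlen:
        problems.append(f"WAN mask /{wan_prefixlen} should be /{net.prefixlen}")
    return problems


if __name__ == "__main__":
    # Razor's example block: 13 assignable addresses, .30 as the gateway
    layout = comcast_block_layout("70.88.115.16/28")
    print(layout["first_usable"], "...", layout["assignable"][-1], "gateway", layout["gateway"])
    print(check_wan_config("70.88.115.16/28", "70.88.115.29", "70.88.115.30", 28))
```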



  • Hi Razor, thanks so much for trying to help:

    1. Have you configured your pfsense's WAN address with one of the provided public ip's or are you using one of the default 10.1.10.x ip's and using 10.1.10.1 as your WAN gateway?

    pfSense has a WAN address (the highest numbered IP in my block)

    2. When your Comcast service goes out and comes back up, can you at least ping the 10.1.10.1 ip address (this is assuming you haven't changed the default Comcast ip settings of the 10.1.10.x range).

    The last occurrence with the SMC modem: no, I could not ping the modem on 10.1.10.1

    3. Could your D-Link router that is also connected to the Comcast cable modem/router be causing the issues?  Can you disconnect that for the time being and see if you can replicate the issues?

    I doubt it, is there any logical reason it may be causing the problem?  It is doing double NAT.  I cannot disconnect it unless I can figure out how to allow net access to those other devices thru the pf opt1 interface.  (I haven't tried just because that network can't be messed with.)  I would appreciate the exact settings I would need to do that.

    4. Have you been able to access your additional ip address from your setup using ProxyARP or CARP via your pfsense setup?

    I have been able to access my other public IPs - using Virtual IPs and 1:1 NAT.  I haven't quite figured out proxyARP and CARP.

    One thing to note is that you mention the D-Link works immediately via it grabbing an internal, private ip address.  This is most likely the 10.1.10.x ip I mentioned above.  In this setup, you are running a double-NAT system.

    Yup, it's running double NAT.  It is OKAY for the time being.  I'd like to set that network on the OPT1 intf and give it a public IP as stated above.

    As well, I am sure you're aware of how Comcast lists its available ip address for you first, and the last one is what you use for your gateway.  The example I'll draw up is:

    If your CIDR block of ip's from Comcast was:  70.88.115.16/28

    70.88.115.17 - First usable ip address
    ….
    70.88.115.30 is also what your ip address would show up as when surfing the Internet behind the D-Link router performing the double-NAT.  I know some of what I wrote is (hopefully) obvious but I just wanted to make sure you followed and as Comcast does their setup slightly differently.

    That is correct, the last IP is showing as the public IP for the D-Link.

    Is it safe to assume that when you had the Netgear router, you were using it as their residential service with the dynamic ip?  If so, what is the same white colored router that also has wireless service built into it?

    Nope, The Netgear modem was for biz class on static.  We replaced the netgear cuz it kept locking up and in hopes that it would solve this pfSense WAN issue.

    Thanks for your help and input!
    Aaron



  • I guess I am thinking I may want to try and let pfSense use a DHCP (10.1.10.x) address?  But then how do the public IPs work?  Ugg..

    Aaron



  • Thanks for the feedback Aaron.  This is weird that you're experiencing the issues you've mentioned.  Also good to see you have been able to use the virtual ip settings with 1:1 NAT.  Note that you have to define the ProxyARP settings via the Virtual IP page, so in essence, you have been using that feature ;)

    If you'd like to have the pfsense perform double-nat, you can still access your public ip's.  I have done it several times and it should still work with the newer SMC modems that Comcast is using.  Here's how…

    Give your pfsense WAN nic an ip of 10.1.10.100/24 with a gateway of 10.1.10.1 with your LAN subnet being different.

    Test to make sure you can get online, then log onto your SMC router page by entering in http://10.1.10.1 in your web browser.  Log in with the username/password combination of:

    username:  cusadmin
    password:  highspeed

    Once logged in, on the left-hand side, click on Firewall, then click on DMZ in the top-middle part of the page.  The DMZ listing will be on the left-hand side if you are running the older SMC style router Comcast used to provide.  Once there, enable the check-box for the DMZ host and enter in 10.1.10.100 (or whatever you end up using for your WAN address of your pfsense box) and hit apply.

    With this in place, your pfsense will control what you want to get through.  Now here's the cool part, pfsense should still be able to control all of your Virtual IP, ProxyARP and 1:1 NAT settings you entered.  To test it out, give it a shot and see if your ip on the given machine works as it did before.  In this effect, you've converted to a DMZ'd double-NAT setup for your pfsense that will hopefully resolve your issues.

    Good luck and enjoy! :)



  • Thanks razor, once again!

    What you are suggesting seems like a decent solution, but makes things pretty difficult (read: beyond my abilities) for other parts of my network.  Is there no way the modem can distribute public IPs via DHCP (static mappings of course)? According to Comcast there isn't, but why not? I think that would be the ideal solution.

    My gut feeling thinks that the modem wants some sort of communication to establish whether the connection will be DHCP or else a bridged static IP.  The pfSense log is seeing the "link up" message on the WAN port when it comes up, but it is not taking any action as it is not a DHCP interface (on the pf side).  Perhaps there needs to be some sort of communication from pf when that link does come up?

    Regards,
    Aaron

