Interaction with modems



  • Hello,
    I have a pfsense box with dual wan.
    In each wan there is a modem and pfsense is configured so that on each wan it uses dhcp.
    The first modem connects to adsl using pppoe, the second using ipoa (rfc1483?).
    Pfsense for the first wan shows the public wan ip as gateway, for the second wan it shows the private ip of the modem (that is also GW).

    I would like to understand:

    • why in the first case it discovers the real wan address and in the second case not;
    • who told pfsense to discover the public wan address
    • what advantages there are in the first case, if any

    Thanks in advance for any help,

    Mario


  • Rebel Alliance Global Moderator

    Reason pfsense gets any address on it when set to dhcp, is what is returned when it sends out dhcp discover.  It getting a public or private IP address would be what your isp device, modem/gateway is set to do.  Bridge or Nat, etc.

    Advantage in the first case is you're not double natted.  Double natted can have all kinds of problems with different protocols, PITA to get unsolicited inbound traffic to work - since you have to allow for the traffic on the 1st nat (which may or may not be in your control) and then again on the 2nd nat (pfsense)



  • @johnpoz:

    Reason pfsense gets any address on it when set to dhcp, is what is returned when it sends out dhcp discover.  It getting a public or private IP address would be what your isp device, modem/gateway is set to do.  Bridge or Nat, etc.

    Advantage in the first case is you're not double natted.

    Ok thanks, so I will explain better. The first modem is also configured as dhcp server. So I supposed that pfsense should get a private ip in the range of the modem dhcp server. But pfsense seems to cheat and take the public ip of the modem.
    In fact I would like to avoid double nat as you explain.


  • Rebel Alliance Global Moderator

    Well clearly if the 1st modem is supposed to be dhcp server its handing out public IP range then..



  • @johnpoz:

    Well clearly if the 1st modem is supposed to be dhcp server its handing out public IP range then..

    It is not possible because I have configured personally the modem and it has only one static public ip address (they cost too much) and it has internal dhcp with private ip.


  • Rebel Alliance Global Moderator

    Here is the thing – if you have pfsense set to dhcp on wan, it's just a dhcp client -- it broadcasts a discover, and will take the first dhcp server that offers it an IP address, it doesn't care what it is, etc.

    You sure you don't have it set in bridge mode?

    You could sniff on the wan to see what is happening, or you could look to the lease details that should show the ip of the dhcp server that gave the lease.

    edit:

    Example: in /var/db you should see a file with the interface of your wan; do a cat and in there should be the IP of the dhcp server it got its lease from.

    cat dhclient.leases.vmx3f0

    option dhcp-server-identifier 69.252.202.7;



  • @johnpoz:

    example.. in /var/db you should see file

    Great info for debugging thanks!!
    In fact now I see:
    lease {
      interface "em1";
      fixed-address 5.x.y.z;
      option subnet-mask 255.255.255.255;
      option routers 192.168.1.1;
      option domain-name-servers 212.97.32.2,94.141.24.92;
      option host-name "host-5-x-y-z";
      option dhcp-lease-time 60;
      option dhcp-message-type 5;
      option dhcp-server-identifier 192.168.1.1;
      renew 2 2014/11/18 21:57:44;
      rebind 2 2014/11/18 21:58:06;
      expire 2 2014/11/18 21:58:14;
    }

    It is very strange, in fact the modem is 192.168.1.1 but it is giving the external ip as a lease ?!?!?!


  • Rebel Alliance Global Moderator

    This makes no sense to me

      fixed-address 5.x.y.z;
      option subnet-mask 255.255.255.255;
      option routers 192.168.1.1;

    So you got a public IP, but it says your gateway should be 192.168.1.1 ???  To be honest that is a broken setup - gateway needs to be on the same segment as your address, or how else are you supposed to get there?  A windows machine will not even allow you to set that up.  While other OS can allow for it - it's broken if you ask me.



  • If your pfSense LAN is already using something like 192.168.1.0/24 then change your LAN to some other private address space that you can hope your ISP or "modem" does not try to use.
    That will make it easier for pfSense to ARP for 192.168.1.1 on em1 and maybe even find it and use it as a gateway - but as Johnpoz says, that is a really weird DHCP lease given there. But if you are lucky it might work.


  • Rebel Alliance Global Moderator

    that lease time of 60 seems pretty broken to me as well.  Can you turn off the dhcp server on that device..  Make it a bridge?  Or clearly need to adjust the dhcp server so that it hands out private IPs, where that 192.168.1.1 would be valid as long as it doesn't conflict with network on your lan side or your other wan connection nat network.

    If you're going to double nat on your wan connections, you need to make sure they do not overlap each other or your lan network.
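
The lease checks discussed in the posts above (gateway outside the leased subnet, private DHCP server handing out a public address, 60-second lease time, WAN-side gateway overlapping the LAN) can be run against a dhclient leases file. This is an added example, not code from any poster or from pfSense; the sample lease is constructed, 203.0.113.7 stands in for the censored 5.x.y.z, and the 300-second threshold and finding names are assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the lease quoted in the thread; 203.0.113.7
# is a placeholder for the censored public address 5.x.y.z.
SAMPLE_LEASE = """
lease {
  interface "em1";
  fixed-address 203.0.113.7;
  option subnet-mask 255.255.255.255;
  option routers 192.168.1.1;
  option dhcp-lease-time 60;
  option dhcp-server-identifier 192.168.1.1;
}
"""

FIELDS = {
    "address": r"fixed-address\s+([\d.]+);",
    "mask": r"option subnet-mask\s+([\d.]+);",
    "router": r"option routers\s+([\d.]+)",  # first router only
    "lease_time": r"option dhcp-lease-time\s+(\d+);",
    "server": r"option dhcp-server-identifier\s+([\d.]+);",
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_leases(text):
    """Return one dict per lease { ... } block of a dhclient leases file."""
    leases = []
    for block in re.findall(r"lease\s*\{(.*?)\}", text, re.S):
        hits = {k: re.search(p, block) for k, p in FIELDS.items()}
        leases.append({k: m.group(1) for k, m in hits.items() if m})
    return leases

def audit_lease(lease, lan_cidr, min_lease_seconds=300):
    """List the oddities raised in the thread (threshold is an assumed value)."""
    findings = []
    wan = ipaddress.ip_interface(f'{lease["address"]}/{lease["mask"]}')
    router = ipaddress.ip_address(lease["router"])
    server = ipaddress.ip_address(lease["server"])
    if router not in wan.network:  # gateway is not on the leased segment
        findings.append("gateway-off-link")
    if any(server in n for n in RFC1918) and not any(wan.ip in n for n in RFC1918):
        findings.append("private-server-public-lease")
    if int(lease["lease_time"]) < min_lease_seconds:
        findings.append("short-lease")
    if router in ipaddress.ip_network(lan_cidr):  # WAN-side NAT network collides with LAN
        findings.append("gateway-overlaps-lan")
    return findings
```

On a real box the input would be the contents of the dhclient.leases file for the WAN interface under /var/db, and `lan_cidr` the LAN network configured in pfSense.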



  • First thanks for all replies.
    The strange thing is that this setup is working (apart from https).
    I am lucky that my private lan has another subnet than 192.168.1.0/24 (I never use that!).

    Here is a (censored) extract of netstat -r:

    default          z.y.x.5.cust UGS        em1
    z.y.x.5.cust link#3            UHS        lo0
    5.x.y.z/32  link#3            U          em1

    As you can see the default gateway is the same address as pfsense… but it works!
    And I can also reach 192.168.1.1, probably thanks to the default route.

    Now I will try to configure modem as bridge or static ip, anyway I would like to understand this thing. It is a dlink dsl320-b