Netgate Discussion Forum

    BT infinity with block of 5 static IP addresses – Fibre Modem PPPOE WAN Dynamic

      burgerman

      BT with block of 5 static IP addresses – Fibre Modem PPPOE WAN Dynamic

      Could somebody please help with a definitive solution to my BT woes? :'( I have searched around for what seems like an eternity for a concise answer on how to do this.

      I’m sure this situation is commonplace for UK BT users. I cannot, however, find a documented way of achieving it. Some tutorials cover partial methods but no holy grail, so to speak. If I could get this working it would make the hardware a lot more efficient in terms of connections etc., cutting down on a piece of hardware. A definitive answer would, I'm sure, help other small business users get such a great firewall working with the beast that is British Telecom.

      Here goes.

      Hardware

      BT Openreach VDSL2 modem for FTTC (ECI model B-FOCuS V-2FUb/I Rev.B) > pfSense > LAN

      The Openreach modem connects via WAN PPPoE.

      Sure enough the WAN connects via PPPoE and the WAN gets a dynamically assigned IP address. This must happen as BT provides you with a username and password and insists on you getting an initial dynamic IP address.

      The LAN is 192.168.2.1/32. I have several desktops behind it.

      I would ideally like the LAN IP to appear as one of the static fixed IP addresses (81…...2-6) and have the others available for assigning to other devices if need be. It is this part that I do not have a clue how to achieve. I have successfully installed OpenVPN and can get this connecting without issue.

      I have read numerous tutorials but none of them have worked. If someone could explain it to me in relatively concise instructions I would be very grateful. If necessary I will donate via PayPal to your favourite charity or your coffee funding. It really has got to this point. It would be great to get one of the static IPs assigned to the LAN traffic and also have OpenVPN work with this static IP address.

      Any help would be appreciated.

      Regards

      Burger Man

      The information below is from my old router.

      5 static/fixed ip addresses 81......2 – 81......6

      The bt router address 81......1

      subnet mask 255.255.255.248

        stephenw10 Netgate Administrator

        So you need the real IP addresses on the internal clients rather than using 1:1 NAT?

        Can you link to any tutorials you found and tried that didn't work?

        If the subnet is routed to you, you should just be able to disable NAT between the WAN and the internal interface you've chosen (LAN probably) and then assign the IPs to the clients either statically or by configuring DHCP appropriately. Use the 81.x.x.1 address for the pfSense interface.

        This diagram looks correct though not specifically about pfSense: http://forum.kitz.co.uk/index.php?topic=2179.msg111280#msg111280

        Steve

          burgerman

          BT assigns the WAN address a dynamic IP address every time via pppoe.

          Initially I just wish all LAN traffic (all PCs behind the LAN network) to appear as one of the block IPs, 81…...2 being the first out of the block. And ideally have this address accessible externally for OpenVPN so we can VPN in. I'm betting this would be a classic scenario for a small business with BT Openworld Business Accounts.

          From piecing together various forum posts, the general consensus mentions aliases. Would I be correct in thinking I could create aliases as "Other" using the BT static IPs for routing? If so, I do not have a clue what to do once I have assigned the aliases.

          I can assure you various combinations have been tried, but my logic chip is a bit fried on this one.

          The tutorials I have gone through cover similar scenarios but do not cover my needs. There are a few links with some elements that I thought would help me. I guess the lightbulb moment hasn't happened yet.

          https://business.forums.bt.com/t5/Broadband-and-internet/BT-Infinity-Business-Static-IP-Assignment/m-p/51850#M10482
          http://www.tomschaefer.org/pfsense-internet-access-on-opt-interface/
          http://blog.martinshouse.com/2012/01/multi-wan-multi-lan-no-nat-routing-with.html
          http://www.stephens-blog.co.uk/bt/pfsense-and-bt-business-router-as-modem/
          http://www.interspective.net/2012/05/pfsense-initial-configuration-adsl-wan.html
          https://davehall.com.au/tags/telstra
          http://highsecurity.blogspot.co.uk/2011/08/pfsense-and-tm-unifi.html
          https://forum.pfsense.org/index.php?topic=59573.0
          https://www.youtube.com/watch?v=zrBr0N0WrTY

            stephenw10 Netgate Administrator

            If you want everything to appear as though it's behind one IP then you need to add a virtual IP (IP Alias type covers most functions) and NAT the traffic to that.
            You can probably have some combination of NATed and routed traffic using your public IPs, though I've never actually tried that personally.

            Steve

              burgerman

              I have since got a little further.

              Having just traveled to work and had a play, I have got the following:

              The LAN now appears as one of my chosen external IP addresses.

              I did this by:

              Creating an alias using the chosen external IP address within the BT IP block.

              Going into the Outbound NAT section and disabling automatically created rules.

              Editing the automatically created rules and, instead of the NAT Address being WAN, I changed it to the alias I created.

              Having saved, after a few seconds I googled my IP address from one of the LAN clients and, lo and behold, the alias IP showed.

              –-

              Right, now I may be going off topic, but I have had OpenVPN working with my old router and pfSense. It worked like a charm.

              Since changing over to the Fibre Modem I cannot get OpenVPN connecting.

              I have left most of the initial OpenVPN settings the same. Under the NAT Outbound section I updated the NAT Address to the alias, similar to my previous steps for the LAN NAT.

              I then changed the automatically created OpenVPN rule on WAN so the destination was the alias.

              Now, trying to connect, it does not respond at all on the Windows client.

              Is there a vital point I have missed so I can get OpenVPN connecting to the first IP alias address?

                stephenw10 Netgate Administrator

                Do you mean OpenDNS or OpenVPN here? You seem to be conflating the two, perhaps.

                For something like the OpenVPN service you don't need to worry about NAT in either direction because the service is running on the firewall itself. Thus you can set up an IP alias with one of your public IPs and have the OpenVPN service bind to that instead of the WAN address. The packets are still coming into the firewall on the WAN interface though, so you need to allow that with a firewall rule on the WAN interface.

                For a client behind the firewall you can change the NAT settings as you have done so that traffic from that client leaving the firewall appears to come from the IP Alias public address. If you want incoming connections on that address to connect to the client you need to set up port forwarding (for individual ports) or 1:1 NAT.

                Both the above result in your LAN still using a private subnet and pfSense translating it to your public addresses. This means you can use all 6 available addresses. The alternative is to use the public IPs directly on the LAN clients and 1 as the LAN address.

                Steve

                  burgerman

                  Great news, I found the solution. OpenVPN is now connecting and I have access to the LAN clients. Wow, what an achievement.

                  So, just to recap, I will take a BT business owner through how to set up the static IP addressing with pfSense. You can then do away with any old boxes such as the hgv type modems. No more wondering if the static IP addressing is going to hold inside the BT box. pfSense handles everything and with lightning speed. I will try and document my findings below for someone in a similar situation.

                  Scenario

                  BT assigns its business clients blocks of IP addresses such as below.

                  5 static/fixed ip addresses 81…...2 – 81......6

                  The bt router address 81......1

                  subnet mask 255.255.255.248

                  My requirements so far as a minimum for small to medium business.

                  • Wishing to use one of the 5 /29 subnet IP addresses provided by BT for my LAN traffic.

                  • Wishing to have OpenVPN connect and use the same address as per above for external access. The VPN allows for remote access to our LAN machine for RDP etc.

                  The two points above are important for us and may well be for your business. Please find below exact details on what I did. I will not cover the setting up of OpenVPN; this is beyond the scope of my post. There is, however, an excellent YouTube video here

                  https://www.youtube.com/watch?v=ekl8rwHomRs

                  Right, for step 1 above you must:

                  Firewall > Aliases > IP - Go into the alias section and add the BT IP address you wish to use on the LAN. I called mine BTStatic; you can call it something meaningful.

                  Firewall > NAT > Outbound - If you have a pretty stock system like me, then to clean up your NAT and get only the relevant options I would firstly click the Manual Outbound NAT rule and save. Now select all the rules and delete them. Now enable the Automatic outbound NAT again and save. Now click the Manual Outbound NAT rule again and you will have only the relevant options relating to your interfaces and network settings. Now you must edit each rule and, where you have the translation section, change it to Host Alias, in my case BTStatic(). Do this for all the NAT entries. Now when your LAN resolves it will appear as the alias address. If you wish to change the external IP address to one of the other BT IP addresses then simply update the alias.

                  Step 2, the OpenVPN

                  Firewall > Virtual IPs - Add a virtual IP by doing the following. Click the plus and add the same IP address you did for the alias. The subnet mask will be 29. My description was 81…...2. This part is very important or the IP will not work: change the interface tab to LAN, not WAN. Strange, I know, but it works.

                  VPN > OpenVPN > Server Edit - Now the crucial part: go to the interface tab and select the Virtual IP address. If you do not do the part above, this will not display in the interface tab.

                  One last thing, then you should be good to go.

                  Edit the WAN rule: under the automatically created OpenVPN rule, change the destination to the alias you created in step 1. Make sure you are saving and applying all of the above steps. Reboot, wait a few moments and the PPPoE will connect and get a dynamic IP address. The LAN will appear as your static IP address and from an external OpenVPN client you should be able to remotely access the Step 2 virtual IP address. You should then be able to ping the LAN clients and access other internal LAN services.

                  Hopefully this will help someone in the future.

                  I have other things to achieve but for today this will do.  :)

                  Many thanks to stephen for offering assistance.

                    stephenw10 Netgate Administrator

                    Thanks for that write-up. There's a couple of things there I would have attempted differently, but it seems like you're up and running. Interesting that you couldn't put the virtual IP on WAN. I'm guessing that's because it's a PPP connection with a /32 subnet mask. You might try putting the VIP on localhost rather than LAN though.
                    Also, I'm still not sure where OpenDNS comes into this; it looks like you just meant to write OpenVPN there.

                    Perhaps I should upgrade to static IPs and have a play around with this.  ;)

                    Steve

                      burgerman

                      OpenDNS was a slip by myself. Sorry for the confusion. I have updated the previous offending post.

                      You mentioned localhost rather than LAN; could you explain, Stephen?

                        stephenw10 Netgate Administrator

                        Really, for this sort of setup you want the VIP on the WAN interface since that's where the routed traffic is arriving. If you had a DHCP WAN that's where you would put it. Since it appears you can't do that, putting it on localhost would be my next preferred option. Putting it on LAN means that you will end up with a lot of traffic from the wrong subnet on LAN, which might cause issues in the future. Are you seeing anything for the broadcast address of that subnet being propagated to the whole LAN network, for instance?
                        It does surprise me that it won't work on WAN, to be honest. What was the result when you tried it? Since the WAN is PPP it's probably a /32, in which case you should set the VIP on WAN as /32 also. Did you?

                        @https://doc.pfsense.org/index.php/What_is_the_different_between_Proxy_ARP:

                        Subnet mask should match the interface IP, or be /32.

                        Steve
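
The checks this thread converges on (one block address shared by outbound NAT, the OpenVPN bind and the WAN rule; VIP mask matching the interface or /32; VIP kept off LAN), as an added example that is not part of any post or of pfSense itself. The block 203.0.113.0/29 stands in for the elided 81.x /29, and the `cfg` keys, finding names and the /24 LAN prefix are assumptions made for the illustration.

```python
import ipaddress

BLOCK = "203.0.113.0/29"  # placeholder for the thread's elided 81.x block

# Constructed sample: the setup as written up in the thread (VIP on LAN, /29).
AS_POSTED = {
    "vip": "203.0.113.2", "vip_prefix": 29,
    "vip_iface": "lan", "iface_prefix": 24,   # LAN /24 is an assumption
    "nat_addr": "203.0.113.2", "ovpn_bind": "203.0.113.2",
    "wan_rule_dst": "203.0.113.2",
}
# Constructed sample: the variant suggested in the reply (VIP on WAN as /32).
ON_WAN = dict(AS_POSTED, vip_iface="wan", vip_prefix=32, iface_prefix=32)


def check_setup(block, cfg):
    """Return findings for one setup; cfg keys are hypothetical names."""
    net = ipaddress.ip_network(block)
    vip = ipaddress.ip_address(cfg["vip"])
    findings = []

    # The address must be a usable host of the block, not network/broadcast.
    if vip not in net or vip in (net.network_address, net.broadcast_address):
        findings.append("vip-not-usable-host")

    # Rule quoted in the thread: mask matches the interface IP, or is /32.
    if cfg["vip_prefix"] not in (cfg["iface_prefix"], 32):
        findings.append("vip-mask-mismatch")

    # Concern raised in the thread: public-subnet traffic appearing on LAN.
    if cfg["vip_iface"] == "lan":
        findings.append("vip-on-lan")

    # Outbound NAT, the OpenVPN bind address and the WAN pass rule must all
    # name the same address for the goal of one public IP for LAN and VPN.
    for key in ("nat_addr", "ovpn_bind", "wan_rule_dst"):
        if ipaddress.ip_address(cfg[key]) != vip:
            findings.append(key + "-differs-from-vip")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("VIP on WAN /32", ON_WAN)):
        print(name, "->", check_setup(BLOCK, cfg) or "no findings")
```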

                          burgerman

                          I think you may be right Stephen. I will try out the localhost tomorrow.

                          Yes it makes more sense not to have it on the LAN. I have no excuse other than it being the weekend and limited unpaid time working on a test machine.

                          I will get there in the end. ;)

                          When I get to a happy conclusion I will amend my previous posts.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.