BT Infinity, PPPoE, Static IPs, IPSEC VPN

  • For those of you in the UK looking for help configuring pfSense with your BT Infinity account with PPPoE and static IPs but having trouble with the way BT assigns you a dynamic IP first, I have detailed below how I have managed to get this working.

    We have a block of five static IP addresses with BT, which we are using with devices on the local network, and the pfSense machine its self.

    Physical connection:


    Once you've got pfSense installed, create a PPPoE connection on the WAN interface. (You'll notice here there's nowhere to specify your static IP).  The BT Infinity modem will dynamically assign an IP address (which isn't part of your static block) to this virtual interface.

    What pfSense does here is create a virtual interface for the PPPoE connection with the same name as the physical interface you are creating the connection on, and moves physical interface to the pool of available ports to create an interface with.

    The trick here, is to re-create the physical interface (that you already created during installation) for the WAN card/port (via Interfaces > Assign) then assign your static IP to this interface using the "Static IPv4" configuration type (BT call this the "router IP" in their provisioning email).

    With that set up, you now need to create virtual ip's of "alias" types for each of your five static IP addresses, via Firewall > Virtual IPS.

    You can now create 1:1 NAT bindings for any devices on your LAN you want to assign these IP's, for example a web server, or a particular workstation.

    For any services running on the actual pfSense machine its self that you wish to assign a static IP and not the dynamic IP BT gives the PPPoE connection (e.g. IPSEC site-to-site VPN Tunnel), you can select the physical WAN interface (the one you re-created) when you configure theses services.

    Its worth mentioning that I didn't make any changes to the configuration of the BT modem, I understand from BT that the configuration is locked.

    I hope this helps someone.

    All the best.

  • Dave

    Any chance of sending me a config of your BT box minus the external addresses for your privacy. I never did get the huwai bt box working directly with pfsense. I have a block of 5 ip addresses but struggle with getting it to work with vpn etc. I don't wish to use 1:1 NAT but for the lan to use one of the five IP addresses for NAT. I would be intrigued as to how your NAT is configured. That is of course unless you are not using a dedicated IP for the LAN traffic.



  • I just had this exact same setup. I will say mine did not work correctly right away. I was trying to use one of my Static IPs for the IPsec VPN tunnel. The tunnel established just fine, but would not pass any traffic. I backed out some of the config and tried again and now it's working, so there might be a order of configuration in order for this to work correctly.

    This is just to clarify what was said above.

    1. Assign physical interface that PPPoE interface is on. Put the ip address and subnet that the BT Calls the "Router/Hub/Gateway IP"
    2. Create a virtual IP with your BT assigned IP and the correct subnet mask as an IP Alias. Select the interface you just created in step one.
    3. Add firewall rules, ect.
    4. In the local IPSEC Configuration choose the interface you created in Step 1.
    5. in the remote IPSEC Configuration the remote gateway IP is the Virtual IP you created in Step 2.

    Again this was only for IPsec configuration and it doesn't work the first time, try to rework some of the steps.

  • I came across this thread while working through a similar issue with CenturyLink DSL in the US. I found this thread The instructions worked well for me in the last thread.

  • Thanks for this, I would have never figured it out.

    I've kind of got there with this, the problem I currently have is that outbound traffic is still going through the dynamic IP rather than one of the statics. could anyone advise me on how to make it use the static please.

Log in to reply