[SOLVED] AT&T U-verse with Pace/2-Wire 3801HGV: CARP Virtual IPs not working

  • I am trying to get a /29 block of static IPs from the 3801HGV to pfSense 2.2.2-RELEASE.

    I have the WAN interface with the first static IP, and created 4 CARP Virtual IPs (VIPs) for the remaining four static IPs.


    All five static IPs will ping -S from each static (V)IP to the 3801HGV which takes the last usable static IP in the /29 block as the default route/gateway.  Remember, the all zeros IP address and the all ones IP address are not usable for hosts.

    3801HGV > Settings > Broadband > Link Configuration > Supplementary Network
    Add Additional Network [x] Enable
    Router Address: last usable static IP in /29 block
    Subnet Mask:
    Auto Firewall Open [x]
    The 3801HGV lists the pfSense VIPs in Settings > LAN > IP Address Allocation
    Firewall: Disabled
    Address Assignment: Static IP - no DHCP
    WAN IP Mapping: Public Fixed: [one of the /29 static IPs]
    Cascaded Router: No

    … and so on for each VIP and the DHCP address of the host I am using to view the 3801HGV's WebUI.

    Unfortunately, only the first Static IP (Port Forwarded to a web server) is accessible from the Internet.  Anyone have any ideas how to get the CARP Virtual IPs to work?

    Note: This similar configuration works fine with the old ADSL modem in bridge mode.  AT&T U-verse modems do not have bridge mode.

  • Those things are probably the crappiest modems ever built for static IP usage like that. Personally, I switched mine to routed mode for the publics to get away from its stupidity with static IP handling, so it routed my public /29 to the 192.168.x.x WAN IP (actually CARP IP) of the firewall behind it.

    If you've ever used those publics on something else before, you have to go in and delete any reference to them that you can find. I thankfully no longer have a 2wire after upgrading my service, so don't recall the screens 100% for sure offhand. Then bring up the CARP VIPs, try to source traffic from them. Then back to the 2wire and disable the firewall for the newly discovered IPs. If anything doesn't go right in that process, which there is a good chance it won't, you might have to reset the 2wire to factory defaults and start the process over. It gets some IPs stuck in it with some other MAC if they've been used before, and sometimes just for no reason at all, to the point it leaves you with no option but factory defaulting the modem.

    I upgraded my service to 50 Mb, which required a different modem. They installed a Motorola that's vastly better than the 2wire and I was thrilled to see it go. Every time we have someone show up here with one with static IPs, or support customers, they turn into a real headache.

  • SUCCESS!!!

    https://forum.pfsense.org/index.php?topic=31167.msg161320#msg161320 is missing a few steps that need to occur at the end.

    There must be a direct ping from each pfSense CarpVirtualIpAddress to the 3801HGV's IP Address (.70 in my case).

    A direct ping can only be achieved from the Command Line / Shell interface on pfSense:

    ping -c1 -S CarpVirtualIpAddress ModemIpAddress

    -c1 means only ping one time (as opposed to repeating until Ctrl-C)
    -S indicates the source IP address to send the ping from

    Check > Settings > LAN > IP Address Allocation
    after each ping from a CarpVirtualIpAddress and you will see it show up.  It may take a few refreshes as the modem takes some time to detect/reconfigure itself.

    Once all six static IPs are in the list of IP Address Allocation,  they should all have the following settings by default:

    Device Status: Connected Static IP
    Firewall: Disabled
    Address Assignment: Static IP - no DHCP
    WAN IP Mapping: Public Fixed: .65 to .69 or whatever your 5 static IPs are
    Cascaded Router: No

    There will be a DHCP address with Firewall enabled for the web browser used to view  Leave it at defaults as well.

    You MUST click the [Save] button at the bottom right of the IP Address Allocation page to write these settings into NVRAM in the 3801HGV modem or you will lose the settings when the power goes out.  They do seem to come back after pulling the plug for a few seconds anyway.

    The modem requires a direct ping to its own IP address.  Merely passing traffic through it, such as pinging, will not register in the IP Address Allocation list.  Thus, the modem will block incoming Internet traffic for those CarpVirtualIpAddresses.
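Added example, not part of the original posts: a POSIX sh sketch of the per-address ping step described in the post above, run from the pfSense shell. The function names, the `PING` override and the 203.0.113.64/29 block are assumptions made for illustration; it pings from the WAN address as well as the CARP VIPs, and treats the last usable address as the modem, as in the thread.

```shell
#!/bin/sh
# Constructed sample block: 203.0.113.64/29 (documentation range), modem on .70.

# Print the six usable hosts of a /29, given its network (all-zeros) address.
usable_hosts_29() {
    prefix=${1%.*}
    last=${1##*.}
    # A /29 network address always ends in a multiple of 8.
    [ $((last % 8)) -eq 0 ] || return 1
    i=1
    while [ "$i" -le 6 ]; do
        echo "$prefix.$((last + i))"
        i=$((i + 1))
    done
}

# Ping the modem once from every other usable address in the block.
# Succeeds only if every source address got a reply, so a VIP the modem
# has not learned yet shows up as FAIL.
# -S is the source address on FreeBSD/pfSense ping (it means something else on Linux).
register_vips() {
    hosts=$(usable_hosts_29 "$1") || return 2
    modem=$(echo "$hosts" | tail -n 1)   # last usable IP = modem, per the thread
    failed=0
    for ip in $hosts; do
        [ "$ip" = "$modem" ] && continue
        if ${PING:-ping} -c1 -S "$ip" "$modem" >/dev/null 2>&1; then
            echo "ok   $ip -> $modem"
        else
            echo "FAIL $ip -> $modem"
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}

# Usage on the firewall (substitute your own /29 network address):
# register_vips 203.0.113.64
```

After it reports ok for every address, the modem's IP Address Allocation page still has to be checked and saved by hand as described above.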

  • I would like to know the same information.
