Best way to connect ISP Router to Pfsense



  • Hi,

    I have my pfsense box ready. Before starting with the setup, I want to configure my ISP router.

    What is the best option? Bridge mode? DMZ for pfsense? What options do I have to set up in my ISP router?

    Can I use the option "WAN Service" > "Bridge PPPoE Frames Between WAN and Local Ports" for my purpose?

    I want to convert my ISP router into a dumb machine that transforms "ADSL to ethernet", and control everything from pfsense.

    Thanks.



  • Yes, just test it…  ;)

    No NAT, No Firewall on ISP MoDem-router, only plain pass-through all, MTU 1492.

    Then put pfSense WAN PPPoE on the LAN inlet/outlet of the ISP-MoDem(router).
    See [Interfaces: WAN] (IPv4 Configuration Type=PPPoE)



  • I can't test right now… I have to wait until tomorrow.

    So, just check this option: "WAN Service" > "Bridge PPPoE Frames Between WAN and Local Ports". Do I have to configure anything else in the ISP router?

    Thanks! ;)



  • Usually you don't need "Bridge PPPoE Frames Between WAN and Local Ports" checked, unless you want to make use of more than one pppoe connection from your LAN.



  • @gabe:

    Usually you don't need …

    Oh, well then OP could have a look in his router's "Layer2 Interface" for bridging the signal?



  • Hi guys!

    I am a beginner to the world of networks and pfsense, so I apologize for the possible stupid questions…

    I just connected the ISP router to the WAN interface of pfsense. This is my config:

    • WAN (wan)      -> igb0      -> v4/DHCP4: 192.168.1.2/24

    • LAN (lan)      -> igb1      -> v4: 192.168.2.1/24

    • OPT1 (opt1)    -> igb2      -> v4: 192.168.3.1/24 (access point)

    • OPT2 (opt2)    -> igb3      -> For DMZ… other day

    Everything is working fine, I can access the ISP router using 192.168.1.1, pfsense with 192.168.2.1, I have internet…

    But my ISP router is working normally (wifi, lan, etc). What do I have to change to make my ISP router "transparent"? I'm completely lost in this issue.

    My router is NU-GAN5.

    Thanks a lot!



  • @kipTry:


    What do I have to change to make my ISP router "transparent"? I'm completely lost in this issue.

    You want your outside public IP on pfSense-WAN by bridging or pass-through. That is if your ISP supports it to do as (PPPoA-to)-PPPoE. I have no idea what the MoDem can do for you. Maybe look into "Layer2 Interface" or post that screen here.

    You could use a DrayTek Vigor-120 (ADSL MoDeM-Router (not broadband-cable)) as this will do what you are looking for, if you know/get the ISP-connection protocol to fill in in the DTv-120.



  • WAN (wan)      -> igb0      -> v4/DHCP4: 192.168.1.2/24

    Why DHCP? Set up the WAN IP static (fix) and deactivate DHCP at the ISP router.

    Everything is working fine, I can access the ISP router using 192.168.1.1, pfsense with 192.168.2.1, I have internet…

    Three things would be matching at this point and situation;

    • disable DHCP on the ISP router and set up a static IP address on the WAN interface of the pfSense
    • enable DHCP at the ISP router and set up a static IP address outside of the DHCP range to the WAN port of the pfSense firewall
    • set up the ISP router in bridge mode and then use this device as a pure modem and set up DHCP
      on the WAN interface of the pfSense

    But my ISP router is working normally (wifi, lan, etc). What do I have to change to make
    my ISP router "transparent"? I'm completely lost in this issue.

    Activate in the options menu the "bridge mode" if it is available, then the ISP router is
    acting as an ordinary modem, would be the best for pfSense and VPN from the outside!

    Because if you have coupled two routers you have built up a router cascade with double NAT.



  • Ok, so bridge or pass-through.

    Some screenshots:

    1 Advanced setup

    2 Layer 2 interface

    3 eth interface

    4 eth interface > add

    5 wan service

    6 wan service > edit

    So, I think just check "WAN Service" > "Bridge PPPoE Frames Between WAN and Local Ports", disable rest of ports and wifi, right?



  • I understand what you say BlueKobold ;) I will change the DHCP, but now I want to put my isp router in bridge mode or "pass-through" and I don't know how to do it.



  • So, I think just check "WAN Service" > "Bridge PPPoE Frames Between WAN and Local Ports", disable
    rest of ports and wifi, right?

    Yes, if the router is in bridge mode it is not acting like a router any more, but is acting as a pure modem.
    So also SPI firewall and NAT should be disabled.

    I understand what you say BlueKobold ;) I will change the DHCP, but now I want to put my isp router in bridge mode or "pass-through" and I don't know how to do it.

    Would be really fine to know the exact model you have in this game.

    Edit: I found the router manual, but have only seen it in Spanish, a language that I do not speak or read.



  • The router is a NuCom NU-GAN5.



  • Unless someone on here has experience of that device, you'll need to hunt down some instructions online to guide you through putting the device into bridge mode, but even if it's in bridge mode, make sure the wifi is shut off as this can still be a way onto the device in some cases.



  • @kipTry:

    The router is a NuCom NU-GAN5.

    Well, did you test as you intended? Result?

    Considering an exchange of "your router"-type with the versatile DrayTek V-120?



  • Hda, yes, I'd forgotten to post a possible solution… My memory tricks me sometimes. :)
    KipTry, considering you have a proper already set up and working ATM link in the "Layer 2" menu, you can try going to the "Wan service" option, remove the ppp0 connection you already have and add a new one. At this time, check if you can create a new one in "Bridging" and attached to your atm0 connection.
    If you are able to do it, a connection called br_0_0, br0 or something like it, will be created. Make sure you have your router not providing a DHCP as said before by our fellows.
    Now, maybe everything is ok and you'll be able to create a pppoe connection in your pfSense box and have your public IP, provided by your ISP, facing the PPP connection. Whether is that what you want.
    In the end, it's just a guess, ok? :)
    I hope this helps.



  • Thanks guys! I'll test it tonight.

    hda, I'm not thinking in DrayTek V-120 because I'm going to change to optical fiber in September. I understand with optical fiber I just need to connect the ONT to Pfsense.



  • Well, I guess it is working:
    1. I disabled WiFi, DHCP
    2. In wan services: check "Bridge PPPoE Frames Between WAN and Local Ports" and uncheck NAT and Firewall.

    Pfsense is working well (I configured PPPoE user and password), with connectivity and internet. But I can't access the ISP router - 192.168.1.1 (even connecting directly pc-isp router), why? Is it normal? Anyway I don't mind.

    In Status > Interfaces, I see: IPv4 address 47.X.X.X and Gateway IPv4 87.X.X.X. IPv4 address is my public IP, but Gateway IPv4?

    Could you help me to understand this output of tracert command?

    
     tracert www.pfsense.org
      1    <1 ms    <1 ms    <1 ms  pfSense.MyDomain [192.168.2.1]
      2    13 ms    12 ms    12 ms  static-xx-xx-....ipcom.comunitel.net [87.x.x.x]
      3    13 ms    13 ms    13 ms  172.29.8.110
      4    12 ms    12 ms    13 ms  172.29.8.109
      5     *        *        *     Timeout
      6     *       13 ms    13 ms  195.10.44.1
      7    32 ms    32 ms    32 ms  ae7-xcr2.prp.cw.net [195.2.31.245]
      8    32 ms    32 ms    32 ms  ae24-xcr1.ptl.cw.net [195.2.24.154]
      ...
      18   147 ms   147 ms   146 ms  www2.atx.pfmechanics.com [208.123.73.69]
    
    

    I don't understand line 2, and are 3-4 private IPs?

    I'm going to keep this setup and start to play with pfsense. In September I'll change to optical fiber, so I'll focus on setting up the ONT properly.

    Thanks!



  • Congratulations. Yes line 2 is gateway of your ISP as next hop from pfSense-box. Indeed you cannot simply connect to MoDem anymore. If you want WLAN then buy/install an AP onto your switchbox on the pfSense-LAN.



  • 192.168.1.1 (even connecting directly pc-isp router), why? Is it normal?

    Yes it is normal, there are modems sorted with two LAN ports, one is an ordinary one like
    yours and the second one is often a RJ45 console port to surround this matter.

    But anyway you should be happy now, all is running, if you want to use WiFi you should,
    as suggested before, buy an external WLAN AP.



  • Ok. Yes, I have an AP connected and it's working ;).
    Thanks guys!
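
Added example, not part of any post in this thread: a small Python check for the two things discussed above, whether the pfSense WAN address shows an upstream NAT (192.168.1.2 before bridging) and which tracert hops carry private addresses. The function names and the sample trace are constructed for illustration; 203.0.113.1 is a documentation address standing in for the masked ISP gateway.

```python
import ipaddress
import re

# RFC 1918 private space and RFC 6598 carrier-grade NAT shared space.
NON_PUBLIC = {
    "rfc1918": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "cgnat": ("100.64.0.0/10",),
}
# Hop number, then the IPv4 address that ends the line (optionally in brackets).
HOP_RE = re.compile(r"^\s*(\d+)\s+.*?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")

def classify(addr):
    """Return 'rfc1918', 'cgnat' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NON_PUBLIC.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return label
    return "public"

def wan_is_behind_nat(wan_addr):
    """A non-public WAN address means another NAT device sits upstream of pfSense."""
    return classify(wan_addr) != "public"

def parse_tracert(text):
    """Return (hop, address, class) for every hop that answered; timeouts are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2), classify(m.group(2))))
    return hops

def isp_internal_hops(hops):
    """Non-public hops after the first public hop: routers inside the provider's network."""
    first_public = next((i for i, h in enumerate(hops) if h[2] == "public"), len(hops))
    return [h[0] for h in hops[first_public:] if h[2] != "public"]

# Constructed sample shaped like the tracert output posted in the thread.
SAMPLE = """\
  1    <1 ms    <1 ms    <1 ms  pfSense.MyDomain [192.168.2.1]
  2    13 ms    12 ms    12 ms  gw.isp.example [203.0.113.1]
  3    13 ms    13 ms    13 ms  172.29.8.110
  4    12 ms    12 ms    13 ms  172.29.8.109
  5     *        *        *     Timeout
  6     *       13 ms    13 ms  195.10.44.1
"""

if __name__ == "__main__":
    print(wan_is_behind_nat("192.168.1.2"), parse_tracert(SAMPLE))
```

Private hops that appear only after the first public hop sit past your own edge, so they do not indicate a second NAT on your side.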