PfSense-on-a-stick Unacceptable MAC Address Issues



  • Having issues with my ISP's ONT box and Cable Modem binding to the physical MAC of the switch vs. the VLAN MAC address coming from pfSense. Switch is Cisco SG300-10/28 (have tried both).

    As an unacceptable solution, if we lose power or alternatively, three times now the ISP has had outages which released/purged the MAC address; I have been booting to Ubuntu Live CD via USB thumb drive, plugging in the WANs each to the pfSense interface with the correct MAC address, powering down the Ubuntu Live CD and restarting pfSense. Things then work but this is a 30-minute process. I'd like to be able to push the pfSense MAC address out to my ISP in a way that the ISP never sees the switch's MAC. I know that the ISP's are seeing the switch's MAC because they tell me that they see my public IPs binding to the switch's MAC address.

    Is there a workaround or a setting in pfSense that would force the VLAN to override the switch MAC address? The SG300 series is a fairly low-level Cisco SMB switch (rebranded Linksys) and I've had no luck trying to tweak settings on the switch.

    Thanks for any advice or help.


  • Netgate

    It's your switch's fault.  Is it in layer 3 mode?



  • Your switch has to talk to your ISP in order for them to sees those MAC address. Simple routing doesn't do that.
    Did you turn on DHCP snooping accidentally or is/are the switches IP address(es) requested by DHCP? Make all of them static.



  • Why is your switch in L3 mode if it only has one IP?



  • The modem is probably seeing STP traffic from the switch and taking that source MAC as its authorized MAC. Not sure what features that switch has, but maybe you can disable STP entirely, or at least on the port your modem is plugged into.



  • SG300 switches usually have RSTP enabled by default. Awesome idea, Chris!



  • I think I can follow you but I don't see if that could be a problem. It's late over here…
    Try disabling STP/RSTP/MSTP on the "WAN" ports as per cmb's advise and test it.



  • It's sufficient to disable it on the ports that represent your WAN to the modem.