WAN issues with pfSense on fiber internet in our office
I'm working as a web developer in a small Dutch company and I'm also responsible for organizing and maintaining our office's network and internet access.
I've recently discovered pfSense and watched some videos. I liked the web interface and came up with the idea that we could replace our standard routers with one machine running pfSense. In the past few days I've downloaded the most recent build of the 2.3 version. I figured it's pretty much near-stable since it's approaching release. We're still in a testing phase with regards to this upgrade anyway, so I thought it wouldn't hurt to pick the 2.3 version, also because of the better-looking web interface.
Our current situation is as follows:
We have fiber internet from a Dutch ISP called Fiber. We are in an office building that is available for rent to multiple small businesses. At the moment though, we're the only business in here, and the ground floor is currently empty and available for rent. Because of this setup, and the fact that we have only one fiber connection, the owner has requested multiple public IP-addresses from the ISP so that each business can have its own IP-address.
The fiber cable is connected to a fiber-modem in our office building.
From there, an ethernet cable runs to the WAN1 port of our gateway/router, which is a DrayTek Vigor2925 that we got along with the fiber internet subscription. It serves as the gateway for the whole building.
From the LAN1 port of the DrayTek another ethernet cable runs to our own router, which is an ASUS RT-N66U. This one serves as a router for only our devices through a number of unmanaged switches, including a 24-port switch that is connected to a patch panel that leads to the wall mounts on our floor.
As said, we have multiple public IP-addresses and the one we use is configured in our ASUS router as a static IP (WAN):
WAN IP: 178.xxx.yyy.181 (middle part censored for privacy)
Subnet mask: 255.255.255.248
The WAN IP is also the one we see when we browse a What's my IP? website. We obviously want to keep it that way, because we've been whitelisted on that IP by several of our customers for access to their servers.
In our LAN we have a typical 192.168.1.1/24 range with a section reserved for DHCP (192.168.1.128 up to and including 192.168.1.254) and a few static addresses for a few servers. One of them is port forwarded (HTTP) in the ASUS router so that we can reach it from outside the company using our public IP-address.
The gateway address leads to the web interface of our DrayTek router. This is where it gets a little bit tricky for me.
The DrayTek router uses DHCP to get a WAN IP-address from our ISP, but it's a different one than our public IP-address. Here's what it got:
WAN IP: 217.aaa.bbb.15 (middle part censored for privacy)
Subnet Mask: 255.255.255.0
The WAN IP here also leads to the web interface of our DrayTek router.
PPPoE, PPTP/L2TP and IPv6 are disabled.
WAN 1 General setup
Physical Mode: Ethernet
Physical Type: Auto negotiation
VLAN Tag insertion: Enable
Tag value: 128
Tag priority: 0
Active Mode: Always On ("Load Balance" checkbox is checked)
WAN Connection Detection
Mode: ARP Detect
MTU: 1496 (1500 would be fine according to our ISP, but for some reason we can't set higher than 1496 here.)
WAN IP Network Settings
WAN1 IP Alias ( Multi-NAT ):
Aux. WAN IP: 217.aaa.bbb.15 ("Join NAT IP Pool" checkbox is checked)
"RIP Protocol" is disabled.
"Router Name" and "Domain Name" (required for some ISPs) are both empty.
Enabled only on channel 1 with WAN Type: Ethernet(WAN1) and VLAN Tag: 128. (This seems to only be a replication of the "VLAN Tag insertion" setting above)
On the LAN configuration it says it uses an "IP Routed Subnet" which is displayed below the LAN ports. In here it has the same settings as defined as static IP in our ASUS router (The addresses starting with 178).
Everything else in the LAN section (Static Route, VLAN) is disabled.
What we want to establish:
We want the pfSense machine we've built to replace both the DrayTek and the ASUS router. We want one device where we can manage both the internet connection as well as the different subnets and public IP-addresses for the different businesses in our building. Ideally, I'd like to be able to create a LAN subnet (192.168.1.1/24 for us, 192.168.2.1/24, 192.168.3.1/24, etc. for different businesses) and link each of these to their own public IP-address. So 192.168.1.1/24 is linked to 178.xxx.yyy.181, 192.168.2.1/24 linked to 178.xxx.yyy.182, etc.
Problems I'm running into:
After setting up the pfSense box, I've connected the ethernet cable coming from our fiber modem to the "igb0" interface which is set as the WAN. The other interface "em0" is set as LAN and I've connected it to our 24-port switch. This effectively replaces the DrayTek and ASUS routers which is the setup we want to achieve.
The LAN works nicely. I can reach the web interface from my workstation and I can remote desktop to our local servers.
The WAN interface on the other hand is not operating properly at all. The link is displayed as UP, but there's no IP-address (black in the physical console, 0.0.0.0 on the web interface). I've configured it to use DHCP IPv4 but it takes a minute or two to change these settings, as if it's timing out on the DHCP requests or something. When booting, the "Configuring WAN interfaces" takes a minute to complete as well.
I've tried creating a VLAN with tag 128, then assigning it to a new interface auto-named "igb0_vlan128", which I then set as WAN interface. Again, same results. No IP-address. I've also contacted the ISP to have them release the MAC so that a new device other than the DrayTek was allowed to connect. Again, no IP-address.
I'm simply not able to replicate the DrayTek settings into pfSense because everything is in a different section and settings have different names. Also, we depend on the internet for our VoIP lines which are in use regularly during office hours, so I only have an opportunity to work on this setup after office hours so that we don't miss any incoming calls from customers.
If you could help me, I'd appreciate it a lot. If you need any more settings or want me to do something, let me know.
Your best bet would be calling a technician from your ISP (someone that isn't saying that it's not possible to use a different modem/router on your fiber line).
From what I saw on another forum thread, you need to use the following VLANs on your pfSense setup for passing traffic, else it would fail.
VLAN 2 = Internet
VLAN 4 = VOIP
VLAN 6 = IPTV
Another approach is to search that other Dutch tech forum (Tweakers) for related issues and/or open a new topic there, since this basically is not a pfSense issue.
We were on the phone with our ISP several times (also because we had to tell them to release the MAC restriction so that we could connect a new device). We told them we were using pfSense, hoping that someone knew something about it, but they cannot help us, they said.
I'm still pretty sure that it's a pfSense configuration issue, since the old setup is still working flawlessly when we put it back in place.
You can just clone your MAC from the DrayTek configuration, so you don't have to worry about that. Your DrayTek has specific (VLAN?) configuration on it. Try to find it in the web config and adjust it on your pfSense setup. Also, I would suggest just cloning the MAC and setting it on pfSense to bypass the MAC discussion.
Yeah, I've tried cloning the MAC-address too. For the VLAN I tried to put it on the WAN interface (igb0_vlan128) but still no luck. :(
I'm going to try to put it just after the DrayTek and see if I get an internet connection that way, to ensure it's not a hardware issue.
What are you doing on the WAN interface for internet access ?
The manual here: http://www.draytek.com.tw/ftp/Vigor2925/Manual/DrayTek_UG_Vigor2925_V4.1.pdf
Gives you a number of options: None, PPPoE, static or dynamic IP, PPTP/L2TP
If it is static or dynamic, can you confirm it is the screen at page 180 in the manual?
Most (consumer) fiber providers in NL use PPPoE, but the company named Fiber could do it differently of course.
The multi-VLAN feature is also described on page 203, but that seems to be more bridging than routing.
So it almost seems that on the WAN side you have the base connection subnet directly on the interface, and a subinterface 128 with your public subnet which is bridged from the WAN to the LAN interface on your Vigor.
This also makes sense if RIP protocol is disabled. (Normally you route between 2 public ranges and not NAT, but for connected subnets you would not need routing protocol either..)
Yes, it's that screen. The PPPoE tab says it's disabled. The Static or Dynamic IP is enabled.
The "Obtain an IP address automatically" option is enabled, but both "Router Name" and "Domain Name" input fields are empty.
I might have different firmware too, because the MTU setting doesn't go above 1496 and the "Bridge Mode" section from the manual image isn't there at all.
The rest is the same as in the image.
If the MTU is 4 bytes smaller it most likely has to do with the VLAN 128 you have on the WAN.
This will be the VLAN tag: two bytes are used for the tag protocol identifier (TPID), the other two bytes for tag control information (TCI).
So this indicates you will have a subinterface 128 on your WAN, and the default gateway is .178.
I would expect this at the provider side, but you wrote you hit the web interface of the Vigor at that address.
The subnet you have with 255.255.255.248 mask has network address 178.x.y.176 and usable addresses are .177 to .182
Normally a default gateway would be the first usable address. (.177)
Can you find a static route to 0.0.0.0/0 in the Vigor pointing to 178.x.y.177?
The IP address the Vigor gets via DHCP might only be for Fiber to manage the device through.
What you could try with pfSense is to make the WAN IP address .178 with subnet mask 255.255.255.248 (in the subinterface 128)
You would then need to make aliases for the public addresses on the WAN side, and NAT your internal ranges to these aliases.
192.168.1.0/24 to .181
192.168.2.0/24 to .180
192.168.3.0/24 to .179
I think you do not need that DHCP stuff at all, as the Vigor is no longer used.
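A small sanity check for the plan in this last reply (the /29 derived from the .181 address with mask 255.255.255.248, the 4-byte 802.1Q tag behind the 1496 MTU, and the LAN-range to public-alias mapping), added here as an example and not code from the thread. It uses 178.0.0.x as a placeholder for the censored prefix and assumes .177 as gateway and .178 as the pfSense WAN address on the VLAN 128 subinterface, as the reply suggests.

```python
import ipaddress

# Constructed placeholder: the thread censors the middle octets (178.xxx.yyy.181),
# so 178.0.0.x stands in for the real public prefix; mask and host offsets are as quoted.
PUBLIC_HOST = "178.0.0.181"        # WAN IP the ASUS router used
PUBLIC_MASK = "255.255.255.248"    # /29 from the ASUS WAN settings

def public_subnet(host, mask):
    """Derive the /29 that contains the public host address."""
    return ipaddress.ip_network(f"{host}/{mask}", strict=False)

def usable_hosts(net):
    """Host addresses between network and broadcast (.177 .. .182 for a /29)."""
    return [str(h) for h in net.hosts()]

def wan_mtu(base_mtu=1500, tagged=True):
    """802.1Q adds a 4-byte tag (2-byte TPID + 2-byte TCI): 1500 - 4 = 1496."""
    return base_mtu - 4 if tagged else base_mtu

def check_nat_plan(net, wan_ip, gateway, lan_to_public):
    """Validate a LAN-range -> public-alias mapping for 1:1 NAT. Flags aliases
    outside the /29 or on network/broadcast, collisions with the WAN IP or
    gateway, reused aliases, and LAN ranges that are not private or overlap."""
    problems, seen = [], set()
    lans = [ipaddress.ip_network(l) for l in lan_to_public]
    for i, a in enumerate(lans):
        if not a.is_private:
            problems.append(f"LAN {a} is not a private (RFC 1918) range")
        for b in lans[i + 1:]:
            if a.overlaps(b):
                problems.append(f"LAN ranges overlap: {a} and {b}")
    for lan, alias in lan_to_public.items():
        ip = ipaddress.ip_address(alias)
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            problems.append(f"{alias} for {lan} is not a usable host in {net}")
        elif alias in (wan_ip, gateway):
            problems.append(f"{alias} for {lan} collides with the WAN IP or gateway")
        elif alias in seen:
            problems.append(f"{alias} is mapped to more than one LAN")
        seen.add(alias)
    return problems

if __name__ == "__main__":
    net = public_subnet(PUBLIC_HOST, PUBLIC_MASK)
    gw, wan = usable_hosts(net)[:2]          # .177 gateway, .178 pfSense WAN (VLAN 128)
    plan = {"192.168.1.0/24": "178.0.0.181", "192.168.2.0/24": "178.0.0.180",
            "192.168.3.0/24": "178.0.0.179"}
    print(net, usable_hosts(net), "VLAN-tagged WAN MTU", wan_mtu())
    print("problems:", check_nat_plan(net, wan, gw, plan) or "none")
```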