
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

Router - PFSense

This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual-stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).
 
Before you start, it would be wise to read [[IPv6#IPv6 on AAISP Broadband|IPv6 on AAISP]], which explains how IPv6 traffic will be routed to you by AAISP. The key point is that you should expect one /128 address to be assigned to your router; the additional subnets will be routed to this address.
 
= Introduction =
At the time of writing this wiki page, the pfSense version used was 2.1.2, and it is recommended that you use that version (or a later one), as 2.1.0 and 2.1.1 are affected by Heartbleed and by some PPPoE configuration bugs.
 
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which is a concern in the UK, where PPPoE is very common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable; however, its [[IPv6]] support was in turn rather flaky. This is why the old wiki page (see [[Router - PFSense (beta 2.1)]]) could still be a valid option (unless your security rules dictate that you must be on the latest release).
 
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same behind BT Wholesale, but your mileage may vary.
As described in the previous version of this document (see [[Router - PFSense (beta 2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although an old PC or other embedded hardware will work too).
 
It should also work similarly well with other ADSL/VDSL modems, as long as you can push PPPoE to the modem (and it, in turn, carries that over its own PPPoA connection).
 
On the PC side, you need at least two interfaces, one for LAN and one for WAN. These can be physical interfaces (the easiest option), or you can use 802.1Q VLANs to split one NIC into several.
 
For IPv4, note down the single /32 address and the additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.
 
AAISP will supply provider address space. For obvious reasons, this cannot be moved between suppliers. You may wish to consider a NAT configuration, which will allow you to use a private address range internally. This avoids the need to readdress should you move supplier, and also makes a multi-provider WAN easier to deploy; see [https://doc.pfsense.org/index.php/Multi-WAN_for_IPv6 Multi-WAN for IPv6 on the pfSense documentation site].
 
= Configuration =
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it ready quickly is to hard reset it).
 
You don't need to enter your A&A username and password there, as this will be done in pfSense (when setting up PPPoE).
 
It is still a good idea to check the settings and change the default password. To do so, plug the Vigor into a PC, point a browser at it (typically it will be listening on 192.168.1.1) and follow the user docs. While you are in the web front end, make sure that the ADSL status shows SHOWTIME (otherwise you have a problem with the ADSL connection to start with).
 
Typically you will be setting the modem up in bridge mode so that it receives PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:
 
 
== Dlink DSL-320B ==
 
I also tried with a D-Link DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA).
 
Even in bridge mode, it is still a good idea to change the default admin password and disable management services on the WAN side, so that the modem's web interface is not reachable from the ADSL side.

== pfSense WAN interface ==

In pfSense, click on the WAN interface name in the Interfaces menu (i.e. click on "WAN" if you have called it that) and enable it.
 
For the IPv4 Configuration Type select "PPPoE", and for the IPv6 Configuration Type select "DHCP6".
 
Ensure that "Use IPv4 connectivity as parent interface" is selected.
 
In the PPPoE configuration section enter your username and password (as given by A&A), and ensure that "Dial on demand" is ticked and that the idle timeout is set to 0.
 
You should get a configuration screen similar to this:
[[File:Interface Setup - WAN.png|800px]]
 
Note that you should not use the prefix delegation configuration: AAISP will issue you a single /128 and then route your additional subnets to this address.
 
Finally, click on the save button.
 
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense got mixed up in the PPPoE interface assignment, so you often had to define the PPPoE interface manually by creating it in the PPP tab of the "Interfaces -> (assign)" page. This seems to work reasonably well now.''
 
 
=== Updating the LAN settings ===
=== Enable DHCPv6 ===
 
At this stage your PPPoE WAN interface will have obtained an [[IPv6]] address from AAISP (something in the 2001:8b0:1111:1111::/64 range, but it is not visible in the GUI unless you connect to the router via ssh and run "ifconfig").
 
Your LAN network will in turn use the [[IPv6]] range you have been assigned by AAISP. Remember that in [[IPv6]] there is no NAT and the like: all your devices are directly routable, which is why the [[IPv6]] range you have been given applies inside the LAN, not outside. This is also why your PPPoE interface gets its address from a completely different range; it is just a "hop" to your network.
 
Now, we had to use a bit of that range for the LAN address of the router itself (the 2001:8b0:XXXX:YYYY::1 address set previously). So, while we are at it, let's reserve some of the addresses for static use (i.e. not DHCPv6). The easiest is to say that all addresses in the 2001:8b0:XXXX:YYYY::/80 range are statically assigned. This means the static range has 2^48 addresses available, which could seem a bit excessive, but who cares: with [[IPv6]] we have more addresses than atoms in the universe :-)
 
''Note: On some old hardware/OS combinations you may have to unplug and replug the network cable for the machine to pick up the change.''
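The address plan described above, worked through as an added example (this is not code from the original page or from pfSense). The AAISP-assigned prefix 2001:8b0:XXXX:YYYY::/64 is stood in for by the documentation prefix 2001:db8:1234:5678::/64, and the WAN /128 by 2001:db8:ffff:1::2; both are constructed values. It assumes, as the text does, that the lowest /80 of the LAN /64 is reserved for static addressing and that DHCPv6 hands out everything above it, and it includes the checks worth making before typing the ranges into pfSense (the WAN /128 sits outside the LAN, the router's ::1 can never be handed out by DHCPv6, and the pool is contiguous with the static block).

```python
"""Address plan for an AAISP-routed LAN /64 (added example, not from the page)."""
import ipaddress

LAN_PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")   # constructed stand-in for 2001:8b0:XXXX:YYYY::/64
WAN_ADDRESS = ipaddress.IPv6Address("2001:db8:ffff:1::2")        # constructed stand-in for the /128 AAISP hands the router
STATIC_PREFIXLEN = 80                                            # the /80 carve-out the text proposes


def static_block(lan=LAN_PREFIX, static_prefixlen=STATIC_PREFIXLEN):
    """The lowest /80 of the LAN prefix, reserved for statically configured hosts."""
    if static_prefixlen <= lan.prefixlen:
        raise ValueError("static reservation must be a strict subnet of the LAN prefix")
    return next(lan.subnets(new_prefix=static_prefixlen))


def router_address(lan=LAN_PREFIX):
    """The router's own LAN address (the ::1 set earlier in the LAN settings)."""
    return lan[1]


def dhcpv6_range(lan=LAN_PREFIX, static_prefixlen=STATIC_PREFIXLEN):
    """(first, last) addresses for the DHCPv6 pool: everything in the /64 above the static block."""
    static = static_block(lan, static_prefixlen)
    first = static[-1] + 1        # one past the top of the /80
    last = lan[-1]                # top of the /64
    return str(first), str(last)


def classify(address, lan=LAN_PREFIX, static_prefixlen=STATIC_PREFIXLEN):
    """Say which part of the plan an address falls into: router, static, dhcpv6 or off-lan."""
    addr = ipaddress.IPv6Address(address)
    if addr not in lan:
        return "off-lan"
    if addr == router_address(lan):
        return "router"
    if addr in static_block(lan, static_prefixlen):
        return "static"
    return "dhcpv6"


def check_plan(lan=LAN_PREFIX, wan=WAN_ADDRESS, static_prefixlen=STATIC_PREFIXLEN):
    """Sanity checks before the ranges go into pfSense. Every value should be True."""
    static = static_block(lan, static_prefixlen)
    first, last = dhcpv6_range(lan, static_prefixlen)
    return {
        # The WAN /128 is a hop from a different range; it must not sit inside the LAN.
        "wan_outside_lan": wan not in lan,
        # ::1 is inside the static carve-out, so DHCPv6 can never hand it out.
        "router_in_static": router_address(lan) in static,
        # A /80 inside a /64 holds 2^(128-80) = 2^48 addresses, as the text says.
        "static_size_2_48": static.num_addresses == 2 ** (128 - static_prefixlen),
        # The pool starts exactly one address after the static block and ends at the top of the /64.
        "pool_contiguous": (ipaddress.IPv6Address(first) == static[-1] + 1
                            and ipaddress.IPv6Address(last) == lan[-1]),
    }


if __name__ == "__main__":
    print("static block :", static_block())
    print("router       :", router_address())
    print("DHCPv6 range :", dhcpv6_range())
    for a in ("2001:db8:1234:5678::1", "2001:db8:1234:5678::50",
              "2001:db8:1234:5678:1::1", str(WAN_ADDRESS)):
        print(f"{a:40} -> {classify(a)}")
    print(check_plan())
```

Swap the two constructed prefixes for your real assignment and the printed DHCPv6 range is what goes into the pfSense DHCPv6 server page; anything `classify` reports as "dhcpv6" is a candidate for a lease, anything "static" is yours to assign by hand.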
 
 
=== Check the firewall rules for outgoing from LAN ===
 
 
=== Fix the PPoEPPPoE DNS problem ===
 
The problem is that the PPPoE code is still a bit flaky in 2.1.2, and although the PPPoE negotiation itself is fine, pfSense will often lose the ISP DNS settings (this seems to be a timing-related issue of some kind, so sometimes it works and sometimes it does not; you can even get into situations where the DNS setting is there and then suddenly disappears!).
 
Arghhhh!!!!!
 
[[File:System - General setup.png|800px]]
 
 
=== Testing internet access ===
Although you can now get on the internet fine, if you look at the RRD graphs or consult the gateway status page you will notice the status is marked as either offline or unknown.
 
This is because the script that configures apinger (the process that monitors the gateways) is buggy and currently does not cope well with PPPoE (whereas it was perfectly fine in pfSense 2.0.x).
 
Another problem is that for [[IPv6]] the AAISP gateway will currently not reply to pings on its link-local address (and that is the address used for routing the traffic, so it is reachable!). So you have to manually set the monitor address to 2001:8b0:0:81::51bb:51bb (which is the [[IPv6]] address of clueless.aa.net.uk). But even that won't initially work, because even if you set a routable monitor address, apinger is told to use the link-local address as the source, meaning you will never get the response...
(This seems to be fixed in 2.3.3; however, you will still need to set the monitoring address to [[Server List|bottomless]]. It is also possible simply to disable monitoring if you do not have multiple IPv6 lines coming into the pfSense box.)
 
So it is necessary to change /etc/inc/gwlb.inc with these two fixes, and then it will work. These fixes have been added to pfSense (see https://github.com/pfsense/pfsense/pull/1098), so they will make it into a future version, but in the meantime they are described here: https://forum.pfsense.org/index.php?topic=69533.msg411732#msg411732
Note: sometimes, after a link failure, the script will still fail to set up apinger properly (especially for [[IPv6]]; IPv4 will typically be OK). This seems to be caused by timing issues whereby pfSense calls the script too early. Fixing this will probably require a more serious rework of that area in pfSense.
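The monitor-address and source-address logic described above, as an added example that is not code from the original page or from pfSense's gwlb.inc. It reads the addresses off an "ifconfig pppoe0" dump (the command the text suggests for seeing the WAN /128) and works out what to put in the gateway's Monitor IP and which source address the pings must come from. The ifconfig text is constructed to resemble FreeBSD output for a PPPoE link: the IPv4 addresses are RFC 5737 documentation addresses, the /128 uses the page's own 2001:8b0:1111:1111::/64 placeholder, the link-local peer fe80::1%pppoe0 is made up, and the IPv6 monitor is the clueless.aa.net.uk address the text gives.

```python
"""Derive pfSense gateway monitor settings from a pppoe0 ifconfig dump (added example)."""
import ipaddress
import re

# Constructed sample, modelled on "ifconfig pppoe0" on a pfSense box (not real output).
SAMPLE_IFCONFIG = """\
pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
\tinet6 fe80::20d:b9ff:fe12:3456%pppoe0 prefixlen 64 scopeid 0x8
\tinet 192.0.2.10 --> 198.51.100.1 netmask 0xffffffff
\tinet6 2001:8b0:1111:1111::2 prefixlen 128
"""

AAISP_V6_MONITOR = "2001:8b0:0:81::51bb:51bb"   # clueless.aa.net.uk, per the text above


def parse_ifconfig(text):
    """Pull the addresses off a single-interface ifconfig dump.

    Returns {"inet": local IPv4, "peer": PPP peer IPv4, "inet6": [(addr, prefixlen), ...]}.
    The %pppoe0 scope id on link-local addresses is dropped.
    """
    out = {"inet": None, "peer": None, "inet6": []}
    for line in text.splitlines():
        m = re.match(r"\s*inet (\S+) --> (\S+)", line)        # point-to-point IPv4 line
        if m:
            out["inet"], out["peer"] = m.group(1), m.group(2)
            continue
        m = re.match(r"\s*inet6 (\S+) prefixlen (\d+)", line)  # any IPv6 line
        if m:
            out["inet6"].append((m.group(1).split("%")[0], int(m.group(2))))
    return out


def monitor_settings(ifc, v6_gateway, v6_monitor=AAISP_V6_MONITOR):
    """Work out the gateway "Monitor IP" and the ping source for each family.

    IPv4: the PPP peer is routable and answers, so monitor it from the local inet address.
    IPv6: if the default gateway is link-local (fe80::/10), as AAISP's is, it will not
    answer pings, so monitor a routable address instead and send the pings from the
    global /128, not from the interface's link-local address (the apinger mistake the
    text describes).
    """
    v4 = {"monitor": ifc["peer"], "source": ifc["inet"]}

    gw = ipaddress.IPv6Address(v6_gateway.split("%")[0])
    routable = [a for a, _ in ifc["inet6"] if not ipaddress.IPv6Address(a).is_link_local]
    if not routable:
        raise ValueError("no routable IPv6 address on the interface: DHCP6 over PPPoE did not give us a /128")
    if gw.is_link_local:
        v6 = {"monitor": v6_monitor, "source": routable[0]}
    else:
        v6 = {"monitor": str(gw), "source": routable[0]}
    return {"inet": v4, "inet6": v6}


if __name__ == "__main__":
    ifc = parse_ifconfig(SAMPLE_IFCONFIG)
    # On an AAISP PPPoE link the IPv6 default route points at a link-local peer (constructed value here).
    for family, s in monitor_settings(ifc, "fe80::1%pppoe0").items():
        print(f"{family}: monitor {s['monitor']} from source {s['source']}")
```

The IPv6 result is the pair to check by hand from the pfSense shell: FreeBSD's ping6 takes the source with -S, so `ping6 -S <your /128> 2001:8b0:0:81::51bb:51bb` should answer, while the same ping sourced from the fe80:: address will not, which is precisely why the unpatched apinger reports the gateway as down.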
 
[[Category:IPv6]] [[Category:3rd Party Routers|PFSense]]