
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

Router - PFSense: Difference between revisions

This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual-stack router and firewall. (Note, however, that this is just the way I have set up my system, and it should be used only as guidance.)
 
Before you start, it would be wise to read [[IPv6#IPv6 on AAISP Broadband|IPv6 on AAISP]], which explains how IPv6 traffic will be routed to you by AAISP. The key point is that you should expect one /128 address to be assigned to your router; additional subnets will be routed to this address.
 
= Introduction =
 
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.
 
AAISP will supply provider address space. For obvious reasons, this cannot be moved between suppliers. You may wish to consider an NPt configuration, which will allow you to use a private address internally. This will avoid the need to readdress should you move suppliers, and will also make multi-provider WAN easier to deploy; see [https://doc.pfsense.org/index.php/Multi-WAN_for_IPv6 Multi-WAN for IPv6 on PFSense documentation site].
 
= Configuration =
[[File:Interface Setup - WAN.png|800px]]
 
Note that you should not use the prefix delegation configuration; AAISP will issue you a single /128 and then route additional subnets to this address.
 
Finally, click on the save button.
This is the case because the script currently configuring apinger (the process that monitors the gateways) is buggy and currently does not cope very well with PPPoE (when it used to be perfectly fine in pfSense 2.0.x).
 
Another problem is that for [[IPv6]] the AAISP gateway will currently not reply to pings on its link-local address (and it is the one used for routing the traffic, so it is reachable!). So you have to manually set the monitor address to be 2001:8b0:0:81::51bb:51bb (which is the [[IPv6]] address of clueless.aa.net.uk). But even that won't initially work, because even if you set the routable address, apinger is told to use the link-local address as the source, meaning you will never get the response...
(This seems to be fixed in 2.3.3; however, you will still need to configure the monitoring address to [[Server List|bottomless]]. It's also possible simply to disable monitoring if you do not have multiple IPv6 lines coming into the PFSense box.)
 
So it is necessary to change /etc/inc/gwlb.inc with these two fixes and then it will work. These fixes have been added to pfSense (see https://github.com/pfsense/pfsense/pull/1098), so they will make it into a future version, but in the meantime they are described here: https://forum.pfsense.org/index.php?topic=69533.msg411732#msg411732
Note: Sometimes, after link failure, the script will still fail to set up apinger properly (especially for [[IPv6]]; IPv4 will typically be OK). This seems to be caused by some timing issues whereby pfSense calls the script too early. Fixing this will probably require a more serious rework of that area in pfSense.
 
[[Category:IPv6]] [[Category:3rd Party Routers|PFSense]]