
Saturday, May 12, 2012

pfSense initial configuration with ADSL WAN

In this post, I'll show you how to configure your pfSense router to connect to the Internet and act as a firewall for your LAN. We will set the firewall up to deny all inbound traffic while performing Network Address Translation (NAT) for our LAN traffic going out. We will even do some tricky NAT to route to our modem, which will be configured in bridge mode and connected to the WAN port.
First, log in to your newly installed pfSense router by using a web browser to connect to the IP address configured during the initial boot.


Log in with the default username / password, 'admin' and 'pfsense'.

If you find yourself looking at a setup wizard, just follow the steps, choosing the options that are relevant for your setup, and you will end up at the main pfSense 'Status: Dashboard'.
The dashboard is great as you can configure it with additional widgets to show you at a glance the status of various network interfaces, traffic throughput and services to name a few. Just click on the + button at the top of the page to add additional widgets. I've added Traffic Graphs, Interfaces and Gateways, however you can add whatever you want. Go ahead and knock yourself out.

What we're interested in at the moment though is configuring the WAN interface so we can get connected to the Internet.
Wave your mouse over the Interface menu and click on WAN from the drop down for the WAN interface configuration page.


Here you need to select 'PPPoE' as the type, as pfSense will use this interface to control our modem and perform the actual authentication to the ISP.
In the next section down you will need to enter your user name and password for your ISP.


And finally check 'Block private networks' and 'Block bogon networks' as we don't want to accept packets on our WAN interface with a source address belonging to a private / bogon network. Your ISP shouldn't route them to you anyway.


Click 'Save' and 'Apply changes' to save your changes and make them active.
Now with the WAN interface ready to go, we need to configure the old router / modem to run in bridge mode so we can get it all connected and access the Internet.

The first thing you want to do is use a web browser to connect to your old modem / router and set the WAN interface to 'Bridge Mode'. Once you've logged in you will need to find the WAN type. Depending on your modem / router, it may be under 'WAN' or 'Internet' or some such. If you can't find it you will need to refer to your owners manual, which if you don't have, you should be able to find by googling your modem / router model number with the phrase 'user guide'. There will be a user manual PDF on the Internet somewhere.

The second thing is to set a new LAN IP address. Currently the old modem / router will have an IP address from your LAN subnet, possibly the same address as your new pfSense router. You need to set it to something completely different, which will enable us to route to it using pfSense when it's all connected. I configured mine with an address of 172.16.15.1 with a subnet mask of 255.255.255.252. That's a 252 on the end. The reason is that a 252 subnet (expressed as a CIDR of /30) contains only 2 usable IPs: one will be used by my modem, the other by pfSense. Why? Because we only need two and there should only ever be two devices in this subnet. I've seen people use whole /24's (254 usable IPs) just for two devices! Lazy.

Make all these changes to your old modem / router and save. After this you probably won't be able to access your modem unless you change the IP address of the computer you're using to access it. You can do this if you really want to double check that all your settings have applied and your modem is ready to go. Remember, using my example above, your computer's IP will be 172.16.15.2 with a subnet mask of 255.255.255.252, and you could probably set the gateway to 172.16.15.1 with no DNS servers. Open up your web browser and point it to the modem's new IP and you should get a login.
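To make the /30 arithmetic above concrete, here is a small added planning script (my own example, not part of the original post) that derives the pfSense-side address, netmask and gateway from the modem's address, and refuses a link subnet that overlaps the LAN. The modem address 172.16.15.1/30 comes from the post; the LAN subnet 192.168.1.0/24 is an assumption, since the post never states it.

```python
import ipaddress

# Constructed values following the post: the modem is given 172.16.15.1/30 and the
# pfSense LAN is assumed to be 192.168.1.0/24 (the post does not state the LAN subnet).
MODEM_LINK = "172.16.15.1/30"
LAN_SUBNET = "192.168.1.0/24"


def plan_modem_link(modem_cidr: str, lan_cidr: str) -> dict:
    """Derive the addresses to enter on the pfSense side of the modem link and
    check that the chosen prefix is sane: the modem address must be a usable host,
    the link subnet must not overlap the LAN (or pfSense could not route to it), and
    the size of the block shows how many addresses a wider prefix would waste."""
    modem = ipaddress.ip_interface(modem_cidr)
    lan = ipaddress.ip_network(lan_cidr)
    link = modem.network
    usable = list(link.hosts())  # excludes the network and broadcast addresses
    if modem.ip not in usable:
        raise ValueError(f"{modem.ip} is not a usable host address in {link}")
    if link.overlaps(lan):
        raise ValueError(f"{link} overlaps the LAN {lan}")
    # The remaining usable address is used by pfSense's MOD interface; it is also the
    # address to give a PC when checking the modem directly, as the post describes.
    pfsense_ip = next(h for h in usable if h != modem.ip)
    return {
        "modem_ip": str(modem.ip),
        "netmask": str(link.netmask),
        "usable_hosts": len(usable),
        "pfsense_mod_ip": f"{pfsense_ip}/{link.prefixlen}",
        "gateway_ip": str(modem.ip),
        "unused_addresses": len(usable) - 2,
    }


if __name__ == "__main__":
    # Compare the /30 from the post with the /24 the post calls lazy.
    for cidr in (MODEM_LINK, "172.16.15.1/24"):
        plan = plan_modem_link(cidr, LAN_SUBNET)
        print(f"{cidr}: pfSense side {plan['pfsense_mod_ip']}, "
              f"{plan['usable_hosts']} usable, {plan['unused_addresses']} left over")
```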

Now that your old modem / router is configured and ready to go, connect it to the WAN port in the pfSense router and power it up. Once the modem has powered up navigate to 'Status' and 'Interfaces' in your pfSense router. You will get a list of interfaces, one of which will be the WAN which will have a connect / disconnect button under it. If the WAN interface hasn't automagically come up, you can click the 'Connect' button to initiate a connection.


Once your PPPoE / WAN connection is up it should look like the above. Without your ISP related IP details greyed out of course :)
If your connection doesn't come up, no matter how many times you click the 'Connect' button, power cycle your modem and then reboot your pfSense router. You can reboot pfSense by navigating to 'Diagnostics' and selecting 'Reboot'. If everything comes back up and you still have no PPPoE / WAN connection then you will need to check the settings in your modem / router again to ensure they're correct. The most important setting is configuring it to operate in 'Bridge mode'.

If your pfSense router shows that the WAN interface is up and you have a public IP address routed to your connection as above, you should be able to access the Internet. However, there are some things to check before we get carried away.
  • Dynamic Host Configuration Protocol server (DHCP)
  • Network Time Protocol daemon (OpenNTPD)
  • LAN firewall rule
To check your DHCP settings, navigate to 'Services' and 'DHCP Server', then click the LAN tab. First, make sure that the 'Enable DHCP server on LAN interface' option is checked, and then make sure that there is a decent range of IPs to allocate out to connecting machines on the LAN.
My DHCP range is from 100 to 199 (the default), which is plenty for the LAN and leaves IPs at the start and end of the subnet to be statically assigned if needed.


We also need to set the pfSense router's LAN IP address in the 'NTP Servers' field, which you can find by scrolling down and clicking the advanced button.


Click the 'Save' button to save the changes and then navigate to 'Services' and 'OpenNTPD'. All we really want to do here is turn it on for the LAN interface. As below.


The NTP server will allow hosts on the LAN to retrieve the current time from the pfSense router ensuring that all the hosts on the LAN have the correct time set when they boot up. We've already configured the NTP DHCP option to point connecting clients at the pfSense router, so once the above is enabled, click the 'Save' button to save changes and then navigate to 'Firewall' and 'Rules'.
By default pfSense has a 'Deny all' policy for all interfaces except the LAN.
Click on the 'LAN' tab (WAN is displayed by default) and just make sure that an 'allow LAN to any' rule exists (replicating the function of the old modem / router). This will allow hosts on the LAN access to the Internet and anything else the pfSense router can route to.


Your pfSense router should already have this, however if it doesn't, you can add it by clicking the + button on the right and selecting the following options.


Enter 'Default allow LAN to any rule' for the description and click 'Save' and then 'Apply changes'. You should now be able to access the Internet from a computer on the LAN.

The last thing to do is to configure the pfSense router to be able to access the bridge modem so it can be administered without having to unplug and connect it up to a PC every time. To do this we need to add another interface. Navigate to 'Interfaces' and '(assign)', then click on the + button on the bottom right which will add another line to the interface list. The new line will be named 'OPT1' or something similar. You need to click the drop down menu associated with the new interface and select 'vr0' from the list. This should be the same as the current WAN interface which will be listed above. The WAN interface will have a PPPOE0(vr0) followed by your ISP login name. You need to set the new interface just added to the same hardware port that's listed in the brackets - vr0.
So in effect, we're using the same physical interface for two different functions.

Now navigate to 'Interfaces' and 'OPT1'. Click on the enable check box and rename the interface from 'OPT1' to 'MOD' (for Modem). Set the type to 'Static' and enter the second IP address from the /30 range we configured the old modem / router to use before. Following on from the example above this would be 172.16.15.2/30.


At the 'Gateway' section, click 'add a new one' and enter 'MODEM', '172.16.15.1' and 'Bridged ADSL Modem' for 'Gateway Name', 'Gateway IP' and 'Description' respectively. Click 'Save Gateway'. Ensure that both 'Block private networks' and 'Block bogon networks' are checked and click 'Save'.

To make sure pfSense NATs our LAN traffic with the correct source IP (172.16.15.2) for traffic destined to the modem, we need to configure the outbound NAT. Navigate to 'Firewall' and 'NAT' and then click on the 'Outbound' tab. First you will need to check the 'Manual Outbound NAT rule generation' option and click 'Save'. This should populate the table below with outbound NAT rules. Make sure that there is a rule for the 'MOD' interface like in the following screenshot.


If there isn't, click the button on the far right and enter the following options.


Enter 'NAT LAN traffic to Bridge modem /30' or something similar for the description and click 'Save'. You will be taken back to the main NAT list and you will see the new rule at the bottom. You will probably want to move the new NAT rule to the top of the list; to do so, click the check box associated with the new rule and then click the < button on the right of the very top rule. Once the rule has been moved, click 'Apply changes' and everything is done.
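To show why the extra outbound NAT rule matters, here is an added model (my own example, not pfSense's code) of the route lookup plus first-match outbound NAT that the steps above configure: traffic from the LAN to the modem leaves the MOD interface with the 172.16.15.2 source, everything else leaves the WAN with the ISP-assigned address, and without the MOD rule the modem would see a LAN source address it has no route back to. The LAN subnet 192.168.1.0/24 and the WAN address 203.0.113.10 are assumed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses following the post: LAN assumed 192.168.1.0/24, modem link
# 172.16.15.0/30 with pfSense at .2, and a TEST-NET placeholder for the ISP-assigned WAN address.
ANY = ipaddress.ip_network("0.0.0.0/0")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
MOD_NET = ipaddress.ip_network("172.16.15.0/30")
MOD_IP = ipaddress.ip_address("172.16.15.2")
WAN_IP = ipaddress.ip_address("203.0.113.10")  # placeholder, not a real ISP address

# Routing table: the most specific matching prefix decides the egress interface.
ROUTES = [(MOD_NET, "MOD"), (ANY, "WAN")]


@dataclass
class OutboundNatRule:
    interface: str
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    translate_to: ipaddress.IPv4Address


# Manual outbound NAT as the post sets it up: a rule for the MOD interface plus the
# usual WAN rule. Rules are evaluated top to bottom and the first match wins.
NAT_RULES = [
    OutboundNatRule("MOD", LAN_NET, MOD_NET, MOD_IP),
    OutboundNatRule("WAN", LAN_NET, ANY, WAN_IP),
]


def egress_interface(dst: ipaddress.IPv4Address) -> str:
    """Longest-prefix match over ROUTES."""
    return max((net.prefixlen, iface) for net, iface in ROUTES if dst in net)[1]


def translate(src: str, dst: str, rules=NAT_RULES) -> tuple:
    """Return (egress interface, source address the packet leaves with)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = egress_interface(dst_ip)
    for rule in rules:
        if rule.interface == iface and src_ip in rule.source and dst_ip in rule.destination:
            return iface, str(rule.translate_to)
    return iface, str(src_ip)  # no matching rule: the LAN address is left untranslated


if __name__ == "__main__":
    print(translate("192.168.1.50", "172.16.15.1"))   # ('MOD', '172.16.15.2')
    print(translate("192.168.1.50", "198.51.100.7"))  # ('WAN', '203.0.113.10')
    # Same lookup with the MOD rule removed: the modem would get a 192.168.1.x source.
    print(translate("192.168.1.50", "172.16.15.1", rules=NAT_RULES[1:]))  # ('MOD', '192.168.1.50')
```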

You should now be able to access your old modem / router by navigating to http://172.16.15.1 (following my example). If you've set a domain name during the initial setup of pfSense ('System' and 'General setup') you can add in a static DNS entry for the modem by navigating to 'Services' and 'DNS Forwarder'. Scroll down and add a new entry under 'Host overrides' with the following options.


Make sure that the DNS Forwarder option is enabled and click 'Save', then 'Apply Changes', and you should be able to access your modem via http://modem.example.com using the above example. You can do this with other static hosts that you set up and configure on your LAN, which will be much easier to remember than a bunch of IP addresses! Think print servers, media centres, other hosts etc. You may also find it handy to turn on 'Register DHCP leases in DNS forwarder' too. This will allow you to access devices registering via DHCP by their host names instead of their IP addresses.

Enjoy accessing the Internet with your pfSense router and be sure to check back soon for my post on how to configure pfSense as a wireless access point. 

Further Reading

Check out this handy IPv4 Subnetting Cheat Sheet [PDF] from packetlife.net

5 comments:

  1. Hi, this is the one and most document about PPPoE in pfSense and I have a doubt: do I need to enable the PPPoE server from Services?

  2. Hi Rakesh, no you don't need to enable the PPPoE server, just select PPPoE when setting up the interface. In this instance, you're using the PPPoE client, not the server.

    Josh

  3. Your tutorial on how to access the modem via LAN was the best I found, I was struggling with this! Thank you!

  4. I have spent hours on my one and it always fails with

    [wan_link0] LCP: not converging
    [wan_link0] LCP: parameter negotiation failed
    [wan_link0] LCP: state change Ack-Sent --> Stopped
    [wan_link0] LCP: LayerFinish

    I have tried 2 modems too

    :(

    Replies
    1. Hi Petr,

      A couple of things you can try. First ensure that your modem is getting sync to your ISP. Does it have a CD light, or an 'Internet' light on - to indicate sync? Also, you may be able to log in to your modem and check the sync details, probably under the status menu. Does your modem report that it has an UP and DOWN speed to your ISP? That's the first step - making sure your DSL is up. Some modems have a number of different settings for 'Bridge Mode'. Sometimes it's called RFC1483. If your modem has a number of different bridge settings, it may pay to test each one.

      You also may need to restart your pfSense router. Once your modem has sync, reboot your pfSense router and check your interface status once it has booted back up. You may find it will successfully connect on reboot.

      Josh.
