pfSense Gold Subscription

Author Topic: pfSense with ARRIS MODEM and Linksys E900 DDWRT  (Read 263 times)

0 Members and 1 Guest are viewing this topic.

Offline AnointedOne

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
    • View Profile
pfSense with ARRIS MODEM and Linksys E900 DDWRT
« on: September 12, 2017, 04:47:23 pm »
Good day to all,

Having a bit of an issue here which has caused me after much trial and error and troubleshooting, I can't figure with my limited knowledge.

Recently completed CompTIA Network+ and Security+ passing both exam and due to lack of jobs, I decided to create my own little networking environment to further apply my knowledge for fun as well as experience till a job comes.

My test environment is at my church and I am the I.T admin. I chose there because some things,I would like to try out and learn how to configure (like internet access control, network monitoring, captive portal, the fun stuff), the numbers of individuals on the network is of a fair size.

My situation is this:
Before the firewall, all was pretty much simply, wireless router flashed with ddwrt for internet access control along with some security cameras accessible over the internet through DDNS. All of which worked fine. For some reason, my public ip changed (whats my ip on google) and as a result, the DDNS service got thrown off. The manufacturer of the security cameras offers the DDNS service which I am using. Since there is now a new public ip, I can't access the cameras outside church, like I use to before. After investigating, I could not trace the IP to a device on my network, so the only thing that I can think of is NAT.

https://www.youtube.com/watch?v=Rhxl1_tiBQM&t=43s In the early setup of the cameras, I followed this video to set the modem to bridged mode cause I had problems in getting the DDNS service to work properly.

So, after researching (lots of it), I saw someone mentioning that it is more secure to setup access of cameras over the internet through a VPN versus DDNS since with DDNS the entire internet has access to it and with VPN, only those who you want can access. This I understood and liked and again, for the experience, I learnt how to setup OpenVPN and got things working.

Soon after (couple of weeks into a month), i started having issues, couldn't access the network through VPN anymore thus no more cameras. Since I needed to get it available for other individuals, had to abandon the VPN since I couldn't fix it. Went back to the DDNS method which worked but then my public IP changed again. This is my issue.

My public IP before was my firewall IP but it changed to another IP. I did something pretty, unusual where i connected a cable from the modem to the WAN port on the router (desperate to get the thing on) so that way it can be available, which worked. Port forwarding was giving problem on pfsense so I used the router WAN port with the Upnp service (couldn't figure it out on pfsense) which got the cameras up.

BUT again, my public IP changed, messing up my DDNS service aka no more cameras. I factory reset everything, router, modem and firewall to no avail.

Sorry for the long statement but wanted to be detailed with all I have done and with all that has happened. So my question and request is this:

1) How do I get my public IP to reflect my firewall's WAN IP (and/or router IP)?
2) What is making my public IP change?

Thanks and I do eagerly await your response.

Offline nycfly

  • Jr. Member
  • **
  • Posts: 40
  • Karma: +1/-0
    • View Profile
Re: pfSense with ARRIS MODEM and Linksys E900 DDWRT
« Reply #1 on: September 12, 2017, 05:05:57 pm »
Quote
1) How do I get my public IP to reflect my firewall's WAN IP (and/or router IP)?

You need to make sure your modem is properly set to bridge mode. Plug your pfsense router's WAN into the modem and it should acquire your public DNS via DHCP. For your modem to properly be in bridge mode, you need to make sure:

—It's set to bridge mode
—DHCP server is disabled
—Wireless is disabled
—Firewall is disabled

I think this is all covered in the the video you linked. In pfSense the WAN interface configuration for IPV4 should be set to DHCP.

Basically, you are setting the modem to act only as a modem. It won't get an IP address. Your pfSense box will acquire the IP address from your cable provider through the modem.

Quote
2) What is making my public IP change?

It is dynamically assigned. It is expected that it will change periodically. DDNS = Dynamic DNS. The purpose of it is to map a static host name to a dynamic IP address. To do this, the DDNS service needs to be told what your IP address is when it changes. pfSense includes a DDNS client (Services => Dynamic DNS) that you configure to update your DDNS provider whenever your IP address changes.

Offline AnointedOne

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
    • View Profile
Re: pfSense with ARRIS MODEM and Linksys E900 DDWRT
« Reply #2 on: September 12, 2017, 05:12:58 pm »
Quote
You need to make sure your modem is properly set to bridge mode. Plug your pfsense router's WAN into the modem and it should acquire your public DNS via DHCP. For your modem to properly be in bridge mode, you need to make sure:

—It's set to bridge mode
—DHCP server is disabled
—Wireless is disabled
—Firewall is disabled

Yes, as per the video, all of this is done

Quote
It is dynamically assigned. It is expected that it will change periodically. DDNS = Dynamic DNS. The purpose of it is to map a static host name to a dynamic IP address. To do this, the DDNS service needs to be told what your IP address is when it changes. pfSense includes a DDNS client (Services => Dynamic DNS) that you configure to update your DDNS provider whenever your IP address changes.

Was more referring to what makes my public IP change, not really the DDNS. Before it was fixed with either, my modem IP, router IP or firewall IP. Now it is popping up this new IP. Want it back how it was. Example, a while ago i factory reset the modem and my public IP was the WAN IP of the modem. Did another reset and now it is showing that other IP which I am referring to.

Offline nycfly

  • Jr. Member
  • **
  • Posts: 40
  • Karma: +1/-0
    • View Profile
Re: pfSense with ARRIS MODEM and Linksys E900 DDWRT
« Reply #3 on: September 12, 2017, 05:28:32 pm »
Quote
It is dynamically assigned. It is expected that it will change periodically. DDNS = Dynamic DNS. The purpose of it is to map a static host name to a dynamic IP address. To do this, the DDNS service needs to be told what your IP address is when it changes. pfSense includes a DDNS client (Services => Dynamic DNS) that you configure to update your DDNS provider whenever your IP address changes.

I think I misunderstood you. So you're saying sometimes pfSense has your public IP and sometimes it has another IP? What is that other IP? Are you sure the DHCP server in the modem is disabled?

Offline AnointedOne

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
    • View Profile
Re: pfSense with ARRIS MODEM and Linksys E900 DDWRT
« Reply #4 on: September 12, 2017, 05:32:31 pm »
Quote
I think I misunderstood you. So you're saying sometimes pfSense has your public IP and sometimes it has another IP?

IP on pfSense is constant doesn't change. When you go google "whats my ip" to find out your public IP, that's the IP that changes.

Quote
Are you sure the DHCP server in the modem is disabled?

Yes, on the modem, DHCP on the WAN is disabled but as I go through the video, the modem wants me to set a static WAN IP. When I do, DHCP is disabled. If I disable the static, it re-enables the WAN DHCP. Think the modem in the video is a model earlier than what I have.

Offline nycfly

  • Jr. Member
  • **
  • Posts: 40
  • Karma: +1/-0
    • View Profile
Re: pfSense with ARRIS MODEM and Linksys E900 DDWRT
« Reply #5 on: September 12, 2017, 05:53:19 pm »
Quote
IP on pfSense is constant doesn't change. When you go google "whats my ip" to find out your public IP, that's the IP that changes.

OK that was my original understanding. This is going to happen and there is not a whole lot you can do to control it. If you want a static IP (as opposed to a dynamic IP) you will have to pay your ISP for that as an additional feature (if this is a business account, this is easy but if it's a consumer account you may be out of luck).

Quote
Yes, on the modem, DHCP on the WAN is disabled but as I go through the video, the modem wants me to set a static WAN IP. When I do, DHCP is disabled. If I disable the static, it re-enables the WAN DHCP. Think the modem in the video is a model earlier than what I have.

I'm referring to the LAN DHCP server. This needs to be disabled (see picture) Sounds like pfSense is getting an IP address from your modem (presumably a 192.168.x.x address). You want pfSense to be acquiring the WAN address.

As for the WAN DHCP, I believe you should be able to disable WAN DHCP and just ignore the settings for static IP. You then need to reboot the cable modem. Afterwards, pfSense should be able to acquire the WAN address. Once you have pfSense getting the WAN address you can then setup the DDNS client on pfSense to update your DDNS provider whenever your IP address changes.

Offline AnointedOne

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
    • View Profile
Re: pfSense with ARRIS MODEM and Linksys E900 DDWRT
« Reply #6 on: September 12, 2017, 06:05:02 pm »
Quote
I'm referring to the LAN DHCP server. This needs to be disabled (see picture)

It is disabled.

Quote
You want pfSense to be acquiring the WAN address

It is acquiring a WAN address.

Quote
As for the WAN DHCP, I believe you should be able to disable WAN DHCP and just ignore the settings for static IP

WAN DHCP is disabled through setting a static WAN IP; can't ignore it.

Offline nycfly

  • Jr. Member
  • **
  • Posts: 40
  • Karma: +1/-0
    • View Profile
Re: pfSense with ARRIS MODEM and Linksys E900 DDWRT
« Reply #7 on: September 12, 2017, 07:33:54 pm »
Quote
It is acquiring a WAN address.

Is it acquiring this address from your ISP?

If I understood you correctly, you said pfSense had an IP that never changed but you said your WAN IP changes. I'm having trouble understanding this. What is the WAN IP on pfSense? Is it static or is pfSense set to DHCP?

Offline AnointedOne

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
    • View Profile
Re: pfSense with ARRIS MODEM and Linksys E900 DDWRT
« Reply #8 on: September 12, 2017, 08:56:33 pm »
Quote
If I understood you correctly, you said pfSense had an IP that never changed but you said your WAN IP changes.

pfSense successfully obtains a WAN IP when connected to the modem. That IP does not change. As far as before, whenever I use to check my public IP through google, it would show the pfSense WAN IP as my public IP. Before setting pfSense, it would show my modem's WAN IP as the public IP. When I set up the linksys, it would be the Linksys WAN IP as the public. For some reason, it stopped and show an entirely different WAN IP for my public IP, which does not match pfsense.

That's the IP that changes. It looks like NAT but I am not sure how to adjust it.

Offline nycfly

  • Jr. Member
  • **
  • Posts: 40
  • Karma: +1/-0
    • View Profile
Re: pfSense with ARRIS MODEM and Linksys E900 DDWRT
« Reply #9 on: September 12, 2017, 09:32:44 pm »
This behavior indeed seems strange.

Is the WAN interface on pfSense set to DHCP?

Offline AnointedOne

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
    • View Profile
Re: pfSense with ARRIS MODEM and Linksys E900 DDWRT
« Reply #10 on: September 12, 2017, 09:58:47 pm »
Quote
This behavior indeed seems strange

Yes it is and annoying. But I just decided to use what I have rather than trying to re-establish what was there before. I port forwarded with the public ip and it works now. Thanks a bunch. Would like for it to be how it was but time is a factor. :) But now i have another problem. Will start a separate post for that one x.x

Offline nycfly

  • Jr. Member
  • **
  • Posts: 40
  • Karma: +1/-0
    • View Profile
Re: pfSense with ARRIS MODEM and Linksys E900 DDWRT
« Reply #11 on: September 13, 2017, 07:48:58 am »
DDNS clients that run on Windows/Mac/Linux client machines will use an external website to verify your public IP (there may also be such a client available as a package for pfSense as I don't think the built-in client does this). You could use one of those to update your DDNS so that your cameras or VPN can be used if your public IP changes, even if it doesn't change on pfSense.

Offline virgiliomi

  • Sr. Member
  • ****
  • Posts: 533
  • Karma: +70/-4
    • View Profile
Re: pfSense with ARRIS MODEM and Linksys E900 DDWRT
« Reply #12 on: September 13, 2017, 09:25:14 am »
Some ISPs require that you use their gateway (modem + router in one) in order to get a static public IP address. They run a routing protocol on their router that communicates with their upstream routers, telling them to route data for your static IP address to your gateway. They don't allow third-party devices to run the same routing protocol because there is significant potential for abuse by giving out the key(s) needed for the routing protocol to function.

So if you were using your "modem" (in quotes because I'm guessing that it's really a gateway) as a router before, and you had a static IP address before, then that's why you're not getting a static IP address anymore. You've changed your "modem" so that it is strictly operating as a modem (bridge mode), so it's not running that routing protocol anymore and isn't able to accommodate a static IP address as a result.

Offline AnointedOne

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
    • View Profile
Re: pfSense with ARRIS MODEM and Linksys E900 DDWRT
« Reply #13 on: September 13, 2017, 11:47:30 am »
Quote
Some ISPs require that you use their gateway (modem + router in one) in order to get a static public IP address. They run a routing protocol on their router that communicates with their upstream routers, telling them to route data for your static IP address to your gateway. They don't allow third-party devices to run the same routing protocol because there is significant potential for abuse by giving out the key(s) needed for the routing protocol to function.

So if you were using your "modem" (in quotes because I'm guessing that it's really a gateway) as a router before, and you had a static IP address before, then that's why you're not getting a static IP address anymore. You've changed your "modem" so that it is strictly operating as a modem (bridge mode), so it's not running that routing protocol anymore and isn't able to accommodate a static IP address as a result.

Ahhhhh, ok. Thanks for the info. Things is now that I have opened the required ports, and have access to the cameras, I don't have access from a remote location. I think when I go there for the weekend, I will reset the modem back to default and see what I can do.

My VPN don't work remotely either. On site, all is well, offsite no connection

Offline AnointedOne

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
    • View Profile
Re: pfSense with ARRIS MODEM and Linksys E900 DDWRT
« Reply #14 on: September 13, 2017, 12:29:08 pm »
Quote
So if you were using your "modem" (in quotes because I'm guessing that it's really a gateway) as a router before, and you had a static IP address before, then that's why you're not getting a static IP address anymore. You've changed your "modem" so that it is strictly operating as a modem (bridge mode), so it's not running that routing protocol anymore and isn't able to accommodate a static IP address as a result.

Quick update
Ok, here is another thing now. I got the same modem home (think it should be the same model, ISP change the models some time) and the modem in bridged and my public IP is the same as my router WAN IP.