Topic: Cisco BT Signal Booster behind pfSense (Read 115 times)

andy_enuff
Cisco BT Signal Booster behind pfSense
« on: November 04, 2017, 08:56:10 am »
Hi all

New to the forum so apologies if I am asking something that is already answered - I have had a look through but as I don't necessarily know the right terminology for the issue I have, I may have missed something. Thanks for any help in advance!

I have pfSense running on an old HP desktop which has a dual port Intel NIC and an onboard NIC. The Intel NICs are connected as LAN and WAN and the onboard device is connected now to just a BT Cisco Signal Booster. The signal booster creates a VPN back to the mobile provider - well... it is supposed to. Unfortunately (after many tries) I have been unable to allow it to create the VPN. I believe it is failing because it does not have NAT-T enabled (that the box itself is freaking out because the packets it gets back are not what it expects?) - but I don't have any options I can change on the booster itself.

I've tried a number of different things on pfSense such as enabling/disabling automatic outbound NAT for that specific interface, changing the MTU clamping, adding forward NAT rules for ISAKMP for udp/4500 but TNA. Can anyone offer any advice as to how I might be able to get this device to work?

At the moment I can see all traffic passing to and from the box OK, apart from when the box tries to initiate the VPN using outbound ISAKMP tcp/4500 requests. It retries every 5 mins and I've included a pastebin link to the bit I think is failing from a TCP dump of the specific interface on pfSense. https://pastebin.com/1URs1sqw

At the moment the config is as follows:

Interface address 10.42.0.1
DHCP address of Boost box  10.42.0.2
WAN interface connected to cable modem in "modem mode"
Port mapping rule for UDP/4500 on WAN interface -> 10.42.0.2:UDP/4500
Manual outbound NAT configured - only a rule for * -> WAN address configured for the 10.42.0.0/30 subnet
Currently an additional rule for UDP/any going to WAN interface


Any help much appreciated - I have tried all sorts of combinations and not succeeded so far - is it even possible? I'd just like to be able to allow this to connect as per the usual cable modem NAT set-up (it works when I plug directly into the cable modem with the CM in router mode).


EDIT: I can see from the packet traces that the device gets an IP via DHCP, connects to the time service via pool.ntp.org and then downloads a config file via HTTPS (cannot tell if that is successful); however, the device then attempts to initiate the VPN every 5 mins.
« Last Edit: November 04, 2017, 09:46:00 am by andy_enuff »
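The poster's open question is whether the booster is actually using NAT-T or plain IKE on the interface facing pfSense. The helper below is an added example (not the poster's or pfSense's code) that classifies UDP payloads captured on ports 500 and 4500 using the RFC 3948 framing (1-byte 0xFF keepalive, 4-byte non-ESP marker before IKE, otherwise ESP-in-UDP) and decodes the IKE fixed header so you can see whether the responder SPI is ever filled in, i.e. whether the provider ever replies. The sample datagrams are constructed, not taken from the pastebin dump.

```python
import struct

# ISAKMP/IKE fixed header (RFC 2408 / RFC 7296): initiator SPI, responder SPI,
# next payload, major/minor version, exchange type, flags, message ID, length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

EXCHANGE_NAMES = {
    (1, 2): "IKEv1 Main Mode", (1, 4): "IKEv1 Aggressive Mode",
    (1, 5): "IKEv1 Informational", (1, 32): "IKEv1 Quick Mode",
    (2, 34): "IKE_SA_INIT", (2, 35): "IKE_AUTH",
    (2, 36): "CREATE_CHILD_SA", (2, 37): "INFORMATIONAL",
}

def parse_isakmp(data):
    """Decode an IKE header; returns None if the bytes cannot be an IKE header."""
    if len(data) < ISAKMP_HDR.size:
        return None
    _ispi, rspi, _npl, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    major = ver >> 4
    if major not in (1, 2) or length < ISAKMP_HDR.size:
        return None
    return {
        "version": major,
        "exchange": EXCHANGE_NAMES.get((major, xchg), f"exchange {xchg}"),
        "responder_spi_set": rspi != bytes(8),   # stays zero until the peer answers
        # IKEv2 flag bit 5 = Response; IKEv1 carries no such bit
        "is_response": bool(flags & 0x20) if major == 2 else None,
        "message_id": msgid,
    }

def classify_udp(dst_port, payload):
    """Label one UDP payload seen on an IPsec port (RFC 3948 framing on 4500)."""
    if dst_port == 500:
        hdr = parse_isakmp(payload)
        return ("IKE", hdr) if hdr else ("unknown", None)
    if dst_port == 4500:
        if payload == b"\xff":
            return ("NAT-T keepalive", None)          # single 0xFF byte
        if payload[:4] == bytes(4):                   # non-ESP marker, then IKE
            hdr = parse_isakmp(payload[4:])
            return ("IKE over NAT-T", hdr) if hdr else ("unknown", None)
        if len(payload) >= 8:                         # ESP header: SPI + sequence
            return ("ESP-in-UDP", {"spi": payload[:4].hex()})
    return ("unknown", None)

# Constructed sample datagrams (hypothetical, not from the poster's capture).
IKEV2_INIT = ISAKMP_HDR.pack(b"\x11" * 8, bytes(8), 33, 0x20, 34, 0x08, 0, 28)
IKEV1_MAIN = ISAKMP_HDR.pack(b"\x22" * 8, bytes(8), 1, 0x10, 2, 0x00, 0, 28)
```

Feed it the (dst_port, payload) pairs from the capture: initiator packets with `responder_spi_set` False and no matching `is_response` True replies point at the provider side never answering, which is a different problem from NAT-T framing being wrong.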