Return to Level1Techs.com

Pfsense failing to get WAN IP on cold boot


#1

Having issues with my pfsense router/firewall. When it’s up and running, it’s fine. If I lose power or have to cold boot it’s a pain to get going again. It fails to get an IP from my modem. In the pfsense dashboard I see “n/a” where I should have an IP on the WAN interface. Sometimes I’ll see 0.0.0.0.

Ive already made a thread on Arstechnica.com and got some good advice but none of it seemed to really solve my issue. https://arstechnica.com/civis/viewtopic.php?f=10&t=1391565

Here are my hardware specifications.

Modem: Motorola Arris Sb6141

Pfsense system:
Asus p9di motherboard
Xeon E3 1240L v3
Onboard dual I210AT NICs
2x 4gb ecc memory
Some random Toshiba 120gb ssd

My isp is Comcast fwiw.

I have tried rebooting the Arris modem many, many times. So many power cycles. The modem manual suggests resetting factory defaults. Strangely the reset factory defaults button is nowhere to be found in the modems interface at 192.168.100.1. So I just keep power cycling.

Ive tried every permutation of booting pfsense box first, then modem. Modem then pfsense. Simultaneously. Boot the modem and wait 15mins then pfsense. I’ve tried it all. The most successful seems to be pfsense box first, so it gets through bios and then the modem. I have all uefi network capabilities disabled. Pxe boot is disabled. So I really don’t think the bios is interfering with the modem/router handshake but maybe I’m wrong. Each nic interface has its own Mac obviously. But the bios also has its own separate Mac address, which shouldnt matter if all the uefi networking is disabled. So there’s 3 mac addresses for two ports… Maybe the modem is seeing that Mac address first?

I just did a fresh install of pfsense and the WAN interface is blank when looking at the monitor on the pfsense system. The web gui dashboard shows 0.0.0.0.


#2

So what is the range of the DHCP addresses that your modem is handing out? Can you limit this range? In other words, if the modem is handing out 192.168.100.10 through 192.168.100.200, then just give your pf box a fixed address on this network, but outside of the DHCP range, such as 192.168.100.2, or 192.168.100. 201. That way, you don’t have to worry about the modem’s DHCP server going wonky.


#3

Should I just configure the WAN interface to reject addresses from 192.168.100.1? I think the modems range goes up to 192.168.100.32 or something like that. I manually set the Mac addresses for wan and Lan interface. Reboot everything a few more times and finally snagged my wan IP. I noticed my public ipv4 address from the modem hasn’t changed in probably a year. Could I just set wan ipv4 to static?


#4

The reason this happens is because the DHCP server knows about your lease. Leases usually last anywhere from several hours to a few days. If your device drops off the network in the middle of this lease and comes back, the DHCP server will reassign the same IP address, because the lease is already there. It’s super convenient. If your device is online at the end of the DHCP lease and requests a new lease, the DHCP server assigns the same IP address. It’s also super convenient.

However, if your device is not requesting a new IP address by the time the lease expires, the DHCP server is going to forget about that lease entirely, and that IP address will open up for someone else to grab.

So, if you set your IP address manually, your pfSense box will not request a new IP address, and the DHCP server will think that IP is just fine to dish out to someone else. Hilarity ensues.

Back to the original problem. For funsies you might put in a firewall rule that allows communication on the WAN interface, UDP port 68.


#5

You should tell the WAN interface to reject leases from 192.168.100.1. That is what that field is for.

You pretty much never want to obtain that sort of address from a cable modem service. You always want to obtain the public address or nothing+keep trying.

Set that (Reject leases from 192.168.100.1), unplug the cable modem from WAN, reboot the cable modem, plug it back in. No reason to restart or reboot pfSense.

If that does not work you will probably need to run a packet capture on the WAN interface for port 67 and see what’s really happening out there.


#6

Got it. Thanks for great suggestions everyone. I’ll tinker with it again later when I get a chance. For now everything is behaving now that I’ve rejected addresses from the modem and manually set the Mac addresses for the interfaces.


#7

No, just manually configure a static IP address on your pf box’s WAN port , which is outside of the modem’s DHCP address pool.

If the DHCP pool stops at 192.168.100.32, you can choose anything between 192.168.100.33 and 192.168.100.254.


#8

why would pfsense block that?

thats used for contacting the broadcast address.


#9

pfSense does not block it. It is passed by default when an interface is set for DHCP.

Example:

allow our DHCP client out to the WAN

pass in on $WAN proto udp from any port = 67 to any port = 68 tracker 1000001591 label "allow dhcp client out WAN"
pass out on $WAN proto udp from any port = 68 to any port = 67 tracker 1000001592 label “allow dhcp client out WAN”


#10

I disabled the DHCP on my modem, so it gets WAN IPv4 straight from ISP.

The extra NAT layer was causing performance issues.


#11

Maybe if you must double-NAT. But, in general, you want to receive the proper public address on WAN from the ISP while rejecting anything from the modem in times of loss of ISP connectivity.

Cable modems have a nasty habit of giving an RFC1918 address via DHCP if they cannot reach the ISP’s DHCP server.


#12

Not disagreeing, it would be fabulous if my pfbox had a public address, but that’s not always possible when dealing with a modem.


#13

I know I know. Thread Necro. But my comments are very pertinent to this particular situation.

I experienced the same exact issue this morning. I also have a similar setup including Comcast, Arris 6141, pfsense box (not exactly the same hardware.)

I have had this issue for years now and no matter what pfSense version I’m using, it appears to occur on my box after power loss to both pieces of hardware. Now I unfortunately don’t know what is actually causing the issue, however, these are the steps I took to get back up and running:

  1. Powerdown and disconnect pfSense box from power.
  2. Disconnect Arris Modem from power and ****disconnect the Ethernet cord from the back of the unit. (****Disconnecting the ethernet cable seems to be the key here.)
  3. Reconnect pfSense to power and boot all the way to the options console. (No WAN IP listed at this point)
  4. Connect power cable to modem and allow to boot all the way until you have Green, Blue, Blue, Green Solid LEDS from Top to bottom.
  5. Finally, plug in the ethernet that attaches to your router into the back of the modem and wait for a few seconds to see the last LED (pulse wave logo) on the modem illuminate and start blinking blue.
  6. Refresh the pfSense console by just pressing enter with no options input.

Did you get a WAN IP?