Having issues with my pfsense router/firewall. When it’s up and running, it’s fine. If I lose power or have to cold boot it’s a pain to get going again. It fails to get an IP from my modem. In the pfsense dashboard I see “n/a” where I should have an IP on the WAN interface. Sometimes I’ll see 0.0.0.0.
Pfsense system:
Asus p9di motherboard
Xeon E3 1240L v3
Onboard dual I210AT NICs
2x 4GB ECC memory
Some random Toshiba 120GB SSD
My ISP is Comcast, FWIW.
I have tried rebooting the Arris modem many, many times. So many power cycles. The modem manual suggests resetting factory defaults. Strangely the reset factory defaults button is nowhere to be found in the modem's interface at 192.168.100.1. So I just keep power cycling.
I've tried every permutation of booting pfsense box first, then modem. Modem then pfsense. Simultaneously. Boot the modem and wait 15 mins then pfsense. I've tried it all. The most successful seems to be pfsense box first, so it gets through BIOS and then the modem. I have all UEFI network capabilities disabled. PXE boot is disabled. So I really don't think the BIOS is interfering with the modem/router handshake but maybe I'm wrong. Each NIC interface has its own MAC obviously. But the BIOS also has its own separate MAC address, which shouldn't matter if all the UEFI networking is disabled. So there are three MAC addresses for two ports… Maybe the modem is seeing that MAC address first?
I just did a fresh install of pfsense and the WAN interface is blank when looking at the monitor on the pfsense system. The web gui dashboard shows 0.0.0.0.
So what is the range of the DHCP addresses that your modem is handing out? Can you limit this range? In other words, if the modem is handing out 192.168.100.10 through 192.168.100.200, then just give your pf box a fixed address on this network, but outside of the DHCP range, such as 192.168.100.2 or 192.168.100.201. That way, you don't have to worry about the modem's DHCP server going wonky.
Should I just configure the WAN interface to reject addresses from 192.168.100.1? I think the modem's range goes up to 192.168.100.32 or something like that. I manually set the MAC addresses for the WAN and LAN interfaces. Rebooted everything a few more times and finally snagged my WAN IP. I noticed my public IPv4 address from the modem hasn't changed in probably a year. Could I just set WAN IPv4 to static?
The reason this happens is because the DHCP server knows about your lease. Leases usually last anywhere from several hours to a few days. If your device drops off the network in the middle of this lease and comes back, the DHCP server will reassign the same IP address, because the lease is already there. It’s super convenient. If your device is online at the end of the DHCP lease and requests a new lease, the DHCP server assigns the same IP address. It’s also super convenient.
However, if your device is not requesting a new IP address by the time the lease expires, the DHCP server is going to forget about that lease entirely, and that IP address will open up for someone else to grab.
So, if you set your IP address manually, your pfSense box will not request a new IP address, and the DHCP server will think that IP is just fine to dish out to someone else. Hilarity ensues.
Back to the original problem. For funsies you might put in a firewall rule that allows communication on the WAN interface, UDP port 68.
You should tell the WAN interface to reject leases from 192.168.100.1. That is what that field is for.
You pretty much never want to obtain that sort of address from a cable modem service. You always want to obtain the public address or nothing+keep trying.
Set that (Reject leases from 192.168.100.1), unplug the cable modem from WAN, reboot the cable modem, plug it back in. No reason to restart or reboot pfSense.
If that does not work you will probably need to run a packet capture on the WAN interface for port 67 and see what’s really happening out there.
Got it. Thanks for the great suggestions everyone. I'll tinker with it again later when I get a chance. For now everything is behaving now that I've rejected addresses from the modem and manually set the MAC addresses for the interfaces.
pfSense does not block it. It is passed by default when an interface is set for DHCP.
Example:
# allow our DHCP client out to the WAN
pass in on $WAN proto udp from any port = 67 to any port = 68 tracker 1000001591 label "allow dhcp client out WAN"
pass out on $WAN proto udp from any port = 68 to any port = 67 tracker 1000001592 label "allow dhcp client out WAN"
Maybe if you must double-NAT. But, in general, you want to receive the proper public address on WAN from the ISP while rejecting anything from the modem in times of loss of ISP connectivity.
Cable modems have a nasty habit of giving an RFC1918 address via DHCP if they cannot reach the ISP’s DHCP server.
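As an added illustration (not code from this thread or from pfSense itself), here is a small Python sketch of what the "Reject leases from" check suggested above does with a DHCPOFFER, extended with a flag for an RFC1918 yiaddr to reflect the point that a modem's fallback private address should never be accepted on WAN. The packet contents, server addresses and client MAC are constructed sample data, not a capture from the poster's modem.

```python
import ipaddress
import struct

DHCP_COOKIE = b"\x63\x82\x53\x63"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_offer(yiaddr, server_id, client_mac):
    """Construct a minimal DHCPOFFER (RFC 2131 fixed header + options 53 and 54).
    Constructed sample data only; not a capture from real hardware."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        2, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed,
                        b"\0" * 4, b"\0" * 4, client_mac.ljust(16, b"\0"),
                        b"\0" * 64, b"\0" * 128)
    options = (b"\x35\x01\x02"                                            # 53: message type = OFFER
               + b"\x36\x04" + ipaddress.IPv4Address(server_id).packed   # 54: server identifier
               + b"\xff")                                                 # end of options
    return fixed + DHCP_COOKIE + options

def parse_dhcp(pkt):
    """Return message type, offered address (yiaddr) and server identifier of a DHCP packet."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:          # pad option, no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"type": opts.get(53, b"\0")[0],
            "yiaddr": ipaddress.IPv4Address(pkt[16:20]),
            "server_id": ipaddress.IPv4Address(opts[54]) if 54 in opts else None}

def reject_reason(offer, reject_servers):
    """Mimic the 'Reject leases from' server check; also flag an RFC1918 yiaddr on WAN.
    Returns a reason string if the offer should be ignored, else None."""
    if offer["type"] != 2:
        return "not an OFFER"
    if offer["server_id"] is not None and str(offer["server_id"]) in reject_servers:
        return "lease from rejected server %s" % offer["server_id"]
    if any(offer["yiaddr"] in net for net in RFC1918):
        return "RFC1918 address %s offered on WAN" % offer["yiaddr"]
    return None

if __name__ == "__main__":
    mac = bytes.fromhex("0011223344aa")  # constructed client MAC
    for yi, sid in (("192.168.100.10", "192.168.100.1"), ("203.0.113.45", "203.0.113.1")):
        print(yi, "->", reject_reason(parse_dhcp(build_offer(yi, sid, mac)), {"192.168.100.1"}))
```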
I know I know. Thread Necro. But my comments are very pertinent to this particular situation.
I experienced the same exact issue this morning. I also have a similar setup including Comcast, Arris 6141, pfsense box (not exactly the same hardware.)
I have had this issue for years now and no matter what pfSense version I’m using, it appears to occur on my box after power loss to both pieces of hardware. Now I unfortunately don’t know what is actually causing the issue, however, these are the steps I took to get back up and running:
Powerdown and disconnect pfSense box from power.
Disconnect Arris Modem from power and disconnect the Ethernet cord from the back of the unit. (Disconnecting the Ethernet cable seems to be the key here.)
Reconnect pfSense to power and boot all the way to the options console. (No WAN IP listed at this point)
Connect power cable to modem and allow to boot all the way until you have Green, Blue, Blue, Green solid LEDs from top to bottom.
Finally, plug in the ethernet that attaches to your router into the back of the modem and wait for a few seconds to see the last LED (pulse wave logo) on the modem illuminate and start blinking blue.
Refresh the pfSense console by just pressing enter with no options input.
I'm going to go ahead and necro the thread necro. I think my main issue was the dumb way Asus handles remote management. There are only two Intel I210AT ports. But three MAC addresses. The port for remote management is the third MAC and it's somehow virtual? Handled by the BMC? Even with network boot and all BIOS network/remote management features disabled, the remote management virtual port would still grab the IP address from the modem no matter what, almost every time. I got a separate single port Intel I210AT GbE PCIe card and use that for my WAN port. All issues immediately resolved.