pfSense and ATT fiber modem ip passthrough

Hi all-
Hope you are well. I just got ATT 1gig fiber installed. I’ve set the ATT modem to ip passthrough mode and plugged it in to my wan pfSense box…All is working fine, just want help clarifying a few things…

  1. Should I be able to access the ATT modem’s web landing page once it is connected to pfSense? If not, should a firewall rule be created in pfSense to block access to the ATT router landing page? Blocking the modem’s device ip address?

  2. Should pfsense WAN be getting a public ip address? Is the 107.XXX.XXX.XXX ip range considered a public ip? I have limited knowledge on ip addressing, but I believe this will fall into a class A Public IP Range: 1.0.0.0 to 127.0.0.0. Correct?
    I would appreciate any advice you can provide. Have a great weekend! Thank you!

I am not sure if you will be able to access the page; I rarely set up consumer AT&T modems.

Here is a list of private networks so you can gain a better understanding of them.

Yes, you will be able to access the att modem web page. Don’t forget to turn off the att firewall, all traffic shaping and anything else crazy that box likes to do. If you have the BGW210 box then you would be able to extract the certs and get rid of the modem in the connection path altogether. I do this with mine and my att modem sits in the closet. The pfSense negotiates everything and gets its public IP without issue.

You can access the ATT modem landing page, if you define a static route.

You don’t want to block the IP address of the modem. Anything configuration related is protected with a device access code.

With the modem in passthrough mode, pfSense should get a public IP address.

Tom, thanks for replying…I appreciate it.
I believe I’ve set up the modem behind pfsense the correct way, and all is working properly the same way it was when I had internet service from a cable isp. The only concern I have is that I am able to access the modem’s web interface on any pc on my local network. Maybe I am overthinking this, and it really is nothing to worry about, but one of the videos I watched about ip passthrough, mentioned that I should not be able to access the modem’s web interface once it is connected to pfsense, that the only way to access the modem’s web interface should be by directly connecting a cable from a pc or laptop to one of the ports on the modem.

I am considering adding a firewall rule blocking access to the modem’s web interface on my LAN and all my VLANS…does this make sense to you? Thanks and have a good weekend!

Thanks for your reply @stansmith. The modem is the BGW320. Below are the changes I performed on the modem…

  1. I’ve disabled the packet filter
  2. disabled wi-fi
  3. disabled the firewall
  4. allocation mode: passthrough
  5. passthrough mode: DHCPS-fixed
  6. manually enter pfsense wan mac address
  7. changed the modem’s web interface local ip to avoid any ip conflicts in my local network.
  8. connect the modem lan port to pfsense wan

Thanks for clarifying I should be able to access the ATT modem landing page given the modem has a static ip address. Have a nice weekend!

Thanks for your reply @elvisimprsntr and clarifying my question. I appreciate it.
I looked up my pfsense system/routing/static routes and nothing is showing there…

Do you have a link you can share that I can reference? I may have missed a step while changing the att modem to passthrough mode. Below is what I did…

  1. disabled the packet filter
  2. disabled wi-fi
  3. disabled the firewall
  4. allocation mode: passthrough
  5. passthrough mode: DHCPS-fixed
  6. manually enter pfsense wan mac address
  7. changed the modem’s web interface local ip to avoid any ip conflicts in my local network.
  8. connect the modem lan port to pfsense wan

  1. I didn’t have to change the modem IP

pfsense static routes

https://docs.netgate.com/pfsense/en/latest/routing/static.html

Thanks for your reply @elvisimprsntr. I visited the links you provided. Some of this might be a little bit over my skill level…ie. the need for a static route?, but I will take the time figuring it out. Thank you!

I have 500M AT&T fiber myself. The easiest way I found to get the pfSense box on the public IP is to set the WAN to DHCP and attach it to the router’s LAN. Once it has an address, go to this setting on the router and pick the MAC address from the drop down list. Done. I did this and didn’t need to change anything else whatsoever, and my PFS is online with a public IP.

For the cabling after doing this setting, Router LAN to PFS WAN, PFS LAN to rest of home network. Now everything goes through the PFS. I did turn off the router’s WiFi and used a WAP for wifi so it goes through the PFS as well. YMMV.

2 Likes

Many of these ISP devices have the capability of creating a DMZ. You will usually find this somewhere near the firewall or advanced firewall settings in the ISP device. You simply make sure pfSense is plugged into the LAN of the ISP device then go into the ISP device settings and enable the DMZ and add pfSense to the DMZ (usually by means of something like a dropdown list of clients). This puts pfSense outside of the firewall but leaves the firewall on to protect the ISP device (very important!). That should be all you need to do but these things vary a lot and sometimes you need to add a static route in pfSense to access the ISP device from your pfSense network.

While you are in your ISP device it would be a good idea to make sure UPnP is turned off, remote administration is turned off, and NTP is turned on, then take a long look at QoS. In regard to QoS, sometimes it’s really easy to hit a couple of buttons to optimize your connection (you will mostly want to prioritize real time voice and video traffic) but if not don’t worry about it. You can manage QoS from pfSense too but just keep in mind that it isn’t going to give you more bandwidth, it’s just going to prioritize what drops first when the pipe is full which is less of a problem the more bandwidth you have. Unless you have a large network (enterprise, not home) this only really applies to traffic leaving your network.

Thanks for your reply @ex1580. Valuable info. Upnp and remote access are off. I will verify the rest of the settings…thank you!

Thanks for your reply @RobR. I set the isp modem in a similar way to how you did yours. Thanks!

1 Like

I have this exact same setup and what you’ve done is pretty much what I’ve done, but I didn’t manually assign a specific MAC address as part of the process since I was migrating from my old Cisco ASA 5506 firewall to a new pfsense box. My pfsense WAN gets a public address, and I can still access the BGW320-500 gateway via its 192.168.1.254 address - no static routing needed, since the default route pfsense gets as part of the WAN DHCP process takes care of that. Also, I just now verified that even though the BGW gateway uses an RFC1918 management address you don’t have to clear the pfsense interface option to block incoming Private Address traffic because when you access the BGW all the traffic coming back is return traffic so pfsense recognizes it as part of an existing connection and forwards it appropriately. I do use a different IP network on my LAN though, so there’s no possibility of conflict in that regard. I’ve also noticed that pfsense works more reliably with IPv6 Prefix Delegation than my old Cisco ASA did, but so far I’m only delegating a single IPv6 network to my LAN and haven’t had to do the extra config file work needed to get multiple IPv6 prefixes for any additional internal LAN (or VLAN) segments (that’s one of my upcoming projects).

In short, I think what you’ve done so far should be all you need to do, but one of the wonderful things about pfsense is you can do more if you choose to, so it’s a great learning platform as well as a nice firewall.

Hope this helps!

1 Like
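
The behaviour described in the post above (replies from the gateway's RFC 1918 address passing despite the WAN private-address block), combined with the LAN rule the original poster was considering, as an added example that is not part of the thread: a toy first-match stateful filter in Python, not pfSense code. The 10.10.0.0/24 LAN, the admin host 10.10.0.5, port 80 and the omission of NAT are assumptions made for the illustration.

```python
import ipaddress

# RFC 1918 ranges: the sources a WAN "block private networks" option drops.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

class ToyFirewall:
    """First-match LAN rules plus a default-deny WAN; NAT is left out."""
    def __init__(self, lan_rules):
        self.lan_rules = lan_rules   # (action, source network, dest or None)
        self.states = set()          # (src, sport, dst, dport) of passed flows

    def lan_out(self, src, sport, dst, dport):
        for action, src_net, rule_dst in self.lan_rules:
            in_net = ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
            if in_net and rule_dst in (None, dst):
                if action == "pass":
                    self.states.add((src, sport, dst, dport))
                return action
        return "block"               # nothing matched: implicit deny

    def wan_in(self, src, sport, dst, dport):
        # A reply to a tracked flow is matched against state before any rule.
        if (dst, dport, src, sport) in self.states:
            return "pass (state)"
        if is_rfc1918(src):
            return "block (private source)"
        return "block (default deny)"

MODEM = "192.168.1.254"              # gateway address quoted in the thread
RULES = [                            # constructed LAN: 10.10.0.0/24
    ("pass", "10.10.0.5/32", MODEM),   # admin host may reach the gateway UI
    ("block", "10.10.0.0/24", MODEM),  # everyone else may not
    ("pass", "10.10.0.0/24", None),    # normal internet access
]

def demo():
    fw = ToyFirewall(RULES)
    return [
        fw.lan_out("10.10.0.5", 50000, MODEM, 80),           # admin to gateway
        fw.wan_in(MODEM, 80, "10.10.0.5", 50000),            # its reply
        fw.lan_out("10.10.0.77", 50001, MODEM, 80),          # other LAN host
        fw.wan_in(MODEM, 80, "10.10.0.77", 50001),           # unsolicited
        fw.lan_out("10.10.0.77", 50002, "203.0.113.10", 443),
    ]
```

Calling `demo()` returns the five verdicts in order; rule order matters, since placing the broad pass rule first would let every LAN host reach the gateway UI.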

Thanks for your reply @djdawson, I really appreciate it. I feel much better now about the fiber modem to pfsense connection, thanks to all the good feedback I got in this post. Thanks for your advice. Have a good week!

You’re very welcome! Glad I was able to help, though you did all the hard work yourself - nicely done!