Some ISPs require their customers to use the ISP-supplied modem in conjunction with an Optical Network Terminal (ONT) to access their fiber network. AT&T is a prominent example of such a provider. However, in some cases it is possible to bypass the modem and connect a firewall directly to the ONT instead.
This guide covers configuring a firewall to perform the authentication the ISP requires, so that this type of bypass works.
Note
This guide applies primarily to AT&T's residential fiber network in North America, but it can be adapted to other ISPs that use a similar setup.
Warning
The configuration options used in this guide are only available in pfSense® Plus software version 23.05-RELEASE and later.
Use Case¶
The purpose of this setup is to provide authentication for access to the fiber network. Some ISP modems offer an "IP Passthrough" feature that allows end users to assign public IPv4 and IPv6 addresses/blocks directly to the equipment behind the modem (i.e. the firewall). However, this has several drawbacks:
- Modem memory limitations
The fiber modem still tracks connection state even in IP Passthrough mode. Some modems have a hard limit on the number of states they can handle simultaneously and become unstable under significant load.
- IPv6 implementation limitations
In IP Passthrough mode the modem typically holds an IPv6 prefix (a /60 for AT&T, for example) but will only delegate a single /64 to the firewall via DHCPv6-PD. This means that only one LAN on the firewall can be configured with IPv6 by default. It is possible to request more than one /64 from the prefix block, but that is an ugly workaround.
- Multiple points of failure
Having an ONT, a modem, and a firewall that must all be powered on and working at all times adds unnecessary points of potential hardware failure that can disrupt connectivity even when the physical fiber link is good.
Bypassing the ISP equipment and connecting a pfSense Plus firewall directly to the ONT removes or reduces the above limitations, allowing greater control and flexibility.
Warning
The main drawback of bypassing the ISP modem is losing the Wi-Fi access point built into the ISP device. This scenario requires an alternate means of Wi-Fi and switch connectivity behind the firewall to provide connectivity comparable to the all-in-one Wi-Fi solution supplied by the ISP.
Requirements¶
For the firewall to authenticate to and connect with the provider, the following is required:
- A firewall with at least three separate, discrete interfaces: one for the modem, one for the WAN/ONT connection, and one for internal networks.
- The modem must handle access control using 802.1X EAP-TLS authentication. ISP modems using this type of 802.1X authentication have a "burned-in" certificate and will initiate authentication when they detect link on the red "ONT" port. This normally happens during modem boot, when the modem sits inline between the ONT and the local equipment, and authentication is retried periodically.
- All traffic after authentication must carry an 802.1Q tag for VLAN 0 with a Priority Code Point (PCP) of 1. PCP is a method of marking traffic priority; a PCP of 1 is "Best Effort", and that is how most ISPs, including AT&T, expect traffic to be tagged. Configuring a PCP on a non-VLAN interface in pfSense Plus software tags traffic with VLAN 0 and the configured PCP value.
- The WAN interface of the pfSense Plus software must have its MAC address spoofed to match the WAN interface of the fiber modem. This MAC address may be printed on a sticker on the modem or visible in the modem's web interface.
- The pfSense Plus software interface connected to the modem must be configured to operate in promiscuous mode.
- The firewall must send all DHCPv6 requests with a specific, expected DUID. A DUID is a unique identifier a device uses when it requests a DHCPv6 lease. Normally the pfSense software uses an automatically generated random DUID, but ISPs such as AT&T expect DUID-EN (DUID assigned by vendor based on Enterprise Number) with IANA Private Enterprise Number 3561 and an identifier tied to the modem's serial number. The identifier for a modem can be generated using an open source script.
- The firewall must send a prefix hint when requesting a DHCPv6 prefix delegation. This is typically /60 for AT&T. A /60 prefix allows each of up to 16 interfaces to be assigned a unique /64 subnet from that block.
See also
For more information about DUIDs, see DHCP6 DUID.
Modem Bypass Configuration¶
Authentication Bridge Wiring Schematic¶
Physical Connections¶
Set up the physical connections as shown in the Authentication Bridge Wiring Schematic:
- Connect the LAN/modem port of the ONT to the NIC on the firewall that will be the WAN interface
- Connect the ONT/WAN port of the ISP modem (may be marked in red) to the NIC on the firewall that will be the MODEM interface
- Connect the NIC on the firewall that will be the LAN interface to a switch or other means of local connectivity
Configure Firewall Interfaces¶
The next step is to configure the interfaces in the pfSense Plus software GUI.
Modem Interface¶
Assign and configure a new interface for the ISP modem:
- Navigate to Interfaces > Assignments
- Set Available network ports to the physical interface connected to the ISP modem
- Click Add
- Note the name of the new interface (e.g. OPT1)
- Navigate to the newly added OPT interface via the Interfaces menu (e.g. Interfaces > OPT1)
- Set the interface options as follows:
- Enable interface: Checked
- Description: MODEM
- IPv4 Configuration Type: None
- IPv6 Configuration Type: None
- Enable Promiscuous Mode: Checked
- Click Save
- Click Apply Changes
The interface is now available as Interfaces > MODEM and appears under that name in the interface selectors throughout the GUI. The firewall has no IP address on this interface; it exists only so that layer 2 traffic can be bridged between the modem and the ONT by the Ethernet rules configured later in this guide.
WAN/ONT Interface¶
Next, configure the WAN interface so that it sends traffic the ONT and ISP will accept:
- Navigate to the interface connected to the ONT (e.g. Interfaces > WAN)
- Set the options as follows:
- Enable interface: Checked
- Description: WAN, or another similar descriptive name
- IPv4 Configuration Type: DHCP
- IPv6 Configuration Type: DHCP6
- MAC Address: Enter the MAC address of the WAN interface on the ISP modem
- Priority tag: 1
- DHCPv6 Prefix Delegation size: Set to match the value provided by the ISP, e.g. 60 for AT&T
- Send IPv6 prefix hint: Checked
- Do not wait for a RA: Checked
- Click Save
- Click Apply Changes
LAN Interface¶
Finally, configure the LAN and other local interfaces:
- Navigate to Interfaces > LAN or the equivalent
- Set the options as follows:
- Enable interface: Checked
- Description: LAN, or another similar descriptive name
- IPv4 Configuration Type: Static IPv4, using the private LAN subnet that already exists
- IPv6 Configuration Type: Track Interface
- Track IPv6 Interface, IPv6 Interface: WAN, or whichever interface is connected to the ONT
- Track IPv6 Interface, IPv6 Prefix ID: 1
- Click Save
- Click Apply Changes
Repeat this for all remaining internal interfaces. For each additional interface, increment the IPv6 Prefix ID value by 1, in hexadecimal. For AT&T or other carriers that delegate a /60 prefix, the maximum identifier value is f, since a /60 contains sixteen /64 subnets (IDs 0 through f). The help text beneath the IPv6 Prefix ID field adjusts automatically to show the minimum and maximum values allowed for the identifier.
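The following is an added example, not pfSense code, showing how the IPv6 Prefix ID selects a /64 from the delegated prefix: the ID fills the bits between the delegation size and bit 64, so a /60 allows IDs 0 through f and a /56 allows 0 through ff. The delegated prefix is a constructed documentation prefix standing in for the /60 AT&T delegates; the interface names are placeholders.

```python
"""Per-interface /64 selection from a delegated prefix, as Track Interface does it."""
import ipaddress


def max_prefix_id(delegation_size):
    """Highest IPv6 Prefix ID that fits between the delegated prefix and a /64.
    A /60 leaves 4 bits (IDs 0..f); a /56 leaves 8 bits (IDs 0..ff)."""
    if not 0 < delegation_size <= 64:
        raise ValueError("delegation size must be between 1 and 64")
    return (1 << (64 - delegation_size)) - 1


def track_interface_subnet(delegated, prefix_id):
    """Return the /64 an interface with the given IPv6 Prefix ID (an int; entered in hex
    in the GUI) would receive from the delegated prefix."""
    net = ipaddress.IPv6Network(delegated, strict=True)   # rejects a prefix with host bits set
    top = max_prefix_id(net.prefixlen)
    if not 0 <= prefix_id <= top:
        raise ValueError(f"prefix ID {prefix_id:x} outside 0..{top:x} for a /{net.prefixlen}")
    # The ID occupies the bits between the delegated prefix length and bit 64 (from the top),
    # i.e. the low bits of the 64-bit network part, so shift it up past the 64 host bits.
    return ipaddress.IPv6Network((int(net.network_address) | (prefix_id << 64), 64))


def plan_track_interfaces(delegated, assignments):
    """Map interface name -> /64 for a dict of {name: prefix_id}, rejecting duplicate IDs,
    which would otherwise give two interfaces the same subnet."""
    seen = {}
    for name, pid in assignments.items():
        if pid in seen:
            raise ValueError(f"prefix ID {pid:x} used by both {seen[pid]} and {name}")
        seen[pid] = name
    return {name: str(track_interface_subnet(delegated, pid)) for name, pid in assignments.items()}


if __name__ == "__main__":
    # Constructed documentation prefix standing in for the /60 AT&T delegates.
    delegated = "2001:db8:abcd:1230::/60"
    for name, subnet in plan_track_interfaces(delegated, {"LAN": 0x1, "GUEST": 0x2, "IOT": 0xF}).items():
        print(f"{name:6} {subnet}")
    try:
        track_interface_subnet(delegated, 0x10)   # one past the maximum for a /60
    except ValueError as err:
        print("rejected:", err)
```

Use `plan_track_interfaces` with the actual delegated prefix (visible under Status > Interfaces once the WAN lease is up) and the IDs entered on each interface to confirm no two interfaces collide before applying the configuration.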
Configure IPv6 DUID¶
Set up the custom DUID to send to the ISP:
- Navigate to System > Advanced, Networking tab
- Set the options on the page as follows, leaving the other options at their current values:
- DHCP6 DUID: DUID-EN: Assigned by Vendor Based on Enterprise Number
- IANA Private Enterprise Number: 3561
- Identifier: Enter the identifier value generated by the gen-duid.sh script
- Click Save
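The following is an added example, not pfSense code and not the gen-duid.sh script, showing the DUID-EN wire format (RFC 8415 section 11.3: type code 2, a 4-byte enterprise number, then the identifier) that the two GUI fields above produce, and a check that distinguishes it from the DUID-LLT the firewall would otherwise generate. Two things are assumptions made for the demo: that the identifier is the modem serial number as ASCII (gen-duid.sh is the authority on the real derivation), and that the Identifier field takes colon-separated hex. The serial number used is constructed.

```python
"""DUID-EN construction and validation for the DHCPv6 client (RFC 8415 section 11.3)."""
import struct

DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3
ATT_ENTERPRISE_NUMBER = 3561          # IANA PEN the guide says AT&T expects (0x0DE9)


def build_duid_en(enterprise_number, identifier):
    """DUID-EN wire format: type code 2, 4-byte enterprise number, then the identifier bytes."""
    if not identifier:
        raise ValueError("DUID-EN needs a non-empty identifier")
    return struct.pack("!HI", DUID_EN, enterprise_number) + bytes(identifier)


def parse_duid(duid):
    """Decode any DUID far enough to know its type; fully decode a DUID-EN."""
    if len(duid) < 2:
        raise ValueError("DUID too short")
    (duid_type,) = struct.unpack("!H", duid[:2])
    if duid_type != DUID_EN:
        return {"type": duid_type}
    if len(duid) < 7:
        raise ValueError("DUID-EN needs an enterprise number and at least one identifier byte")
    (enterprise,) = struct.unpack("!I", duid[2:6])
    return {"type": DUID_EN, "enterprise": enterprise, "identifier": duid[6:]}


def identifier_from_serial(serial):
    """ASSUMPTION for this example: the identifier is the modem serial number as ASCII.
    The referenced gen-duid.sh script is the authority on the real derivation."""
    return serial.strip().encode("ascii")


def colon_hex(raw):
    """Render bytes as colon-separated hex (assumed to be what the GUI Identifier field takes)."""
    return ":".join(f"{b:02x}" for b in raw)


def matches_isp_expectation(duid, enterprise=ATT_ENTERPRISE_NUMBER):
    """True only for a DUID-EN carrying the expected enterprise number and a non-empty identifier."""
    try:
        info = parse_duid(duid)
    except ValueError:
        return False
    return info["type"] == DUID_EN and info.get("enterprise") == enterprise and bool(info.get("identifier"))


if __name__ == "__main__":
    ident = identifier_from_serial("A1B2C3D4")            # constructed, not a real serial
    duid = build_duid_en(ATT_ENTERPRISE_NUMBER, ident)
    print("full DUID  :", colon_hex(duid))                # starts 00:02:00:00:0d:e9
    print("GUI fields : PEN", ATT_ENTERPRISE_NUMBER, "Identifier", colon_hex(ident))
    print("ISP accepts:", matches_isp_expectation(duid))
    # What the firewall sends by default is a DUID-LLT (type 1), which the ISP will not accept.
    default_llt = bytes.fromhex("0001000100000000" + "000000000000")
    print("default LLT:", matches_isp_expectation(default_llt))
```

The first six bytes of every valid DUID for this setup are 00:02:00:00:0d:e9; if a packet capture of the firewall's DHCPv6 Solicit shows a client identifier starting 00:01 or 00:03 instead, the DUID settings were not applied.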
Configure Pass-Through Authentication¶
For authentication traffic to pass between the modem and the ISP, two Ethernet rules are needed to match the appropriate traffic.
Enable Ethernet Rules¶
The Ethernet rules feature is disabled by default and must be enabled manually before use:
- Navigate to System > Advanced, Firewall & NAT tab
- Check Enable Ethernet filtering in the Advanced Options section
- Click Save
See also
Ethernet Rules (Layer 2)
Add WAN to Modem Bridge Rule¶
Add a rule to bridge 802.1X authentication traffic arriving from the WAN/ONT to the MODEM interface:
- Navigate to Firewall > Rules, Ethernet tab
- Click Add
- Configure the rule as follows:
- Action: Pass
- Quick: Checked
- Interface: WAN, or whichever interface is connected to the ONT
- Direction: in
- Protocol: IEEE 802.1X
- Source: any
- Destination: any
- Click Display Advanced and set:
- Bridge To: MODEM
- Click Save
Add Modem to WAN Bridge Rule¶
Add a rule to bridge everything the ISP modem sends to the WAN interface:
- Navigate to Firewall > Rules, Ethernet tab
- Click Add
- Configure the rule as follows:
- Action: Pass
- Quick: Checked
- Interface: MODEM
- Direction: in
- Protocol: any
- Source: any
- Destination: any
- Click Display Advanced and set:
- Bridge To: WAN, or whichever interface is connected to the ONT
- Click Save
- Click Apply Changes
Note the asymmetry: only 802.1X (EAPOL) frames are bridged from the WAN side to the modem, so the modem receives the ISP authenticator's EAP exchange and nothing else from the ONT, while all other inbound WAN traffic is handled by the firewall's normal rules.
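The following is an added example, not pfSense code, covering two things from this guide: the requirement that post-authentication traffic leave the WAN tagged VLAN 0 with PCP 1 and the modem's MAC as source, and the two Ethernet bridge rules just configured. It builds and parses 802.1Q-tagged and 802.1X frames in the actual wire layout, reports what is wrong with a frame that a misconfigured WAN would send, and models the bridge decision the two rules make. All MAC addresses and frames are constructed for the demo; the rule model is a simplification of pfSense's layer 2 filter that only captures the match and Bridge To behaviour described above.

```python
"""Constructed 802.1Q-tagged and 802.1X frames, plus the two layer 2 bridge rules from this guide."""
import struct

ETHERTYPE_8021Q = 0x8100    # 802.1Q tag protocol identifier (TPID)
ETHERTYPE_EAPOL = 0x888E    # IEEE 802.1X, EAP over LAN
ETHERTYPE_IPV4 = 0x0800

PAE_GROUP_MAC = "01:80:c2:00:00:03"     # 802.1X port access entity group address
MODEM_WAN_MAC = "00:11:22:33:44:55"     # placeholder for the modem MAC spoofed onto WAN


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload=b"", vid=None, pcp=0, dei=0):
    """Ethernet II frame; when vid is given, insert an 802.1Q tag (TPID + TCI) before the EtherType.
    TCI layout: 3 bits PCP, 1 bit DEI, 12 bits VID. vid=0 with pcp set is a priority tag."""
    frame = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0xFFF)
        frame += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Split a frame into dst, src, optional 802.1Q tag, inner EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    tag, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        tag = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0xFFF}
        offset = 18
    return {"dst": dst, "src": src, "tag": tag, "ethertype": ethertype, "payload": frame[offset:]}


def check_upstream_frame(frame, modem_mac=MODEM_WAN_MAC):
    """Findings for a frame the firewall sends toward the ONT: it must be tagged VLAN 0 with
    PCP 1 (Best Effort) and carry the modem's MAC as source. An empty list means it looks right."""
    f = parse_frame(frame)
    findings = []
    if f["tag"] is None:
        findings.append("untagged: Priority tag is not set on the WAN interface")
    else:
        if f["tag"]["vid"] != 0:
            findings.append(f"VID {f['tag']['vid']} is not 0")
        if f["tag"]["pcp"] != 1:
            findings.append(f"PCP {f['tag']['pcp']} is not 1 (Best Effort)")
    if f["src"] != modem_mac.lower():
        findings.append(f"source MAC {f['src']} is not the modem WAN MAC (spoofing not applied)")
    return findings


def bridge_target(ingress, frame):
    """The two Ethernet rules: 802.1X arriving on WAN is bridged to MODEM; anything arriving on
    MODEM is bridged to WAN; any other frame returns None and gets normal firewall processing."""
    f = parse_frame(frame)
    if ingress == "WAN" and f["ethertype"] == ETHERTYPE_EAPOL:
        return "MODEM"
    if ingress == "MODEM":
        return "WAN"
    return None


if __name__ == "__main__":
    # Constructed EAP-Request/Identity from the ISP authenticator, as seen arriving on WAN:
    # EAPOL version 1, packet type 0 (EAP-Packet), length 5; EAP code 1, id 1, length 5, type 1.
    eap_request = build_frame(PAE_GROUP_MAC, "00:aa:bb:cc:dd:ee", ETHERTYPE_EAPOL,
                              b"\x01\x00\x00\x05\x01\x01\x00\x05\x01")
    print("EAP request on WAN bridged to:", bridge_target("WAN", eap_request))
    # Constructed post-authentication IPv4 frame leaving WAN: VLAN 0, PCP 1, modem MAC as source.
    upstream = build_frame("00:aa:bb:cc:dd:ee", MODEM_WAN_MAC, ETHERTYPE_IPV4, bytes(20), vid=0, pcp=1)
    print("upstream frame findings:", check_upstream_frame(upstream))
    # Same frame with the firewall's own MAC and no priority tag: what a misconfigured WAN sends.
    wrong = build_frame("00:aa:bb:cc:dd:ee", "de:ad:be:ef:00:01", ETHERTYPE_IPV4, bytes(20))
    print("misconfigured findings:", check_upstream_frame(wrong))
```

To apply `check_upstream_frame` to real traffic, capture on the WAN NIC from the firewall (Diagnostics > Packet Capture, or tcpdump with the `-e` flag to keep the link layer) and feed the raw frames in; a capture that shows no 802.1Q tag or a non-modem source MAC explains a WAN that never gets a lease.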
Finish¶
The modem bypass configuration is now complete. Reboot the firewall to ensure the settings are fully applied. During the boot sequence, the modem should detect the link change and begin sending 802.1X authentication requests through the layer 2 filter to the WAN interface, after which the WAN interface should be able to obtain DHCP and DHCPv6 leases.