Project - Bridging Vodafone Siro Broadband + pfSense

wesfox

Hello everybody,
I'm looking for some help with a mini project for study/college.

I'm trying to bridge my Vodafone router so I can use pfSense as my firewall in my home.

The setup will be a bridge from Vodafone to a virtualised pfSense. I've spent a few days following various guides online but can't get pfSense to see my static Vodafone IP so I'm thinking I must doing something very wrong.

I have 2 routers available to test, my current HG659 and my older HG658c

I would prefer to get the HG658c doing the bridging and keep my Live router as backup until the pfSense is fully working e.g. do my testing on the 658 at night and the plug the 659 back in for normal daily family household access.

Where to start ??

To get the Vodafone router to bridge and then test if it's actually bridging, this is hard for me to verify as I don't have an alternative router to PPPoE to? e.g. a Linksy or Netgear type device.

So leave pfSense to the side for now ...

How can I bridge my 658/659 and how can I test it's bridging??

Looking forward to your help.

ED E

1. Why the hell are you bridging a GPON service? (Ethernet interface)
2. The 658 is 10/100, slower than the minimum 150Mb package, using that should be a crime

Give your host box a 2nd nic if not already present, pass that directly to the PF guest, make sure the driver gives you VLAN controls (it will), connect to ONT and connect. Use whatever you like for wifi after that.


I don't know VFs auth setup on SIRO but I'm sure somebody has posted it.

wesfox

1. I thought that's what I had to do??
2. Only using it in a lab/test environment until perfected, I realise it's slow. It's so I don't disrupt the family .. testing at night.

So basically .. new nic bridged to pf -
can I use a powerline to carry the ONT to the 2nd nic ? Siro installation - my office .. other side of the house !!

I think the auth is serial@vfieftth.ie pw broadband but thats for the bridged setup ??

edit

as proof of concept could I ...

powerline ONT to NIC - bridge NIC to pf VM and run PPPoE setup on pf ?? set up DHCP and test connectivity on another linux VM

wesfox

Proof of concept achieved .. using ONT with powerline did not work

Bridged router and used powerline, pfSense WAN up with PPPoE settings .. speed test 83Mb/sec .. Happy

I have a Afga card .. could I provide an AP via pfSense?

Dero

I've done this (for somebody else, no Siro here ). As Ed E said, you don't need any bridged modem. I used Shorewall on a Linux VM (CentOS 7) rather then pfSense, but there is really no difference for something like this.

It should be just a matter of adding a VLAN with ID 10 to the NIC connected to the ONT and running the PPPoE session on that.

As noted, PPP credentials are "<serial>@vfieftth.ie" and "broadband".

My setup above does 150/20 with <5ms ping no bother.

ED E

Dero wrote: »

Linux VM (CentOS 7) rather then pfSense, but there is really no difference for something like this

BSD is always superior

Dero wrote: »

It should be just a matter of adding a VLAN with ID 10 to the NIC connected to the ONT and running the PPPoE session on that.

Yes, the 658C above is just acting as a VLAN tag stripper. Thats it. Configuring that on the host makes it redundant.

I have a Afga card .. could I provide an AP via pfSense?

Possible, but IMO it's usually best to use real gear unless you only want to cover a single room.

wesfox

So by adding VLAN 10 in device manager on the card I should be able on connect the ONT directly. Perfect.

From doing a little research, there is not great support on pfsence for wifi cards, most recommend either a Unifi AP or reusing the Vodafone router as an AP so I'll go with re-using the VF router, I have a few switches (managed and unmanaged) to get that working.

Marlow

Yes.

Configure vlan10.

Set up pppoe session.

Use the serial number from Vodafones router as username.

Use ANY password.

Job done. Don't leave a c**p Huawei device inbetween there. Seriously!!.

/M

wesfox

Having issues connecting direct ??
Changed NIC to VLAN 10 but did not receive traffic to pfsense via PPPoE

Bridged router to pfsense (same setting less the vlan setting) works and I’m getting full speed 135-140 Mb so it’s okay. I would prefer direct but I’m not wasting anymore time on it, it’s working and routing and I won’t gain much minus the huawei .. I’m using the HG659 for the bridge not the HG658c.

So project as it stands ..

PfSense on Hyper V

Bridge via Huawei HG659 using PPPoE
WAN on pfSense has my Static IP

LAN 2nd NIC connected to unmanaged GB switch.

OPT 3rd NIC connected to unmanaged GB switch 2

WiFi AP (huawei 658c) on Isolated network via switch 2 all outbound to net no access to LAN.

Nmap scan no open ports (a first, usually 1 or 2 Huawei vuln ports)

Speeds

LAN - 135 to 140 Mbps
AP - 20 to 45 (range dependent, work in progress, new AC access point)

Happy with the progress so far ..

To do

pfBlocker
New AP, AC or MIMO ??
Rebuild Nextcloud on Hyper V
Possibly try Sophos Home UTM as inside/outside firewall (maybe) it looks very good.

Any advice or further suggestions??

Marlow

I'm not sure, what you mean with changing NIC to Vlan10.

You might only have changed the setting for what's the native vlan for your NIC.

It's important, that the traffic you send your PPPoE session out on is tagged with VLan 10. So you need to check, if your interface is configured to tag the traffic.

/M

ED E

He's using the HG659 to strip/add .11Q tags.

Marlow

ED E wrote: »

He's using the HG659 to strip/add .11Q tags.

Yes .. but he's doing that, because he couldn't get it work with the board directly on the ONT.

The reason it didn't work directly is probably because what he changed, so for example setting the native vlan to vlan10 opposed to creating a tagged interface, which would have been right way to do it.

One less point of failure then and one less device to power.

/M

wesfox

I went to device manager to my network interface and changed it to vlan10?
I will do more research and troubleshooting this evening !! I understand vlan on Cisco but limited experience outside of that.

You say single point of failure ?? I say I’ve always had a SPF haha the original router 😂 remember it’s only a project .. a proof of concept

Since last message .. Nextcloud is now up and running an secured . Accessible from outside and split dns inside

NTop and pfBlocker this week