BT FTTC Configuration with 5 static IPs using Cisco 887VA as modem

Started by sparticle, August 24, 2020, 12:16:51 AM

Hi, I have a BT FTTC VDSL connection with 5 public IPs and I am looking to connect my OPNsense machine to a Cisco 887VA in bridge mode acting as a modem.

I can get a PPPoE connection but cannot figure out how to configure the WAN interface or my public IPs. When connected, the BT service provides an IP address that I do not recognise and creates a new gateway interface. It is in a totally different IP range to my public IPs.

Currently I use the Cisco in router mode and essentially lose 1 IP that I have to assign to the OPNsense WAN interface. Then I set the gateway as the Dialer 0 (BVI) interface of the Cisco. All works perfectly, but it wastes resources, as I do nothing on the Cisco other than connect it and configure the dialer interface with my public IP range. I simply want it to act as a dumb bridge, and once it has negotiated a physical connection I want the OPNsense box to do everything else: PPPoE, IP addressing, etc.

I tried setting the OPNsense WAN interface to the address I would normally assign to the Cisco, but it shows as down and the address the OPNsense gets from the PPPoE connection is in a completely different IP range. Plus it creates a new WAN gateway, which is where I get a bit stuck.

Just looking for anyone else who has managed to configure OPNsense with a BT PPPoE connection and static IPs. I have now reverted to my working config, but would really like to sort this and reclaim one of my wasted public IPs, as I should be able to give the OPNsense WAN gateway the same address as I give the Cisco, essentially the gateway address as advised by BT.

Any help appreciated. Below is the config for the Cisco bridge, which did work, as I could see an IPv4 and IPv6 address assigned to new gateways that it automatically configured.


!
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname ***********
!
boot-start-marker
boot system flash c880data-universalk9-mz.154-3.M9.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret **********************
enable password ***********************
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
memory-size iomem 25
clock timezone GMT 0 0
!         
no ip source-route
no ip routing
no ip domain lookup
no ip cef
no ipv6 cef
!         
license udi pid *****************
license accept end user agreement
license boot module c880-data level advsecurity
!         
username *********************************************
!         
controller VDSL 0
operating mode vdsl2
firmware filename flash:VA_A_38k1_B_38h_24g1.bin
modem ukfeature
!         
bridge irb
!         
interface Ethernet0
no ip address
no ip route-cache
!         
interface Ethernet0.101
encapsulation dot1Q 101
no ip route-cache
bridge-group 1
!         
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!         
interface FastEthernet0
no ip address
duplex full
speed 100
load-interval 30
!         
interface FastEthernet1
no ip address
duplex full
speed 100
load-interval 30
!         
interface FastEthernet2
no ip address
duplex full
speed 100
load-interval 30
!         
interface FastEthernet3
switchport access vlan 3
no ip address
duplex full
speed 100
load-interval 30
!         
interface Vlan1
no ip address
ip virtual-reassembly in
no ip route-cache
load-interval 30
bridge-group 1
!
! Configure a vlan access port so I can get to the cisco from a connected laptop for config.       
interface Vlan3
ip address 192.168.x.x 255.255.255.0
no ip route-cache
!         
ip forward-protocol nd
no ip http server
no ip http secure-server
!         
logging trap debugging
!         
bridge 1 protocol ieee
!         
!         
!         
end       



Any help appreciated.
Cheers
Spart

Here's a config for Plusnet, same as BT: https://westwood.me.uk/2017/07/29/putting-a-cisco-887va-into-bridge-mode-on-plusnet-vdsl/. It's just going to become a VDSL modem, albeit using VLAN 101, but you don't need to worry about that, it's set in the config.


You might want to consider just getting hold of a bog standard BT Openreach modem, lots on eBay, just get one that matches your DSLAM, i.e. Huawei or ECI. When it comes to adding the extra addresses, you just add them as Virtual IPs. Just add a virtual IP, give it the IP address and mask, a description and that's it. Don't add anything else, gateways or otherwise, just the IP, mask and description.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Yes, the Cisco config is essentially the one I used for testing and it works fine. However, when I connect via the WAN PPPoE connection BT assigns an IP that is not in my public IP range, there is no connectivity, and I cannot use the public IPs BT assigned and the VIPs I have already configured for my 5 IPs. Also I cannot configure the gateway from my /29 network on the WAN interface.

It seems I really need to be able to set a static IP and subnet, e.g. 217.x.x.102/32, on the PPPoE connection, but there is no option to do that. Therefore BT assigns an address, 81.x.x.x, that is not in my public IP range and is not one of my 217.x.x.96 to 217.x.x.102, with 217.x.x.97-101 (5 static) as usable addresses and 217.x.x.102 as the gateway address. BT via the PPPoE connection assigns an address in the 81.x.x.x range!

If I look at the Cisco config that does PPPoE, that is exactly what it does. It configures a PPPoE connection then assigns my static /29 gateway IP 217.x.x.102 to the Cisco WAN interface.

I cannot get this to work with the Cisco in bridge mode and OPNsense doing the rest. I am fairly sure that this is not an issue with the Cisco bridge config, as I do get a connection but cannot get internet access, as the address ranges are different and the address BT is assigning seems to change when I reboot and it comes up again.

It seems I really do need to configure a static address on the PPPoE connection type.

Cheers
Spart

Sounds like BT have a problem with their config. PPPoE should give you the same address as your allocated range. In the WAN config, in the PPPoE conf section, at the bottom is the advanced and MLPPP option; click on the 'click here' text. You'll see there you have an option to enter a static address and gateway; try that.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Well, switching back to the normal Cisco config, all is back again. I will try the advanced dialog to see if that solves the problem.

Looking through the config screens I can find the PPP options screen where I can set the PPPoE connection type again and configure a static IP, although the options are confusing. It asks me to configure a local IP (WAN) with a subnet, and then a gateway IP. Are we saying that I would configure the 217.x.x.102/29 subnet and the gateway as 217.x.x.102?



Cheers
Spart

To be honest, I doubt very much that the gateway and your subnet are in the same range. For example, I have a static 8 /29 address block with Zen: one address is broadcast, one address is the primary router address, the lowest of the block is the network address, but the gateway is in a totally different range. The gateway is variable and will sometimes change depending on the BNG and RADIUS settings. What gateway address is the Cisco reporting?
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Not sure I fully understand your problem.

I am on a BT ADSL line, though not with BT, and I have a /28. All those /28 addresses sit within my network, the lowest of which is OPNsense itself, i.e. none of those /28 are used for my WAN address.

My WAN address is set by PPPoE/DHCP and is an address given by my ISP, possibly liable to change, but is not within my /28 block. (My OPNsense does PPPoE negotiation through a bridged Vigor 120.)

It's difficult to see what happens currently with the Cisco connection, with the 887VA acting in router mode and presenting the WAN interface on a 217.x.x.102 address, which is the top of the range of our 5 IPs and from the BT email is designated as the gateway address.

That is how it is currently configured in the Cisco. The BVI interface is assigned the /29 subnet and passed to the Dialer, and that is bridged to the vlan1 interface and connected to the WAN port of the OPNsense FW. It presents on 217.x.x.102 and all is well.

I can see an 81.x.x.x directly connected to the Dialer interface; see below:
sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer0
      81.0.0.0/32 is subnetted, 1 subnets
C        81.x.x.x is directly connected, Dialer0
      217.x.x.0/24 is variably subnetted, 2 subnets, 2 masks
C        217.x.x.96/29 is directly connected, BVI1
L        217.x.x.102/32 is directly connected, BVI1


This config has been running since 2018, when we finally got FTTC, from the ADSL Max before it, with the same router using an ADSL config.

I am not sure how this is recreated in OPNsense, but when I tried, it simply attached the 81.x.x.x to a new WAN gateway it created, leaving my existing WANGW orphaned, and I could get no output.

I really want to max out every last Mb of connection, and taking away overhead on the Cisco and offloading that to the 4 x Xeon X5650 CPUs seemed like a good idea, and of course I learn things. Win win.

Cheers
Stephen
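Added example, not part of the thread: a short Python parser for the `sh ip route` format shown in the post above, separating the /32 address negotiated on the PPPoE link from the routed block behind it, which is the distinction the replies describe. The addresses are constructed RFC 5737 documentation values standing in for the redacted ones, and the function names `parse_routes` and `analyse` are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the format of the `sh ip route` output above; RFC 5737
# documentation addresses stand in for the redacted 81.x.x.x and 217.x.x.x.
SAMPLE = """\
S*    0.0.0.0/0 is directly connected, Dialer0
      198.51.100.0/32 is subnetted, 1 subnets
C        198.51.100.7 is directly connected, Dialer0
      203.0.113.0/24 is variably subnetted, 2 subnets, 2 masks
C        203.0.113.96/29 is directly connected, BVI1
L        203.0.113.102/32 is directly connected, BVI1
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
HEADER = re.compile(r"^\s+" + IP + r"/(\d+) is (?:variably )?subnetted")
ROUTE = re.compile(r"^([A-Z])\*?\s+" + IP + r"(?:/(\d+))? is directly connected, (\S+)")

def parse_routes(text):
    """Return (code, network, interface) for each directly connected route."""
    routes, inherited = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            # Child lines without a mask inherit the length shown on the header.
            inherited = int(header.group(2))
            continue
        route = ROUTE.match(line)
        if route:
            code, addr, plen, iface = route.groups()
            plen = int(plen) if plen is not None else inherited
            routes.append((code, ipaddress.ip_network(f"{addr}/{plen}"), iface))
    return routes

def analyse(routes):
    """Separate the PPPoE link address from the routed block behind it."""
    connected = [(net, ifc) for code, net, ifc in routes if code == "C"]
    link = next(net for net, _ in connected if net.prefixlen == 32)
    block, lan_if = next((net, ifc) for net, ifc in connected if net.prefixlen < 32)
    router = next(net.network_address for code, net, ifc in routes
                  if code == "L" and ifc == lan_if)
    return {
        "link_address": link.network_address,
        "link_inside_block": link.network_address in block,
        "block": block,
        "router": router,
        "free_hosts": [h for h in block.hosts() if h != router],
    }

if __name__ == "__main__":
    for key, value in analyse(parse_routes(SAMPLE)).items():
        print(key, value)
```

On the sample, the link address falls outside the /29, and the block yields five hosts besides the router address on BVI1.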

Just updating this as I have now got my connection working (sort of). It is working but I do not understand why it's working. And I have weird behaviour on PFs using recently configured Virtual IPs. The ones from before work perfectly; the new ones do not. They look identically configured in the GUIs, just with a different destination IP etc. The services are available internally.

When connected in a normal way with the Cisco doing all of the PPPoE work, I get an IP address of 217.x.x.102 on the Cisco ethernet interface. I then pass this through to the WAN connection as the default gateway address and assign one of my 5 usable public IPs to the OPNsense WAN interface. I then configure the rest of my public IPs .97 .98 .99 .100 as virtual IPs off my WAN interface.

All is well: I can PF to internal systems, I can even log in to the Cisco on the 217.x.x.102 address.

But when I try to configure the Cisco as a simple bridge and use OPNsense to do the PPPoE stuff, things get weird. I tried to replicate the config of the Cisco when it was doing the PPPoE but that does not work. I cannot assign the .102 address to the PPPoE connection. It gets assigned an 81.x.x.x address no matter what I do. I also cannot seem to disable IPv6.

What I want to do is assign the PPPoE connection the public IP gateway address for my /29, then configure the virtual IPs etc. as before. I have tried the advanced settings when I select PPPoE as the connection type. But that creates a separate PPP connection that does the negotiation and gets assigned the 81.x.x.x address, 81.x.x.x DNS servers etc. It also does not seem to remember its settings when you go back to edit the PPP connection. And my router address has now changed to 81.x.x.x as far as the outside world is concerned, and not 217.x.x.x, which is my public IP range.

The whole point of this is to recover a wasted public IP that I had to assign to my OPNsense WAN interface when the Cisco was doing all of the PPPoE.

Feels like I am close but missing something possibly crucial and maybe obvious. Just not seeing it.


This is what I see in the WAN Overview tab:

IPv4 address   81.x.x.x / 32
               217.x.x.100 / 32
               217.x.x.99 / 32
               217.x.x.98 / 32
               217.x.x.97 / 32
               217.x.x.101 / 32
Gateway IPv4   WANGW 217.x.x.102

The WANGW shows as offline in the gateway monitor. Of the automatically added gateways, WAN_GW (which is IPv6) shows online and active and the WAN_PPPOE gateway shows online and active.

Is there a support option where one of the experts can assist, either remotely or via video call etc.?

Cheers
Spart

Just updating, as I had to go to the boat (ZeroTier remote client) as my ZeroTier LAN clients cannot access remote ZeroTier systems and the remote ones cannot access the local LAN ZeroTier clients. Weirdly, this worked perfectly when the Cisco was doing the PPPoE and I had to waste a public IP on the OPNsense WAN interface. I am just about to abandon this attempt even though I feel I am close. I have until Tuesday to get this right or revert, so any help appreciated.

Cheers
Spart


OK, after a reboot ZeroTier clients are now working perfectly.

I am sure that certain types of config require a reboot to be effective even though the GUI makes it seem like that is not required!

Still working on the other issues.

Cheers
Spart