PPPoE with Modem before opnSense not working

[Mr.Lukas]

Hey guys, I hope you can help me with the following issue:

I got a Fritz!Box 7530ax from my ISP that was my modem, router, access point and switch. Now I only want it to be my modem. OPNSense is working fine with my Fritzbox plugged to my WAN port of course. But I have double NAT, from the fritzbox and the opnsense. And also the firewall on both. Thats not good - I dont want that.
So I got the PPPoE credentials from my ISP ("drei" in austria). I tried it on my fritzbox - works fine. Then I tried it on my opnsense - not working.
I checked "connected network devices may also establish their own internet connection." on the FritzBox (translated from german).

Please take a look at my screenshots. First one is the Fritzbox. Second and third are the config of the WAN on opnsense. Last one are the logs from opnsense.

Thanks for helping me!!

Edit: Solution in last post

[Mr.Lukas]

(the screenshots need to be opened in a sapered tab - dont know why)

[Patrick M. Hausen]

Stock AVM Fritzbox devices without any provider specific modifications do not support modem mode. The PPPoE passthrough you activated permits a device internal to the Fritzbox to establish an additional PPPoE connection. But the provider needs to support that and probably doesn't.

You need to buy a true modem by e.g. Zyxel or Draytek. Check with your provider for suitable models.

[Mr.Lukas]

Many thanks to your fast reply. I understand what you mean, so I ordered a real modem.

In the meanwhile I tried something else: On my FritzBox I selected as ISP "Drei" (as it usually was) and it automatically set the PPPoE credentials. But username and pw I got from my ISP (via email) is something slightly different - I set up the PPPoE connection on the opnsense with that(from mail) and voilá it is working. (Internet access through opnsense) - ping and speed is great.

Now my question: Do I still use the NAT and firewall from my fritzbox? Or JUST from my opnsense now? Can I check that?

[Mr.Lukas]

this is in the opnsense. same ip, except the last number

[Patrick M. Hausen]

So your ISP does support a second PPPoE connection. Great. If your OPNsense dashboard shows a public IP address for WAN, you are probably good to go without double NAT.

A definitive answer will be one from your ISP or maybe there is a "DSL help" forum for Austria? No way for me to know what exactly they are doing. All of this is ISP specific.

Screenshots look good, though.

[Mr.Lukas]

Great, I will check with my ISP.

Thank you so much!

[netnut]

I got a Fritz!Box 7530ax from my ISP that was my modem, router, access point and switch. Now I only want it to be my modem. OPNSense is working fine with my Fritzbox plugged to my WAN port of course. But I have double NAT, from the fritzbox and the opnsense. And also the firewall on both. Thats not good - I dont want that.

You're using a Fritz!Box, one of the most open CPE's out there. Just create a static route for your local network on this box via the OPNsense WAN interface downstream, there shouldn't be any reason for "Double NAT".

Just to be sure to _un_check the "Block Private Networks" on this OPNsense WAN interface.

[Mr.Lukas]

What do I have to change with an external Modem (Asus DSL-N16) instead the FritzBox on the opnSense? Do I need the PPPoE credentials just on the opnSense and thats it? Or are there any settings to change on the modem as well?

[Patrick M. Hausen]

If your ISP requires a VLAN tag you can configure that either on your modem or on your OPNsense.

1. do they require one?
2. where do you want to manage that setting? - just a personal preference, I like to keep that on the modems

But as far as I read your setup is working now with the Fritzbox and a second PPPoE connection and public IP address for your OPNsense. So why change?

[schnipp]

The PPPoE passthrough you activated permits a device internal to the Fritzbox to establish an additional PPPoE connection. But the provider needs to support that and probably doesn't.

The PPPoE passthrough functionality of the Fritzbox does not require an already configured PPPoE connection in the Fritzbox. You can configure the WAN port to raw IP with a pseudo IPv4 address. Then you can establish your first PPPoE connection from Opnsense. Additionaly, you can still use the Fritzbox services by configuring a static route and DNS back to Opnsense. I used this scenario for several years in the past (Fritzbox 7490 and 7560).

One should keep in mind that this scenario can have security implications when trusting the Fritzbox like an internal network.

[Taunt9930]

The PPPoE passthrough you activated permits a device internal to the Fritzbox to establish an additional PPPoE connection. But the provider needs to support that and probably doesn't.

Additionaly, you can still use the Fritzbox services by configuring a static route and DNS back to Opnsense. I used this scenario for several years in the past (Fritzbox 7490 and 7560).

One should keep in mind that this scenario can have security implications when trusting the Fritzbox like an internal network.

I'm interested to know how you configured this. I have tried in the past, and couldn't get it to work. Are there some simple steps you.might be willing to share? The aim being to offload the PPPoE 'processing' to the Fritzbox and present a Ethernet WAN connection to the OPNSense without double NAT so Suratica (for example) could be used on the OPNSense WAN. (Where it can't with PPPoE).

[Mr.Lukas]

The internet connection with PPPoE on the FritzBox AND the opnSense is working fine. I get a public IP directly on the WAN interface of the pfsense.

I tried to set the FritzBox just to PPPoE passthrough *without* login credentials on the fritzbox. But there were just error messages on the opnsense (see first post). I hate the fritzbox btw. I want to configure my router and my internet connection like I want.

So the problem I am facing now is that port forwarding is not working and I am afraid that the FritzBox (..current modem) is the reason. (see screenshot for my port forward settings - should be fine - but not working).

Should I set up a separate modem instead of the fritzbox? How do I configure that? With PPPoE or just "bridge mode". opnSense stays as it is right now?

Thanks for helping me.

[Patrick M. Hausen]

The port forward rule on WAN - is the " Filter rule association" field set to "Pass"?

[schnipp]

I'm interested to know how you configured this. I have tried in the past, and couldn't get it to work. Are there some simple steps you.might be willing to share? The aim being to offload the PPPoE 'processing' to the Fritzbox and present a Ethernet WAN connection to the OPNSense without double NAT so Suratica (for example) could be used on the OPNSense WAN. (Where it can't with PPPoE).

Small correction: Internet must be set to "Bridged (Routed Bridge Encapsulation)" instead of "Raw IP". Details can be found here (german):