Trouble connecting to PPoE WAN

[endurium]

Hi all,
I've created a WAN interface associated with a PPoE device that's connecting to an FTTC service that's provided by a modem and connected to my N100-based mini-pc installed with OPNSense in a Proxmox VM to replace my Asus router, but it doesn't work despite the status showing as green in the interfaces overview page, as I'm unable to browse the web via the LAN.  I know the WAN is connecting okay because successful authentication is confirmed in the logs, but the IP address shown isn't the correct static IP address that should be assigned by my ISP. What setting for getting the IP address should I get specifying in the WAN interface itself?

My Asus router uses the following WAN settings to successfully connect:
Connection type: PPoE
Enable NAT: Yes
NAT type: Symmetric
Get the WAN IP automatically: Yes

There is no VLAN requirement from my ISP to connect.

[viragomann]

I know the WAN is connecting okay because successful authentication is confirmed in the logs, but the IP address shown isn't the correct static IP address that should be assigned by my ISP.

The IP assignment is part of the PPPoE handshake. You can as well see in the log, which IP is offered to you by the ISP.
So what does the log show regarding the IP?

And which IP do you get in fact? Is it a public one?

[Patrick M. Hausen]

If you do not get the IP address you expect per your contract, only your ISP can fix that.

[endurium]

Here are some screenshots from my config, first the WAN interface config, do I need to specify an MTU figure?
You cannot view this attachment.

The PPoE device settings - I'm guessing I only need to specify the underlying adaptor vtnet1 and not the wan interface?
You cannot view this attachment.

The interfaces overview shows my ISP-assigned static IP for the WAN and gateway address 195.166.130.254, the latter which I've never seen before but looking it up shows the following info which does seem to make sense considering my ISP is Plusnet which uses BT infrastructure:

Code Select Expand

Hostname:254.core.plus.net
ASN:6871
ISP:British Telecommunications Plc
You cannot view this attachment.

Finally here are the logs showing the WAN address binding-related messages.
You cannot view this attachment.

With my Asus router connected back to the WAN (OPNSense router unplugged from WAN), I checked it's logs and found entries for "local  IP address 80.229.251.220" and "remote IP address 195.166.130.255", the latter which is in the same subnet as the earlier-mentioned gateway address 195.166.130.254 so I'm guessing that's expected?

Otherwise, what could be causing clients connected to my OPNSense router to not be able to connect to the internet?

[endurium]

I know the WAN is connecting okay because successful authentication is confirmed in the logs, but the IP address shown isn't the correct static IP address that should be assigned by my ISP.

The IP assignment is part of the PPPoE handshake. You can as well see in the log, which IP is offered to you by the ISP.
So what does the log show regarding the IP?

And which IP do you get in fact? Is it a public one?

The System: Gateways: Configuration page shows WAN_PPOE bound to the WAN interface with an IP Address of 195.166.130.254 and a Monitor IP of the same, with the status icon showing that it's down. If I edit the gateway entry and tick the box Disable Gateway Monitoring then the gateway shows as being UP
If I look at the terminal screen showing the current interfaces details and the menu options, I see that the correct public static IP of 80.229.251.220 is being picked up.

[Patrick M. Hausen]

Can you ping e.g. the ISP gateway or 8.8.8.8 from the OPNsense itself?

[endurium]

If you do not get the IP address you expect per your contract, only your ISP can fix that.

It appears that the IP address 195.166.130.254 is a remote IP address for my ISP which returns a local IP address of 80.229.251.220 which is what I'd expect.

[endurium]

Can you ping e.g. the ISP gateway or 8.8.8.8 from the OPNsense itself?

I didn't try pinging the ISP gateway but pinging 8.8.8.8 or any other well-known public IP fails

[Patrick M. Hausen]

So

- PPPoE authentication and IP address assignment works
- ICMP echo (ping) does not

Of course there can be a dozen more things amiss that would prohibit your clients from accessing the Internet but before your OPNsense can ping 8.8.8.8 it does not make sense to look any further.

I'd open a ticket with your ISP. You also wrote you did not receive your assigned fixed IP address, correct? So something is wrong.

[endurium]

So

- PPPoE authentication and IP address assignment works
- ICMP echo (ping) does not

Of course there can be a dozen more things amiss that would prohibit your clients from accessing the Internet but before your OPNsense can ping 8.8.8.8 it does not make sense to look any further.

I'd open a ticket with your ISP. You also wrote you did not receive your assigned fixed IP address, correct? So something is wrong.

Connecting my Asus router to the modem instead of the OPNSense router works fine, so I'm not sure it's worth raising a ticket with my ISP.  The correct (static) IP is returned, according to the logs which state "treating 195.166.130.254 as far gateway for 80.229.251.220/32"

What would I need to look for to see if the firewall is blocking outbound requests from LAN interface clients?

[meyergru]

Some ISPs detect a router change and give you a temporary non-routable network in which you can register your new hardware. Some do this for ONTs only, others even want to know when the router changes. Ask them, they must know.

Maybe your WAN IP is now something like 10.x.x.x, which would give an indication.

[Patrick M. Hausen]

A newly installed OPNsense is not blocking anything from LAN and comes with NAT enabled on WAN. Also it does not block anything outbound from the firewall itself.

Looking closer at your screen shots - why do you have routes for 8.8.8.8 and 9.9.9.9 to your loopback interface? With these active it's natural you cannot ping e.g. 8.8.8.8.

The logfile entries look good.

[Patrick M. Hausen]

Maybe your WAN IP is now something like 10.x.x.x, which would give an indication.

Nope. Look at their screen shots above. But the routes on lo0 are suspicious.

[endurium]

A newly installed OPNsense is not blocking anything from LAN and comes with NAT enabled on WAN. Also it does not block anything outbound from the firewall itself.

Looking closer at your screen shots - why do you have routes for 8.8.8.8 and 9.9.9.9 to your loopback interface? With these active it's natural you cannot ping e.g. 8.8.8.8.

The logfile entries look good.

Those entries are the DNS servers I specified in the general config, I didn't add them to my loopback interface.  Should I remove them?  I have tried pinging 1.1.1.1 and amazon.com to no avail.

[endurium]

Some ISPs detect a router change and give you a temporary non-routable network in which you can register your new hardware. Some do this for ONTs only, others even want to know when the router changes. Ask them, they must know.

Maybe your WAN IP is now something like 10.x.x.x, which would give an indication.

The WAN is an FTTC connection via a fibre modem whose output is connected to my router, whether it's my Asus router or my OPNSense router (which I'm clearly struggling to get working) and the Asus router connects just fine to the WAN and I can surf the web from any connected clients.