I know how to do what you asked for but not sure if by doing so it will work as you wished. Anyway, system - reset configuration and tick No default configuration.
This clears all your config on the router including firewall and NAT, you can then access it by MAC address from Winbox. This is the easiest way of doing it.
Then start by creating one bridge and adding all Ethernet ports to it.
I’ve been doing this when I need to use the router as a switch, not sure if you can then dial PPPoE from the bridge though.
What I would try first, however, is to remove the masquerade rule and do source NAT using a WAN IP available to you; in-interface would be one of the interfaces. This way traffic from this interface will have this IP as its source IP.
The PPPoE client has to be on the bridge, not on an interface that is already part of the bridge.
This is the part I am not sure about: if the bridge is the PPPoE client, how would it pass IP addresses to your devices? Maybe they just have to be on static IPs?
My suggestion of source NAT is for before the configuration reset, when you still have all your NAT, WAN and LAN side. This way your WAN bridge is the PPPoE client, then you have NAT between WAN and LAN, then src-nat applies.
PPPoE client uses whatever device (I’ve got mine running on a VLAN device) and creates its own interface. Then you can make that interface part of a bridge (not clever) or route between it and the bridge. The bridge itself can have an internal address, DHCP server and whatnot.
The only reason I wouldn’t make the physical interface connecting towards WAN (modem, fibre converter, …) a member of the internal LAN bridge is concern about that gadget being hacked, opening a way of hacking my LAN.
Hi mkx, you are right. The PPPoE client will create a dynamic interface. Then bridging this with anything would not be stable in case the link goes down.
So do you think my original solution with src-nat will work? Keep NAT, the WAN interface dials PPPoE and adds a default route, then use src-nat to assign public IPs to internal IPs / interfaces as needed.
I don’t have the slightest idea about what OP is trying to do. I just know that mixing WAN and LAN addresses on the same bridge doesn’t sound right to me. At all.
The LAN and WAN are ALL WAN addresses making xxx.xxx.xxx.xxx/28 available on all ports.
2 pfSense firewalls can then have their own IP address - xxx.xxx.xxx.225/28 and xxx.xxx.xxx.226/28 with a gateway of xxx.xxx.xxx.230/28 (PPPoE connection)
This can be achieved by using a VDSL modem - PPPoE device (no NAT) and switch
I am trying to use a VDSL modem and 5 port MikroTik to make the PPPoE connection.
I have been able to use Billion ADSL/VDSL 4 port modems in the past (No NAT) but I thought I would try MikroTik before looking at Billion or other alternatives.
If I understand your situation right, you would like to use 3 ethernet ports of your RB for WAN (1 to connect to the VDSL modem and 2 to connect to two pfSense hosts). In addition to that you would like to use 3 or more ethernet ports for the LAN side (2 to connect the LAN side of the pfSense hosts and at least 1 ethernet port to connect other LAN devices). Due to the lack of physical ports on the RB you’d like to use a single ethernet port for both the WAN and LAN “side” of each pfSense host.
Well, this might work (as well as pigs might fly), but I still think this is bad.
You either need a (dumb) ethernet switch to connect the LAN side (including pfSense) so that you actually only need 1 ethernet port on the RB for LAN (but you indicated that you’d like to get rid of the ethernet switch).
Or you can configure the pfSense hosts to use two VLANs, one for their WAN and the other for their LAN connections … and configure VLANs on the RB (two trunk ports, one per pfSense host, and 3 access ports, one for WAN to connect to the VDSL modem and two for LAN to connect other LAN hosts). On the RB create two VLAN interfaces, run the PPPoE client on the WAN VLAN interface and run whatever services the RB needs to provide to the LAN on the LAN VLAN interface.
This way you can probably (depends on particular RB model) have all ethernet ports on single bridge and use VLAN tags to separate WAN and LAN traffic flows.
It is bad if you do not use the correct device between the WAN and the LAN; the pfSense firewall performs that function.
Port 1 is PPPoE to the ISP VDSL modem.
Ports 2-5 are WAN IP with only 2 pfSense devices connected.
I have made a pre-sales enquiry with Billion regarding a VDSL modem which will enable me to turn off the firewall and NAT - this will enable the WAN IP to be presented at the 4 off 10/100 LAN ports. They did sell them in the past.
I continue to not have the slightest idea about what you’re trying to do and where the RB fits. I don’t know about others, but for me it would help if you could post a diagram of the network set-up you’re trying to create.
Where on the picture is Mikrotik? If there are two (boxes just south of VDSL modems), what are their intended functionality? Bridge between PPPoE and pfSense WAN interfaces?
If that’s indeed so … are those two addresses xxx.xxx.xxx.126/28 routable addresses and your ISP is sending you traffic with destination set to those addresses? If yes, add pppoe interface to same bridge with ether2 to ether5 while keeping ether1 (the interface used to connect VDSL modem) separated.
If you need management connection, you need to assign address to the bridge (not to individual ether interface) if you’ll connect through pfSense. If you want to manage MT directly from your LAN, then you’ll need to dedicate one ether interface for LAN connection (e.g. ether5), but you need to remove it from bridge first. Then configure LAN IP address directly on ether5.
[edit] Damn, it seems like you can’t add a pppoe interface to a bridge. You’ll need to assign one xxx.xxx.xxx.112/28 address to the bridge and configure the pfSense hosts to use that address as their default route gateway. MT will do the routing for you.
Sorry missed the text box on my final edit - Yes the 2 boxes south of the ISP VDSL Modem are MikroTiks.
The PPPoE interface is assigned xxx.xxx.xxx.230/28 (ISP 1) and xxx.xxx.xxx.130/28 (ISP 2) and there are 5 routable addresses - 225 - 229 and 125 - 129.
I know I cannot add the PPPoE interface to the bridge - I am trying to use the PPPoE interface address as the gateway with no specific IP addresses assigned to the bridge ports.
Do you know how I can route all xxx.xxx.xxx.225/28 traffic to the PPPoE interface xxx.xxx.xxx.230/28 and vice versa?
Ok, 5 routable addresses means you’re getting subnet xxx.xxx.xxx.224/29 from ISP1 and … ugh, no subnet matches the addresses you mentioned as routable addresses from ISP2.
Since bridging between PPPoE and ether ports is not possible, you’ll have to configure RB for routing. For that you’ll need to configure one IP address to bridge (spanning ether ports towards pfSense).
You don’t have to add anything to routing table: pppoe will add default route to internet and pfSense hosts will be accessible directly through bridge1-attached ethernet.
You will have to configure pfSense machines to use xxx.yyy.zzz.229 as default gateway (the network connection towards ISP1).
Since pfSense is doing FW, you don’t need to filter anything in forward chain. You do have to establish filters on input chain as RB will be fully exposed to internet.
Then you do similar for MT en route to ISP2. It will be more complicated if routable addresses really don’t belong to single /29 subnet.
[edit] In this case you can dedicate ethernet ports one per pfSense host without creating bridge on top of them. Then use /32 addresses for point-to-point connectivity as discussed in this topic.
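The routed layout mkx describes above (PPPoE client on ether1, one bridge for the pfSense-facing ports with a single routable address, no NAT, input-chain filtering only), written out as RouterOS CLI. This is an added example, not configuration from the thread or from MikroTik; 203.0.113.224/29 is a documentation-range placeholder for the ISP's xxx.xxx.xxx.224/29, the PPPoE credentials are placeholders, and the ICMP accept rule and the service disabling are assumptions beyond what the thread states.

```routeros
# Assumes a blank config (System > Reset Configuration with "No default configuration"),
# so no masquerade rule or default filter set is left behind.

# ether1 connects to the VDSL modem and only carries the PPPoE session; it needs no IP address.
# The client installs the default route itself (placeholder credentials).
/interface pppoe-client add name=pppoe-out1 interface=ether1 user=ISP1_USER password=ISP1_PASS \
    add-default-route=yes use-peer-dns=no disabled=no

# ether2-ether5 face the pfSense WAN ports; they share one bridge (the pppoe interface cannot join it).
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=ether3
/interface bridge port add bridge=bridge1 interface=ether4
/interface bridge port add bridge=bridge1 interface=ether5

# One routable address on the bridge; the pfSense hosts use .229 as their default gateway
# and keep .225/.226 themselves. Placeholder for xxx.xxx.xxx.229/29.
/ip address add address=203.0.113.229/29 interface=bridge1

# Deliberately no /ip firewall nat rule: a masquerade rule would rewrite the pfSense
# source addresses to the PPPoE address and defeat the point of the routable block.

# Forward chain stays empty (pfSense filters transit traffic). The RB itself is reachable
# from the internet through pppoe-out1, so the input chain decides what it answers.
/ip firewall filter add chain=input connection-state=established,related action=accept \
    comment="replies to RB-originated traffic"
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input in-interface=pppoe-out1 protocol=icmp action=accept \
    comment="assumption: keep ping / path-MTU working"
/ip firewall filter add chain=input in-interface=bridge1 action=accept \
    comment="management only from the pfSense side (Winbox/SSH)"
/ip firewall filter add chain=input in-interface=pppoe-out1 action=drop \
    comment="everything else arriving from the internet"

# Assumption: leave only winbox and ssh listening; the rest has no role on this box.
/ip service disable telnet,ftp,www,www-ssl,api,api-ssl
```

The same block, with its own credentials and the ISP2 subnet, applies to the second MikroTik; if ISP2's addresses really are not one contiguous /29, the bridge/address step is replaced by per-port /32 addressing as mkx's edit notes.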