Cable Modem through a switch?

sqawireless

Hopefully this is the correct forum.

Where I work has a very flaky DSL WAN and no other connections are available. But, at an employee's residence there is cable 'net access.

In order to alleviate possible NAT issues, I wanted to give the PFsense box a static public IP from the cable modem over a wireless connection to a VLAN.

The plan is to have the PFsense box act as the Router/DHCP server and assign IP addresses to both locations.

My worry is having the cable modem exposed to the private network, if this contraption even works. I was hoping some of the resident experts could give me a bit of input.

Interface layout.

rl0 - WAN1 = DSL pppoe connection, Static IP
rl1.0 - WAN2 = Cable Modem, Static IP (VLAN)
rl1.1 = LAN / DHCP server (VLAN)
ppp0 - WAN3 = 3G USB, Dynamic IP

[attachment: thinger.jpg, diagram of the interface layout above]
 
Why mess around with VLANing? Just stick another NIC in the PFSense box and hang the bridge off of it and double NAT. You can't just dump the CM onto the home user's internal network.

I'm assuming you're not running a bunch of internet accessible servers on-premise.

Double NATing isn't an issue. For many years I ran stacked routers to provide a DMZ:

CM
|
Router1
|
DMZ (192.168.42.x)
|
Router2
|
Internal (192.168.69.x)

I would set a DHCP reservation on Router1 for Router2's WAN interface so that ISP DNS server updates would propagate. In your case if Router1 supports DNS Proxying, you can use statics... set both default gw and DNS on Router2 to Router1. In this case the "DMZ" would be the employee's home network. This would insulate your business network from possible malicious intent originating from the employee's home network. As far as everything on the Internal network is concerned Router2 is the router connected to the CM.

You can even port forward through both routers if you want.

-Pyrroc
 
Was wanting the failover connection to function at the employee's house as well. My biggest concern is having the cable modem exposed to the internal network.
 
You can't set it up the way you want unless everything between the CM and PFSense supports VLANs. You have to Double NAT.

CM
|
Linksys (has CM's public IP)
|
Home User's Network (192.168.42.0)
|
Bridge AP
|
Bridge AP
|
| (192.168.42.x)
PFSense
|
Business Internal Network

As far as PFSense is concerned the Home User's Linksys router is an ISP router... it doesn't care (and it doesn't provide services on the Home User's network either).

-Pyrroc
 
So this setup would not work then?

CM
|
Linksys (AP mode, DHCP comes from PFsense)
|
Bridge AP
|
Bridge AP
|
Switch
|| <-- (2 connections from PFsense box)
PFsense (Static IP from CM on one NIC, LAN/DHCP server on another NIC)
 
Not unless the Linksys, both Bridge APs and the switch all do VLANs or VLAN tagging. Also, why would you connect the bridge to your business network's internal switch rather than directly to a PFSense NIC?

I'm confused as to why you're insistent on PFSense directly connecting to the CM and providing all services for the home user.

If you must have your own public IP, you could always pay the difference to the home user of getting business-class internet with 2 static IPs, put the CM into a switch and have the home network router as well as the bridge to PFSense off of that switch. 1 IP goes to the home user, 1 IP goes to PFSense.

-Pyrroc
 
Not just any employee, it's the boss's house. He wants all services to be available from the office in his home along with the redundancy.

This location is way out in the boonies, so the price on everything is jacked up. Next to impossible getting the boss to spend more on anything. Most of the additional phone lines we use are magicjacks, to give you a small idea of what goes on around here.

I suppose the bridge could go into an internal NIC with dual addresses/functions (one aspect of VLANs, I thought) instead of the switch.
 
Do the bridging APs (SSID: Link) support VLAN tagging (802.1Q)? If not, they may strip out any VLAN tagging.

If they do support VLAN tagging, you could put a small smart-switch like the NetGear GS-108T in your bosses house, set it up and connect it like so:

Port:
1 - VLAN A: Cable Modem
2 - VLAN A & VLAN B: Bridge AP - Tagged traffic back to PFSense
3-8 - VLAN B - Boss's Linksys wireless hooked up via LAN port w/ DHCP turned off plus some additional wired ports available

Then hook the second Bridge AP directly to a PFSense port with both VLANs on it. You would get a Dynamic IP from the CM in PFSense (VLAN A).

Don't forget that your boss's internet traffic is going to be laggy. It has to travel from his house wirelessly to PFSense, then wirelessly back to the CM. A decent internet connection may even saturate your wireless link as all incoming traffic from the internet has to traverse the wireless link at least once... and if your boss's kid likes to use BitTorrent... yikes.

Oh, your boss doesn't get his phone service through VoIP via cable does he?

-Pyrroc
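The port plan above is easy to get wrong in the switch GUI (PVID vs. tagged vs. untagged membership), and the thing the OP actually cares about is that the cable modem's port can never talk to the boss's LAN ports. The following is an added example, not code from anyone in the thread: a small Python model of the 802.1Q ingress/egress rules a VLAN-aware switch applies, loaded with the 8-port plan from the post, next to the unmanaged-switch layout proposed earlier in the thread. VLAN ids 10 and 20, and dropping untagged frames on the trunk port, are assumptions the post does not fix.

```python
"""Model of the smart-switch port plan from the thread (VLAN A = cable modem,
VLAN B = boss's LAN, port 2 = 802.1Q trunk to the bridge AP), added as an
example for this thread, not from any poster. VLAN ids 10 and 20 and the
dropping of untagged frames on the trunk are assumptions. It simulates the
ingress/egress rules a VLAN-aware switch applies so you can check that the
cable modem's port can never reach a VLAN B port."""

VLAN_A, VLAN_B = 10, 20   # assumed ids: A = cable-modem side, B = home LAN

# port -> (pvid, {vid: "tagged" | "untagged"}); pvid None = drop untagged ingress
SMART_SWITCH = {
    1: (VLAN_A, {VLAN_A: "untagged"}),                 # cable modem
    2: (None, {VLAN_A: "tagged", VLAN_B: "tagged"}),   # trunk to bridge AP
}
for p in range(3, 9):                                   # Linksys (DHCP off) + wired
    SMART_SWITCH[p] = (VLAN_B, {VLAN_B: "untagged"})

# The OP's earlier proposal: an unmanaged switch, i.e. one VLAN on every port.
DUMB_SWITCH = {p: (1, {1: "untagged"}) for p in range(1, 9)}


def classify_ingress(switch, port, tag_vid):
    """VLAN a frame is assigned on arrival, or None if the port rejects it.
    Untagged frames take the port's PVID; tagged ones keep their VID, but
    only if the port is a member of it (ingress filtering)."""
    pvid, members = switch[port]
    vid = pvid if tag_vid is None else tag_vid
    return vid if vid in members else None


def forward(switch, in_port, tag_vid=None):
    """Ports a broadcast/unknown-unicast frame leaves on, and whether it
    leaves tagged, e.g. {2: 'tagged', 4: 'untagged'}."""
    vid = classify_ingress(switch, in_port, tag_vid)
    if vid is None:
        return {}
    return {p: members[vid]
            for p, (_, members) in switch.items()
            if p != in_port and vid in members}


def isolated(switch, wan_port, lan_ports):
    """True if nothing sent into wan_port, untagged or carrying any VLAN tag
    the switch knows about, can reach one of lan_ports."""
    known = {vid for _, members in switch.values() for vid in members}
    for tag in [None, *known]:
        if set(forward(switch, wan_port, tag)) & set(lan_ports):
            return False
    return True


if __name__ == "__main__":
    print("smart switch, CM broadcast:", forward(SMART_SWITCH, 1))
    print("smart switch, boss LAN broadcast:", forward(SMART_SWITCH, 3))
    print("CM isolated from ports 3-8 (smart):", isolated(SMART_SWITCH, 1, range(3, 9)))
    print("CM isolated from ports 3-8 (dumb):", isolated(DUMB_SWITCH, 1, range(3, 9)))
```

The model assumes ingress filtering is on: a frame arriving on port 1 with a VLAN B tag is dropped because port 1 is not a member of VLAN B. Many small smart switches ship with ingress filtering off, in which case such a frame is still flooded to the VLAN B ports, so whatever sits on the cable modem's cable could inject into the home LAN by tagging. Enable ingress filtering (or "admit untagged only") on the cable modem port when you configure the real switch, and note that pfSense's WAN2 then sees the modem only as tagged VLAN A frames on the trunk.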
 
Thanks for all the input and ideas, Pyrroc. Going to test the vlans over the bridge with a few dd-wrt boxen. If that works, gonna grab a few of those netgear switches. If not, back to the ol' drawing board.

The outdoor APs are TL-WA5210G, a quick google search didn't yield anything related to VLAN or 802.1Q. Just have to keep my fingers crossed on that one.

As a proof of concept, there is already a wireless link to the boss's house with a couple of dd-wrt routers set next to windows. If the weather is clear the connection isn't that bad, ~4 ms and about 6 Mbps. Have been using it as the failover for a few weeks already. But if a bumblebee so much as flies by and farts, it wrecks the connection. I figure the outdoor APs should create a much more stable link.

Boss plans on switching his house phone to magicjack, of course!
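Whether the bridge APs pass 802.1Q tags is the question this whole design hangs on, and the only reliable answer comes from capturing on the far side of the link. The script below is an added example, not code from the thread: it reads a classic pcap file written by `tcpdump -e -w` on the far end, parses the Ethernet header (including stacked tags), and reports which VLAN ids arrived and whether the one you sent survived. The sample capture at the bottom is constructed in memory so the script runs offline; the filename and VLAN id on the command line are whatever you choose.

```python
"""Check whether 802.1Q tags survive a wireless bridge.

On the near side, send traffic on a VLAN sub-interface (e.g. ping from
eth0.10). On the far side capture with:  tcpdump -i <if> -e -w far.pcap
Then run:  python3 vlan_check.py far.pcap 10
Added example for this thread, not from any poster. The sample capture at
the bottom is constructed, not real traffic."""
import struct
import sys

TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8      # QinQ outer tag, parsed the same way


def parse_vlan_tags(frame: bytes):
    """Return ([(tpid, pcp, vid), ...], inner_ethertype) for one Ethernet
    frame. An untagged frame returns ([], ethertype)."""
    if len(frame) < 14:
        raise ValueError("short frame")
    tags, off = [], 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < off + 6:
            raise ValueError("truncated VLAN header")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((ethertype, tci >> 13, tci & 0x0FFF))
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    return tags, ethertype


def iter_pcap(data: bytes):
    """Yield raw frames from a classic (not pcapng) Ethernet pcap."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:   # LINKTYPE_ETHERNET
        raise ValueError("capture is not Ethernet")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def vlan_report(pcap_bytes: bytes):
    """Frames per outer VLAN id; key None counts untagged frames."""
    counts = {}
    for frame in iter_pcap(pcap_bytes):
        tags, _ = parse_vlan_tags(frame)
        key = tags[0][2] if tags else None
        counts[key] = counts.get(key, 0) + 1
    return counts


def tags_survive(pcap_bytes: bytes, expected_vid: int) -> bool:
    return vlan_report(pcap_bytes).get(expected_vid, 0) > 0


# --- constructed sample capture (not real traffic) -------------------------
def build_frame(dst_hex, src_hex, ethertype, payload, vids=()):
    hdr = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
    for vid in vids:                           # PCP 0, DEI 0
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    build_frame("ffffffffffff", "001122334455", 0x0806, b"\x00" * 28, vids=(10,)),
    build_frame("ffffffffffff", "001122334455", 0x0806, b"\x00" * 28, vids=(20,)),
    build_frame("ffffffffffff", "001122334455", 0x0806, b"\x00" * 28),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    want = int(sys.argv[2]) if len(sys.argv) > 2 else 10
    for vid, n in vlan_report(data).items():
        print(f"VLAN {'untagged' if vid is None else vid}: {n} frame(s)")
    print("tag survived" if tags_survive(data, want) else "tag stripped or never sent")
```

Two caveats when running this for real. Capture with tcpdump rather than a hand-rolled raw socket: the Linux kernel strips the VLAN tag from frames delivered to AF_PACKET sockets and libpcap reinserts it, so a naive raw-socket reader would report "untagged" even on a working link. And test with full-size frames (1500-byte payload pings, no fragmentation) as well as small ones: a bridge that forwards short tagged frames can still drop maximum-size ones, because the 4-byte tag pushes them past a 1518-byte limit on some consumer gear.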
 
You know, you don't have to have an outdoor AP. If your dd-wrt routers support removable antennas, you can get directional antennas... even outdoor directional antennas that you could cable back into the house/business.

.... and if the DD-WRT routers support an AP bridge mode with VLAN tagging, you might be set...

-Pyrroc
 
2 static IPs from CM and a VPN link to PFsense from the router at the boss's house might be the way to go instead.

That's just it, CMs hand out ISP IP addresses, you have to get with the ISP to give you 2 static IPs and they don't generally do that without it being business class service.

-Pyrroc
 
My biggest concern is having the cable modem exposed to the internal network.

Why? Could people have physical access to it? 'Cause I'd just plug my laptop into it and do whatever and in 3 minutes be gone....
 