|
digitrance
Anon
2014-Nov-28 5:38 pm
[Networking] VZ upgraded ONT box, now no PPPoE WAN IP.
Hey guys,
New here, but did my searching before post!
Recently, I had some issues with the ONT battery backup, the tech came out and upgraded the ONT box to the latest one (not sure why, it wasn't needed). Previous to the upgrade my setup was PPPoE and I had my own firewall to be able to VPN into without a VZ router.
After the upgrade, they wanted me to go to DHCP, which is fine, because the Sophos UTM 9 firewall I have does DHCP over the WAN interface. However, I could not get access to the internet, I was able to get a WAN IP on my UTM firewall but not able to get out to the net.
I have confirmed the ONT is still configured for Ethernet and not coax for the internet; however, I am not able to get the same connectivity I had before the upgrade.
What am I missing? Do the new ONTs require a VZ router in place?!
Thanks in advance!
DT |
|
|
Actiontec only required if you want them to troubleshoot. You said you had the WAN ip. How do you know you had it? Does sophos utm have a wan ping diagnostic?
If you had an ip, can you drop all protection long enough to ping google.com? |
|
2 recommendations |
to digitrance
I hate to say this, but if your firewall could obtain a DHCP WAN address but you can't get out to the internet, the problem is in your firewall.
Is the DHCP WAN on the same interface as PPPoE was? If not, did you lock down your WAN access to a single interface (the PPPoE one)?
And no, the newer ONTs do not require the Actiontec router.
The obvious thing to try here is to disconnect the firewall (release its WAN IP address first) and reconnect the Actiontec. If you can get to the internet with the Actiontec but not your firewall, I would start looking at your firewall configuration more closely. |
|
buckinghamDoylstown Pa Premium Member join:2005-07-17 Buckingham, PA
1 recommendation |
said by More Fiber: I hate to say this, but if your firewall could obtain a DHCP WAN address but you can't get out to the internet, the problem is in your firewall.
I agree with this. |
|
|
to More Fiber
I suspected it would be the firewall too, but I am not sure why switching from PPPoE to DHCP would kill the traffic outbound. I put a Linksys router in there (DD-WRT firmware) and switched it to DHCP and got the same results.
The DHCP WAN is on the same interface as PPPoE was; however, I changed that interface's (eth0) configuration to DHCP instead of PPPoE.
With the Actiontec in place, it works just fine. I will turn off all protection on the Sophos UTM9 firewall and troubleshoot again.
If anything I will rebuild it from scratch again.
Thanks for the help guys. |
|
gadgetboyj Premium Member join:2009-08-25 Staten Island, NY |
Did you release the WAN IP from the Actiontec before trying the Linksys? You should be releasing the WAN IP and then quickly disconnecting or powering off the router so it can't get another lease before you put a new one in place |
|
|
digitrance
Anon
2014-Nov-29 10:08 am
Yup, it was properly released. |
|
|
to digitrance
said by digitrance: If anything I will rebuild it from scratch again.
This cleans up many problems that are head-scratchers. Hard reset back to factory defaults. What state was the dd-wrt linksys in? default or modified existing config? |
|
|
|
to digitrance
Don't know how the Sophos works, but most network devices create a virtual PPP interface when doing that protocol. Typically it's a dialer interface or what not, but maybe this device does the same?
If it does create another interface, then you have all your rules/NATs, etc. applied to that virtual interface and not the physical Ethernet interface. |
|
sk1939 Premium Member join:2010-10-23 Frederick, MD ARRIS SB8200 Ubiquiti UDM-Pro Juniper SRX320
|
to digitrance
The Sophos UTM creates a series of rules when you use PPPoE in the firewall ruleset (and a couple other places like the NAT section). When you move from PPPoE to DHCP, you have to change these rules to reflect that.
Under "Interfaces" make sure the WAN port type is listed as DHCP (also check your MTU, although I don't think that would be an issue)
Network Protection -> NAT rule still exists
Support -> Tools -> Ping Check (both the IP and do a traceroute outbound) |
|
|
digitrance
Anon
2014-Nov-29 5:49 pm
sk1939,
Thanks for this, this is good to know. I will be doing some troubleshooting tomorrow afternoon and report back.
Regards,
DT |
|
digitrance
1 recommendation |
digitrance
Anon
2014-Nov-30 2:20 pm
Hey guys,
I ended up fixing it with a complete rebuild, but during the rebuild I noticed that Masquerading NAT rules were not in place on my old Sophos UTM configuration when I switched from PPPoE to DHCP.
This seemed to have changed when I configured the WAN interface from PPPoE to DHCP.
This is a no-brainer, but I totally overlooked this.
Everything works now!
Thanks for the input!
Regards,
DT |
|
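Added example, not part of the thread and not Sophos UTM configuration: the failure described above (masquerading NAT still tied to the PPPoE interface after the WAN moved to DHCP) checked on a Linux/iptables router such as the DD-WRT box mentioned earlier. The interface names `ppp0` and `eth0`, the function names, and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: nat table in `iptables-save -t nat` format for a router
# that ran PPPoE (virtual ppp0) and was then switched to DHCP on eth0.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ppp0 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.10
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
COMMIT'

# snat_ifaces: read iptables-save text on stdin and print "<out-if>\t<rule>"
# for each source-NAT rule; "*" means the rule names no outbound interface.
snat_ifaces() {
    awk '$1 == "-A" {
        out = "*"; target = ""
        for (i = 2; i < NF; i++) {
            if ($i == "-o") out = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (target == "MASQUERADE" || target == "SNAT") print out "\t" $0
    }'
}

# stale_nat_rules WAN_IF: print source-NAT rules pinned to an interface
# other than the current WAN interface (leftovers from the old WAN type).
stale_nat_rules() {
    snat_ifaces | awk -F'\t' -v wan="$1" '$1 != "*" && $1 != wan { print $2 }'
}

# wan_has_snat WAN_IF: exit 0 only if some source-NAT rule applies to WAN_IF
# (named explicitly, or not restricted to any interface).
wan_has_snat() {
    snat_ifaces | awk -F'\t' -v wan="$1" \
        '$1 == "*" || $1 == wan { ok = 1 } END { exit !ok }'
}

# Demo on the constructed sample; on a live router feed it
# `iptables-save -t nat` instead.
printf '%s\n' "$SAMPLE_NAT" | stale_nat_rules eth0
printf '%s\n' "$SAMPLE_NAT" | wan_has_snat eth0 && echo "eth0 is masqueraded"
```

A WAN lease with no outbound traffic, as in the first post, corresponds to `wan_has_snat` failing for the new WAN interface: the router has an address, but LAN traffic leaves with private source addresses.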
sk1939 Premium Member join:2010-10-23 Frederick, MD ARRIS SB8200 Ubiquiti UDM-Pro Juniper SRX320
3 edits |
sk1939
Premium Member
2014-Dec-5 1:52 am
I just had the same problem myself, but apparently Verizon was doing an internal hardware migration or change, as I moved from PPPoE to DHCP, and from the 172 IP add range to the 100 IP add range. Very strange, and very annoying since I was in the middle of a download when everything dropped off. TV and phone still worked (watched White Collar instead), but no WAN.
-Edit-
Bonus features:
-Back to non-Symmetric speeds
-Switching between PPPoE authentication and DHCP is possible, although DHCP seems to be the one that resolves fastest. Also note, my IP address does not change switching between the two, although I do momentarily lose my internet connection.
-Speedtest.net thinks I'm in Kansas now, saying the closest (!) Speedtest.net site is Wichita, KS (KsFiberNet). Something is up with Verizon's routing.
Geographically Closest in real life
What in blazes is going on?!
|
|
|
anon poser
Anon
2014-Dec-6 8:40 pm
said by sk1939: I just had the same problem myself, but apparently Verizon was doing an internal hardware migration or change, as I moved from PPPoE to DHCP, and from the 172 IP add range to the 100 IP add range. Very strange, and very annoying since I was in the middle of a download when everything dropped off. TV and phone still worked (watched White Collar instead), but no WAN.
-Edit-
Bonus features: -Back to non-Symmetric speeds -Switching between PPPoE authentication and DHCP is possible, although DHCP seems to be the one that resolves fastest. Also note, my IP address does not change switching between the two, although I do momentarily lose my internet connection. -Speedtest.net thinks I'm in Kansas now, saying the closest (!) Speedtest.net site is Wichita, KS (KsFiberNet). Something is up with Verizon's routing.
Geographically Closest in real life
What in blazes is going on?!
Not sure, but perhaps it has something to deal with Carrier Grade Network Address Translation (CGN or Carrier Grade NAT). To opt out, you must be signed in and go to » www.verizon.com/support/ ··· 3897.htm^^ |
|
sk1939 Premium Member join:2010-10-23 Frederick, MD |
sk1939
Premium Member
2014-Dec-6 10:27 pm
Which would make sense, except this is FIOS and I can still connect via VPN which CGN would break. |
|
|
to anon poser
said by anon poser: perhaps it has something to deal with Carrier Grade Network Address Translation
FIOS has never used CGN. |
|
dianac Premium Member join:2014-06-13 Demarest, NJ
1 recommendation |
to sk1939
said by sk1939: What in blazes is going on?!
I saw something similar when they migrated us from PPPoE to DHCP (in our case, we "moved" from New Jersey to Virginia). It should sort itself out in a few days. |
|
sk1939 Premium Member join:2010-10-23 Frederick, MD |
sk1939
Premium Member
2014-Dec-9 3:31 pm
I personally preferred being on PPPoE. I don't mind the overhead (additional bandwidth was allotted for it anyways) and it was tunneled traffic (slightly more security) besides. |
|
sk1939 |
sk1939
Premium Member
2014-Dec-13 1:21 am
The geo-location has sorted itself out, however the IP and Speedtest issues (non-symmetric speeds) have not sorted themselves out.
|
|