TLDR
pfSense 23.01 (built on FreeBSD 14) adds VLAN 0 support. The ISP residential gateway (RG) can be bypassed by connecting both the ONT and the RG to the pfSense switch, with the WAN interface using dhcpclient VLAN priority tagging.
Setup
Device
- Netgate 1100 running pfSense 23.01-RC (build of Feb 02 2023)
- AT&T U-verse Pace 5268AC
Connection
{Netgate 1100}
[AT&T ONT]-------------[WAN]
[Switch]---------------[LAN]
[5268AC ONT port]------[OPT]
Configuration
Interfaces -> Assignments:
- Select 'mvneta0' for OPT interface
- Save
Interfaces -> OPT:
- Navigate to 'General Configuration'
- Fill 'MAC Address' with RG MAC
- Save
Interfaces -> WAN:
- Navigate to 'DHCP Client Configuration'
- Check 'Enable dhcpclient VLAN Priority tagging'
- Select 'Network Control (NC, 7)'
- Save & Apply
Interfaces -> Switches -> Ports:
- Navigate to '1100 Switch Ports'
- For the OPT port, click '4092' and change it to '4090'
- Save
Interfaces -> Switches -> VLANs:
- Navigate to '1100 Switch 802.1Q VLANs'
- Edit VLAN group 3 (tag 4092), remove member 3 and Save
- Edit VLAN group 1 (tag 4090), add member 3 and Save
- Save & Reboot
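The WAN step above turns on dhcpclient VLAN priority tagging with the 'Network Control (NC, 7)' class, which means the DHCP client sends 802.1Q frames whose VLAN ID is 0 and whose PCP field is 7. As an added example that is not part of the original post, the following Python builds and decodes such a frame so you can see exactly what that setting puts on the wire and check a packet capture for it. The MAC addresses and the payload bytes are constructed placeholders, not values from the post.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
PCP_NETWORK_CONTROL = 7    # pfSense 'Network Control (NC, 7)' priority class


def mac_bytes(text):
    """Convert 'aa:bb:cc:dd:ee:ff' into the 6 raw bytes used in the frame header."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError("MAC address must have six octets")
    return bytes(int(p, 16) for p in parts)


def build_tci(pcp, vid, dei=0):
    """Pack the 16-bit Tag Control Information field: PCP(3) | DEI(1) | VID(12)."""
    if not 0 <= pcp <= 7 or dei not in (0, 1) or not 0 <= vid <= 4095:
        raise ValueError("TCI field out of range")
    return (pcp << 13) | (dei << 12) | vid


def tag_frame(dst_mac, src_mac, ethertype, payload, pcp=PCP_NETWORK_CONTROL, vid=0):
    """Build an Ethernet frame with an 802.1Q tag in front of the payload.

    vid=0 produces a 'priority tag': the frame carries a PCP but belongs to no
    VLAN. That is the VLAN 0 case the post refers to; the RG and the ISP's
    DHCP exchange use it, so pfSense must emit the same shape of frame.
    """
    header = struct.pack("!HHH", ETHERTYPE_8021Q, build_tci(pcp, vid), ethertype)
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + header + payload


def parse_frame(frame):
    """Decode the Ethernet header and, if present, the 802.1Q tag.

    Returns a dict whose 'tag' key is 'untagged', 'priority-tagged' (VID 0)
    or 'vlan-tagged' (VID 1-4095), which is what you want to see when
    verifying a capture of the WAN link.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":")}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_8021Q:
        info.update(tag="untagged", ethertype=ethertype, payload=frame[14:])
        return info
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    info.update(
        tag="priority-tagged" if vid == 0 else "vlan-tagged",
        pcp=tci >> 13,
        dei=(tci >> 12) & 1,
        vid=vid,
        ethertype=inner,
        payload=frame[18:],
    )
    return info


# Constructed sample values (placeholders, not real hardware addresses).
RG_MAC = "02:00:00:aa:bb:cc"          # the RG MAC copied into the OPT interface
BROADCAST = "ff:ff:ff:ff:ff:ff"
DHCP_DISCOVER_STUB = b"\x45\x00" + b"\x00" * 18   # stand-in for an IPv4/UDP DHCP payload


def demo():
    """Build the kind of frame the WAN DHCP client sends, then decode it."""
    frame = tag_frame(BROADCAST, RG_MAC, ETHERTYPE_IPV4, DHCP_DISCOVER_STUB)
    return parse_frame(frame)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

When checking a real capture, a frame from the WAN port that decodes as 'vlan-tagged' with VID 4090 or 4092 means the internal switch tag leaked onto the wire; a DHCP frame that decodes as 'untagged' means the priority-tagging option did not take effect.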
Test
After pfSense reboots, a LAN device can reach the internet, and ping latency is lower than through the original RG (Fiber 300 Mbps plan).
Thoughts
- VLAN 0 was not supported until pfSense 23.01, a long-awaited feature
- The first part of the configuration spoofs the RG MAC address and enables VLAN priority tagging on WAN
- The second part creates a dummy switch VLAN that connects the RG to the ONT, so the RG's 802.1X EAP authentication still passes through
- Both pfSense and the RG can reach the internet using the same MAC; however, packets without a matching session/state are dropped by both devices
- This is a bare-minimum setup. A further optimization is to configure the RG firewall to reject all TCP/UDP so it does not interfere with pfSense