New Modem Link To Firewall -- Details, Results So Far, Working On Recipe

Long time IPCop user finally has to make the move to something great and modern and with lots of momentum. Lots of research and here we are at IPFire.

PROBLEM: Figure out connection between Smart RG Gateway SR516ac modem (provided by Canada’s Teksavvy, running on top of Bell Canada infrastructure) to an IPFire firewall running on a separate desktop computer.

PREVIOUS: The same pattern worked like a charm with IPCop previously – what some call “half-bridge” – the log-in is in the modem (which was then a Cellpipe 7130) but the dynamic public IP address ended up on the firewall.

NETWORK LAYOUT: Internet – modem – firewall – switch – clients and devices and access point. RED and GREEN are deployed the usual way on the firewall.

TRIGGER FOR CHANGE – Old modem died, and we now have the new modem. We are now without Internet for over a week :( Configuration to a full firewall (as opposed to some little router) has not gone according to plan.

FIREWALL HARDWARE – Right now it is still 32-bit (I realize that 32-bit IPFire won’t be around much longer), with 2 X Gb NICs, 3 GB RAM and an “old processor”. Will be updated after this emergency.

RESEARCH ON HOW TO CONNECT: Have done a huge amount of reading and testing (including the full modem manual), and have had help from Teksavvy. Tried on Red static, DHCP and PPP dial-up, matched with various configurations of IPFire. Successful access to IPFire via direct monitor or via web page. Partial access to modem sometimes when connected, but mostly connected to laptop for off-line configuration.

PROBLEM: Cannot get 516ac modem management page to show up after configuration and reconnection, on a web page. The modem does show success connecting both DSL and Internet (as indicated by lights).

SUSPICION: The latest thing tried is related to the modem manual’s statement that if you want to turn off NAT (i.e. maybe to avoid double-natting?), then the Internet connection will fail if you do not “add a route on the uplink equipment”. Not sure at all that this is the problem, just the latest thing we are looking at.

WHO MIGHT BE INTERESTED: This seems like it would be a common use case and interesting to a lot of people. Basically, put a full-on firewall on an older or smaller box behind the ISP router – and protect everything a little better.

QUESTION #1: Big picture – what is the best way to do this – static, DHCP or dial-up?

QUESTION #2: Is there a detailed recipe anywhere on how to do the best way? That is relevant to this type of modem?

QUESTION #3: Are there specific gotchas that we should be aware of?

I’m planning on doing our own diary after this which I can share.

Super thanks for any guidance! Go IPFire!

John

Pleased to report success. And specifically configuring Red as “Static” on 192.168.1.2 pointing to the modem gateway interface on 192.168.1.1. So this is where the modem is in “router” configuration. And the NAT is enabled on the modem. PPPoE log in is via modem. This is basically the same configuration as what worked with IPCop and the CellPipe modem. But getting here took much, much longer than required.

Hi @johnh

Welcome to the IPFire community.

Having red as static is fine as long as you know that the modem/router system is providing the same IP to IPFire every time it restarts, otherwise DHCP would be a safer option.

Thanks Adolph. Yes, the modem is now set for permanent 192.168.1.1 interface to the IPFire box.

(The bigger picture is that our Internet address is not static, and if the line goes down or the modem is off at all, we are likely to end up with a new IP WAN address. Thus the need to set up dynamic DNS for any of the usual reasons.)

Update a week or so later – everything working perfectly. One thing that is weird is there is no “connect/disconnect” button or check box on either the modem web page or the IPFire webpage. The combo of IPCop + Alcatel CellPipe 7030, depending on how they were set up, enabled a connect/reconnect/disconnect on either modem or firewall page. (This might be useful if one wants to get a new IP address periodically.)
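
A sanity check for the static RED setup reported in this thread (RED 192.168.1.2, modem gateway 192.168.1.1, NAT on the modem), added here as an example and not part of any poster's message. The /24 prefix, the GREEN networks and the function name `check_red_plan` are assumptions, since the thread does not state them.

```python
import ipaddress

# RFC 1918 ranges: a RED address inside one of these sits behind the modem's NAT.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_red_plan(red_ip, red_prefix, gateway, green_cidr):
    """Return findings for a static RED interface behind a NAT modem.

    check_red_plan is a hypothetical helper, not an IPFire tool.
    """
    findings = []
    red_if = ipaddress.ip_interface(f"{red_ip}/{red_prefix}")
    gw = ipaddress.ip_address(gateway)
    green = ipaddress.ip_network(green_cidr, strict=False)

    # The default gateway must be a different host on the RED subnet.
    if gw == red_if.ip:
        findings.append("ERROR: RED address equals the gateway address")
    elif gw not in red_if.network:
        findings.append("ERROR: gateway is outside the RED subnet")

    # If the modem LAN and GREEN share a range, the firewall cannot
    # route between them; GREEN has to be renumbered.
    if red_if.network.overlaps(green):
        findings.append("ERROR: GREEN overlaps the RED subnet; renumber GREEN")

    # A private RED address means the modem holds the public address.
    if any(red_if.ip in net for net in RFC1918):
        findings.append("NOTE: RED is private; the modem NATs in front of "
                        "the firewall (double NAT)")
        findings.append("NOTE: dynamic DNS must publish the modem's WAN "
                        "address, not the RED address")
    return findings


if __name__ == "__main__":
    # Constructed inputs: addresses from the thread, assumed /24 and GREEN range.
    for line in check_red_plan("192.168.1.2", 24, "192.168.1.1",
                               "192.168.10.0/24"):
        print(line)
```
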