pfSense 2nd WAN behind LTE modem DMZ

rcoleman-netgate

@siwyboy said in pfSense 2nd WAN behind LTE modem DMZ:

The EdgeRouter 12 worked in the same configuration and was always showing me the actual public IP address of the LTE connection on the WAN 2 port.
Unfortunately, pfSense is only able to show the gateway IP from TP-Link:

If you can set up bridging you should do that but it will likely result in a CGNAT address, not a public routable IP.

Public IPs for mobile devices are often a cost-tier that can be prohibitively expensive. I've seen some services, even, use the round-robin routing for outbound data so any IP that fits in their /16 will get the traffic going out rendering DDNS useless.

siwyboy

@rcoleman-netgate thanks for the suggestion, but I don't think this is related to my LTE ISP. I've been using their extra paid public IP service for over a year now. I can even order a static public IP for my SIM and it's not that expensive.

Right now I'm trying to find a USB LTE modem that is compatible with pfSense based on this article:
https://docs.netgate.com/pfsense/en/latest/cellular/hardware.html

Maybe it will be a better solution than a second router.

rcoleman-netgate

@siwyboy said in pfSense 2nd WAN behind LTE modem DMZ:

Right now I'm trying to find a USB LTE modem that is compatible with pfSense based on this article:
https://docs.netgate.com/pfsense/en/latest/cellular/hardware.html

Good luck.

The LTE modem you're using has to assign the public IP to the pf. If it is assigning it to something else that is plugged in you can tell the interface to ignore IPs from a specific DHCP server but that is only going to work if the upstream is giving it one.

If your LTE has the public IP then you just need to DMZ the pfSense IP in the LTE device.

Comparing the EdgeRouter to pfSense in this regard is like saying you don't like that your scooter isn't a coupe.

So why isn't DDNS working? Dunno, the logs would tell you.

Gblenn

@siwyboy Are you sure DDNS doesn't work, have you tested? I have a similar setup although I have it set up towards my WAN Group. It works because it doesn't bother with the WAN IP, rather it goes to what you have defined under Services > Dynamic DNS under Check IP tab.

Mine reads http://checkip.dyndns.org which I think is default.

siwyboy

@gblenn I think there is something wrong with the TP-Link DMZ.

I connected a device to pfsense and gave it an IP: 10.1.1.67
Used the http://checkip.dyndns.org service to check the default WAN 1 IP and it's correct.

Then I created a rule to route the device through WAN 2:
Screenshot - 23.01.2023 , 18_26_35.png

Again used the http://checkip.dyndns.org service and I can see the public IP:
Screenshot - 23.01.2023 , 18_30_56.png

but I'm also able to open the TP-Link admin panel from this device. Probably it's because pfsense sees the router gateway 192.168.1.1

I checked the DMZ and it looks to be correct:
Screenshot - 23.01.2023 , 18_28_53.png

I can't see the linux machine on the DHCP list, so it's bypassing the tp-link router:
Screenshot - 23.01.2023 , 18_29_29.png

I also have the paid DynDNS Pro service so I created a dummy entry:
Screenshot - 23.01.2023 , 18_30_21.png
but still nothing.

I'm still trying to figure this out :/

Gblenn

@siwyboy pfsense should pick up the right IP with or without DMZ. Provided it detects a private IP on WAN, it will accesses the web site just like you did and read the IP from that row.

And yes you should be able to reach the TP-Link from inside your pfsense, since pfsense is aware of it (the IP settings for pfsense WAN includes the gateway IP).

When you say

I also have the paid DynDNS Pro service so I created a dummy entry:

but still nothing.

Did you click Save and Force Update??

I think you need to check the settings for that DDNS entry, like type, user/pw or token and Update URL. It should update regardless of which IP pfsense thinks it should set (192.168.1.101) or your public IP from http://checkip.dyndns.org...

I made a test just now and it worked perfectly fine...

siwyboy

@gblenn I'm trying to figure this out for the last 4 hours hehehe
I checked, changed, reconfigured all possible settings that I'm aware of and still nothing...

Screenshot - 23.01.2023 , 20_31_09.png

It must be something with the second router

siwyboy

@gblenn I performed the final test.
On tplink I disabled DMZ, configured dyndns and opened port 80
Screenshot - 23.01.2023 , 20_57_09.png

I was able to access the router without any issues.

I will try to get a different router this week and maybe a USB LTE modem. Will update this post once I find a solution or workaround.

Gblenn

Wierd that pfsense can't get the IP address when you can do it from inside pfsense, via that exact same service. Why would pfsense be any different?

Have you rebooted the TP-Link? Restarted the WAN2 interface? Restarted the DDNS service on pfsense?

One way of fooling pfsense into picking up the IP is to set the network (and pfsense IP) on your TP-Link to a public IP instead. That way pfsense will accept it as ok and directly try to reach out and update dyndns... Doesn't solve your problem but at least you can test that pfsense can get through to the service.

Also, wrt to DMZ, have you tried setting the pfsense IP as static in the TP-link router instead?? If I read things correctly you set that in pfsense WAN2 interface settings??

I always set static IP's in the router and never in a device. But sometimes when testing... I can't say for sure but I have a vague memory of something being off when doing it that way with the TP-Link.

siwyboy

@gblenn I found a very old Huawei E169 (3G) and a newer one ZTE MF833U1 (LTE).
The first one is on the supported list, but the ZTE is marked as:
Modems reported to work as Ethernet devices - whatever that means...

I will test them today evening.

On Friday, my colleague will lend me a couple of his LTE routers and modems. I will update this post once I connect and test them.

@gblenn said in pfSense 2nd WAN behind LTE modem DMZ:

Have you rebooted the TP-Link? Restarted the WAN2 interface? Restarted the DDNS service on pfsense?

One way of fooling pfsense into picking up the IP is to set the network (and pfsense IP) on your TP-Link to a public IP instead. That way pfsense will accept it as ok and directly try to reach out and update dyndns... Doesn't solve your problem but at least you can test that pfsense can get through to the service.

Also, wrt to DMZ, have you tried setting the pfsense IP as static in the TP-link router instead?? If I read things correctly you set that in pfsense WAN2 interface settings??

I always set static IP's in the router and never in a device. But sometimes when testing... I can't say for sure but I have a vague memory of something being off when doing it that way with the TP-Link.

Thanks for the hints! I will test them today evening.

Gblenn

@siwyboy said in pfSense 2nd WAN behind LTE modem DMZ:

I found a very old Huawei E169 (3G) and a newer one ZTE MF833U1 (LTE).
The first one is on the supported list, but the ZTE is marked as:
Modems reported to work as Ethernet devices - whatever that means...
I will test them today evening.
On Friday, my colleague will lend me a couple of his LTE routers and modems. I will update this post once I connect and test them.

I guess modems like that could work. But they are more of a temporary solution for mobile use, often with quite limited functionality. Might not even support DMZ or port forwarding...

But I still don't understand why pfsense can't access http://checkip.dyndns.org when you can do it from a device inside your network. It should not matter one bit if pfsense is actually in the DMZ or not! It's just simple web access through port 80, which clearly is working for devices inside the network.

BTW, do you have any firewall rules or tools (like suricata, pfBlocker) which may be interfering here?

siwyboy

@gblenn Kill me now...

Yesterday a new update pop up so I decided to install it.
2.7.0-DEVELOPMENT (amd64)
built on Tue Jan 24 06:07:01 UTC 2023
FreeBSD 14.0-CURRENT

After the install, DDNS started to work and is now showing the correct public IP...

Screenshot - 25.01.2023 , 20_06_50.png

Right now, I need to figure out why it's still showing the TP-Link router login page even though I set up DMZ, changed the management port and management IP.
I think it might have something to do with the way how TP-Link is handling DMZ.

PS
I don't use any tools like suricata, pfBlocker. I have very basic setup when it comes to packages.
Screenshot - 24.01.2023 , 17_27_10.png

I decided to use pfSense because it's much easier to setup vlans and firewall rules than on UI Edgemax routers.

Gblenn

First of all, great that it started working!!

Right now, I need to figure out why it's still showing the TP-Link router login page even though I set up DMZ, changed the management port and management IP.
I think it might have something to do with the way how TP-Link is handling DMZ.

I don't see why it shouldn't... DMZ means all ports are open, not that the TP-Link "dissapears". It is still the gateway that pfSense "sees" and it's still doing NAT.