Netgate Discussion Forum
    NAT to cable modem admin UI needs to come from same subnet

    jhg

      Hitron CODA-56 modem (which is working very well)

      It has an admin UI at 192.168.100.1, so I thought all I needed to do was add a static route to it. This didn't work, and I discovered that traffic to that address must also have a source IP in the same /24. So I attempted to create an outgoing NAT rule as follows:

      Outbound NAT Mode: Hybrid

      Rule

      • Interface: WAN
      • Source: LAN Subnets
      • Source Port: *
      • Destination: 192.168.100.0/24
      • Destination Port: *
      • NAT Address: 192.168.100.2/32
      • NAT Port: *

      But this also doesn't work.

      With packet capture I can see the traffic exiting the WAN interface, with the correct source and destination addresses, but I don't see any response:

      Running packet capture:
      /usr/sbin/tcpdump -ni re1 -c '1000' -U -w - '((net 192.168.100.0/24)) and ((not vlan))'
      
      01:25:43.122880 IP 192.168.100.2.24852 > 192.168.100.1.80: tcp 0
      01:25:46.863886 IP 192.168.100.2.38110 > 192.168.100.1.80: tcp 0
      01:25:47.131851 IP 192.168.100.2.24852 > 192.168.100.1.80: tcp 0
      01:25:54.875554 IP 192.168.100.2.38110 > 192.168.100.1.80: tcp 0
      01:25:55.144524 IP 192.168.100.2.24852 > 192.168.100.1.80: tcp 0
      

      I know the modem's UI works because I could access the UI when I was using a Linux-based router, before I replaced it with pfSense.

      Is there anything obvious I need to fix so I can see the response traffic?

      pfSense CE on Beelink EQ12 (N100 CPU, dual 2.5Gbe Intel NICs)
      Hitron CODA56 - Comcast 2.5Gb cable
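
The capture above shows the tell-tale symptom of a routing or reply-to problem: repeated SYNs from 192.168.100.2 to 192.168.100.1:80 and not one packet in the other direction. The script below is an added example (not code from the post, pfSense or Netgate) that parses pfSense's compact tcpdump output into flows and flags the ones that never got a reply, so the same check can be run over a longer capture instead of reading it by eye. The sample input copies the five lines from the post and adds one constructed two-way flow on port 40000 for contrast; it is labelled as constructed in the code.

```python
import re

# Constructed sample in the format of the post's capture: the first five lines
# copy the post's output (SYN retries to the modem with no reply); the last two
# lines are a constructed, healthy flow added so there is a two-way flow to contrast.
SAMPLE_CAPTURE = """\
01:25:43.122880 IP 192.168.100.2.24852 > 192.168.100.1.80: tcp 0
01:25:46.863886 IP 192.168.100.2.38110 > 192.168.100.1.80: tcp 0
01:25:47.131851 IP 192.168.100.2.24852 > 192.168.100.1.80: tcp 0
01:25:54.875554 IP 192.168.100.2.38110 > 192.168.100.1.80: tcp 0
01:25:55.144524 IP 192.168.100.2.24852 > 192.168.100.1.80: tcp 0
01:26:10.000000 IP 192.168.100.2.40000 > 192.168.100.1.80: tcp 0
01:26:10.000400 IP 192.168.100.1.80 > 192.168.100.2.40000: tcp 0
"""

# Matches the compact "IP src.port > dst.port: proto len" lines that the pfSense
# packet-capture page prints; lines in other tcpdump verbosity formats are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>\w+)"
)


def parse_line(line):
    """Return (ts, src, sport, dst, dport, proto) or None for non-packet lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return (m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"])


def summarize_flows(capture_text):
    """Group packets into bidirectional flows keyed by protocol and endpoint pair.

    Each entry records which endpoint sent the first packet ("initiator"), how many
    packets it sent ("forward") and how many came back towards it ("reverse").
    """
    flows = {}
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        ts, src, sport, dst, dport, proto = pkt
        a, b = (src, sport), (dst, dport)
        key = (proto, a, b) if a <= b else (proto, b, a)  # direction-independent key
        entry = flows.setdefault(
            key, {"first_seen": ts, "initiator": a, "forward": 0, "reverse": 0}
        )
        if a == entry["initiator"]:
            entry["forward"] += 1
        else:
            entry["reverse"] += 1
    return flows


def one_way_flows(flows):
    """Flows where the initiator kept sending but never received a single packet back."""
    return {k: v for k, v in flows.items() if v["reverse"] == 0}


def unanswered_ports(capture_text):
    """Sorted initiator ports of all one-way flows (a compact signal for a log line or check)."""
    return sorted(v["initiator"][1] for v in one_way_flows(summarize_flows(capture_text)).values())


def report(capture_text):
    """One human-readable line per flow, oldest first, marking flows that got no reply."""
    lines = []
    for key, v in sorted(summarize_flows(capture_text).items(), key=lambda kv: kv[1]["first_seen"]):
        proto, ep1, ep2 = key
        src_ip, src_port = v["initiator"]
        dst_ip, dst_port = ep2 if ep1 == v["initiator"] else ep1
        status = "NO REPLY" if v["reverse"] == 0 else "ok"
        lines.append(
            f"{v['first_seen']} {proto} {src_ip}:{src_port} -> {dst_ip}:{dst_port} "
            f"fwd={v['forward']} rev={v['reverse']} {status}"
        )
    return lines


if __name__ == "__main__":
    # Feed it a saved capture instead: report(open("capture.txt").read())
    print("\n".join(report(SAMPLE_CAPTURE)))
```

Run against the post's five lines alone it reports two flows (source ports 24852 and 38110), both with several forward packets and zero reverse packets, which is exactly the "I see my traffic leave but nothing comes back" picture that points at the return path (routing of the reply, or a reply-to/gateway setting on the rule) rather than at the outbound NAT itself.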

      • johnpoz (Global Moderator) @jhg

        @jhg I ran into the same sort of problem that had me scratching my head for a while..

        I hear good things about that modem by the way ;)

        Anyhoo.. Here is my setup. Sounds exactly like what you're trying to do, etc..

        [screenshot: modem.jpg]

        The "Disable auto generated reply-to" option allows it to work..

        I was also blocking outbound RFC1918, to keep any noise I might generate by typos in RFC1918 addresses, etc. from going out my connection. I had a work laptop, for one, that was generating lots of traffic to "work" IP ranges, etc. The block RFC1918 rule is just below that allow rule with the disable reply-to set; prob should have grabbed it in the screenshot.

        edit: trying to remember the thread where we found this.. I will have to see if I can find that thread.

        edit2: here it is https://forum.netgate.com/topic/181715/solved-problems-with-understanding-advanced-egress-filtering

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • mer

          Different cable modem, but I had similar issues.
          I did the exact same as @johnpoz; make sure you don't forget the disable reply-to step. That bit me once or twice.

          • SteveITS @jhg

            TL;DR ;) but it looks like there are some suggestions. Netgate has a recipe page for this: https://docs.netgate.com/pfsense/en/latest/recipes/modem-access.html

            I’ve never had to do anything for AT&T or Comcast modems, it “just works.”

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.