After configuring WireGuard VPN I can no longer log in to my modem
-
Hi folks, let me start by saying that I am trying to read all I can digest about networking and pfSense in particular, but starting from zero has proven remarkably difficult. That is to say, I am trying to find an answer in the forum before I ask questions that might already have been answered. I still have a very limited grasp of how pfSense works, so please show some indulgence : )
Ok, here is my setup:
Netgear MR6550 hotspot that I am using as a wireless modem in passthrough mode. It is connected to a SG-5100, which in turn is connected to a Netgear RS700 running in AP mode.
My issue is - before I had configured the VPN client (IVPN), I was able to log into my modem @192.168.3.1. After I set up the WireGuard VPN and started passing traffic through it, I am unable to reach my modem on my LAN. I get "This webpage took too long to respond" message. I suspect the VPN has something to do with it, but am unsure what.
Any pointers would be greatly appreciated!
Thank you! -
@sarrasine Are you routing all traffic through the WireGuard tunnel? If so, there's your answer.
-
@Jarhead
Hi, thanks for replying, I believe I am, but don't know how to make an exception for logging into the modem. -
As much as I searched, I could find nothing related to my issue, it is as if this particular scenario has never been encountered!
-
Yup that. Add a static route to the modem IP address via the WAN gateway in System > Routing > Static Routes.
https://docs.netgate.com/pfsense/en/latest/routing/static.html#example-static-route
Steve
-
An alternative solution here would be to add a VIP on the WAN inside the modem subnet. Some modems require that if they don't have a route back. You probably don't since it was working before you added the VPN. But just for reference:
https://docs.netgate.com/pfsense/en/latest/recipes/modem-access.html -
-
@stephenw10
Like this?
Unfortunately, I still can't connect.
Not sure if additional firewall rules are needed and what they would look like. The Netgate documentation mentions them, but does not specify what they should be. -
@stephenw10
I added a firewall LAN rule (no idea if it is correct), but seems like there is a NAT issue as well. -
If you have a policy routing rule for the VPN on LAN you need to put that rule above it.
If it worked before you added the VPN it should work now without additional NAT rules or VIPs.
-
@stephenw10
Thank you!
Now instead of timing out, the 192.168.3.1 gives me a "Connection refused" error. -
192.168.3.1 is the modem management IP correct?
Before you added the VPN you were able to access it from the LAN by just entering that directly in a browser?
I can't see what mode you have the outbound NAT in. Normally in auto mode traffic for the modem IP would just be translated to the WAN address like any other traffic.
-
@stephenw10
Never mind, it worked!
But I needed these:
Sorry, the picture didn't show it, but I am using manual NAT.
Funny thing, I can access 192.168.3.1 (yes, this is the modem's login page) only from one of two Chrome-based browsers. But that is fine : ) I don't know how to thank you, Stephen, very much obliged!
-
Cool.
You almost certainly only need one of those rules. You wouldn't need static source ports for that connection.
If you removed those rules deliberately to prevent traffic 'leaking' past the VPN (a lot of VPN setup guides will have you do that) then you might want to tighten it to only apply to traffic with modem as destination.
-
@sarrasine said in After configuring WireGuard VPN I can no longer log in to my modem:
Do I need any of the 500 (ISAKMP) rules?
You only need them if you are connecting an IPSec VPN through the firewall. So probably not. But it doesn't hurt to leave them either.
-
@stephenw10
Thank you, Stephen, appreciate it!
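
The rule-order advice ("put that rule above it") and the NAT-tightening advice from the replies above, modelled as an added example; this is not code from the thread or from pfSense. Only 192.168.3.1 comes from the thread; the LAN subnet, client address, the "WAN"/"VPN" labels and the 203.0.113.10 test host are assumptions.

```python
from ipaddress import ip_address, ip_network

MODEM = "192.168.3.1"            # modem management IP, from the thread
LAN = "192.168.1.0/24"           # assumed LAN subnet (not given in the thread)
CLIENT = "192.168.1.50"          # constructed LAN client
INTERNET_HOST = "203.0.113.10"   # constructed test address (TEST-NET-3)
ANY = "0.0.0.0/0"

def matches(rule, src, dst):
    return (ip_address(src) in ip_network(rule["src"])
            and ip_address(dst) in ip_network(rule["dst"]))

def egress(lan_rules, src, dst):
    """First matching LAN rule wins. A rule with a gateway set policy-routes
    the packet, so the routing table (and any static route) is bypassed."""
    for rule in lan_rules:
        if matches(rule, src, dst):
            # Assumption: with no gateway on the rule, the routing table
            # sends the packet out the WAN interface.
            return rule["gateway"] or "WAN"
    return None  # nothing matched: default deny

def natted(nat_rules, iface, src, dst):
    """Manual outbound NAT: translate only when a rule on the egress
    interface matches both source and destination."""
    return any(r["iface"] == iface and matches(r, src, dst) for r in nat_rules)

def path(lan_rules, nat_rules, src, dst):
    iface = egress(lan_rules, src, dst)
    return iface, natted(nat_rules, iface, src, dst)

# LAN firewall rules: the VPN policy-routing rule and the modem exception.
vpn_rule = {"src": LAN, "dst": ANY, "gateway": "VPN"}
modem_rule = {"src": LAN, "dst": MODEM + "/32", "gateway": None}

# Outbound NAT: a broad WAN rule versus one limited to the modem.
vpn_nat = {"iface": "VPN", "src": LAN, "dst": ANY}
broad_nat = [vpn_nat, {"iface": "WAN", "src": LAN, "dst": ANY}]
tight_nat = [vpn_nat, {"iface": "WAN", "src": LAN, "dst": MODEM + "/32"}]

if __name__ == "__main__":
    print("modem rule below VPN rule:", path([vpn_rule, modem_rule], tight_nat, CLIENT, MODEM))
    print("modem rule above VPN rule:", path([modem_rule, vpn_rule], tight_nat, CLIENT, MODEM))
    print("internet host, modem rule on top:", path([modem_rule, vpn_rule], tight_nat, CLIENT, INTERNET_HOST))
    print("WAN NAT for internet host, broad:", natted(broad_nat, "WAN", CLIENT, INTERNET_HOST))
    print("WAN NAT for internet host, tight:", natted(tight_nat, "WAN", CLIENT, INTERNET_HOST))
```

With the modem rule below the VPN rule, modem traffic is sent into the tunnel regardless of the static route; with the tight NAT rule, nothing but modem-bound traffic is translated on WAN.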