Access Modem GUI Behind Firewall

JonathanLee

@Globaltrader312 ACL (Access Control List) your pass or block rules are ACLs. If you’re using more than one interface you need to approve ICMP on both interfaces for them to ping each other. What port is used for GUI access on your modem? Check on ARP page also to get the IP address assigned to the modem. It should show the MAC and the IP being used. You show WAN2 and Vigor? Is that is a different interface? What happened to WAN you show WAN2 I noticed if that’s the case what is your gateway set as WAN or WAN2, also have you looked at your outbound NAT rules if you are using multiple WAN interfaces? Can you ping it from the firewall ping page?

Globaltrader312

@JonathanLee the instructions say yesConfigure a new Interface

A PPPoE WAN is actually assigned to a virtual PPPoE adapter, not the physical port.

Navigate to Interfaces > Assignments
Set Available network ports: to the physical network card for the PPPoE WAN

For example, if the WAN is PPPOE0(ix3), choose ix3.

Click fa-plus Add to assign this port as a new OPT interface
Navigate to Interfaces > (new OPT interface)
Configure the settings as follows:

Enable
:
Checked
Description VIGOR BGE 0 the same as PPOE only a new interface
:
ModemAccess or a similar useful name.
IPv4 Configuration Type
:
Static
IPv4 Address
:
Configure an IP address in the same subnet as the modem, such as 192.168.1.5/24. in my case I have configured 192.168.5.2/24
IPv4 Upstream Gateway
:
None

Do not set a gateway. I have not set one
Click Save
Click Apply Changes

To add the NAT:

Navigate to Firewall > NAT, Outbound tab.
Switch to Hybrid Outbound NAT and click Save
Click fa-plus to add a new Outbound NAT rule
Configure the settings as follows:
Interface
:
ModemAccess
Source
:
Network, enter the LAN subnet there I have 192.168.1.0/24
Destination
:
The IP subnet of the modem
Translation and here 192.168.5.0/24
:
Interface Address here I have entered the INtefrace address 192.168.5.1/24
Click Save

unfortunately there is no connection for the GUI

JonathanLee

@Globaltrader312 what does your arp table show? After you find the Mac and IP pair try to ping that address from the firewall itself they have a diagnostic area that allows pings to be tested. What port does your GUI is it 80? 8080? Does it use ssl?

Globaltrader312

@JonathanLee
ACL (Access Control List): Your rules for allowing or blocking are ACLs. If you use more than one interface, you must allow ICMP on both interfaces so that they can ping each other.

Which port is used for GUI access on your modem? Port 80

The IP address assigned to the modem is 192.168.5.1

The MAC and IP used should be displayed there. Do you see WAN2 and Vigor?
Is that a different interface? WAN 2 is with PPPOE on bge2

the interface of the modem is Vigor as name and running bge2

What happened to WAN, you are showing WAN2, not WAN is working normally except packet loss every now and then.

important I use a Faliover setup with Multi WAN 3 WAN interefaces

WAN 1 Vodafone Business Cable DHCP BGE1

WAN 3 Mobile Backup 4G bge3

lan is bge 4

I have set everything up according to the following video https://www.youtube.com/watch?v=uQTvMSNylf4&pp=ygUacGZzZW5zZSBtdWx0aSB3YW4gZmFpbGJvZXI%3D

if that is the case, what is your gateway set as WAN or WAN2, have you also looked at your outbound NAT rules if you are using multiple WAN interfaces?

Can you ping from the firewall ping side?

ping from pfsense guy to 8.8.8.8 works

the modem does not use ssl

Globaltrader312

@Globaltrader312 infos in screenshot

ping to 192.168.5.1 works

Globaltrader312

@Globaltrader312 with my edge router, the sorce nat rule has always worked for modem access via SSH or GUI via browser to 192.168.5.1 not possible. when I make the ping from the LAN interface then 100 packetloss

JonathanLee

@Globaltrader312 said in Access Modem GUI Behind Firewall:

@Globaltrader312 with my edge router, the sorce nat rule has always worked for modem access via SSH or GUI via browser to 192.168.5.1 not possible. when I make the ping from the LAN interface then 100 packetloss

Do you have a static route set for this traffic, this is on a different subnet, you would an ACL for port 80 to access it. It’s gonna be blocked by default. What subnet do you attempt to access the modem from?

Globaltrader312

@JonathanLee

I want to reach / access the subnet 192.168.5.0/24 to access the GUI of the modem at 192.168.5.1

I have configured the following interface bge 0 description Vigor this is the interface for the modem.

I have entered the following there

see screen shot

there I have entered a static IPV4 on the subnet of the modem 192.68.5.2/24

I then created the outbound nat rule

see screen shot 2

so exactly as in the instructions there was nothing about ACL etc.

I also tried the same with the firewall rule

johnpoz

@Globaltrader312 dude is the interface you created this 192.168.5.2 address connected to your modem?

What is pfsense wan?? What specific vigor "modem/router" do you have.. If the thing is doing nat already and pfsense gets a 192.168.5.x address there is NOTHING to do to access your modems interface from behind pfsense.. Any traffic coming from your lan would be natted to pfsense wan IP.

A simple drawing of your network and how the device connects to pfsense and what interface, and are you getting internet through this connection? Is pfsense wan a 192.168.5 network, or is pfsense getting a public IP because the device is bridge mode, or are you using PPPoe for the connection, etc..

patient0

@Globaltrader312 said in Access Modem GUI Behind Firewall:

To add the NAT:
...
Interface Address here I have entered the INtefrace address 192.168.5.1/24
Click Save

I got the same configuration, PPPoE with an Vigor166.

For the NAT: Translation Address ("Interface Address" in the doc) is the IP of your pfSense interface in the modem network, "Vigor address" in your case or 192.168.5.2.

Globaltrader312

@johnpoz said in Access Modem GUI Behind Firewall:

dude is the interface you created this 192.168.5.2 address connected to your modem?

What is pfsense wan?? What specific vigor "modem/router" do you have.. If the thing is doing nat already and pfsense gets a 192.168.5.x address there is NOTHING to do to access your modems interface from behind pfsense.. Any traffic coming from your lan would be natted to pfsense wan IP.

A simple drawing of your network and how the device connects to pfsense and what interface, and are you getting internet through this connection? Is pfsense wan a 192.168.5 network, or is pfsense getting a public IP because the device is bridge mode, or are you using PPPoe for the connection, etc..

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 23.09.1 | Lab VMs 2.7.2, 24.03

i have put the digram online via link because i can't upload it
Network Diagram

dude is the interface you created this 192.168.5.2 address connected to your modem? yes

What is pfsense wan?? i have 3 WAN with Multiwan and Failover setup

WAN 1 Vodafone Cable DHCP Public IP static Per DHCP

WAN SVDL PPPOE Public IP Static per PPPOE

WAN 3 Mobile behind router Mikrotik Chateau 5G DHCP

all are in one gateway group Failover GW

What specific model vigor 167

the Vigor only does MODEM mode no VLAN tagging or anything else

the Vigor has only one subnet to access the subnet is 192.168.5.0/24 the GUI is reachable at 192.168.5.1

the interface Vigor at Assignments is the interface on bge1 which is only available for accessing the modem GUI.

this has the static IPV4 192.168.5.2/24

The following setup 2 modems 1 router

Multimedia socket Coax connection Technicolor TC4400
Modem connected via COAX cable to the multimedia socket and a Lan cable to bge 0 on the Pfsense establishes the connection via DHCP and gets the Static Public iPv4 and V6 via Static DHCP.

Telephone socket 1 TAE cable to Vigor then 1 LAN cable from Vigor to bge1 to pfsense pfsense dials in via PPPOE with Static IPV4 Public assigned by the provider's RAS server.

Router Mikrotik Chatau 5G with Sim card Telekom Germany connected via LAN cable to PFsense bge2 connection is established via DHCP only Private IPv4 address 192.168.88.0/24

Globaltrader312

@patient0 I have now changed it but unfortunately I still cannot access the GUI of the Vigor.

patient0

@Globaltrader312 Ok, the firewall rule for LAN with destination is not needed, btw.

Your NAT Outbound rule looks ok, although it's easier to use "LAN subnets" as source and "VIGOR subnets" but it should work.

Have you changed the IP of the Vigor167? Meaning are you sure the subnet is 192.168.5.0/ ? If you check the ARP table you see the modem?

Globaltrader312

@patient0 no i have not changed the vigor subnet and i am 100% sure that it is correct i was connected directly to the macbook via LAN 2 days ago and could access it. just not via the pfsense

patient0

@Globaltrader312 I see.

To be sure:

• you're connecting to the internet by PPPoE using the Vigor167, yes?
• Are you able to connect to the internet right now with the pfSense?
• On what interface is PPPoE set?
• The VIGOR interface is assigned to the same interface as the PPPoE?
• Can you see the modem MAC and/or IP in the ARP table (Diagnostics > ARP table"
• When you connected using the Mac, did you assign the IP to your Mac yourself or did it get one? And the IP your Mac got was .192.168.5.x not 192.168.1.5? 192.168.1.1 is the default network for the Vigor according to the docu.

Globaltrader312

@patient0

you're connecting to the internet by PPPoE using the Vigor167, yes? yes
Are you able to connect to the internet right now with the pfSense? yes with all 3 WAN interfaces
On what interface is PPPoE set? bge1
The VIGOR interface is assigned to the same interface as the PPPoE? yes bge1
Can you see the modem MAC and/or IP in the ARP table (Diagnostics > ARP table" yes
When you connected using the Mac, did you assign the IP to your Mac yourself or did it get one? And the IP your Mac got was .192.168.5.x not 192.168.1.5? 192.168.1.1 is the default network for the Vigor according to the docu.

when i connect to the mac i assign the ip manually in the settings with 192.168.5.3

patient0

@Globaltrader312 Ok, then I'm out of ideas.

In the ARP table you only see your own IP/MAC but not of the modem. Below is mine:
.

Is there a route for 192.168.5.0/24 in the routing table (Diagnostics > Routes)?

Did you connect your Mac to the same port on Vigor that you now use to connect the pfSense?

JonathanLee

Please look at the bottom of the modem for the 48bit MAC address and please see what IP is assigned to it in the ARP table.

Also try to see if the modem will issue a dhcp address if you set that interface to dhcp and not static, see if that populates the arp table entry.

Globaltrader312

@patient0

no no entry in routes

and yes if I connect the Mac to the same port it works

JonathanLee

@Globaltrader312 what does your iMac get as an IP address when directly connected? That demarcation point maybe provides layer 3 address via dhcp directly from that modem to the connected device, if it’s working automatically with a direct connected device open a term window and try ifconfig, and or windows command dos prompt ipconfig. If might issue layer 3 by dhcp and you have it static set to the wrong subnet on interface configuration page.