Access Modem GUI Behind Firewall

JonathanLee · Jun 22, 2024, 11:17 PM

@Globaltrader312 what does your iMac get as an IP address when directly connected? That demarcation point maybe provides layer 3 address via dhcp directly from that modem to the connected device, if it’s working automatically with a direct connected device open a term window and try ifconfig, and or windows command dos prompt ipconfig. If might issue layer 3 by dhcp and you have it static set to the wrong subnet on interface configuration page.

Globaltrader312 · Jun 22, 2024, 11:15 PM

@JonathanLee

so the modem has no DHCP server activated but only modem mode and private IP is only assigned manually.

direct connection with Mac on the same port with manual ip configuration

with 192.168.5.3. GW 192.168.5.1 and Dns 192.168.5.1 works

same as with my ER 6P and ER 12 I used before the only difference with ER 6P and ER 12 was that I always had to run a second cable to the vigor but only because it can't do 2 assigment on the same ETH port.

JonathanLee · Jun 22, 2024, 11:22 PM

@Globaltrader312 set the static with the last octet as .3 if that address works. It doesn’t show in the arp table that is weird to me. Are you using a rollover cable, I don’t know if that is a thing anymore however your modem might want a rollover cable. You can also try to spoof the MAC address of the iMac on the interface to test if the arp entry populates. That gateway is that what you have set statically on the interface also?

Globaltrader312 · Jun 22, 2024, 11:23 PM

@JonathanLee

I use a normal Ethernet cable, nothing more.

see photo this is what it looks like on the mac when i connect directly.

🔒 Log in to view

JonathanLee · Jun 22, 2024, 11:32 PM

@Globaltrader312
Upstream gateway?? None?
🔒 Log in to view

What about 5.1?

JonathanLee · Jun 22, 2024, 11:28 PM

@patient0 what is your upstream gateway set as?

JonathanLee · Jun 22, 2024, 11:31 PM

@Globaltrader312 said in Access Modem GUI Behind Firewall:

@patient0

you're connecting to the internet by PPPoE using the Vigor167, yes? yes
Are you able to connect to the internet right now with the pfSense? yes with all 3 WAN interfaces
On what interface is PPPoE set? bge1
The VIGOR interface is assigned to the same interface as the PPPoE? yes bge1
Can you see the modem MAC and/or IP in the ARP table (Diagnostics > ARP table" yes
When you connected using the Mac, did you assign the IP to your Mac yourself or did it get one? And the IP your Mac got was .192.168.5.x not 192.168.1.5? 192.168.1.1 is the default network for the Vigor according to the docu.

when i connect to the mac i assign the ip manually in the settings with 192.168.5.3 🔒 Log in to view

Is the gateway in the same subnet? It seems like we are isolating it to the gateway, can you do a tracert command and see when it fails? And or turn on logging and see what shows up when you try a connection to the gui?

Globaltrader312 · Jun 22, 2024, 11:32 PM

@JonathanLee
yes i have not selected an upstream gateway as it says so in the instructions 🔒 Log in to view 🔒 Log in to view

JonathanLee · Jun 22, 2024, 11:35 PM

@Globaltrader312 5.0/24 shows bge1 interface. Do you have acls on bge1 ?

JonathanLee · Jun 22, 2024, 11:38 PM

@Globaltrader312 so it’s not the modem it’s a pfSense configuration mix up, we need to isolate the interface and gateway

Globaltrader312 · Jun 22, 2024, 11:41 PM

@JonathanLee no i have not set an ACL because it is not in the instructions 🔒 Log in to view

I have created an upstream gateway with 192.168.5.1 for testing purposes, but unfortunately this does not work either

i just don't understand why the access doesn't work i followed the instructions 100%.

could it be the multi WAN setup?

JonathanLee · Jun 22, 2024, 11:41 PM

This post is deleted!

JonathanLee · Jun 23, 2024, 12:05 AM

@Globaltrader312 That is a lot of hops for just a link to the modem something is off with the gateway and or nat. You show the .5.0/24 on bge1 also. I have not watched the video. Correct me if I am wrong you are just attempting to access the GUI on the modem from the LAN however you have 3 WANs one is VOIP you are attempting to access the .5.0/24 network from the VIGOR interface, however this network resides in the routing table on the bge2 what is bridged with bge1?

🔒 Log in to view
(shows interface bge1)

How did you bridge this connection?

🔒 Log in to view
(shows loopback interface not bge1)

🔒 Log in to view
(Shows vigor not bge1)

🔒 Log in to view
(vigor showing .5.2/24)

🔒 Log in to view
(your acl shows a source network that is different its 192.168.1.0/24 how does clients get layer 3 on the vigor interface of 1.0 if you have it set to 5.0/24??)

Please show how bge1 is configured.. Does bge1 show any ACLs configured?

Keep in mind I am just trying to isolate this in my head I wish I could see more but it is what it is. I am thinking that bge2 has a mix up as the trace route can't even see the first hop

JonathanLee · Jun 23, 2024, 12:09 AM

@Globaltrader312 also try this with the source address as vigor and other interfaces I think you can set it that way. You have it listed as lan

We want to trace route it from the interface you are using see below
🔒 Log in to view

You try others or just lan?
🔒 Log in to view

Globaltrader312 · Jun 23, 2024, 12:10 AM

@JonathanLee

so I have 3 WAN

WAN 1 bge0 DHCP
WAN2 bge1 pppoe
WAN 3 bge 2 DHCP

i am trying to access the GUI only via the additional interface vigor which is also assigned to bge1

the video describes the multi wan and failover configuration.

can it be that if I have assigned the gateway group in the firewall as described in the video ? see

🔒 Log in to view

I have made the firewall config exactly according to the instructions there is souce nat the address of the Lan Subnet of the Pfsense

this is 192.168.1.0/24

and as destination nat I have set the subnet of the Vigor 192.168.5.3/24 now

🔒 Log in to view

JonathanLee · Jun 23, 2024, 12:42 AM

@Globaltrader312

For the lan rule it shows gateway any try to change it to WAN2, and move that rule to the top, they work consecutively, so it hits the first matching rule and stops, you show no traffic on that rule at all yet, that might fix it. I am not gonna lie I didn’t watch the video I am looking for isolating the issue it doesn’t show any hops on trace route change the order of that rule and see if that starts to show some logs. I think it hits that first rule and that is pushing it to the wrong gateway.

Move this rule to the top.
🔒 Log in to view

It shows 0/0 bytes, so it is never reaching that rule. Put it on top to test it again and make sure it starts to show bytes the other any any rules are getting hit first thus gwv4 gateway is getting that request. Or fix the source addresses for the other rules

Globaltrader312 · Jun 23, 2024, 12:42 AM

@JonathanLee

||🔒 Log in to view 🔒 Log in to view 🔒 Log in to view

I have now selected ppoe as Getway WAN2 and moved it to the top

see screen shot

unfortunately it still does not load

JonathanLee · Jun 23, 2024, 12:44 AM

@Globaltrader312 above antilock as it still shows no traffic. We need to see traffic. What is your lan subnets alias set as also?

Globaltrader312 · Jun 23, 2024, 12:46 AM

@JonathanLee i can't set this rule over the anti lockout rule it always goes down 1

JonathanLee · Jun 23, 2024, 12:49 AM

@Globaltrader312 that modem also uses port 80? Can you change it on the modem to 8080? This would help a lot. I don’t use antilock out rules I got rid of them and changed my port to something else and made rules for it. You could get locked out so change your modem port instead that would work also