Netgate Discussion Forum

    Cant see modem using static address on wan.

    General pfSense Questions
    24 Posts 3 Posters 7.8k Views
    • chpalmer

      Sorry long week so far…

      By IP.

      Firefox can't establish a connection to the server at 10.0.0.2.

      LAN trace
      21:54:59.859269 IP (tos 0x0, ttl 128, id 6340, offset 0, flags [DF], proto TCP (6), length 48)
          172.25.125.53.3620 > 10.0.0.2.80: Flags [S], cksum 0x8de8 (correct), seq 3214275548, win 65535, options [mss 1460,nop,nop,sackOK], length 0

      WAN trace
      22:03:05.640036 IP x.249.55.x.21963 > 10.0.0.2.80: tcp 0
      22:03:08.567771 IP x.249.55.x.21963 > 10.0.0.2.80: tcp 0
      22:03:14.603369 IP x.249.55.x.21963 > 10.0.0.2.80: tcp 0

      Triggering snowflakes one by one..
      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

    • stephenw10 (Netgate Administrator)

        So in both locations your pfSense WAN address is a publicly addressable IP passed to it by your ISP? Or are you manually assigning static IPs?
        If that's the case then I'm surprised you can access the modem at either end as I would expect there to be no route.

        Have you unchecked 'block private networks' on WAN?

        Try adding a route manually to the modem IP via WAN.

        Steve

        • chpalmer

          Yes- public IP on the wan port that I have set static on the interface…

          Not sure what caused those lines on my last post to be struck out- not intended...

          I've tried unchecking the block private network option with no success...

          Tried a static route but may need to tweak on it some more...

          Oh well, I'll keep trying and report back.

          Thanks!

          • wallabybob

            @chpalmer:

            I've tried unchecking the block private network option with no success…

            I suspect that if you fiddle with that setting and expect it to take effect without a reboot you will also need to reset firewall states.

            @chpalmer:

            WAN trace
            22:03:05.640036 IP x.249.55.x.21963 > 10.0.0.2.80: tcp 0
            22:03:08.567771 IP x.249.55.x.21963 > 10.0.0.2.80: tcp 0
            22:03:14.603369 IP x.249.55.x.21963 > 10.0.0.2.80: tcp 0

            This is your system on the LAN side attempting to access the web GUI on your modem?

            How will the modem know where to send replies to x.249.55.x? I'm guessing x.249.55.x is not on the same subnet as the modem. If that is so, the modem will need some sort of static route so it knows where to send its reply.

            Alternatively, you will have to configure pfSense so it NATs the access to the modem (in which case the modem should see the web access attempt coming from an address on its subnet).

            • chpalmer

              This is your system on the LAN side attempting to access the web GUI on your modem?

              Right.

              How will the modem know where to send replies to x.249.55.x? I'm guessing x.249.55.x is not on the same subnet as the modem. If that is so, the modem will need some sort of static route so it knows where to send its reply.

              Correct- it is not on the same subnet. I'm going to run these same traces when I get home on my 1.2.3 box. I can see my cable modem under the same circumstances there and that's where I'm confused.

              Alternatively, you will have to configure pfSense so it NAT's the access to the modem (in which case the modem should see the web access attempt coming from an address on its subnet.

              I understand why that's needed. But then why, if I have not done this on my 1.2.3 box, can I see that modem, also not in my WAN IP subnet? I'll post the results later from those traces…

              • wallabybob

                @chpalmer:

                But then why if I have not done this on my 1.2.3 box can I see that modem also not in my wan ip subnet?

                I don't know enough about your configurations or their history to answer.

                • chpalmer

                  1.2.3 can see it right out of the box no mods, port forwarding, nat, rules or otherwise…

                  18:54:46.857157 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 0
                  18:54:46.857413 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0
                  18:54:46.861100 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 349
                  18:54:46.864786 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 256
                  18:54:46.881655 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 1460
                  18:54:46.882129 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0
                  18:54:46.883453 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 188
                  18:54:46.900938 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 1460
                  18:54:46.901400 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0
                  18:54:46.902723 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 228
                  18:54:46.917539 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 1460
                  18:54:46.917965 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0
                  18:54:46.919252 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 76
                  18:54:46.934230 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 1460

                  Driving me nuts for sure...   192.168.100.1 is a private address right??   doing a web search now....

                  Once again from the other box...  
                  19:05:51.751588 IP x.249.55.x.39272 > 10.0.0.2.80: tcp 0
                  19:05:54.612605 IP x.249.55.x.39272 > 10.0.0.2.80: tcp 0
                  19:06:00.648228 IP x.249.55.x.39272 > 10.0.0.2.80: tcp 0

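The two WAN captures above are enough to tell the two setups apart mechanically. The parser below is an added example for this thread (not code from the posts, from pfSense, or from tcpdump): it groups tcpdump summary lines into flows and reports the ones where no packet ever came back, which is the DSL-side symptom, while the cable-modem capture shows both directions. The traces are copied from the thread as posted, masked octets included; the "lower port is the server" orientation and the retransmit-gap heuristic are choices of this example.

```python
"""Spot one-way TCP flows in tcpdump summary output (added example)."""
import re

# tcpdump summary line as posted: "HH:MM:SS.usec IP host.port > host.port: tcp len"
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): tcp (?P<len>\d+)$"
)

# WAN capture on the pfSense 2.0b5 box behind the DSL bridge (from the thread).
DSL_TRACE = """\
19:05:51.751588 IP x.249.55.x.39272 > 10.0.0.2.80: tcp 0
19:05:54.612605 IP x.249.55.x.39272 > 10.0.0.2.80: tcp 0
19:06:00.648228 IP x.249.55.x.39272 > 10.0.0.2.80: tcp 0
"""

# WAN capture on the pfSense 1.2.3 box behind the cable modem (from the thread).
CABLE_TRACE = """\
18:54:46.857157 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 0
18:54:46.857413 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0
18:54:46.861100 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 349
18:54:46.864786 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 256
18:54:46.881655 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 1460
18:54:46.882129 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0
18:54:46.883453 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 188
18:54:46.900938 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 1460
18:54:46.901400 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0
18:54:46.902723 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 228
18:54:46.917539 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 1460
18:54:46.917965 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0
18:54:46.919252 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 76
18:54:46.934230 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 1460
"""


def endpoint(text):
    """Split 'host.port' at the last dot; the host may be masked ('x.249.55.x')."""
    host, port = text.rsplit(".", 1)
    return host, int(port)


def seconds(ts):
    """'HH:MM:SS.ffffff' -> seconds since midnight (captures here are same-day)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse(trace):
    """Yield (ts, src, sport, dst, dport, payload_len) per summary line.
    Lines in another format (e.g. the two-line tcpdump -v output) are skipped."""
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if m:
            src, sport = endpoint(m["src"])
            dst, dport = endpoint(m["dst"])
            yield m["ts"], src, sport, dst, dport, int(m["len"])


def flow_counts(trace):
    """Map (client, server) -> [packets client->server, packets server->client].
    The side with the lower port is taken as the server (well-known-port heuristic)."""
    counts = {}
    for _, src, sport, dst, dport, _ in parse(trace):
        a, b = (src, sport), (dst, dport)
        client, server, forward = (a, b, True) if sport > dport else (b, a, False)
        counts.setdefault((client, server), [0, 0])[0 if forward else 1] += 1
    return counts


def one_way_flows(trace):
    """Flows with nothing from the server side: ('client:port', 'server:port', n).
    That is the 'no route back' symptom; the reply never reaches the capture point."""
    return [
        (f"{c[0]}:{c[1]}", f"{s[0]}:{s[1]}", fwd)
        for (c, s), (fwd, rev) in flow_counts(trace).items()
        if rev == 0
    ]


def retransmit_gaps(trace):
    """Seconds between consecutive packets of each one-way flow. A roughly
    doubling series (3, 6, 12 ...) of zero-length packets is the client
    retransmitting a SYN that never gets a SYN/ACK."""
    times = {}
    for ts, src, sport, dst, dport, _ in parse(trace):
        times.setdefault((f"{src}:{sport}", f"{dst}:{dport}"), []).append(seconds(ts))
    one_way = {(c, s) for c, s, _ in one_way_flows(trace)}
    return {k: [round(b - a, 1) for a, b in zip(v, v[1:])]
            for k, v in times.items() if k in one_way}


if __name__ == "__main__":
    print("DSL  :", one_way_flows(DSL_TRACE), retransmit_gaps(DSL_TRACE))
    print("cable:", one_way_flows(CABLE_TRACE), flow_counts(CABLE_TRACE))
```

Run against the DSL capture it reports one flow, three SYNs, nothing back, with gaps of about 3 and 6 seconds; against the cable capture it reports no one-way flows, since 192.168.100.1 answers 24.113.x.x even though that address is not on its subnet.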
                  • chpalmer

                    What I thought I knew…

                    NetRange: 192.168.0.0 - 192.168.255.255
                    CIDR: 192.168.0.0/16
                    OriginAS:
                    NetName: PRIVATE-ADDRESS-CBLK-RFC1918-IANA-RESERVED

                    • wallabybob

                      @chpalmer:

                      1.2.3 can see it right out of the box no mods, port forwarding, nat, rules or otherwise…

                      18:54:46.857157 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 0
                      18:54:46.857413 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0

                      But where was this trace taken? WAN on pfSense? If so, suggests this modem has a route to 192.168.x.y/z
                      Does the modem in your "pfSense 2.0" configuration have a route to x.249.55.x/y?

                      Also this modem clearly has a public address. In your other configuration the modem has a private address. But I don't know enough about what you have configured or your equipment to judge if this difference is significant.

                      • chpalmer

                        Both modems are bridges… that have available maintenance IPs...

                        Both pfSense boxes have public IP addresses on their WAN interface.

                        cable modem------24.113.x.x-----------wan pfSense 1.2.3 lan-----172.31.125.0/24

                        dsl modem-------65.249.55.x-----------wan pfSense 2.0b5 lan------172.25.125.0/24

                        • wallabybob

                          Have you read the article Accessing modem from inside firewall at http://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall? This shows how to configure pfSense so that it has an additional WAN address on the modem's subnet. If pfSense is configured as suggested in the article it removes the need for a route on the modem.

                          • chpalmer

                            Thanks for working with me on this wallabybob!  I think I found my answer of why one works and the other does not…

                            From http://homepage.ntlworld.com/robin.d.h.walker/cmtips/ipaddr.html

                            The IP address 192.168.100.1 will be present even if no web diagnostics are offered on that address.

                            The cable modem IP address 192.168.100.1 is not in the same sub-net as the user's PC. So, when trying to send to 192.168.100.1, the user PC's IP stack will normally route the packet to the Default Gateway address at the UBR. Since no routes exist to the private address 192.168.100.1 (and there are multiple instances of this IP address on any one CATV segment), the UBR drops the packet. This would mean that in theory the PC could never talk to the cable modem. However, the Surfboard, the 3Com Tailfin, and the ntl:home 100/120 are capable of sniffing the passing traffic through the transparent bridge to intercept any packets addressed to themselves. This only works when the bridge is open, so the cable modem diagnostics cannot be read when the cable modem is booting up or failing to remain in contact with the UBR.

                            Obviously the Linksys brand cable modems such as the BEFCMU10 have this feature… And obviously the Zoom brand DSL modem does not...

                            • wallabybob

                              @chpalmer:

                              I think I found my answer of why one works and the other does not…

                              Thanks for the explanation.

                              And you can now access your DSL modem?

                              • chpalmer

                                @wallabybob:

                                @chpalmer:

                                I think I found my answer of why one works and the other does not…

                                Thanks for the explanation.

                                And you can now access your DSL modem?

                                Haven't got that far yet…

                                I have to be on site to play with that system to make sure I don't take it offline inadvertently... Tends to piss everyone off...  ;D  But the weekend is still young.

                                • chpalmer

                                  @wallabybob:

                                  Have you read the article Accessing modem from inside firewall at http://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall?

                                  I can't assign a second interface to the same network port as my static WAN port…

                                  • wallabybob

                                    @chpalmer:

                                    I can't assign a second interface to the same network port as my static WAN port…

                                    So your modem is doing ppp and not pfSense? (called 'half bridge' mode by some.)

                                    • chpalmer

                                      DSL modem is a bridge only. No login of any kind available on it.  http://www.zoomtel.com/techsupport/adsl/adsl_5615.shtml

                                      ISP has me set up as static "bridge mode".

                                      They provide me an address, subnet and gateway to configure on my interface.

                                      No ppp of any kind.

                                      • wallabybob

                                        I guess you will have to use something like the "option 1" in the document.

                                        • chpalmer

                                          @wallabybob:

                                          I guess you will have to use something like the "option 1" in the document.

                                          I'm working on it…  I'll come back and share how I did it if it works...

                                          Thanks man!

                                          • wallabybob

                                            I have just replaced my Zyxel ADSL modem/router by a Tenda D820 ADSL modem/bridge. The Tenda doesn't do ppp.

                                            Here's how I setup my pfSense 2.0 BETA 5 snapshot build:
                                            rl0 has two VLANs. OPT5 is VLAN 10 on rl0.  pppoe1 is on OPT5. The modem has static IP 192.168.1.1.

                                            I configured OPT5 with static IP 192.168.1.2/24.

                                            A ping from the LAN side of pfSense didn't elicit a response from the modem. A tcpdump on OPT5 (# tcpdump -i rl0_vlan10 host 192.168.1.1) showed the ping going to the modem but with a source IP address on the pfSense LAN subnet. Since the modem didn't have any static routes configured (there didn't seem to be any way to configure routes in the modem) the modem probably didn't know where to send the replies. Since I saw ping replies when I pinged from pfSense, the missing route back to the LAN IP address was probably the reason I couldn't see replies to a ping from the LAN.

                                            As explained in the document I referred to earlier, enabling NAT on OPT5 should fix the source IP address problem. In the pfSense web GUI (Firewall -> NAT, Outbound tab) I added a rule: Interface=OPT5, Protocol=Any, Source=LAN subnet, Destination=192.168.1.0/24, Translation Address=Interface Address, No XMLRPCSync: unticked; clicked the button Manual Outbound NAT rule generation (AON - Advanced Outbound NAT), then clicked Save. I don't know if it was necessary, but I also went to Diagnostics -> States, clicked on the Reset States tab, then the Reset button.

                                            Then I restarted the ping from the pfSense LAN subnet and it reported a response. The tcpdump on the rl0_vlan10 interface showed the ping with source address 192.168.1.2.

                                            Attempts to access the web GUI of the modem time out so I still have a problem but seem to be closer to its solution.

                                            It wasn't particularly obvious to me what the difference between the two Outbound NAT buttons (Automatic outbound NAT rule generation (IPsec passthrough included) and Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)) was. They seem to mean "Disable the following mappings" and "Enable the following mappings" respectively.

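The mechanism wallabybob describes twice in this thread (the modem has no route back to the LAN subnet, so the reply dies on the modem; an outbound NAT rule on the modem-facing interface makes the request appear to come from an address on the modem's own subnet; and a rule change does nothing for a flow that already has a state until states are reset) can be walked through in a few dozen lines. This is an added example for the thread, not pfSense code and not from the posts. It uses the thread's addresses (LAN 172.25.125.0/24, modem 10.0.0.2/24); the address 10.0.0.3 that the firewall holds on the modem's subnet is an assumption standing in for the extra WAN address the linked article has you add, and the "stale state" step assumes the client retries with the same source port, as the SYN retransmits in the posted WAN trace do.

```python
"""LAN -> bridge modem on another subnet: without and with outbound NAT (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Router:
    """Forwarding table with longest-prefix match. lookup() returns the
    next-hop label, or None when there is no route at all."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(n, strict=False), via) for n, via in routes]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        hits = [(net, via) for net, via in self.routes if addr in net]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


class BridgeModem:
    """Bridge modem with a maintenance address and no configurable routes
    (no default route either): it can only answer hosts on its own subnet."""

    def __init__(self, addr, prefixlen):
        self.addr = addr
        self.table = Router([(f"{addr}/{prefixlen}", "connected")])

    def serve(self, pkt):
        if pkt.dst != self.addr:
            return None
        reply = Packet(src=self.addr, sport=pkt.dport, dst=pkt.src, dport=pkt.sport)
        # No route to the client's subnet: the reply is dropped on the modem.
        return reply if self.table.lookup(reply.dst) else None


class Firewall:
    """Stateful firewall between the LAN and the modem-facing interface.
    As in pf, an existing state is matched before any rule is evaluated."""

    def __init__(self, lan_net, modem_net, modem_side_addr):
        self.lan_net = ipaddress.ip_network(lan_net)
        self.modem_net = ipaddress.ip_network(modem_net)
        self.modem_side_addr = modem_side_addr   # assumed: 10.0.0.3, on the modem's subnet
        self.nat_to_modem = False                # the outbound NAT rule from the thread
        self.states = {}                         # original 4-tuple -> 4-tuple on the wire

    def reset_states(self):
        """Diagnostics -> States -> Reset in the pfSense GUI."""
        self.states.clear()

    def out_wan(self, pkt):
        """LAN -> modem side. Returns the packet as it appears on the wire."""
        orig = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if orig in self.states:                  # existing state wins; rules not consulted
            return Packet(*self.states[orig])
        wire = orig
        if (self.nat_to_modem
                and ipaddress.ip_address(pkt.src) in self.lan_net
                and ipaddress.ip_address(pkt.dst) in self.modem_net):
            wire = (self.modem_side_addr, pkt.sport, pkt.dst, pkt.dport)
        self.states[orig] = wire
        return Packet(*wire)

    def in_wan(self, reply):
        """Modem side -> LAN. Un-translates a reply that matches a state, else None."""
        for (osrc, osport, _, _), wire in self.states.items():
            if (reply.dst, reply.dport, reply.src, reply.sport) == wire:
                return Packet(src=reply.src, sport=reply.sport, dst=osrc, dport=osport)
        return None


def lan_host_gets_reply(fw, modem, lan_host="172.25.125.53", sport=3620):
    """One SYN from a LAN host to the modem's web GUI; True if a reply makes it back."""
    syn = Packet(src=lan_host, sport=sport, dst=modem.addr, dport=80)
    reply = modem.serve(fw.out_wan(syn))
    return reply is not None and fw.in_wan(reply) is not None


def demo():
    fw = Firewall("172.25.125.0/24", "10.0.0.0/24", modem_side_addr="10.0.0.3")
    modem = BridgeModem("10.0.0.2", 24)
    before = lan_host_gets_reply(fw, modem)  # modem has no route to 172.25.125.0/24
    fw.nat_to_modem = True
    stale = lan_host_gets_reply(fw, modem)   # retransmit hits the old, un-NATed state
    fw.reset_states()
    after = lan_host_gets_reply(fw, modem)   # source is now 10.0.0.3, on the modem's subnet
    return before, stale, after


if __name__ == "__main__":
    print(demo())   # (False, False, True)
```

The three results map onto the thread: the first is the DSL box as posted, the second is the "changed the rule, still nothing" case that the reset-states advice covers, and the third is the working configuration from the linked article. The cable modem that answered 24.113.x.x from 192.168.100.1 is the exception, not a counter-example: per the page chpalmer quoted, it intercepts traffic addressed to itself on the bridge instead of routing a reply.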
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.