Cant see modem using static address on wan.
-
Yes- public IP on the wan port that I have set static on the interface…
Not sure what caused those lines on my last post to be struck out- not intended...
Ive tried unchecking the block private network option with no success...
Tried a static route but may need to tweak on it some more...
Oh well, Ill keep trying and report back.
Thanks!
-
Ive tried unchecking the block private network option with no success…
I suspect that it you fiddle with that setting and expect it to take effect without a reboot you will also need to reset firewall states.
Wan trace
22:03:05.640036 IP x.249.55.x.21963 > 10.0.0.2.80: tcp 0
22:03:08.567771 IP x.249.55.x.21963 > 10.0.0.2.80: tcp 0
22:03:14.603369 IP x.249.55.x.21963 > 10.0.0.2.80: tcp 0This is your system on the LAN side attempting to access the web GUI on your modem?
How will the modem know where to send replies to x.249.55.x? I'm guessing x.249.55.x is not on the same subnet as the modem. If that is so, the modem will need some sort of static route so it knows where to send its reply.
Alternatively, you will have to configure pfSense so it NAT's the access to the modem (in which case the modem should see the web access attempt coming from an address on its subnet.
-
This is your system on the LAN side attempting to access the web GUI on your modem?
Right.
How will the modem know where to send replies to x.249.55.x? I'm guessing x.249.55.x is not on the same subnet as the modem. If that is so, the modem will need some sort of static route so it knows where to send its reply.
Correct- it is not on the same subnet. Im going to run these same traces when I get home on my 1.2.3 box. I can see my cable modem under the same circumstances there and thats where Im confused.
Alternatively, you will have to configure pfSense so it NAT's the access to the modem (in which case the modem should see the web access attempt coming from an address on its subnet.
I understand why thats needed. But then why if I have not done this on my 1.2.3 box can I see that modem also not in my wan ip subnet? Ill post the results later from those traces…
-
But then why if I have not done this on my 1.2.3 box can I see that modem also not in my wan ip subnet?
I don't know enough about your configurations or their history to answer.
-
1.2.3 can see it right out of the box no mods, port forwarding, nat, rules or otherwise…
18:54:46.857157 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 0
18:54:46.857413 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0
18:54:46.861100 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 349
18:54:46.864786 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 256
18:54:46.881655 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 1460
18:54:46.882129 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0
18:54:46.883453 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 188
18:54:46.900938 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 1460
18:54:46.901400 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0
18:54:46.902723 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 228
18:54:46.917539 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 1460
18:54:46.917965 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0
18:54:46.919252 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 76
18:54:46.934230 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 1460Driving me nuts for sure... 192.168.100.1 is a private address right?? doing a web search now....
Once again from the other box...
19:05:51.751588 IP x.249.55.x.39272 > 10.0.0.2.80: tcp 0
19:05:54.612605 IP x.249.55.x.39272 > 10.0.0.2.80: tcp 0
19:06:00.648228 IP x.249.55.x.39272 > 10.0.0.2.80: tcp 0 -
What I thought I knew…
NetRange: 192.168.0.0 - 192.168.255.255
CIDR: 192.168.0.0/16
OriginAS:
NetName: PRIVATE-ADDRESS-CBLK-RFC1918-IANA-RESERVED -
1.2.3 can see it right out of the box no mods, port forwarding, nat, rules or otherwise…
18:54:46.857157 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 0
18:54:46.857413 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0But where was this trace taken? WAN on pfSense? If so, suggests this modem has a route to 192.168.x.y/z
Does the modem in your "pfSense 2.0" configuration have a route to x.249.55.x/y?Also this modem clearly has a public address. In your other configuration the modem has a private address. But I don't know enough about what you have configured or your equipment to judge if this difference is significant.
-
both modems are bridges… that have available maintenance ips...
both pfsense boxes have public ip addresses on their wan interface.
cable modem------24.113.x.x-----------wan pfsense 1.2.3 lan-----172.31.125.0/24
dsl modem-------65.249.55.x-----------wan pfsense 2.0b5 lan------172.25.125.0/24
-
Have you read the article Accessing modem from inside firewall at http://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall? This shows how to configure pfSense so that it has an additional WAN address on the modem's subnet. If pfSense is configured as suggested in the article it removes the need for a route on the modem.
-
Thanks for working with me on this wallabybob! I think I found my answer of why one works and the other does not…
From http://homepage.ntlworld.com/robin.d.h.walker/cmtips/ipaddr.html
The IP address 192.168.100.1 will be present even if no web diagnostics are offered on that address.
The cable modem IP address 192.168.100.1 is not in the same sub-net as the user's PC. So, when trying to send to 192.168.100.1, the user PC's IP stack will normally route the packet to the Default Gateway address at the UBR. Since no routes exist to the private address 192.168.100.1 (and there are multiple instances of this IP address on any one CATV segment), the UBR drops the packet. This would mean that in theory the PC could never talk to the cable modem. However, the Surfboard, the 3Com Tailfin, and the ntl:home 100/120 are capable of sniffing the passing traffic through the transparent bridge to intercept any packets addressed to themselves. This only works when the bridge is open, so the cable modem diagnostics cannot be read when the cable modem is booting up or failing to remain in contact with the UBR.
Obviously the Linksys brand cable modems such as the befcmu10 has this feature… And obviously the Zoom brand DSL modem does not...
-
I think I found my answer of why one works and the other does not…
Thanks for the explanation.
And you can now access your DSL modem?
-
I think I found my answer of why one works and the other does not…
Thanks for the explanation.
And you can now access your DSL modem?
Havent got that far yet…
I have to be on site to play with that system to make sure I dont take it offline inadvertently... Tends to piss everyone off... ;D But the weekend is still young.
-
Have you read the article Accessing modem from inside firewall at http://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall?
I cant assign a second interface to the same network port as my static wan port…
-
I cant assign a second interface to the same network port as my static wan port…
So your modem is doing ppp and not pfSense? (called 'half bridge' mode by some.)
-
dsl modem is a bridge only. No login of any kind available on it. http://www.zoomtel.com/techsupport/adsl/adsl_5615.shtml
ISP has me set up as static "bridge mode".
They provide me an address, subnet and gateway to configure on my interface.
No ppp of any kind.
-
I guess you will have to use something like the "option 1" in the document.
-
I guess you will have to use something like the "option 1" in the document.
Im working on it… Ill come back and share how I did it if it works...
Thanks man!
-
I have just replaced my Zyxel ADSL modem/router by a Tenda D820 ADSL modem/bridge. The Tenda doesn't do ppp.
Here's how I setup my pfSense 2.0 BETA 5 snapshot build:
rl0 has two VLANs. OPT5 is VLAN 10 on rl0. pppoe1 is on OPT5. The modem has static IP 192.168.1.1.I configured OPT5 with static IP 192.168.1.2/24.
A ping from the LAN side of pfSense didn't elicit a response from the modem. A tcpdump on OPT5 (# tcpdump -i rl0_vlan10 host 192.168.1.1) showed the ping going to the modem but with a source IP address on the pfSense LAN subnet. Since the modem didn't have any static routes configured (there didn't seem to be any way to configure routes in the modem) the modem probably didn't know where to send the replies. Since I saw ping replies when I ping'd from pfSense, the missing route back to the LAN IP address was probably the reason I couldn't see replies to a ping from the LAN.
As explained in the document I referred to earlier, enabling NAT on the OPT5 should fix the source IP address problem. In the pfSense web GUI: Firewall -> NAT I clicked on the Outbound tab, added a rule Interface=OPT5 Protocol=Any Source=LAN subnet Destination=192.168.1.0/24 Translation Address=Interface Address No XMLRPCSync: Unticked, clicked on button Manual Outbound NAT rule generation (AON - Advanced Outbound NAT) then clicked Save. I don't know if it was necessary but I also went to Diagnostics -> States, clicked on the Reset States tab then the Reset button.
Then I restarted the ping from the pfSense LAN subnet and it reported a response. The tcpdump on the rl0_vlan10 interface showed the ping with source address 192.168.1.2.
Attempts to access the web GUI of the modem time out so I still have a problem but seem to be closer to its solution.
It wasn't particularly obvious to me what the difference between the two Outbound NAT buttons ( Automatic outbound NAT rule generation (IPsec passthrough included) Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)). They seem to mean "Disable the following mappings" and "Enable the following mappings" respectively.
