Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Cant see modem using static address on wan.

    Scheduled Pinned Locked Moved General pfSense Questions
    24 Posts 3 Posters 7.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • chpalmerC Offline
      chpalmer
      last edited by

      This is your system on the LAN side attempting to access the web GUI on your modem?

      Right.

      How will the modem know where to send replies to x.249.55.x? I'm guessing x.249.55.x is not on the same subnet as the modem. If that is so, the modem will need some sort of static route so it knows where to send its reply.

      Correct- it is not on the same subnet. Im going to run these same traces when I get home on my 1.2.3 box. I can see my cable modem under the same circumstances there and thats where Im confused.

      Alternatively, you will have to configure pfSense so it NAT's the access to the modem (in which case the modem should see the web access attempt coming from an address on its subnet.

      I understand why thats needed. But then why if I have not done this on my 1.2.3 box can I see that modem also not in my wan ip subnet?  Ill post the results later from those traces…

      Triggering snowflakes one by one..
      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

      1 Reply Last reply Reply Quote 0
      • W Offline
        wallabybob
        last edited by

        @chpalmer:

        But then why if I have not done this on my 1.2.3 box can I see that modem also not in my wan ip subnet?

        I don't know enough about your configurations or their history to answer.

        1 Reply Last reply Reply Quote 0
        • chpalmerC Offline
          chpalmer
          last edited by

          1.2.3 can see it right out of the box no mods, port forwarding, nat, rules or otherwise…

          18:54:46.857157 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 0
          18:54:46.857413 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0
          18:54:46.861100 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 349
          18:54:46.864786 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 256
          18:54:46.881655 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 1460
          18:54:46.882129 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0
          18:54:46.883453 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 188
          18:54:46.900938 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 1460
          18:54:46.901400 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0
          18:54:46.902723 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 228
          18:54:46.917539 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 1460
          18:54:46.917965 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0
          18:54:46.919252 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 76
          18:54:46.934230 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 1460

          Driving me nuts for sure...   192.168.100.1 is a private address right??   doing a web search now....

          Once again from the other box...  
          19:05:51.751588 IP x.249.55.x.39272 > 10.0.0.2.80: tcp 0
          19:05:54.612605 IP x.249.55.x.39272 > 10.0.0.2.80: tcp 0
          19:06:00.648228 IP x.249.55.x.39272 > 10.0.0.2.80: tcp 0

          Triggering snowflakes one by one..
          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

          1 Reply Last reply Reply Quote 0
          • chpalmerC Offline
            chpalmer
            last edited by

            What I thought I knew…

            NetRange: 192.168.0.0 - 192.168.255.255
            CIDR: 192.168.0.0/16
            OriginAS:
            NetName: PRIVATE-ADDRESS-CBLK-RFC1918-IANA-RESERVED

            Triggering snowflakes one by one..
            Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

            1 Reply Last reply Reply Quote 0
            • W Offline
              wallabybob
              last edited by

              @chpalmer:

              1.2.3 can see it right out of the box no mods, port forwarding, nat, rules or otherwise…

              18:54:46.857157 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 0
              18:54:46.857413 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0

              But where was this trace taken? WAN on pfSense? If so, suggests this modem has a route to 192.168.x.y/z
              Does the modem in your "pfSense 2.0" configuration have a route to x.249.55.x/y?

              Also this modem clearly has a public address. In your other configuration the modem has a private address. But I don't know enough about what you have configured or your equipment to judge if this difference is significant.

              1 Reply Last reply Reply Quote 0
              • chpalmerC Offline
                chpalmer
                last edited by

                both modems are bridges… that have available maintenance ips...

                both pfsense boxes have public ip addresses on their wan interface.

                cable modem------24.113.x.x-----------wan pfsense 1.2.3 lan-----172.31.125.0/24

                dsl modem-------65.249.55.x-----------wan pfsense 2.0b5 lan------172.25.125.0/24

                Triggering snowflakes one by one..
                Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                1 Reply Last reply Reply Quote 0
                • W Offline
                  wallabybob
                  last edited by

                  Have you read the article Accessing modem from inside firewall at http://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall? This shows how to configure pfSense so that it has an additional WAN address on the modem's subnet. If pfSense is configured as suggested in the article it removes the need for a route on the modem.

                  1 Reply Last reply Reply Quote 0
                  • chpalmerC Offline
                    chpalmer
                    last edited by

                    Thanks for working with me on this wallabybob!  I think I found my answer of why one works and the other does not…

                    From http://homepage.ntlworld.com/robin.d.h.walker/cmtips/ipaddr.html

                    The IP address 192.168.100.1 will be present even if no web diagnostics are offered on that address.

                    The cable modem IP address 192.168.100.1 is not in the same sub-net as the user's PC. So, when trying to send to 192.168.100.1, the user PC's IP stack will normally route the packet to the Default Gateway address at the UBR. Since no routes exist to the private address 192.168.100.1 (and there are multiple instances of this IP address on any one CATV segment), the UBR drops the packet. This would mean that in theory the PC could never talk to the cable modem. However, the Surfboard, the 3Com Tailfin, and the ntl:home 100/120 are capable of sniffing the passing traffic through the transparent bridge to intercept any packets addressed to themselves. This only works when the bridge is open, so the cable modem diagnostics cannot be read when the cable modem is booting up or failing to remain in contact with the UBR.

                    Obviously the Linksys brand cable modems such as the befcmu10 has this feature…  And obviously the Zoom brand DSL modem does not...

                    Triggering snowflakes one by one..
                    Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                    1 Reply Last reply Reply Quote 0
                    • W Offline
                      wallabybob
                      last edited by

                      @chpalmer:

                      I think I found my answer of why one works and the other does not…

                      Thanks for the explanation.

                      And you can now access your DSL modem?

                      1 Reply Last reply Reply Quote 0
                      • chpalmerC Offline
                        chpalmer
                        last edited by

                        @wallabybob:

                        @chpalmer:

                        I think I found my answer of why one works and the other does not…

                        Thanks for the explanation.

                        And you can now access your DSL modem?

                        Havent got that far yet…

                        I have to be on site to play with that system to make sure I dont take it offline inadvertently... Tends to piss everyone off...  ;D  But the weekend is still young.

                        Triggering snowflakes one by one..
                        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                        1 Reply Last reply Reply Quote 0
                        • chpalmerC Offline
                          chpalmer
                          last edited by

                          @wallabybob:

                          Have you read the article Accessing modem from inside firewall at http://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall?

                          I cant assign a second interface to the same network port as my static wan port…

                          Triggering snowflakes one by one..
                          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                          1 Reply Last reply Reply Quote 0
                          • W Offline
                            wallabybob
                            last edited by

                            @chpalmer:

                            I cant assign a second interface to the same network port as my static wan port…

                            So your modem is doing ppp and not pfSense? (called 'half bridge' mode by some.)

                            1 Reply Last reply Reply Quote 0
                            • chpalmerC Offline
                              chpalmer
                              last edited by

                              dsl modem is a bridge only. No login of any kind available on it.  http://www.zoomtel.com/techsupport/adsl/adsl_5615.shtml

                              ISP has me set up as static "bridge mode".

                              They provide me an address, subnet and gateway to configure on my interface.

                              No ppp of any kind.

                              Triggering snowflakes one by one..
                              Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                              1 Reply Last reply Reply Quote 0
                              • W Offline
                                wallabybob
                                last edited by

                                I  guess you will have to use something like the "option 1" in the document.

                                1 Reply Last reply Reply Quote 0
                                • chpalmerC Offline
                                  chpalmer
                                  last edited by

                                  @wallabybob:

                                  I  guess you will have to use something like the "option 1" in the document.

                                  Im working on it…  Ill come back and share how I did it if it works...

                                  Thanks man!

                                  Triggering snowflakes one by one..
                                  Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                                  1 Reply Last reply Reply Quote 0
                                  • W Offline
                                    wallabybob
                                    last edited by

                                    I have just replaced my Zyxel ADSL modem/router by a Tenda D820 ADSL modem/bridge. The Tenda doesn't do ppp.

                                    Here's how I setup my pfSense 2.0 BETA 5 snapshot build:
                                    rl0 has two VLANs. OPT5 is VLAN 10 on rl0.  pppoe1 is on OPT5. The modem has static IP 192.168.1.1.

                                    I configured OPT5 with static IP 192.168.1.2/24.

                                    A ping from the LAN side of pfSense didn't elicit a response from the modem. A tcpdump on OPT5 (# tcpdump -i rl0_vlan10 host 192.168.1.1) showed the ping going to the modem but with a source IP address on the pfSense LAN subnet. Since the modem didn't have any static routes configured (there didn't seem to be any way to configure routes in the modem) the modem probably didn't know where to send the replies. Since I saw ping replies when I ping'd from pfSense, the missing route back to the LAN IP address was probably the reason I couldn't see replies to a ping from the LAN.

                                    As explained in the document I referred to earlier, enabling NAT on the OPT5 should fix the source IP address problem. In the pfSense web GUI: Firewall -> NAT I clicked on the Outbound tab, added a rule Interface=OPT5 Protocol=Any Source=LAN subnet  Destination=192.168.1.0/24     Translation Address=Interface Address     No XMLRPCSync: Unticked, clicked on button Manual Outbound NAT rule generation (AON - Advanced Outbound NAT) then clicked Save. I don't know if it was necessary but I also went to Diagnostics -> States, clicked on the Reset States tab then the Reset button.

                                    Then I restarted the ping from the pfSense LAN subnet and it reported a response. The tcpdump on the rl0_vlan10 interface showed the ping with source address 192.168.1.2.

                                    Attempts to access the web GUI of the modem time out so I still have a problem but seem to be closer to its solution.

                                    It wasn't particularly obvious to me what the difference between the two Outbound NAT buttons ( Automatic outbound NAT rule generation (IPsec passthrough included)   Manual Outbound NAT rule generation  (AON - Advanced Outbound NAT)). They seem to mean "Disable the following mappings" and "Enable the following mappings" respectively.

                                    1 Reply Last reply Reply Quote 0
                                    • First post
                                      Last post
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.