Netgate Discussion Forum
    Cable modem upgrade, now can't access dmz'd web server

    15 Posts 8 Posters 6.1k Views

    • esheesle
      Upgraded my cable modem today, and unlike the old one, this one gives an internal IP address (10.0.0.2) to my pfSense firewall. The old one gave the external IP. NAT reflection worked great for internal hosts to access my web server, but now it's not working (assuming because it doesn't know what IP to reflect there). Can't even access the host via the public IP, but I can via the firewall IP (10.0.0.2). Any way to get reflection working in this scenario? I guess I could do split DNS but that could break my internal caching DNS setup.

      Thoughts?

      • cmb
        In that case, reflection has to work on the device that actually has the public IP, your cable modem in this case. I would see what options you have to go back to where you were before with the public IP on the firewall rather than the modem, avoid things like this, avoid potential complications with double NAT, and avoid the generally lower grade/reliability NAT that's found in modems.

        • esheesle
          All the cable modem has is port forward and DMZ host capability, both of which I've tried. It doesn't appear to want to route internal traffic back to its external IP. Any other way to do this? The new cable modem is DOCSIS 3 capable vs. the 2 from before, so an upgrade, but a bit more of a pain I guess.

          • podilarius
            You can do a split DNS so that the internal clients access it via the DMZ address and not the external IP.

            • cmb
              Doesn't it have just a dumb bridge mode of sorts so it's not involved in anything to do with IPs? Pretty much all cable modems do. That's what you want if it's possible.

              • esheesle
                @cmb:

                Doesn't it have just a dumb bridge mode of sorts so it's not involved in anything to do with IPs? Pretty much all cable modems do. That's what you want if it's possible.

                Apparently not. Ughh. Arris Touchstone modem. So if anyone knows a trick, just shout.

                • bardelot
                  Ask your ISP. I believe they can be reconfigured from their side.

                  • johnpoz LAYER 8 Global Moderator
                    If it's doing NAT it's not a modem.

                    What is the model number of this gateway you have?

                    None of these Arris cable modems say anything about doing NAT. That's because they are "modems" and modems don't do NAT ;)

                    http://www.arrisi.com/product_catalog/touchstone/cable_modems.asp

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                      • esheesle
                      @johnpoz:

                      If it's doing NAT it's not a modem.

                      What is the model number of this gateway you have?

                      None of these Arris cable modems say anything about doing NAT. That's because they are "modems" and modems don't do NAT ;)

                      http://www.arrisi.com/product_catalog/touchstone/cable_modems.asp

                      Very true, modems don't do NAT. Gateway is the better term I guess. Not sure of the exact model but definitely an Arris Touchstone DOCSIS 3.0 gateway. It has wireless and 4 Ethernet ports, hence the NAT'ing I guess. I managed to figure out a workaround with the split DNS that doesn't completely remove my internal DNS server. I pointed my internal DNS server at my pfSense for my 2 domain names only, and everything else resolves to the internet. Seems to be pretty speedy so I'm happy.

                        • JSmorada
                         I'm having a similar problem after being upgraded from Comcast standard to business class service. They replaced the Arris modem with an SMC SMCD3G-CCR DOCSIS 3.0 Gateway Modem. I have the pfSense 2.0 box attached to one of the LAN ports on the SMC modem. Everything works except a web server I have on the local network which cannot be accessed from the outside world. The only option I have is to add the pfSense box to the DMZ of the SMC box, which didn't fix the problem. There isn't any option on the SMC box to disable its firewall and I don't want to attach the web server directly to the SMC box. Any ideas?

                          • johnpoz LAYER 8 Global Moderator
                           Well, you're behind a gateway, so double NATting. Putting the pfSense WAN IP into the DMZ should allow what you want, as long as forwarding is set up on the pfSense box.

                           You could have issues with the same network on WAN vs. LAN now that pfSense is behind NAT??

                           If you tried the DMZ option I would assume you just messed that up, or there is something blocking you before your gateway even?

                           How exactly were you trying to access this webserver? If you were trying to do NAT reflection, i.e. from a box inside, then yeah, the double NAT would cause problems with this because you would be hitting the Comcast gateway, and does it support NAT reflection?

                            • JSmorada
                            I got hold of Comcast and they turned off the "firewall" function, but it's not acting as a bridge. It still has a WAN ip address and a LAN address. Correct me if I'm wrong, but what I need them to do is configure it to act as a modem, not a gateway; i.e. eliminate the LAN address and place the WAN address on the ethernet port where the pfSense box is connected.

                              • johnpoz LAYER 8 Global Moderator
                               Yes, since you already have a NAT router, pfSense, you have little reason for your "modem" to do NAT as well.

                               But if you place your devices in DMZ mode of this NAT router, then it would work. I just think you're trying to access via NAT reflection. Which, no, will not work unless the device with the public IP you're trying to access from inside supports NAT reflection.

                               Optimal setup is not to double NAT.

                                • AhnHEL
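To make concrete why reflection fails behind a NATting gateway (johnpoz's point above) and why esheesle's split-DNS workaround sidesteps it, here is a small model of the double-NAT path. This is an added illustration, not code from the thread, from pfSense or from Netgate. Every address and hostname is constructed: public IP 203.0.113.5, gateway LAN 10.0.0.0/24, pfSense WAN 10.0.0.2, pfSense LAN 192.168.1.0/24, web server 192.168.1.10 and the name www.example.com.

```python
"""Model of the double-NAT path from the thread (added example, constructed
addresses).  Two NAT devices are chained: the cable gateway holds the public
IP and hands pfSense a private WAN address; pfSense port-forwards to the web
server.  The model shows which paths reach the server and which are dropped."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NatDevice:
    name: str
    wan_ip: str
    lan_net: str
    forwards: dict = field(default_factory=dict)  # dst port -> inside address
    dmz_host: Optional[str] = None                # catch-all forward target
    reflection: bool = False                      # hairpins inside traffic aimed at its WAN IP?

    def target_for(self, port):
        return self.forwards.get(port, self.dmz_host)

    def is_local(self, addr):
        return ipaddress.ip_address(addr) in ipaddress.ip_network(self.lan_net)


def trace_outbound(devices, dst, port):
    """Follow a packet from a client on the innermost LAN toward dst:port.
    devices are ordered innermost first.  Returns (address reached or None, hops)."""
    hops = []
    for dev in devices:
        if dev.is_local(dst):
            hops.append(f"{dev.name}: {dst} is on its LAN, delivered directly")
            return dst, hops
        if dst == dev.wan_ip:
            target = dev.target_for(port)
            if dev.reflection and target:
                hops.append(f"{dev.name}: reflects {dst}:{port} -> {target}")
                return target, hops
            hops.append(f"{dev.name}: no NAT reflection, {dst}:{port} dropped")
            return None, hops
        hops.append(f"{dev.name}: not local, SNAT to {dev.wan_ip}, send upstream")
    hops.append(f"left {devices[-1].name} toward the internet")
    return None, hops


def trace_inbound(devices, dst, port):
    """Follow a packet from the internet to dst:port, outermost device first,
    applying each device's port forward or DMZ-host entry in turn."""
    hops = []
    cur = dst
    for dev in reversed(devices):
        if cur != dev.wan_ip:
            hops.append(f"{dev.name}: {cur} is not its WAN address, dropped")
            return None, hops
        target = dev.target_for(port)
        if target is None:
            hops.append(f"{dev.name}: nothing forwards port {port}, dropped")
            return None, hops
        hops.append(f"{dev.name}: forwards {cur}:{port} -> {target}")
        cur = target
    return cur, hops


def resolve(name, client_ip, split_zones):
    """Split-horizon answer: clients inside the zone's internal network get the
    inside address, everyone else gets the public one."""
    entry = split_zones.get(name)
    if entry is None:
        return None
    if ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry["internal_net"]):
        return entry["inside"]
    return entry["public"]


# Constructed scenario matching the thread's description.
PUBLIC_IP = "203.0.113.5"
WEB = "192.168.1.10"
GATEWAY = NatDevice("cable-gateway", PUBLIC_IP, "10.0.0.0/24", dmz_host="10.0.0.2")
PFSENSE = NatDevice("pfsense", "10.0.0.2", "192.168.1.0/24", {80: WEB}, reflection=True)
CHAIN = [PFSENSE, GATEWAY]  # innermost first
SPLIT_ZONES = {"www.example.com": {"public": PUBLIC_IP, "inside": WEB,
                                   "internal_net": "192.168.1.0/24"}}


def demo(client="192.168.1.50"):
    """Address each access path ends at (None means dropped)."""
    return {
        "outside -> public IP": trace_inbound(CHAIN, PUBLIC_IP, 80)[0],
        "inside -> public IP": trace_outbound(CHAIN, PUBLIC_IP, 80)[0],
        "inside -> pfSense WAN": trace_outbound(CHAIN, "10.0.0.2", 80)[0],
        "inside -> split DNS answer": trace_outbound(
            CHAIN, resolve("www.example.com", client, SPLIT_ZONES), 80)[0],
    }


if __name__ == "__main__":
    for label, reached in demo().items():
        print(f"{label:28s} {reached}")
```

The "inside -> public IP" path is the one that broke: pfSense sees a destination that is neither local nor its own WAN address, so it sends the packet upstream, and the gateway, which owns the public IP but does not hairpin, drops it. Reaching 10.0.0.2 still works because pfSense itself reflects, and the split-DNS answer never leaves the LAN at all. Inbound from the internet works only because the gateway's DMZ-host entry hands the packet to pfSense and pfSense has a forward for that port; a port pfSense does not forward is dropped there, which is worth checking before assuming the gateway is at fault.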
                                 You can't just turn off the firewall function. You need to get your cable company to put your gateway into bridge mode. This would require a phone call to your cable company and allow them to transfer your service call to an elevated support tech who has the authority to fulfill that task. Standard phone support employees will not be able to help you in this regard.

                                AhnHEL (Angel)

                                  • chpalmer
                                  @onhel:

                                   You can't just turn off the firewall function. You need to get your cable company to put your gateway into bridge mode. This would require a phone call to your cable company and allow them to transfer your service call to an elevated support tech who has the authority to fulfill that task. Standard phone support employees will not be able to help you in this regard.

                                  That totally depends on which cable company serves your area.

                                   Where I live the cable company totally disowns any function of the device after the modem function. Comcast Business, on the other hand, seems to want to control your entire network.

                                  Triggering snowflakes one by one..
                                  Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.
