[SOLVED] Outbound NAT - ModemAccess

Wolf666

Works in 2.2 too.

johnpoz

I access my modem with no need of any rules or virtual nics.  What IP ae you trying to access and is actual modem or a gateway (modem/router combo)?

See attached - are you blocking rfrc1918 at the wan, this is on by default.

Running 2.1.5 i386

Wolf666

I have a PPPoA ADSL, I use a DrayTek Vigor 120 to convert PPPoA–>PPPoE. My pfSense manage the PPPoE login. In this way, the modem is not reachable, it stays in a different subnet (10.0.0.0/24) than my LANs. The only way to reach the Modem GUI is  to follow that:
https://doc.pfsense.org/index.php/How_can_i_access_my_PPPoE_Modem_on_WAN.

iraiam

It's a VDSL2 modem/router in Transparent Bridging mode, so the pfSense handles the PPOE login and all routing.

My Modem is at 192.168.0.1 (left at default).  My VLANS start at 192.168.1.1 and go to 192.168.9.1, as it stands right now; I set my laptop IP to 192.168.0.10 and plug in to the back of the modem on the port next to where the pfSense WAN interface is connected. This works fine, so my reasoning was I should be able to do the same thing without all the IP resetting and cable swapping, but I must be missing something.

The 2.0 instructions shown on this link is what I used in version 2.0, I can't seem to get it to work with 2.1.5

https://doc.pfsense.org/index.php/How_can_i_access_my_PPPoE_Modem_on_WAN

I have also tried unchecking the block rfrc1989 along with numerous other firewall pass rules. I just can't seems to crack it.

johnpoz

If you can not get them to work your doing them wrong ;)

Your using these instructions right?

On 2.0, a PPPoE WAN is actually assigned to a virtual PPPoE adapter, not the physical port. So the tricks above are not needed and the NAT portion will not work at all.

If you already added the IP alias, remove it. If you added the IP alias via the shellcmd trick above, remove it also.

Instead, under Interfaces > (assign), create a new OPT interface, and assign it to the physical network card that is on WAN. For example, if your WAN on the assignment page is "PPPOE0(fxp0)", choose fxp0, and Save your changes.

Go to Interfaces > (your new OPT interface), and enable the interface. Give it an IP address in the same subnet as your modem, such as 192.168.1.5/24 (For example, the same IP address suggested in for the alias in the previous instructions). Do not set a gateway. If you like, you can rename the interface to something like ModemAccess.

Add an Outbound NAT rule as described above but do NOT choose the WAN interface, choose your new OPT interface.

You should then be able to access the modem from LAN.

iraiam

As I said before I am using the 2.0 instructions, they work in 2.0. why can't I get the same thing to work in 2.15? I don't know.

I have followed those instruction many times but always get the same result.

johnpoz

"but always get the same result."

Which is what?  What does a tracert show you, what does the routing table on pfsense show you?  Lets see your ifconfig off pfsense..  Can you ping the modem IP on pfsense?  Do you see an arp entry for it?

Here is the thing - these devices do what you tell them to do.. Creating an OPT interface on a physical interface is really no different than any other interface you would create, say you lan which works!!  So if this is not working your doing something wrong would be my take.

We can not figure out what is wrong without info to go off of..

iraiam

OK it's working now. I added a gateway to the virtual interface for modem access, the gateway in this case is the actual modem address (192.168.0.1)

The instructions say "Do not set a gateway", I cannot get it to function in 2.1.5 without a gateway. >:(

johnpoz

Ok a gateway has nothing to do with talking on a segment.  If you set one on an interface it now thinks that is a WAN type connection.

My guess would be that you didn't create the NAT correctly, and when you put a gateway on it and told pfsense it was a WAN connection it created the NAT for you.

Take a look at your NAT, so you correctly know how to do it - change your nat to manual and create the nat correctly and you would not need a gateway.

iraiam

With all due respect, I have dozens of NATs functional for other devices such as RFID scanners and IP cameras. I'm considering this workaround complete and I'm not spending any more time on it.

johnpoz

And now your pfsense thinks it has a WAN connection going to your gateway device "My Modem".. No modems have seen have that IP ;)

Dude I am not talking about a portforward, I am talking about an outbound NAT from your lan to your new opt1 interface, this is not the same inbound nat or portforward for devices on your lan from the internet.  Change your outbound nat from auto to manual and post your rules.  You will see a nat from your inside network to your opt1 network.  With all due respect its not rocket science here ;)

I don't really care how you setup your system - just pointing out that the instructions are correct, if followed correctly ;)  You don't set a gateway on a interface that is just talking to that segment, a gateway on an interface is a WAY off that segment..  That is not needed to talk from 192.168.0.5/24 to 192.168.0.1/24 for example