Netgate Discussion Forum
Access modem on WAN from LAN on pfSense 2.2 RC

Firewalling

DemonfangArun:

New user to pfSense here, and I have hit a bit of a stumbling block: accessing modems on WAN from LAN. I went through the instructions for 2.0 but they do not work for 2.1.5.

My setup is as follows:
modem 1: interface em0, IP of 10.0.1.1
modem 2: interface em1, IP of 10.0.2.1

LAN is 10.0.0.1-255

I could use a step-by-step guide post of what actually works. Thanks will be given!

Edit: now on 2.2 RC because apinger decided it wasn't going to work on 2.1.5 anymore for no apparent reason after working fine since install; the guide on the wiki is even less helpful now and needs a rewrite. That said, otherwise 2.2 is working really nicely (including a now properly working apinger, meaning load balancing is now reliable, woooooooo).

Edit 2: the guide is right; however, in my case I needed an additional any/any firewall rule to make it work, which wasn't mentioned. Many thanks to the fine fellow below who put time aside to help me out on this :)

johnpoz (LAYER 8 Global Moderator):

So pfSense gets, say, 10.0.1.2/24 on em0 and 10.0.2.2/24 on em1.

What is the mask on your LAN? You sure it's /24? If not, you're prob overlapping.

If the above is the case you should have no issues accessing 10.0.1.1 or 10.0.2.1; it is simple routing, unless you have NAT turned off on pfSense and your modems don't have routes back to 10.0.0/24.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11

DemonfangArun:

Yes, I have the LAN bridge (so I can have multiple ports on the same subnet) set to /24.

johnpoz (LAYER 8 Global Moderator):

Huh?? What does that have to do with the question or what mask you use?

Dude, you should have no problems accessing anything connected to interfaces of your pfSense, be it a modem or PC or another router, etc.

    modem 1: interface em0, IP of 10.0.1.1
    modem 2: interface em1, IP of 10.0.2.1

What is the IP of the modem you're trying to access? I take it from your above statement that the pfSense em0 interface is 10.0.1.1/24 and em1 is 10.0.2.1/24. Or is that the IP of the modem? What is the IP of pfSense on those interfaces?

And are you NATting or not NATting? Please validate what the IP of your modem is, and what the IP of your pfSense connected to that modem is.

DemonfangArun:

The IP of those interfaces to the outside world is my public IP addresses (the modems are transparently bridged).

Modem 1 is 10.0.1.1 and modem 2 is 10.0.2.1.

NAT is on.

johnpoz (LAYER 8 Global Moderator):

Well then you have to put a VIP on those interfaces so pfSense knows that those networks are there.

DemonfangArun:

@johnpoz:

    Well then you have to put a VIP on those interfaces so pfSense knows that those networks are there.

Just tried that, no dice.

Also tried what is listed for 2.0 here: https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall
Again no dice.

Perhaps I'm missing something.

johnpoz (LAYER 8 Global Moderator):

And did you create outbound NATs for the VIP? You sure those IPs work? Have you connected something else to them? Are you using a PPPoE connection in pfSense?

What modems do you have? This is simple enough to lab up. But I have an SB6120 cable modem; its GUI IP is 192.168.100.1. pfSense WAN via DHCP gets a 24.13.x.x address from the ISP; I don't have to do anything and can get to the GUI.

What type of VIP did you set up? I can duplicate your setup in a lab and validate everything that needs to be done on pfSense.

DemonfangArun:

@johnpoz:

    And did you create outbound NATs for the VIP? You sure those IPs work? Have you connected something else to them? Are you using a PPPoE connection in pfSense?

    What modems do you have? This is simple enough to lab up. But I have an SB6120 cable modem; its GUI IP is 192.168.100.1. pfSense WAN via DHCP gets a 24.13.x.x address from the ISP; I don't have to do anything and can get to the GUI.

    What type of VIP did you set up? I can duplicate your setup in a lab and validate everything that needs to be done on pfSense.

I did create manual outbound NATs for the VIP, and I'm sure those IPs work (they worked in the previous router with a command, and I haven't changed modems between setups). I am using a PPPoE connection in pfSense, correct.

I have two different modems: one is a D-Link DSL-2320B, the other is an Actiontec gateway from an old ISP set in dumb modem mode. As for the VIP setup, I created a new OPT interface, selected that interface in the VIP setup and pointed it to the modem address (10.0.1.1). I then set that up under translation on the outbound rule pointed to the OPT interface as instructed via the guide.

P.S.: following that guide also nets me losing all connectivity on that port, if that's a hint to anything (the IP is lost and gateway status shows lost for the WAN connection). Edit: dealt with this issue; still no luck getting to the modem, but at least I figured out a bit more about how the firewall works.

johnpoz (LAYER 8 Global Moderator):

"I am using a PPPoE connection in pfSense"

Well then you don't do the VIPs.

https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall

    On 2.0, a PPPoE WAN is actually assigned to a virtual PPPoE adapter, not the physical port. So the tricks above are not needed and the NAT portion will not work at all.

    If you already added the IP alias, remove it. If you added the IP alias via the shellcmd trick above, remove it also.

    Instead, under Interfaces > (assign), create a new OPT interface, and assign it to the physical network card that is on WAN. For example, if your WAN on the assignment page is "PPPOE0(fxp0)", choose fxp0, and Save your changes.

    Go to Interfaces > (your new OPT interface), and enable the interface. Give it an IP address in the same subnet as your modem, such as 192.168.1.5/24 (for example, the same IP address suggested for the alias in the previous instructions). Do not set a gateway. If you like, you can rename the interface to something like ModemAccess.

    Add an Outbound NAT rule as described above but do NOT choose the WAN interface, choose your new OPT interface.

    You should then be able to access the modem from LAN.

--
Should prob update that info: if you're creating OPT interfaces there would be no rules on it, so you would have to create rules to allow you access. Oh wait, your outbound access to the modem should work, and then the return would be via state. Rules on that connection would be needed if you wanted your modem to initiate traffic.

DemonfangArun:

Tried skipping making VIPs, no change :(

johnpoz (LAYER 8 Global Moderator):

So do a sniff on the interface you created: do you see the traffic go out or not?

DemonfangArun:

Updated to 2.2 RC today to resolve broken apinger (needed for multi-WAN/load balancing to work right), in the process noting why I was having problems before with the firewall: when I set it to manual rules it locks in my public IP addresses in the NAT rules. I cannot do this because I have dynamic IP addresses, meaning every reboot I would have to fiddle with NAT. Hybrid mode in 2.2 also doesn't work because it tries NATting the created interface to the public IP address. I'm thinking the guide for this is going to need to be rewritten because none of it works at all in 2.2, and it can't be used with dynamic IPs that change every login in any version of pfSense.

johnpoz (LAYER 8 Global Moderator):

Huh?? I think you're not understanding the process of creating an OPT interface connected to your WAN. You don't need to create any NATs for this.

You stated you're PPPoE, right? So while that IP can change whenever, it has nothing to do with the RFC1918 address space on your modem.

You're not putting a gateway on this new interface, so it's not a WAN and would not be doing NAT. It's just like another LAN segment. You're creating an OPT interface tied to your physical WAN interface connected to your modem, putting a pfSense IP on it in a specific network.

You don't NAT between LAN segments. See drawing attached.

Once you create your OPT interfaces connected to the physical interfaces your modems are on, you just put an IP on that interface that is on the same network as your modem's local IP. pfSense would then route traffic to those networks. You would only need to make sure that your LAN rules allow the traffic to those network segments, which the default any/any would do.

[Attachment: connection-modems.png]

DemonfangArun:

Assuming by talking about the default any/any you mean the anti-lockout rule that is created, then I have tried what you suggested (I checked for connectivity to the modem after every step in the 2.0 guide, including just creating an OPT interface with an IP in range of the modem) and it isn't working for me.

johnpoz (LAYER 8 Global Moderator):

What, dude? No, not the anti-lockout rule. What are your rules on your LAN segment?

If it's not working, then your modem doesn't have a gateway to talk back to your other network, would be my guess. In that case you would have to NAT. This is not rocket science; it's just like putting another LAN segment on your network, and simple routing. For the modem to talk to 10.0.0.0/24 it would need to know that it needs to talk to the pfSense IP on the 10.0.1.0/24 segment.

If your modem on 10.0.1.1/24 does not know how to get to 10.0.0.14/24 then you would have to NAT. But again, this has nothing to do with any IPs changing. So can pfSense ping your modem's 10.0.1.1 address from its 10.0.1.2 IP on the OPT interface you created? If so, and your client can not talk to it, then you most likely need a NAT.

If pfSense can not ping it, then you have something else wrong: the modem is not on the IP you think it is, you have not created the interface correctly on pfSense, etc.

Let's see pfSense pinging the modem, then let's see your NAT setup. Keep in mind you would be NATting to the OPT interface(s) you created.

DemonfangArun:

Sorry, whilst I am good with some areas of networking, I am not with others xD

Here is a screenshot of my LAN rules (the bridge is a combination of 3 ports to be on the same subnet): https://i.imgur.com/POG6VvO.png

LB in the second entry is redirecting traffic towards a gateway group that does load balancing between my two incoming WAN connections.

As for modem IPs, I know they are right (I was just down in the basement a couple of days ago to check on some things manually) and I have to manually assign IPs in Linux on my laptop to gain access to the modem when directly plugged in. As for rules on the modem, there aren't any, but considering that I can access the modems fine when using the laptop with merely a manual IP assignment on the laptop, I don't think they need any.

As for pinging, I have not been able to ping either modem from my desktop.

P.S. I apologize for seeming like a noob; I'm just trying to piece together why exactly it isn't working as it should be (I'm sitting here scratching my head a bit).

johnpoz (LAYER 8 Global Moderator):

Bridge??? Dude, you said nothing of a bridge. WHY do you have a bridge set up? pfSense is a ROUTER; if you need to switch ports then use a switch. I really can see no reason to ever create a bridge.

And who said anything about pinging from your desktop? SSH to pfSense and ping the modem IP from there, or use the GUI diag ping.

Until pfSense can ping the modems you can not expect anything behind pfSense to be able to do it. If you want, set up TeamViewer and I will remote in and fix it. This really is 2 minutes of setup.

Once you assign an OPT interface to the physical interface connected to your modem, you put an IP on it in the same segment as your modem's IP. Since your modem does not have a route or gateway to get from its 10.0.1/24 network to your LAN 10.0.0/24 network, you would need to NAT traffic coming from 10.0.0/24 to the OPT interface on the modem's segment.
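The checks johnpoz walks through across the thread (no overlap between LAN and the modem segment, an OPT interface on the physical WAN NIC with an address in the modem's private subnet and no gateway, pfSense pinging the modem from that address first, and outbound NAT to the OPT address only when the modem has no route back to LAN) can be written down as a small planner. The following is an added example, not code from the thread, from the pfSense project or from the wiki guide. The addresses are the ones discussed in the thread (10.0.1.2 on em0 is the pfSense address johnpoz suggested); the modems' routing tables are constructed, and the emitted rule uses pf(4) syntax as an illustration of what the GUI's outbound NAT entry amounts to.

```python
"""Planner for LAN-to-modem access through a pfSense box with a PPPoE WAN.

Added example (not pfSense code). Models the thread's checks: OPT interface
on the physical WAN NIC, address in the modem's subnet, no gateway, verify
with a pfSense-sourced ping, and NAT only if the modem cannot route back.
"""
from dataclasses import dataclass
from ipaddress import IPv4Interface, IPv4Network, ip_network
from typing import Dict, List, Optional


@dataclass
class OptInterface:
    name: str                      # pfSense interface description, e.g. "ModemAccess"
    nic: str                       # physical NIC the PPPoE session rides on, e.g. "em0"
    addr: IPv4Interface            # pfSense address on the modem's subnet, e.g. 10.0.1.2/24
    gateway: Optional[str] = None  # must stay None; a gateway turns the OPT into a WAN


@dataclass
class Modem:
    addr: IPv4Interface         # modem management address, e.g. 10.0.1.1/24
    routes: List[IPv4Network]   # destinations the modem can reach (constructed data)


def subnets_overlap(a: IPv4Network, b: IPv4Network) -> bool:
    """First question in the thread: do LAN and the modem segment overlap?"""
    return a.overlaps(b)


def validate(lan: IPv4Network, opt: OptInterface, modem: Modem) -> List[str]:
    """Return the configuration problems that would stop LAN hosts reaching the modem."""
    problems = []
    if opt.gateway is not None:
        problems.append(f"{opt.name}: a gateway is set, so pfSense treats it as a WAN "
                        "and applies automatic outbound NAT to the public PPPoE address")
    if opt.addr.network != modem.addr.network:
        problems.append(f"{opt.name}: {opt.addr} is not on the modem's subnet "
                        f"{modem.addr.network}")
    if subnets_overlap(lan, opt.addr.network):
        problems.append(f"LAN {lan} overlaps {opt.addr.network}; routing is ambiguous")
    return problems


def modem_can_reply(lan: IPv4Network, modem: Modem) -> bool:
    """True if the modem holds a route (connected, static or default) covering LAN."""
    return any(lan.subnet_of(route) for route in modem.routes)


def plan(lan: IPv4Network, opt: OptInterface, modem: Modem) -> Dict[str, object]:
    """Decide whether plain routing suffices or an outbound NAT rule is needed."""
    problems = validate(lan, opt, modem)
    if problems:
        return {"ok": False, "problems": problems, "nat_rule": None, "ping": None}
    # Verification step from the thread: pfSense itself must reach the modem first.
    # -S is FreeBSD ping's source-address option, so the probe leaves via the OPT address.
    ping = f"ping -S {opt.addr.ip} {modem.addr.ip}"
    nat_rule = None
    if not modem_can_reply(lan, modem):
        # No return route on the modem: hide LAN behind the OPT address. Written in
        # pf(4) syntax; the GUI's outbound NAT entry on the OPT interface is the equivalent.
        nat_rule = f"nat on {opt.nic} inet from {lan} to {opt.addr.network} -> {opt.addr.ip}"
    return {"ok": True, "problems": [], "nat_rule": nat_rule, "ping": ping}


def plan_from_strings(lan: str, name: str, nic: str, opt_cidr: str, modem_cidr: str,
                      modem_routes: List[str], gateway: Optional[str] = None):
    """Convenience wrapper taking CIDR strings, as you would type them into the GUI."""
    opt = OptInterface(name, nic, IPv4Interface(opt_cidr), gateway)
    modem = Modem(IPv4Interface(modem_cidr), [ip_network(r) for r in modem_routes])
    return plan(ip_network(lan), opt, modem)


if __name__ == "__main__":
    # The thread's two modems; neither has any route beyond its own segment.
    for name, nic, opt_cidr, modem_cidr in [("ModemAccess1", "em0", "10.0.1.2/24", "10.0.1.1/24"),
                                            ("ModemAccess2", "em1", "10.0.2.2/24", "10.0.2.1/24")]:
        modem_net = str(IPv4Interface(modem_cidr).network)
        print(name, plan_from_strings("10.0.0.0/24", name, nic, opt_cidr, modem_cidr, [modem_net]))
```

Running it for the thread's setup yields, for each modem, the pfSense-sourced ping to try first and an outbound NAT rule on em0/em1, because a modem with only its connected route cannot answer 10.0.0.0/24 directly; give the modem a default route (or any route covering LAN) and the planner drops the NAT rule, which is the "simple routing" case from earlier in the thread. Setting a gateway on the OPT interface is reported as a problem rather than planned around, since that is the misconfiguration that makes pfSense NAT the interface to the public PPPoE address.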

DemonfangArun:

The reasoning behind the bridge is bandwidth: one LAN port provides 1 Gbps each way, which would be a bottleneck between devices (many gigabit computers, an AC router in AP mode, and a DECA bridge (DirecTV stuff)), so I put a bunch of ports on a bridge so each of the above three gets its own dedicated bandwidth from the router, unless you know of a 10 gig fiber switch that isn't mega expensive.

I can PM you TeamViewer info if you wish; what would a good time be (following EST)?

johnpoz (LAYER 8 Global Moderator):

So your WAN is 3 gig? Your LAN port on your router doesn't do anything unless traffic is going to the WAN, so yes, your LAN port should equal or exceed your WAN bandwidth. So you have a multi-Gb WAN connection?

How do 3 gig interfaces in a bridge = a 10 gig fiber switch?

If you need more bandwidth or you want failover for an interface you would LAGG them:
https://doc.pfsense.org/index.php/LAGG_Interfaces

I am in the Chicago area so Central time for me; I don't have anything planned today. On vac til the end of the year, yeah!! So PM the info, we can exchange personal email and we can chat over TeamViewer. But until you can get pfSense to ping your modems, nothing behind pfSense is going to be able to get to them.
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.