Netgate Discussion Forum

    Cable Modem Access - Behind Pfsense

    General pfSense Questions

      jahonix

      You block RFC1918 networks on WAN. 192.168.x.y is one of those private RFC1918 networks.
      At  Interfaces | WAN  you should uncheck "Block private networks".

        cmb

        @jahonix:

        You block RFC1918 networks on WAN. 192.168.x.y is one of those private RFC1918 networks.
        At  Interfaces | WAN  you should uncheck "Block private networks".

        That's only for ingress traffic. Reaching the modem is egress. Don't change that, it's fine as-is.

          jahonix

          Sure and I would think so too.
          I have a VDSL modem in router mode (…don't ask) with an RFC1918 IP on WAN of my pfSense and I had to explicitly uncheck this to get modem access working.
          Don't know why this solved it this way but I had to get VoIP working first and didn't care about it later.

            macboy6

            I can access my cable modem IP of 192.168.100.1 with 0 changes to pfsense config.  It just works.

            Make sure you have a firewall rule on your LAN interface that allows you to reach any destination IP address.  If you are restricting access from LAN interface to RFC1918 addresses, then you will have to have a rule above it that allows you to reach destination 192.168.100.1.

            No reason why this shouldn't work.

              chpalmer

              @chpalmer:

              What is your LAN subnet  ?

              Please!  ;)

              Here are screen shots of the current firewall rules. The cable modem is my own hardware. The GUI for the cable modem is operational if I make a direct connection with a notebook computer (no firewall).

              Can you also post what your firewall logs say when you try to connect?  Is there anything there that would indicate a block?  (my guess is you will see nothing there.)

              Try from your desktop-  c:/>ping 192.168.100.1

              Try from your pfsense box..  /diagnostic/ping  192.168.100.1

              Triggering snowflakes one by one..
              Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                ghkrauss

                Thanks  for all the help in trying to understand the issue. I checked the firewall log after multiple attempts to access 192.168.100.1 (no entry). I noticed that the browser (firefox) shows https://192.168.100.1. Interesting it is https. The ip traffic passes through the firewall via the ping process. I have attached a screen capture. Could the issue be some sort of dns problem? The LAN subnet is 192.168.1.0, 255.255.255.0

                  johnpoz LAYER 8 Global Moderator

                  so clearly you can ping it.. So are you running a proxy.. That could cause you issues, or captive portal?

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                    ghkrauss

                    No proxy running on the firewall or elsewhere. The web browsers on the workstation are direct connect, i.e. no proxy. I am trying to examine everything to figure out what in the world is causing the issue. Thanks for your suggestions. I am just going to continue until the source is discovered!

                    Best,

                    Howard

                      johnpoz LAYER 8 Global Moderator

                      what I would do is sniff on your wan.. You see the request going out to 192.168.100.1 - what do you get back if anything?  Makes no sense that if you can ping it, and it has a gui that is there that you would not be able to access it.

                      You don't have any floating rules do you?  Some people that have really tight tinfoil hats like to lock down on outbound anything to rfc1918.. There have been some threads about it, it's also a way to make sure you don't leak noise packets.  So it can be a good thing… I tried it for a while, but when I got no hits on it ever.  I wasn't leaking rfc1918 out to the internet I saw no use of it - and yeah it prevented me from talking to my modem.

                      See attached, where the rfc1918 float rule is disabled.  But I do still have my anti noise netbios rule.  Windows machines have a nasty habit of doing a directed query to even public IPs via netbios..  Just no reason to let that out just trying to be a good netizen and keep my network from adding to the noise of the internet.

                        highwire

                        With my Motorola SB6120, I could access the GUI on 192.168.100.1 with no changes to pfSense.  With my Cisco DPC3848, I cannot (though I can still ping it).  I believe that a lot of modems will allow any source IP address to connect (netmask 0.0.0.0) while others require the source IP address to be in the same subnet (192.168.100.0/24).

                        Below is how I got it working.  Create a virtual IP (I use 192.168.100.2), and then create an outbound NAT rule to translate your computer's IP address to 192.168.100.2 when accessing 192.168.100.1 so that your modem won't ignore it.  I had to reboot the pfSense firewall after doing this for it to take effect.

                        1. Firewall -> Virtual IPs
                        • Type: IP Alias
                        • Interface: WAN
                        • Address Type: Single address
                        • Address: 192.168.100.2 (if your modem's GUI is on 192.168.100.1)
                        • VHID Group: 1
                        • Advertising frequency: Base - 1, Skew - 0
                        2. Firewall -> NAT -> Outbound
                        • Choose "Hybrid Outbound NAT rule generation"
                        • Add a new rule:
                          a) Interface: WAN
                          b) Protocol: Any
                          c) Source: Any
                          d) Destination: Type - Network
                          e) Destination network for the outbound NAT mapping: 192.168.100.1/32
                          f) Translation: Address - 192.168.100.2
                          g) Description: "Cable modem access"

                          ghkrauss

                          What port did you specify in the Firewall Outbound setup?

                            highwire

                            I left all the ports blank ('all ports').

                              chpalmer

                              What is the absolute error on your browser when you try?  HTTPS might just be a certificate error and refusal to connect.

                                ghkrauss

                                No certificate error. But just wondered if https might be an issue. I am still working on this today to see if I can make any progress.  It may be just some issue with the Netgear CM 500 cable modem. I had an older Arris SB 6141 cable modem and had absolutely no issue. If these firms could just have an "engineering standards" approach there would be less issues!

                                  wbond

                                  Have you tried forcing http?  I can reach my cable modem with http://192.168.100.1, but not https://192.168.100.1.

                                  *update: Mine is a Netgear CM600.

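Added example, not part of any post in this thread: a small Python check to run from a LAN host that separates the cases raised so far (ping works but the GUI does not load, http answers while https does not, the modem ignoring sources outside 192.168.100.0/24). The function names and hint strings are assumptions made for this example; 80 and 443 are the standard HTTP/HTTPS ports.

```python
import socket

MODEM_IP = "192.168.100.1"            # modem GUI address discussed in the thread
PORTS = {"http": 80, "https": 443}    # standard ports; adjust if your modem differs


def probe(host, port, timeout=3.0):
    """Try one TCP connect and return 'open', 'refused', 'timeout' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"              # host answered with RST: it is reachable
    except (socket.timeout, TimeoutError):
        return "timeout"              # SYN went out, nothing came back
    except OSError:
        return "unreachable"          # no route, host/network unreachable, etc.


def diagnose(results):
    """Map {'http': state, 'https': state} to the hypothesis from the thread it supports."""
    http, https = results["http"], results["https"]
    if http == "open" and https != "open":
        return "use http://: the modem answers on 80 but not on 443"
    if "open" in (http, https):
        return "GUI port is reachable: look at the browser or login, not the firewall"
    if http == https == "timeout":
        return ("no reply to TCP: check LAN/floating rules that block RFC1918 egress; "
                "if none match, the modem may ignore off-subnet sources "
                "(virtual IP + outbound NAT workaround)")
    if "refused" in (http, https):
        return "modem is reachable but nothing listens on 80/443"
    return "no path to the modem: check WAN addressing and routing"


if __name__ == "__main__":
    results = {name: probe(MODEM_IP, port) for name, port in PORTS.items()}
    for name, state in results.items():
        print(f"{name:5} tcp/{PORTS[name]:<3} -> {state}")
    print(diagnose(results))
```

A "timeout" on both ports with a working ping is the pattern worth comparing against the firewall log and a WAN packet capture: if the SYN leaves the WAN interface and nothing returns, the drop is on the modem side.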
                                    ghkrauss

                                    Thanks for tip. I tried it and it started to connect but then just stalled after I put in the user and password. I then tried to repeat the process and no connection was available. Some strange process…

                                      chpalmer

                                      Well- I gotta thank you.  You have talked me out of buying the Netgear modem.  I'm going to wait for Zoom to come out with a 32X8 modem.

                                        ghkrauss

                                        You are making the correct decision! I am not having any issues with the Netgear CM500 other than the remote login. We are about to go to 200MB traffic service so it was time to upgrade and I did research and felt Netgear would be ok? The Netgear modem is in a machine room with the Pfsense router and a GB switch so I now will have to go down and check out matters locally if an investigation is required. I am very pleased with the many Pfsense board members that made suggestions. The Pfsense community is a great group.

                                          vanyie

                                          @chpalmer:

                                          @chpalmer:

                                          What is your LAN subnet  ?

                                          Please!  ;)

                                          Here are screen shots of the current firewall rules. The cable modem is my own hardware. The GUI for the cable modem is operational if I make a direct connection with a notebook computer (no firewall).

                                          Can you also post what your firewall logs say when you try to connect?  Is there anything there that would indicate a block?  (my guess is you will see nothing there.)

                                          Try from your desktop-  c:/>ping 192.168.100.1

                                          Try from your pfsense box..  /diagnostic/ping  192.168.100.1

                                          Sorry, I have the same problem, but
                                          the firewall pings the router successfully using the diagnostic tools;
                                          I don't ping the router from my PC using cmd.

                                          Does anyone have a suggestion?

                                          Version 2.4.2-RELEASE-p1 (amd64)
                                          built on Tue Dec 12 13:45:26 CST 2017
                                          FreeBSD 11.1-RELEASE-p6

                                          Thanks
                                          Vanyie

                                          Pfsense

                                            vanyie

                                            Solved, sorry, thanks to all.

                                            I don't know what was going wrong.
                                            I changed modem IP, changed Firewall Wan IP. Now everything works and I can reach router from Firewall LAN

                                            ???

                                            Thanks

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.