Netgate Discussion Forum
    Connect to bridged DSL modem (not PPPoE)

      new-to-netgate

      Hey chpalmer,

      Yes, the modem (Actiontec) is bridged, and gets a public IP on its WAN interface.  Still has an address of 192.168.1.254 on its LAN interface.
      If I connect a laptop to one of the LAN ports of the modem I can connect to the modem GUI no problem.

      However, I cannot do the same from my LAN (going through the router).  I think that all the traffic from the LAN (192.168.1.0/24) is routed by pfSense through the WAN IP, so that's my problem.  Would a NAT rule be able to accomplish that?

      Hope that makes sense.  :)

        ptt Rebel Alliance

        Please post a "screenshot" of your pfSense Dashboard

          new-to-netgate

          @ptt:

          Please post a "screenshot" of your pfSense Dashboard

          Sure.

          http://imgur.com/a/DK1gf

            ptt Rebel Alliance

            As noted/pointed out before, if you have the "modem" on 192.168.1.0/24 and your pfSense LAN on 192.168.1.0/24 (Same Network segment), it's not going to work…, you need to change one of them (Modem or pfSense LAN) to "other" Network Segment...

              new-to-netgate

              I changed the modem LAN to 192.168.2.0/24, the modem management IP is now 192.168.2.254.

              To clarify, I'm not using double NAT.  My ISP allows you to bridge one of the LAN interfaces (port 1), which is connected to my pfSense box.

              I'm not sure what NAT rule I need to create in order to get devices in my LAN to reach the modem mgt, if that's at all possible.

              I read the guide…

              https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall

              ...but the guide assumes a PPPoE setup.  My provider does not use PPPoE, so there is that.  :D

                JKnott

                To clarify, I'm not using double NAT.

                If your modem is providing a NAT address and you're using NAT with pfSense, then yes you are double NAT.

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

                  new-to-netgate

                  @JKnott:

                  To clarify, I'm not using double NAT.

                  If your modem is providing a NAT address and you're using NAT with pfSense, then yes you are double NAT.

                  No, it's not double NAT.  ::)  Perhaps you should read the information I posted earlier.
                  The modem is set up in bridge from the WAN interface to port 1 of its LAN interface.  I get the same public IP on both the WAN interface on the modem AND the WAN interface on the pfSense box.

                    kpa

                    You need to add an alias address to the WAN interface in the WAN interface setup page DHCP client section. Add an address from the 192.168.2.0/24 subnet, for example 192.168.2.200/24, renew the WAN DHCP lease to let the setting be applied.

                    Then you need to add an outbound NAT rule at Firewall->NAT->Outbound. Switch to manual mode first if you haven't and save settings. Then add a new outbound NAT rule with interface "WAN", source network "192.168.1.0/24" (your LAN), destination "192.168.2.254/32" (the modem), translation address "other network" and other subnet "192.168.2.200" (the alias address you entered above). This rule should be the first rule in the outbound NAT rule list.

                    If you ask me I would have renumbered the LAN and let the modem have its default management address, if you ever need to reset settings on the modem to factory defaults you'll have to go through the IP address change again.

                    HTH

                    Edit: This will not work if the management IP is not set on the bridge interface on the modem but is instead only on the NAT'ed LAN ports of the modem.
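
The addressing logic behind the steps in the post above, as an added example (not code from the thread or from pfSense): it traces one request from a LAN client to the modem GUI and reports where it stops for the overlapping subnet, the missing WAN alias, the missing outbound NAT rule, and the caveat in the Edit. The function names, the LAN client 192.168.1.50 and the /24 prefix on 1.2.3.4 are assumptions.

```python
import ipaddress as ip

# Addresses are the ones quoted in the thread; the LAN client and the
# prefix length on the public address are constructed for illustration.
LAN_NET = ip.ip_network("192.168.1.0/24")
CLIENT = ip.ip_address("192.168.1.50")
WAN_PUBLIC = ip.ip_interface("1.2.3.4/24")
WAN_ALIAS = ip.ip_interface("192.168.2.200/24")
MODEM_OLD = ip.ip_interface("192.168.1.254/24")
MODEM_NEW = ip.ip_interface("192.168.2.254/24")

# Outbound NAT rule from the post: LAN -> modem, translated to the alias.
NAT_RULE = {
    "src": LAN_NET,
    "dst": ip.ip_network("192.168.2.254/32"),
    "to": WAN_ALIAS.ip,
}


def translate(src, dst, rules):
    """Return the source address after outbound NAT; first match wins."""
    for rule in rules:
        if src in rule["src"] and dst in rule["dst"]:
            return rule["to"]
    return src


def trace(modem, wan_addrs, rules, mgmt_on_bridge=True, modem_has_route_back=False):
    """Follow one request from CLIENT to the modem GUI; say where it stops."""
    # Client side: a destination inside the client's own subnet is resolved
    # with ARP on the LAN and is never handed to pfSense.
    if modem.ip in LAN_NET:
        return "stays on LAN: modem address overlaps the LAN subnet"
    # pfSense side: the modem is on-link on WAN only if some WAN address
    # shares its subnet; otherwise the packet follows the default route.
    if not any(modem.ip in addr.network for addr in wan_addrs):
        return "sent to ISP gateway: no WAN address in the modem subnet"
    # The caveat in the Edit: nothing answers on the bridged port.
    if not mgmt_on_bridge:
        return "no answer: management IP is not on the bridged port"
    # Modem side: with no route back it can only answer on-link sources,
    # so the source it sees must already be inside its own subnet.
    seen_src = translate(CLIENT, modem.ip, rules)
    if seen_src not in modem.network and not modem_has_route_back:
        return "no reply: modem has no route to " + str(seen_src)
    return "reachable as " + str(seen_src)


if __name__ == "__main__":
    cases = [
        ("modem on 192.168.1.254", MODEM_OLD, [WAN_PUBLIC], []),
        ("renumbered, no alias", MODEM_NEW, [WAN_PUBLIC], []),
        ("alias, no NAT rule", MODEM_NEW, [WAN_PUBLIC, WAN_ALIAS], []),
        ("alias + NAT rule", MODEM_NEW, [WAN_PUBLIC, WAN_ALIAS], [NAT_RULE]),
    ]
    for label, modem, wan, rules in cases:
        print(f"{label:24} -> {trace(modem, wan, rules)}")
```
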

                      chpalmer

                      @new-to-netgate:

                      I get the same public IP on both the WAN interface on the modem AND the WAN interface on the pfSense box.

                      The public IP will no longer be active on your modem while it is in bridge mode.

                      Now that you have this set up can you reach it?

                      Triggering snowflakes one by one..
                      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                        kpa

                        @chpalmer:

                        @new-to-netgate:

                        I get the same public IP on both the WAN interface on the modem AND the WAN interface on the pfSense box.

                        The public IP will no longer be active on your modem while it is in bridge mode.

                        Now that you have this set up can you reach it?

                        I'm pretty sure he means that he has the same subnet on the WAN side of the modem and the WAN side of pfSense (the LAN side of the modem).

                          new-to-netgate

                          @chpalmer:

                          @new-to-netgate:

                          I get the same public IP on both the WAN interface on the modem AND the WAN interface on the pfSense box.

                          The public IP will no longer be active on your modem while it is in bridge mode.

                          Now that you have this set up can you reach it?

                          I must have explained my setup poorly, sorry.  :)  I'll try again:

                          ISP (DSL provider, not PPPoE) > Actiontec T2200H modem / router > pfSense firewall router > LAN

                          • ISP (telus):        provides a dynamically assigned public IP address (say it's 1.2.3.4, gateway 1.1.1.1)

                          • T2200H (modem/router):  the T2200H gets an IP (say the IP is 1.2.3.4 for simplicity) on the WAN interface: this connection is bridged to port 1 on the LAN side of the T2200H (*); the remaining 3 ports on the T2200H still do NAT, but there is nothing connected to them - The LAN subnet on the T2200H is now 192.168.2.0/24, and the mgr IP is 192.168.2.254.  I connected port 1 (the bridged interface) of the T2200H to the WAN int. of my pfSense box

                          • pfSense (firewall, NAT):  the same 1.2.3.4 external address and 1.1.1.1 gateway are assigned to the WAN interface.  The LAN subnet is 192.168.1.0/24, mgt at 192.168.1.1

                          (*) this is an option the ISP (telus) finally introduced after people complained that they wanted to use their own router, but didn't want to double NAT.  It's sort of explained on this page:

                          https://forum.telus.com/t5/Home/Bridge-Mode-Using-Your-Own-Router/ta-p/52181

                            new-to-netgate

                            @kpa:

                            You need to add an alias address to the WAN interface in the WAN interface setup page DHCP client section. Add an address from the 192.168.2.0/24 subnet, for example 192.168.2.200/24, renew the WAN DHCP lease to let the setting be applied.

                            Then you need to add an outbound NAT rule at Firewall->NAT->Outbound. Switch to manual mode first if you haven't and save settings. Then add a new outbound NAT rule with interface "WAN", source network "192.168.1.0/24" (your LAN), destination "192.168.2.254/32" (the modem), translation address "other network" and other subnet "192.168.2.200" (the alias address you entered above). This rule should be the first rule in the outbound NAT rule list.

                            If you ask me I would have renumbered the LAN and let the modem have its default management address, if you ever need to reset settings on the modem to factory defaults you'll have to go through the IP address change again.

                            HTH

                            Edit: This will not work if the management IP is not set on the bridge interface on the modem but is instead only on the NAT'ed LAN ports of the modem.

                            I did try what you suggest, but it's still not working.  Cannot ping 192.168.2.254, or see the GUI.
                            I admit I don't understand the concept of DHCP alias.  I changed the modem IP because it was easier, I have several static IP  and reservations on the LAN side.

                            ![pfsense NAT outbound.png](/public/imported_attachments/1/pfsense NAT outbound.png)
                            ![WAN DHCP alias.png](/public/imported_attachments/1/WAN DHCP alias.png)

                              chpalmer

                              Because you're not using any PPP tunnel, the modem's (new) subnet is outside your local LAN. So any requests to that new subnet (192.168.2.x) will pass through your pfSense router from your LAN and through/to the modem by default.  Since there is no tunnel the modem interface will see the attempt without any extra configuration on your part on the pfSense box.

                              The only issue that there could be is that the modem itself does not have a path back to your LAN. Many DSL modems (unlike most cable modems/bridges) do not have a specified (gateway) on their maintenance interface and therefore do not send any traffic outside their own subnet.

                              Easy way- (Probably a huge security hole) would be to connect your LAN switch to a second port on the modem and put the modem back on 192.168.1.x. Then make a firewall rule on your LAN interface that blocks the modem IP from anything.  Requests from anything on your LAN would pass back and forth on your local LAN without any traffic traversing the pfSense box.  You could try this as a test and then unplug it when not in use.  (how often do you need to see your modem stats anyways..)

                              Otherwise- you need to provide a path from 192.168.2.254 on your wan to 192.168.1.0/24 on your LAN. The modem likely does not know on its own.

                              Triggering snowflakes one by one..
                              Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                                new-to-netgate

                                @kpa:

                                Edit: This will not work if the management IP is not set on the bridge interface on the modem but is instead only on the NAT'ed LAN ports of the modem.

                                I think that this is actually the case.

                                  chpalmer

                                  @new-to-netgate:

                                  I think that this is actually the case.

                                  I've heard there is one or two modems out there like this but I've never run into any of them..  What model do you have?

                                  Triggering snowflakes one by one..
                                  Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                                    kpa

                                    @chpalmer:

                                    @new-to-netgate:

                                    I think that this is actually the case.

                                    I've heard there is one or two modems out there like this but I've never run into any of them..  What model do you have?

                                    This is actually very common on any modem/router that allows you to set the LAN ports individually as bridge or NAT. On the bridged ports the management interface which is the nat'ed LAN interface is completely hidden because it's behind the NAT and firewall from the perspective of the bridged network segment. There is no additional management IP set on the bridge because that would be redundant.

                                      new-to-netgate

                                      @chpalmer:

                                      @new-to-netgate:

                                      I think that this is actually the case.

                                      I've heard there is one or two modems out there like this but I've never run into any of them..  What model do you have?

                                      @new-to-netgate:

                                      ISP (DSL provider, not PPPoE) > Actiontec T2200H modem / router > pfSense firewall router > LAN

                                        chpalmer

                                        @new-to-netgate:

                                        Yes, the modem (Actiontec) is bridged, and gets a public IP on its WAN interface.  Still has an address of 192.168.1.254 on its LAN interface.
                                        If I connect a laptop to one of the LAN ports of the modem I can connect to the modem GUI no problem.

                                        This would show that your modem is reachable in bridge mode.

                                        And found this at DSLR..    take it for what it is worth. I don't know this poster's knowledge to be accurate or not.. But based on your comment above it seems accurate.

                                        RFC1483 bridging will bridge the WAN or DSL interface on the Actiontec device with all of the Ethernet ports on the LAN side of the device.

                                        Once you enable bridging, one router that's connected to any of the ports on the device will become your new network gateway. After you do that, the only reason to plug anything else into the Actiontec device will be if it were on DSL service and you wanted to access the graphical statistics, at which point you'd configure a device manually (with some random IP like 192.168.1.152) so that you can go to the device's administration pages.

                                        His comment was to someone on pppoe.

                                        When I had "bridged service" from my ISP at one of our remote outposts (no pppo anything) I was able to reach the modem's maintenance page from any computer on the network without any changes to the firewall. It just worked out of the box.  Modem was a bridge only device and had no on board router.  If you haven't tried (with the new address) this I'd suggest you do.

                                        All of our other dsl connections are pppoe and therefore the pfSense boxes need to be set up.

                                        Triggering snowflakes one by one..
                                        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                                          new-to-netgate

                                          @chpalmer:

                                          @new-to-netgate:

                                          Yes, the modem (Actiontec) is bridged, and gets a public IP on its WAN interface.  Still has an address of 192.168.1.254 on its LAN interface.
                                          If I connect a laptop to one of the LAN ports of the modem I can connect to the modem GUI no problem.

                                          This would show that your modem is reachable in bridge mode.

                                          OK, one last attempt at explaining.  :D  The Actiontec modem has 4 "LAN" ports, but only 1 of these 4 ports can be configured (if the user so wishes - it's not by default), to be bridged with the WAN interfaces.  As I like to use my own router, and I do not like double NAT, I did use this option.  However, this "bridge" only works / affects LAN port 1.  The remaining 3 "LAN" ports (port 2, 3 and 4) still operate as if you had not bridged port 1, and will NAT the WAN connection.

                                          So, for instance, if I now connect a laptop directly to "LAN" port 2 on the modem, I get a NATed address of 192.168.2.2 from the Actiontec, AND I'm able to access the modem GUI at 192.168.2.254.

                                          @chpalmer:

                                          And found this at DSLR..    take it for what it is worth. I don't know this poster's knowledge to be accurate or not.. But based on your comment above it seems accurate.

                                          RFC1483 bridging will bridge the WAN or DSL interface on the Actiontec device with all of the Ethernet ports on the LAN side of the device.

                                          Once you enable bridging, one router that's connected to any of the ports on the device will become your new network gateway. After you do that, the only reason to plug anything else into the Actiontec device will be if it were on DSL service and you wanted to access the graphical statistics, at which point you'd configure a device manually (with some random IP like 192.168.1.152) so that you can go to the device's administration pages.

                                          His comment was to someone on pppoe.

                                          When I had "bridged service" from my ISP at one of our remote outposts (no pppo anything) I was able to reach the modem's maintenance page from any computer on the network without any changes to the firewall. It just worked out of the box.  Modem was a bridge only device and had no on board router.  If you haven't tried (with the new address) this I'd suggest you do.

                                          All of our other dsl connections are pppoe and therefore the pfSense boxes need to be set up.

                                          No, that is NOT accurate - how old is that post?  It's not how the telus firmware works these days.  I posted a link from the ISP website earlier on how their modem works.  For a long while, the root password for the telus firmware was semi-public, and you could log in as root and bridge all ports or whatever.

                                          All that was changed several years ago, when telus decided to allow bridging "officially", but only for port 1.  Since then, if you like to use your own router, that's the best option you have.

                                            chpalmer

                                            @new-to-netgate:

                                            OK, one last attempt at explaining.  :D  The Actiontec modem has 4 "LAN" ports, but only 1 of these 4 ports can be configured (if the user so wishes - it's not by default), to be bridged with the WAN interfaces.  As I like to use my own router, and I do not like double NAT, I did use this option.  However, this "bridge" only works / affects LAN port 1.  The remaining 3 "LAN" ports (port 2, 3 and 4) still operate as if you had not bridged port 1, and will NAT the WAN connection.

                                            So, for instance, if I now connect a laptop directly to "LAN" port 2 on the modem, I get a NATed address of 192.168.2.2 from the Actiontec, AND I'm able to access the modem GUI at 192.168.2.254.

                                            I know my eyesight isn't as good as it used to be but this is the first time in this thread you have mentioned it this way.

                                            You actually have internet past your pfSense box and on ports 2-4 on your modem when both have the same public IP address??  :o

                                            What comes up if you try and access your public IP address from a browser?

                                            Triggering snowflakes one by one..
                                            Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.
