Netgate Discussion Forum

    Accessing a private ip admin interface of the gateway pfsense is connected to

    • JKnott

      @bughit:

      @viragomann:

      @bughit:

      But pfsense is blocking it.

      Why do you think so?
      By default pfSense allows access to any destination on LAN. If you haven't changed the LAN rules it shouldn't be blocked.

      However, maybe it's misrouted. When you try to access 10.0.1.1 pfSense will send the packets to the default gateway IP. Maybe that causes the gateway not to respond.
      As a workaround assign an IP of the subnet of 10.0.1.1 to the WAN interface as an IP Alias (Firewall > Virtual IPs).

      I mentioned that when I connect directly to the gateway, I can access 10.0.1.1, so the gateway does respond and the connected pc interface has no ip aliases, just the same public ip as pfsense's WAN. I haven't dug into the logs yet, but it seems clear that pfsense is somehow blocking to/from 10.0.1.1.

      You say you can connect when directly connected.  Where are you connected when it fails?  If on the WAN side, that's to be expected, as that address is not allowed in or out of any firewall/router.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • bughit

        @JKnott:

        You say you can connect when directly connected.  Where are you connected when it fails?  If on the WAN side, that's to be expected, as that address is not allowed in or out of any firewall/router.

        In the first post I mentioned that I want to be able to access 10.0.1.1 from the pfsense LAN, which is not working.

        Also creating an alias (10.0.1.2/24) did not help.

        • doktornotor Banned

          The GW (huh, that's normally pfSense) most certainly should NOT have IP in your LAN subnet! Move your LAN elsewhere. Or move the GW's LAN elsewhere. Also see https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall

          • johnpoz LAYER 8 Global Moderator

            "gateway: has a public_ip_2, and also 10.0.1.1 (its admin interface)"

            What device is this gateway??  When you say you directly connect your PC, are you talking about a different port on this device than what pfsense was connected to?  Please give the make and model of this "gateway"

            That you say the gateway has public_ip_2 seems unlikely??  So you have a routed public network that you're using as transit between this device and pfsense wan??

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • bughit

              @johnpoz:

              "gateway: has a public_ip_2, and also 10.0.1.1 (its admin interface)"

              What device is this gateway??

              It's a comcast business gateway, in "router" mode (not nat, not bridge).  This mode (since bridging only works for dhcp dynamic ips, found experimentally and confirmed by comcast support) is specifically for putting your purchased static IPs directly on the internet, the gateway ui seems to confirm it, it shows that nat is off, firewall is off and bridging is off.

              @johnpoz:

              When you say you directly connect your PC, are you talking about a different port on this device than what pfsense was connected to?

              No, same port, in place of pfsense, giving the pc interface the same static public ip as pfsense wan (public_ip_1).

              @johnpoz:

              Please give make and model of this "gateway"

              Don't have that at the moment.

              @johnpoz:

              That you say the gateway has public_ip_2 seems unlikely??  So you have a routed public network that you're using as transit between this device and pfsense wan??

              If you NAT through it, public_ip_2 becomes your public ip, but if you want to use your own gateway with your static ip (public_ip_1), you can turn off nat and firewall and it just does plain routing (presumably), public_ip_2 becomes the second hop on a traceroute.  I don't know exactly how they implement this, presumably there are still two interfaces and it routes between them.

              One other detail, I can ping and traceroute the comcast gateway admin ip (10.0.1.1) from pfsense LAN even when "Block private networks" is checked, yet can't tcp (browse) to it. Either it refuses to NAT to private ips or the firewall is blocking it.

              • johnpoz LAYER 8 Global Moderator

                We have a comcast business gateway at work.. And if you want to nat and access the "gateway" device interface you plug into a different port on the device..  When I go back to work on Tuesday I can verify..    But when you're connected to a port that gives you a public IP you can not access the "gateway's" admin interface..

                Please post up the device's make and model..

                • bughit

                  @johnpoz:

                  But when you're connected to a port that gives you a public IP you can not access the "gateway's" admin interface..

                  Telling me something is impossible after I told you I've done it is not helpful.

                  Here's another detail, if I configure a virtual ip alias on WAN (10.0.1.2/24), I can nc and curl 10.0.1.1 admin interface from the pfsense box.

                  • johnpoz LAYER 8 Global Moderator

                    Dude I am just trying to help and explaining from experience these business devices that I have direct experience with.. But you seem even unwilling to even give the make and model of your device or explain what you mean by

                    "gateway: has a public_ip_2, and also 10.0.1.1 (its admin interface)"

                    If you're saying this 10.0.1.1 is on the same Layer 2 as your pfsense wan public IP.. Then you can for sure access it with a simple vip on this pfsense interface and doing your outbound nat correctly.  Per the instructions on how to access "modem" dok linked to..

                    • bughit

                      @johnpoz:

                      Dude I am just trying to help and explaining from experience these business devices that I have direct experience with.. But you seem even unwilling to even give the make and model of your device or explain what you mean by

                      "gateway: has a public_ip_2, and also 10.0.1.1 (its admin interface)"

                      If you're saying this 10.0.1.1 is on the same Layer 2 as your pfsense wan public IP.. Then you can for sure access it with a simple vip on this pfsense interface and doing your outbound nat correctly.  Per the instructions on how to access "modem" dok linked to..

                      What is the significance of the comcast device model when I already confirmed that I can curl its admin page from the pfsense box?  If it won't let me access it from the LAN, the issue is clearly in the routing or NAT or firewall of pfsense.

                      As for public_ip_2, and also 10.0.1.1, the expanded explanation is here:

                      https://forum.pfsense.org/index.php?topic=136052.msg745052#msg745052

                      what about it is unclear?

                      • bughit

                        @doktornotor:

                        The GW (huh, that's normally pfSense) most certainly should NOT have IP in your LAN subnet! Move your LAN elsewhere. Or move the GW's LAN elsewhere. Also see https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall

                        That doc provided a clue.  So the bottom line, I had to A) create an ip alias and B) create an outbound NAT rule to NAT through that alias.

                        1 Reply Last reply Reply Quote 0
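
The fix from the last post, modelled as an added example (not code from the thread or from pfSense): a simplified first-match outbound NAT table showing which source address 10.0.1.1 sees before and after the alias rule exists. The LAN subnet, the client address and the 203.0.113.10 stand-in for public_ip_1 are constructed, and the "before" case assumes the usual rule that translates LAN traffic to the WAN address.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing: the thread gives neither the real public IPs nor the LAN subnet.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")         # assumed pfSense LAN
WAN_IP = ipaddress.ip_address("203.0.113.10")            # placeholder for public_ip_1
WAN_ALIAS = ipaddress.ip_address("10.0.1.2")             # IP alias on WAN, from the thread
ADMIN_NET = ipaddress.ip_network("10.0.1.0/24")          # subnet holding 10.0.1.1
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class OutboundNatRule:
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    translate_to: ipaddress.IPv4Address
    description: str


def translate(rules, src, dst):
    """Walk the rules top-down; the first rule matching source and destination wins."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if src_ip in rule.source and dst_ip in rule.destination:
            return rule.translate_to, rule
    return src_ip, None  # nothing matched: the packet keeps its original source


DEFAULT_RULE = OutboundNatRule(LAN_NET, ANY, WAN_IP, "LAN to any, WAN address")
ADMIN_RULE = OutboundNatRule(LAN_NET, ADMIN_NET, WAN_ALIAS, "LAN to 10.0.1.0/24, WAN alias")

BEFORE = [DEFAULT_RULE]                  # alias exists but no rule uses it
AFTER = [ADMIN_RULE, DEFAULT_RULE]       # the fix: specific rule above the general one
MISORDERED = [DEFAULT_RULE, ADMIN_RULE]  # specific rule shadowed by the general one


def source_seen_by(rules, dst, client="192.168.1.50"):
    """Source address the destination sees for a LAN client (constructed client IP)."""
    return str(translate(rules, client, dst)[0])


if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER), ("misordered", MISORDERED)):
        for dst in ("10.0.1.1", "198.51.100.7"):
            print(f"{name:10} {dst:13} source={source_seen_by(rules, dst)}")
```

The misordered case shows why the rule for 10.0.1.0/24 has to sit above the general LAN rule: placed below it, the alias is never used and the admin interface still sees the public source address.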