Netgate Discussion Forum

    Pfsense with 2 modems as multiwan : cannot access webGUI of the secondary modem

      t__2

      Here is my Firewall/NAT/Outbound page. (If that is what you were asking for.)

      By the way, I think you are getting postings from trap16 mixed up with mine. I don't have the 10.0.0.0/8 deal. Maybe I should have started a different thread, but I have the same problem as trap16. Just a slightly different setup.

      In my setup I think the 10.3.201.0/24 network rules in the Firewall were automatically set up when I tried to configure OpenVPN. I have deleted my attempts to set it up for now, so if you think I should delete those rules let me know.

      pfSense_outbound.png

        Derelict LAYER 8 Netgate

        Yeah, you're right. I was confused. Your NAT rules look fine.

        So what you want to do is start a packet capture on WAN_CELL for all traffic for host 192.168.5.1 then try to connect to the modem then stop the capture.

        It would probably be best if you attached the capture since MAC addresses might be important. Or at least set the detail to Full, View Capture again and post that.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          t__2

          Are these the settings you want me to try for packet capture?

          How long do I run the capture? Until the browser times out?

          pfsense_packets.png

            t__2

            Here is the capture with the settings I posted. Ran it until the browser timed out.

            pfSense_capture.txt

              Derelict LAYER 8 Netgate

              Your modem is not accepting the ARP Reply for whatever reason. You'll need to ask them. pfSense is doing everything it is supposed to there.

              11:31:58.374001 0a:40:06:d2:5d:5d > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.5.2 tell 192.168.5.1, length 46
              11:31:58.374014 00:08:a2:0b:8e:0e > 0a:40:06:d2:5d:5d, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 192.168.5.2 is-at 00:08:a2:0b:8e:0e, length 28
              11:32:14.614066 0a:40:06:d2:5d:5d > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.5.2 tell 192.168.5.1, length 46
              11:32:14.614083 00:08:a2:0b:8e:0e > 0a:40:06:d2:5d:5d, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 192.168.5.2 is-at 00:08:a2:0b:8e:0e, length 28

              and on and on.

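Added example, not part of the original post or its attachments: a Python version of the check done by eye on the capture above. It flags a host that broadcasts the same who-has again shortly after a reply was already sent to its MAC, and, going slightly beyond the thread, any IP that more than one MAC claims. The 60-second window and all function names are assumptions.

```python
import re
from collections import defaultdict

# The four tcpdump -e lines quoted in the post above, used as sample input.
CAPTURE = """\
11:31:58.374001 0a:40:06:d2:5d:5d > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.5.2 tell 192.168.5.1, length 46
11:31:58.374014 00:08:a2:0b:8e:0e > 0a:40:06:d2:5d:5d, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 192.168.5.2 is-at 00:08:a2:0b:8e:0e, length 28
11:32:14.614066 0a:40:06:d2:5d:5d > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.5.2 tell 192.168.5.1, length 46
11:32:14.614083 00:08:a2:0b:8e:0e > 0a:40:06:d2:5d:5d, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 192.168.5.2 is-at 00:08:a2:0b:8e:0e, length 28
"""

ARP = re.compile(
    r"^(?P<ts>[\d:.]+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), ethertype ARP .*?"
    r"(?:Request who-has (?P<target>\S+) tell (?P<asker>[\d.]+)"
    r"|Reply (?P<ip>\S+) is-at (?P<mac>[0-9a-f:]{17}))"
)

def seconds(ts):
    """Convert tcpdump's HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def analyze(text, window=60.0):
    """Return (ignored, conflicts) for ARP lines from `tcpdump -e`.
    ignored:   {(asker_ip, target_ip): count of requests repeated within
               `window` seconds of a reply already sent to the asker's MAC}
    conflicts: {ip: MACs} for any IP that more than one MAC claimed
    """
    last_reply = {}                 # (asker_mac, target_ip) -> time of last reply
    ignored = defaultdict(int)
    owners = defaultdict(set)
    for line in text.splitlines():
        m = ARP.match(line.strip())
        if not m:
            continue
        now = seconds(m["ts"])
        if m["target"]:             # Request: was this already answered recently?
            replied = last_reply.get((m["src"], m["target"]))
            if replied is not None and now - replied <= window:
                ignored[(m["asker"], m["target"])] += 1
        else:                       # Reply: remember who was told, and by which MAC
            last_reply[(m["dst"], m["ip"])] = now
            owners[m["ip"]].add(m["mac"])
    conflicts = {ip: macs for ip, macs in owners.items() if len(macs) > 1}
    return dict(ignored), conflicts

if __name__ == "__main__":
    print(analyze(CAPTURE))
```

A non-empty `ignored` result with an empty `conflicts` result matches the diagnosis in this thread: the replies are consistent and correctly addressed, yet the requester keeps asking.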

                t__2

                Thanks Derelict for your help on this.

                Tell me this: why, if I unplug the 4G modem from our pfSense box and plug it into a computer, can I get the configuration web page at 192.168.5.1? No changes at all to the modem required to do this. Did not even power down or reset the modem. Does that mean my Linux computer talks to the modem differently than the pfSense box does?

                  Derelict LAYER 8 Netgate

                  No idea. Would need to see a PCAP from that computer port in that situation to see what is different.

                  Does that mean my Linux computer talks to the modem differently than the pfSense box does?

                  ARP is ARP.

                    t__2

                    OK, I did a tcpdump with the Linux machine connected directly to the 4G modem. Started it, then went to 192.186.5.1 and stopped it as soon as the login page for the modem came up. Not sure I was doing it correctly, but here it is.

                    pfSense_tcpdump.txt

                      Derelict LAYER 8 Netgate

                      Yeah, that doesn't even try to ARP - it seems to have already accepted that MAC address into its ARP table based on received traffic (as it should).

                      You are going to have to ask the modem manufacturer/provider why it refuses to acknowledge the ARP Reply the WAN port is sending.

                      Sorry. It's really as simple as that. pfSense is doing nothing wrong.

                        t__2

                        I have some questions.

                        What does not even try ARP? The modem or my Linux computer tied to the modem?

                        What has already accepted what MAC address into its ARP table?

                        I am just wondering if, either in the modem or pfSense, we can put the MAC in manually to get this to work.

                        Sorry if these are dumb questions but I am new to all this.

                          Derelict LAYER 8 Netgate

                          Christ, man.

                          The modem doesn't try ARP because it has accepted the MAC address for that computer based on other traffic.

                          Or at least the ARP was not included in your capture.

                          You MIGHT be able to make it work by spoofing the MAC address on the WAN but I would CALL THE ISP AND MAKE THEM FIX IT PROPERLY.

                          Why are people so reluctant to call the people they are actually PAYING?!?

                          (Please tell me you have rebooted the modem.)

                            t__2

                            Derelict, while I am flattered that you refer to me as a famous historical figure, I can claim no such celebrity.

                            Anyway, so you answered my questions. It is the 4G modem that would have to have the computer's MAC preapproved, so to speak, so it would work. Unfortunately the modem interface has no way to manually set that. As you said, I may be able to have pfSense spoof the computer's MAC address, but either way would limit what computer on my LAN I could access the web page from.

                            Sorry to frustrate you on this but the ISP (Ting) is no help on this as they did not supply the modem. It's not their recommended device. On top of that Netgear has about the worst support policies on the planet. They often take several months just to start looking at a support ticket.

                            Anyway thanks again for all the help.

                              Derelict LAYER 8 Netgate

                              So you're rolling your own and this is what you get.

                                bavcon22 @trap16

                                @trap16 it worked for me.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.