How to access Thomson Speedtouch modem web GUI through SG-1000 microfirewall
-
Hello, my SG-1000 microfirewall is usually configured as a router with its WAN port connected by DHCP to the LAN port of a modem-router. The modem-router connects to my ISP by PPPoE.
Today, I want to test replacing my usual modem-router with a Thomson Speedtouch ST510V6 modem, which is configured in bridge mode instead of being a router. So, instead of using DHCP on the SG-1000's WAN port, I use PPPoE with the username and password given to me by my ISP.
As configured, the Thomson Speedtouch LAN port IP is 10.0.0.1, while its web GUI is reached at IP 10.0.0.138.
I can connect my MacBook to the Thomson Speedtouch web GUI by a direct ethernet cable at the IP address 10.0.0.138 and configure it from there.
If I connect the Thomson Speedtouch to the WAN port of my SG-1000 by PPPoE, and then connect my Mac to the LAN port of the SG-1000, the Mac gets an internet connection. However, it can no longer access the web GUI of the Thomson Speedtouch.
In the Terminal application on the Mac, ping appears to be blocked by the SG-1000. If I issue the terminal command "ping 10.0.0.138", the reply is:
    Request timeout for icmp_seq xx
    60 bytes from 80.10.124.25: Communication prohibited by filter
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src          Dst
     4  5  00 5400 2907   0 0000  3e  01 8707 192.168.1.105  10.0.0.138
Repeated for each ping attempt.
The sole change I made to the SG-1000 configuration was replacing DHCP with PPPoE (with username and password) in the WAN configuration of the SG-1000.
What could I be doing wrong? What should I do to access the web GUI of the Thomson Speedtouch modem through the SG-1000 firewall? TIA for any help.
-
RTFM https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall
-
Thanks Grimson. It took me a full day to get it to work. I just succeeded. Not the fault of the instructions, though. Two possible causes for my difficulties:
On the new ModemAccess interface the instruction states "give it an IP address in the same subnet as the modem, such as 192.168.1.5/24". I gave it 10.0.0.5 and forgot to specify /24. By default, the pfSense configuration sets it to something other than /24 (a smaller subnet, probably /32, which does not include 10.0.0.138).
But then, I still could not access it. Ping, as advertised to me by Johnpoz on this forum, helped me enormously. My computer wanted to access https://10.0.0.138 while the modem wanted to respond to a request to http://10.0.0.138. Currently, I have access only through my iPad. [Edit] I now have access through 1Password > Safari (my normal setup). It was a problem of caches.
Nevertheless, problem solved: it works, but it was not simple. Thanks.
-
All that done, it works now, but I may have configured it wrong.
Regarding NAT configuration (Firewall > NAT > Outbound), mine was set to "Automatic outbound NAT rule generation (IPsec passthrough included)". This was its default configuration; I had never touched it. Everything it did had been generated automatically. It contained three pairs of rules (6 rules in total), related respectively to the 127.0.0.0/8 source (whatever that may be) and my two VLANs. Then, the instruction was to add a new outbound NAT rule. Specifically: (1) switch to "Manual outbound NAT"; (2) create the new ModemAccess outbound NAT rule; (3) save. Now, my Firewall > NAT > Outbound configuration is set to "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)". The screenshot below shows that I now have my original 6 automatic rules plus the one that I added manually.
I still do not know the role of the initial 6 automatic rules and would be perfectly unable to determine when this set of rules would need to be changed. For that reason, it seems to me I would be better off switching now to "Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below)", thus preserving the one manual rule that I created, the 6 rules that were formerly generated automatically, plus any additions (or changes) to those 6 automatic rules.
To what extent is my thinking wrong?
Any advice on this would be welcome. TIA.
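The two pitfalls the thread runs into (the ModemAccess interface landing as /32 instead of /24, and the outbound NAT rule that has to exist on that interface, plus the question of what hybrid mode keeps) come down to two mechanisms: longest-prefix-match routing and first-match outbound NAT. The following is an added example, not code from the thread or from pfSense, that models both with the thread's own addresses (LAN 192.168.1.0/24, client 192.168.1.105, modem GUI 10.0.0.138, ModemAccess 10.0.0.5). The PPPoE address 203.0.113.7, the interface names "pppoe0"/"modem_if", and the rule pairing in automatic mode (an ISAKMP static-port rule plus a general rule per internal subnet and for 127.0.0.0/8) are assumptions modelled on pfSense's documented behaviour; hybrid mode is modelled as manual rules evaluated before the automatic ones.

```python
# Added example (not pfSense code): toy model of routing + outbound NAT for
# reaching a bridged modem through the firewall. Assumed: WAN address
# 203.0.113.7, interface names pppoe0/lan/modem_if, pfSense's automatic
# rule pairing and hybrid ordering.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

LAN_NET = ip_network("192.168.1.0/24")
MODEM_NET = ip_network("10.0.0.0/24")
MODEM_GUI = ip_address("10.0.0.138")
CLIENT = ip_address("192.168.1.105")
IFACE_ADDR = {
    "pppoe0": ip_address("203.0.113.7"),   # assumed PPPoE address
    "modem_if": ip_address("10.0.0.5"),    # ModemAccess address from the thread
}


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str


def route_lookup(routes, dst: IPv4Address) -> Optional[str]:
    """Longest-prefix match: the most specific route containing dst wins."""
    hits = [r for r in routes if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen).iface if hits else None


def routing_table(modem_access_prefixlen: int):
    """The firewall's table once ModemAccess is 10.0.0.5/<prefixlen>."""
    return [
        Route(ip_network("0.0.0.0/0"), "pppoe0"),   # default route via PPPoE
        Route(LAN_NET, "lan"),
        Route(ip_network(f"10.0.0.5/{modem_access_prefixlen}", strict=False), "modem_if"),
    ]


@dataclass(frozen=True)
class NatRule:
    iface: str                   # egress interface the rule applies on
    source: IPv4Network
    dest: Optional[IPv4Network]  # None = any destination
    proto: Optional[str]         # None = any protocol
    label: str


def automatic_rules(wan_ifaces, internal_nets):
    """Mimic automatic outbound NAT: per WAN, a rule pair (ISAKMP static-port
    + general) for 127.0.0.0/8 and for each internal subnet."""
    rules = []
    for wan in wan_ifaces:
        for net in [ip_network("127.0.0.0/8")] + list(internal_nets):
            rules.append(NatRule(wan, net, None, "udp/500", f"auto ISAKMP {net} -> {wan}"))
            rules.append(NatRule(wan, net, None, None, f"auto {net} -> {wan}"))
    return rules


def hybrid_rules(manual, automatic):
    """Hybrid mode: manual rules are consulted before the automatic ones."""
    return list(manual) + list(automatic)


def outbound_nat(rules, egress, src, dst, proto="icmp"):
    """First-match outbound NAT on the egress interface.
    Returns (translated source, matching rule label or None)."""
    for r in rules:
        if (r.iface == egress and src in r.source
                and (r.dest is None or dst in r.dest)
                and (r.proto is None or r.proto == proto)):
            return IFACE_ADDR[egress], r.label
    return src, None


def reach_modem(modem_access_prefixlen, rules, src=CLIENT, dst=MODEM_GUI):
    """Route, then NAT, a ping from a LAN host to the modem GUI."""
    egress = route_lookup(routing_table(modem_access_prefixlen), dst)
    new_src, label = outbound_nat(rules, egress, src, dst)
    return egress, new_src, label


if __name__ == "__main__":
    auto = automatic_rules(["pppoe0"], [LAN_NET, ip_network("192.168.2.0/24")])
    manual = [NatRule("modem_if", LAN_NET, MODEM_NET, None, "manual LAN -> modem")]
    # /32 mistake: 10.0.0.138 falls through to the default route, out PPPoE
    print(reach_modem(32, auto))
    # /24 but no NAT on modem_if: packet reaches the modem with a 192.168.1.x
    # source the bridged modem has no route back to
    print(reach_modem(24, auto))
    # /24 plus the manual rule in hybrid mode: arrives from 10.0.0.5
    print(reach_modem(24, hybrid_rules(manual, auto)))
```

The three `reach_modem` calls correspond to the three states in the thread: with a /32 the route lookup never picks the ModemAccess interface, so the rest of the recipe cannot matter; with a /24 and no rule the packet is routed correctly but carries a source the modem cannot answer; with the manual rule kept in front of the automatic set, the modem sees a source in its own subnet.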