Access to the modem web page

mrvarga · Nov 14, 2018, 6:26 PM

Dear all,
I have a pfsense router (192.168.2.1) with 4 gigabit port.
In the first port is connected my modem wan port, the interface is set up like dhcp.
The modem is set as bridge, so in pfsense i see the public IP address of the modem.
How can I access to the modem admin page (192.168.8.1) from my lan network?
I reed this guide (https://www.netgate.com/docs/pfsense/interfaces/accessing-modem-from-inside-firewall.html), bud I'am not able to solve the problem...

stephenw10 · Nov 14, 2018, 6:52 PM

What is shown there should be correct.

Add an IPAlias VIP on WAN as, say, 192.168.8.10/24.

Add an outbound NAT rule on WAN (switch to hybrid mode) to NAT traffic from the LAN subnet with destination 192.168.8.1 to 192.168.8.10.

That should allow LAN clients to access it.

If that's not working make sure the firewall itself can 'see' the modem. Try to ping it from Diag > Ping. Test TCP works from Diag > Test Port against ports 80 or 443.

Steve

Derelict · Nov 14, 2018, 7:08 PM

For what it's worth, for reasons I cannot quite wrap my head around, I also had to place this floating rule:

login-to-view

Disabling route-to makes sense to me. Disabling reply-to not so much.

192.168.100.2 is the VIP on WAN I am outbound NATting to as steve described above. 192.168.100.1 is, of course, the cable modem. Floating rule is on WAN in the outbound direction.

I just checked it again. Without reply-to disabled it does not work.

johnpoz · Nov 14, 2018, 7:50 PM

I have a cable modem and bridge.. Pfsense is 64.53.x.x, I can access my cable modem IP 192.168.100.1 without doing any of that..

PC on lan at 192.168.9.100, just put 192.168.100.1 in the browser and bing bang zoom... No vips, not odd nats, no disable reply-to.. No floating rules.

login-to-view

What modem is this with 192.168.8.1 - the common standard for cable modems is 100.1

SteveITS · Nov 14, 2018, 7:50 PM

@mrvarga said in Access to the modem web page:

192.168.8.1

Since this is a private IP did you go to Interfaces/WAN and uncheck "block private networks"?

johnpoz · Nov 14, 2018, 7:51 PM

That shouldn't matter since the state should allow it - the block rfc1918 would be for unsolicited traffic hitting the wan with a source IP of rfc1918.

Derelict · Nov 14, 2018, 7:52 PM

Absolutely does not work like that here.

Disabling reply-to made sense at the time but I had to pcap it off the firewall to know to try it.

Derelict · Nov 14, 2018, 7:53 PM

Yeah that would only matter if the modem was connecting to WAN.

I do block outbound RFC1918/Unroutable so I did have to carve out an exception for that.

mrvarga · Nov 14, 2018, 8:03 PM

@teamits said in Access to the modem web page:

Since this is a private IP did you go to Interfaces/WAN and uncheck "block private networks"?

No because the wan interface is set in DHCP mode and have directly the external ip address.

mrvarga · Nov 14, 2018, 8:05 PM

This is the procedure I have followed to put the modem in bridge mode https://forums.whirlpool.net.au/archive/2670005
But now i can mode get access to it.

johnpoz · Nov 14, 2018, 8:38 PM

So some devices when you put in bridge mode no longer listen on management IP.. So that might be the reason you can not access it..

192.168.8.1 is not your typical view my info on this IP sort of IP.. if that was the old lan IP you had before you put it bridge mode - its highly likely that IP is just gone and you should prob need to use something like the industry standard of 192.168.100.1

So your device is this Huawei E5186?

From looking at that hack to get bridge mode..

Note you must plug in the ethernet cable into the 4th LAN port labeled LAN/WAN, then plug the other end into your router servicing your LAN.

So if you want to get to 192.168.8.1 I would think you need to be connected to one of the other ports since it seems to put that 4th port into bridge mode... So plug a box into one of the other ports to access its 192.168.8.1

Do you have another interface on pfsense - you could connect one of the other ports to this interface, or vlan to access it.. That is the way I read that hack of a bridge mode for this device.

stephenw10 · Nov 14, 2018, 8:58 PM

Yes, looks like you might need an extra connection there. But test it from pfSense as I outlined, that is in the same subnet so is able to connect (if you don't need an extra connection).

Usually with this type of setup you need to NAT the traffic as most "modems" have no facility for adding a route of gateway on the LAN side. They can only talk back to devices in the subnet.

Steve

johnpoz · Nov 14, 2018, 9:09 PM

Comcast business gateways are like this... 1 Port of the switch on them can be put in bridge mode, and the other ports are natted..

Your not going to be able to hit the LAN ip from the bridged interface.. Your going to need to connect to one of the non bridged ports.

mrvarga · Nov 15, 2018, 9:39 PM

I connect another lan cable to pfsense router lan3 port to the model lan1 port. Set the interface to dhcp but this is the result:
login-to-view
If I set the iterface to static ip 192.168.8.100/24 and I try to ping the router:
login-to-view

Derelict · Nov 15, 2018, 11:05 PM

If you have to access the modem (honestly, how often does one really have to do this?) connect a laptop.

mrvarga · Nov 15, 2018, 11:10 PM

@derelict yes this is right, but is just for learn new things.
I think the error is in the modem ip address, the right is 192.168.1.1 and not the 192.168.8.1.
When I arrive home I will try...

johnpoz · Nov 16, 2018, 2:00 AM

From what I researched the default IP is the 8, but sure that could of been changed... My point was that once you put it in bridge mode that lan IP of what is actually a gateway and not a "modem" is not going to be available on the bridged interface.. So you will have to access if via one of its other switch ports.

This is completely different than say a "cable" modem that bridges your connection to the router behind (pfsense) and then also listens on 192.168.100.1 address on the same L2..

I concur with Derelict there is really little reason to just not connect a box to one of the "natted" switch ports on that gateway device if you need to access it... But its also possible to to connect and interface to pfsense..

The question comes down to the details of that device - which I have no actual experience with other than that thread you listed and I breezed through. But what I do have experience with is other "cable" gateways where you can put 1 port of the switch in bridge mode and device connected will get a public IP.. and other devices on other ports will get a natted ip - but in such cases dhcp is still running and connecting a device set for dhcp should get an address.

mrvarga · Nov 25, 2018, 2:36 PM

Can be my setting wrong, because somtimes (once every two days I lost the wan connection and the wan IP is 0.0.0.0) so I don't have internet and and have to manualy reboot the modem...
The modem is Huawei E5186 put in bridge mode by this guide (https://forums.whirlpool.net.au/archive/2670005), and the WAN interface setting si:
login-to-view
And this is the result:
login-to-view
I have also a lot of this log....
login-to-view

Babiz · Nov 25, 2018, 3:04 PM

@mrvarga Hi!

Here is my current working layout of pfSense, I can login to modem web ui
at 192.168.254.1 when it is propely configured with pppoe 8/35 link , dhcp server and bridge mode!
Because I add another MODEM interface side by side to PPPoe interface.

pfSense do all work and no need to make additional hybrid nat rule with this simple layout.
I also setup ipsec vpn and for reach remote device for mamaging watching remote stuffs, I do on remote site some hybrid nat and vips to re routing traffic on my local subnet. yes it's really amazing

Cheers.

mrvarga · Nov 25, 2018, 3:07 PM

@babiz