Access to all routers on my Network

johnpoz · Aug 10, 2019, 9:58 AM

So you are providing all your clients with something running pfsense as their edge router?

OpenWifi · Aug 10, 2019, 10:41 AM

@johnpoz No. They all have Tp-Link routers but i have a pfsense box that gives static dhcp leases to all the routers on the network. Kindly note i am a wireless internet service provider

johnpoz · Aug 10, 2019, 10:44 AM

Well if not your equipment - they would have to configure them to allow you remote access. Which has zero to do with pfsense.

OpenWifi · Aug 10, 2019, 11:02 AM

@johnpoz do you know of VNC ? It does exactly that but it is not a package in pfsense

johnpoz · Aug 10, 2019, 11:09 AM

VNC does not open the ports on their router to allow you remote access ;)

There are plenty of ways you "could" get remote access their router or network - all of which require them to do something..

Do you go and setup their routers for them? If so allow remote gui access to it from your IP. Or give them instructions on how to allow it if they desire.

Again none of which has anything to do with pfsense at all..

stephenw10 · Aug 10, 2019, 2:41 PM

If you control those routers then just open a port or setup some port forward on them and lock them down to prevent your customers changing that.

Most regular ISPs use TR-069 for that sort of stuff. pfSense can't help you with that.

Probably better to ask this on a WISP forum I'm sure you are not the first to want to do this!

Steve

OpenWifi · Aug 10, 2019, 3:35 PM

@stephenw10 Thank you

johnpoz · Aug 10, 2019, 4:11 PM

Exactly what I have been saying since the beginning ;)

BogusException · Aug 10, 2019, 7:03 PM

@OpenWifi I see. Others may have answered your question, but as a courtesy I want to address your reply.
As I understand, your network layout is such that you have WiFi APs for customers, like in a hotel or big store. These devices are on a LAN that sits on a router port on site. This router is maintained remotely, and likely is what plugs directly into their modem, or other device providing Eth to site from upstream/Internet. Sound about right?

Enter the firewall. You put it between modem and router(s), but where before the router's WAN interface was available directly, there is this firewall getting in the way. Can't connect because FW WAN address is the old address of router, which is now on LAN sitting on FW inside/LAN port.

Is this how it went?

So now, vendors hit the same IP they used to, but FW is not the router, so nothing. If so, what you seek is a way for internet clients to see the router on the old address. This is mostly done with port forwarding, where you know:

Incoming port(s)
Incoming IP source address/range (sometimes)
IP address on LAN of device to direct that traffic to.

Port forwarding is just what it sounds like. Since you don't want ALL traffic inbound to go to this one router, you decide which inbound ports will be valid to pass to router, like 22 if they are using SSH.

So you tell FW that if anything comes in for the FW's WAN Address ( the one the switch used to have), direct that traffic to the new up address it got. To the outside, there is no difference. As long as there is only one managed device behind the firewall, it's easy.

Hope this helps, but I had to make a ton of assumptions.

stephenw10 · Aug 11, 2019, 2:57 PM

@BogusException said in Access to all routers on my Network:

but I had to make a ton of assumptions

And some were incorrect I think.

OpenWifi is a WISP of sorts. Their network, therefore, is a series of wireless access points connected to pfSense.

The routers they need to access are the TP-Link devices at each customer site that connect via wifi back to the access points.

Thus to access those routers they simply need to have a port open to allow it in the router itself. I would choose to use a port forward to 443 from some other port rather than open 443 directly if that's an option.

Steve

johnpoz · Aug 11, 2019, 11:33 AM

You can port forward all day long, why should he have to port forward on his devices? He is the WAN for the routers, he is not going through a nat..

The problem his why would the customers routers admin be open... Is not, and that is not his device.. Its customers - for him to admin min.. They would have to open up the port to their web gui, ssh, etc.

Which maybe they do or do not want to do, etc..

All which has ZERO to do with pfsense..

BogusException · Aug 11, 2019, 2:57 PM

@stephenw10 True dat. Thanks!