Accessing modem from outside firewall



  • I wanted to have full local/remote access to my cable modem (a Motorola Surfboard) interface sitting on the WAN port of pfSense and having an internal IP of 192.168.100.1 (that's a hard plugged IP on Motorola cable modems and outside my LAN 192.168.1.0/24).

    1. The "inside firewall" access has been adequately covered (pfSense documentation, forum post). The simple solution is to add a Virtual IP (Firewall –> Virtual IP) and then you can access the modem from inside the LAN with nothing else. So, in my case I added an IP Alias on the WAN interface, single address with IP 192.168.100.3/24. That's it, had full access to the modem interface from inside the LAN.

    2. The "outside firewall", remote access is more complicated.
    There are 2 NAT settings that need to be configured.

    a. The NAT –> Port Forward needs to forward on the WAN interface all TCP traffic on the WAN Address, port 81 (my choice) to 192.168.100.1 on the HTTP port.

    b. Next is outbound NAT and there you need to forward on the WAN interface 'any' source traffic to destination 192.168.100.0/24, * ports to NAT address 192.168.100.3 (that's the Virtual IP set in #1). That's it, now you should be able to access the modem interface from your public IP address (try it outside your home LAN) on port 81 (my choice).



  • @nikandriko:

    The simple solution is to add a Virtual IP (Firewall –> Virtual IP) and then you can access the modem from inside the LAN with nothing else. So, in my case I added an IP Alias on the WAN interface, single address with IP 192.168.100.3/24. That's it, had full access to the modem interface from inside the LAN.

    First time poster and brand new to pfSense.  So please go easy on me  ;)

    I'm trying to just get the access from inside the LAN part working.  I have my WAN port set as DHCP, connected to my Hitron CDA3 cable modem.  The modem's default interface is 192.168.100.1.  The modem gives my WAN port an IP of 192.168.100.2.  My LAN on pfSense is set as 192.168.2.x.  It wasn't clear to me whether I need to set the WAN Virtual IP to a 192.168.100.x IP, or a 192.168.2.x IP.  I actually did try both and neither seemed to give me access to the modem interface.  And now I can't even delete the one I set up as 192.168.2.220/24, as pfSense tells me "This entry cannot be deleted because it is still referenced by at least one Gateway".  Any advice?

    I had been trying to set up pfSense prior to getting my new cable modem actually installed.  Today, once I got the modem installed/provisioned by the tech, I did a clean reinstall of pfSense.  I can now access the modem internally, without having to do anything special with VIP settings.  It just lets me through, even though my LAN is on the 192.168.2.x subnet.  I'm happy!!



  • @nikandriko:

    I wanted to have full local/remote access to my cable modem (a Motorola Surfboard) interface sitting on the WAN port of pfSense and having an internal IP of 192.168.100.1.

    1. The "inside firewall" access has been adequately covered (pfSense documentation, forum post). The simple solution is to add a Virtual IP (Firewall –> Virtual IP) and then you can access the modem from inside the LAN with nothing else. So, in my case I added an IP Alias on the WAN interface, single address with IP 192.168.100.3/24. That's it, had full access to the modem interface from inside the LAN.

    2. The "outside firewall", remote access is more complicated.
    There are 2 NAT settings that need to be configured.

    a. The NAT –> Port Forward needs to forward on the WAN interface all TCP traffic on the WAN Address, port 81 (my choice) to 192.168.100.1 on the HTTP port.

    b. Next is outbound NAT and there you need to forward on the WAN interface 'any' source traffic to destination 192.168.100.0/24, * ports to NAT address 192.168.100.3 (that's the Virtual IP set in #1). That's it, now you should be able to access the modem interface from your public IP address (try it outside your home LAN) on port 81 (my choice).

    A better solution would be to do what I do and use a VPN into your pfSense, and then access the Surfboard from there.  Otherwise you are exposing your modem management port to the world.
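
An audit sketch for the exposure raised above, added here as an example and not code from any poster or from the pfSense project: it scans the port-forward rules of an exported configuration for WAN forwards that land in the modem's 192.168.100.0/24 subnet and reports whether the source is unrestricted. The XML is a constructed sample, and its element layout (modelled on the NAT section of a pfSense config.xml backup) and the function name are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <nat> section of a pfSense config.xml.
# The element layout is an assumption; addresses and port 81 are from the thread.
SAMPLE_CONFIG = """
<pfsense><nat>
  <rule>
    <interface>wan</interface><protocol>tcp</protocol>
    <source><any/></source>
    <destination><network>wanip</network><port>81</port></destination>
    <target>192.168.100.1</target><local-port>80</local-port>
  </rule>
  <rule>
    <interface>wan</interface><protocol>tcp</protocol>
    <source><address>203.0.113.10</address></source>
    <destination><network>wanip</network><port>8443</port></destination>
    <target>192.168.1.20</target><local-port>443</local-port>
  </rule>
</nat></pfsense>
"""

MODEM_NET = ipaddress.ip_network("192.168.100.0/24")  # modem subnet from the thread


def exposed_modem_forwards(config_xml, modem_net=MODEM_NET):
    """Return (wan_port, target, local_port, any_source) for each enabled WAN
    port forward whose target sits in the modem management subnet."""
    findings = []
    for rule in ET.fromstring(config_xml).findall("./nat/rule"):
        if rule.findtext("interface") != "wan" or rule.find("disabled") is not None:
            continue
        try:
            target = ipaddress.ip_address(rule.findtext("target", "").strip())
        except ValueError:
            continue  # target is an alias or empty; aliases need separate resolution
        if target in modem_net:
            any_source = rule.find("source/any") is not None
            findings.append((rule.findtext("destination/port"), str(target),
                             rule.findtext("local-port"), any_source))
    return findings


if __name__ == "__main__":
    for wan_port, target, local_port, any_source in exposed_modem_forwards(SAMPLE_CONFIG):
        scope = "ANY source" if any_source else "restricted source"
        print(f"WAN:{wan_port} -> {target}:{local_port} ({scope})")
```

A finding with an unrestricted source is the case the VPN suggestion avoids: the modem's HTTP interface answers on the public address.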



  • @pwood999:

    A better solution would be to do what I do and use a VPN into your pfSense, and then access the Surfboard from there.  Otherwise you are exposing your modem management port to the world.

    You're right. But if you see Motorola's Surfboard WebGui you'll see that there are no settings to modify, it's all stats.



  • If I remember correctly, the 192.168.100.1 on SB Modem is used when the device is in bridge mode, and has both status info and a login for management?