Accessing a private ip admin interface of the gateway pfsense is connected to



  • pfsense lan: 10.0.0.1 (10.0.0.0/24)
    pfsense wan: public_ip_1

    gateway: has a public_ip_2, and also 10.0.1.1 (its admin interface)

    I want to be able to access 10.0.1.1 from the pfsense LAN. It works if I hook up a PC directly to the gateway (giving it public_ip_1). But pfsense is blocking it. Unchecking "Block private networks" on the pfsense WAN interface does not help.

    Thanks



  • @bughit:

    But pfsense is blocking it.

    Why do you think so?
    By default pfSense allows access to any destination on LAN. If you haven't changed the LAN rules it shouldn't be blocked.

    However, maybe it's misrouted. When you try to access 10.0.1.1 pfSense will send the packets to the default gateway IP. Maybe that causes the gateway to not respond.
    As a workaround assign an IP of the subnet of 10.0.1.1 to the WAN interface as an IP Alias (Firewall > Virtual IPs).



  • @viragomann:

    @bughit:

    But pfsense is blocking it.

    Why do you think so?
    By default pfSense allows access to any destination on LAN. If you haven't changed the LAN rules it shouldn't be blocked.

    However, maybe it's misrouted. When you try to access 10.0.1.1 pfSense will send the packets to the default gateway IP. Maybe that causes the gateway to not respond.
    As a workaround assign an IP of the subnet of 10.0.1.1 to the WAN interface as an IP Alias (Firewall > Virtual IPs).

    I mentioned that when I connect directly to the gateway, I can access 10.0.1.1, so the gateway does respond and the connected pc interface has no ip aliases, just the same public ip as pfsense's WAN. I haven't dug into the logs yet, but it seems clear that pfsense is somehow blocking to/from 10.0.1.1.



  • @bughit:

    @viragomann:

    @bughit:

    But pfsense is blocking it.

    Why do you think so?
    By default pfSense allows access to any destination on LAN. If you haven't changed the LAN rules it shouldn't be blocked.

    However, maybe it's misrouted. When you try to access 10.0.1.1 pfSense will send the packets to the default gateway IP. Maybe that causes the gateway to not respond.
    As a workaround assign an IP of the subnet of 10.0.1.1 to the WAN interface as an IP Alias (Firewall > Virtual IPs).

    I mentioned that when I connect directly to the gateway, I can access 10.0.1.1, so the gateway does respond and the connected pc interface has no ip aliases, just the same public ip as pfsense's WAN. I haven't dug into the logs yet, but it seems clear that pfsense is somehow blocking to/from 10.0.1.1.

    You say you can connect when directly connected.  Where are you connected when it fails?  If on the WAN side, that's to be expected, as that address is not allowed in or out of any firewall/router.



  • @JKnott:

    You say you can connect when directly connected.  Where are you connected when it fails?  If on the WAN side, that's to be expected, as that address is not allowed in or out of any firewall/router.

    In the first post I mentioned that I want to be able to access 10.0.1.1 from the pfsense LAN, which is not working.

    Also creating an alias (10.0.1.2/24) did not help.


  • Banned

    The GW (huh, that's normally pfSense) most certainly should NOT have IP in your LAN subnet! Move your LAN elsewhere. Or move the GW's LAN elsewhere. Also see https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall


  • LAYER 8 Global Moderator

    "gateway: has a public_ip_2, and also 10.0.1.1 (its admin interface)"

    What device is this gateway?? When you say you directly connect your PC, are you talking about a different port on this device than what pfsense was connected to? Please give make and model of this "gateway"

    That you say the gateway has public_ip_2 seems unlikely?? So you have a routed public network that you're using as transit between this device and pfsense wan??



  • @johnpoz:

    "gateway: has a public_ip_2, and also 10.0.1.1 (its admin interface)"

    What device is this gateway??

    It's a comcast business gateway, in "router" mode (not nat, not bridge). This mode (since bridging only works for dhcp dynamic ips, found experimentally and confirmed by comcast support) is specifically for putting your purchased static IPs directly on the internet. The gateway ui seems to confirm it: it shows that nat is off, firewall is off and bridging is off.

    @johnpoz:

    When you say you directly connect your PC, are you talking about a different port on this device than what pfsense was connected to?

    No, same port, in place of pfsense, giving the pc interface the same static public ip as pfsense wan (public_ip_1).

    @johnpoz:

    Please give make and model of this "gateway"

    Don't have that at the moment.

    @johnpoz:

    That you say the gateway has public_ip_2 seems unlikely?? So you have a routed public network that you're using as transit between this device and pfsense wan??

    If you NAT through it, public_ip_2 becomes your public ip, but if you want to use your own gateway with your static ip (public_ip_1), you can turn off nat and firewall and it just does plain routing (presumably); public_ip_2 becomes the second hop on a traceroute. I don't know exactly how they implement this, presumably there are still two interfaces and it routes between them.

    One other detail: I can ping and traceroute the comcast gateway admin ip (10.0.1.1) from pfsense LAN even when "Block private networks" is checked, yet can't tcp (browse) to it. Either it refuses to NAT to private IPs or the firewall is blocking it.


  • LAYER 8 Global Moderator

    We have a comcast business gateway at work.. And if you want to nat and access the "gateway" device interface you plug into a different port on the device.. When I go back to work on tuesday I can verify.. But when you're connected to a port that gives you a public IP you can not access the "gateways" admin interface..

    Please post up the devices make and model..



  • @johnpoz:

    But when you're connected to a port that gives you a public IP you can not access the "gateways" admin interface..

    Telling me something is impossible after I told you I've done it is not helpful.

    Here's another detail: if I configure a virtual ip alias on WAN (10.0.1.2/24), I can nc and curl the 10.0.1.1 admin interface from the pfsense box.


  • LAYER 8 Global Moderator

    Dude I am just trying to help and explaining from experience these business devices that I have direct experience with.. But you seem unwilling to even give the make and model of your device or explain what you mean by

    "gateway: has a public_ip_2, and also 10.0.1.1 (its admin interface)"

    If you're saying this 10.0.1.1 is on the same Layer 2 as your pfsense wan public IP.. Then you can for sure access it with a simple vip on this pfsense interface and doing your outbound nat correctly. Per the instructions on how to access "modem" dok linked to..



  • @johnpoz:

    Dude I am just trying to help and explaining from experience these business devices that I have direct experience with.. But you seem unwilling to even give the make and model of your device or explain what you mean by

    "gateway: has a public_ip_2, and also 10.0.1.1 (its admin interface)"

    If you're saying this 10.0.1.1 is on the same Layer 2 as your pfsense wan public IP.. Then you can for sure access it with a simple vip on this pfsense interface and doing your outbound nat correctly. Per the instructions on how to access "modem" dok linked to..

    What is the significance of the comcast device model when I already confirmed that I can curl its admin page from the pfsense box?  If it won't let me access it from the LAN, the issue is clearly in the routing or NAT or firewall of pfsense.

    As for public_ip_2, and also 10.0.1.1, the expanded explanation is here:

    https://forum.pfsense.org/index.php?topic=136052.msg745052#msg745052

    What about it is unclear?



  • @doktornotor:

    The GW (huh, that's normally pfSense) most certainly should NOT have IP in your LAN subnet! Move your LAN elsewhere. Or move the GW's LAN elsewhere. Also see https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall

    That doc provided a clue. So, bottom line, I had to A) create an IP alias and B) create an outbound NAT rule to NAT through that alias.


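The two steps in the post above, written out as the pf rules the pfSense GUI settings amount to. This is an added example, not taken from the thread or from the pfSense project: the LAN subnet 10.0.0.0/24, the gateway admin address 10.0.1.1 and the 10.0.1.2/24 alias are the thread's; the interface names em0 (WAN) and em1 (LAN) and the single admin workstation 10.0.0.10 are assumptions.

```pf
# Added example (not from the thread or pfSense): pf.conf-style equivalent of
# the fix. Interface names em0/em1 and the admin host 10.0.0.10 are assumed.
wan_if    = "em0"            # assumed pfSense WAN interface
lan_if    = "em1"            # assumed pfSense LAN interface
lan_net   = "10.0.0.0/24"    # pfSense LAN, from the thread
gw_admin  = "10.0.1.1"       # gateway's private admin interface, from the thread
wan_alias = "10.0.1.2"       # IP Alias VIP added to WAN (Firewall > Virtual IPs)
admin_pc  = "10.0.0.10"      # assumed: the one LAN host allowed to manage the gateway

# Step A: the IP Alias VIP is, on the FreeBSD side, just a second address on WAN:
#   ifconfig em0 inet 10.0.1.2 netmask 255.255.255.0 alias
# Because 10.0.1.2 lives in the gateway's own subnet, the gateway can answer it
# directly on the link instead of needing a route for 10.0.0.0/24.

# Step B: outbound NAT (Firewall > NAT > Outbound, hybrid or manual mode).
# pf NAT rules are first-match, so the specific rule must sit above the general one.
# Scope it to the single admin address: only that traffic gets the alias as source.
nat on $wan_if inet from $lan_net to $gw_admin -> $wan_alias

# The rule pfSense generates automatically for everything else stays below it.
nat on $wan_if inet from $lan_net to any -> ($wan_if) port 1024:65535

# Optional least-privilege LAN rules. pfSense's LAN default is "allow all", so
# without these every LAN host can reach the gateway's management UI.
pass  in quick on $lan_if inet proto tcp from $admin_pc to $gw_admin port { 80 443 }
block in quick on $lan_if inet from $lan_net to $gw_admin
```

To check the result on the pfSense box itself, `pfctl -s nat` lists the translation rules in the order pf evaluates them, and `pfctl -ss` shows the state entries; a working connection from the LAN appears there with 10.0.1.2 as the translated source and 10.0.1.1 as the destination. This also explains why toggling "Block private networks" made no difference: that option blocks new connections arriving on WAN from RFC1918 sources, while the gateway's replies match the state created by the outgoing LAN packet and never reach that rule.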