    Multi-WAN Access to Modem GUIs Difficulty

      A.Bursell

      Hello,

      Home setup. Intermediate User. Two 4G based modems. pfSense 2.4.0RC

      I have been using the basic pfSense setup with only minor tweaks, but for Multi-WAN I set it up essentially using https://www.tecmint.com/how-to-setup-failover-and-load-balancing-in-pfsense/ as a guide, though I did make minor changes like leaving the Block Private Networks checkbox enabled in the Interface pages.

      The actual workings of the network seem to be nearly flawless. Both WANs see activity and my intention was to have it function in a round-robin format with no preference, which it appears to do. I did set up fail-over, which is more of a nice-to-have thing, but for the minimal effort I think it is worth it. I have tested that by unplugging each modem and that also appears to function perfectly.

      My issue: I have difficulty getting to the GUIs on the modems. When I was in a single-WAN configuration I did not have any issues. With this setup, the pages will time out a majority of the time, though refreshing several times will bring them up, which is what really baffles me. I cannot seem to predict when they will work and when they won't. Once I have them up, they seem to function correctly. This leads me to believe there is some type of a routing issue.

      1- I thought possibly there was maybe a DNS issue and pfSense was confused because I hadn't originally assigned DNS servers to the interfaces, but doing that did not change anything.
      2- I unchecked the block private networks checkboxes from the interface pages, which I really thought would fix the issue, but that did not do anything either.
      3- I created firewall rules that specifically pass LAN traffic request for each WAN IP to each of the WAN IP addresses. This seems to allow for access to the modem GUIs 100% of the time since I have done this.

      My questions:

      1- Why am I having trouble getting to the modem GUI pages now when I did not as a single WAN?
      2- If this is common/normal, is a firewall rule the way to overcome it or is there a better way?
      3- If a firewall rule is the answer, can you please check my rule and make sure I have done it the correct/the best/most efficient/most secure way?

      Thanks,
      Adam
      ![WAN Firewall Rule.jpg](/public/imported_attachments/1/WAN Firewall Rule.jpg)
      ![Firewall Rules.jpg](/public/imported_attachments/1/Firewall Rules.jpg)

        johnpoz LAYER 8 Global Moderator

        So you're double natting these connections and your wan networks are 192.168.5 and 192.168.10

        Well, your rules look correct.  To let it out without being forced out your wan groups..  But in your rule you list network, but then give a host address. 192.168.5.1/24 is not a network - that is a host address.  A network address would be 192.168.5.0/24

        If you want to allow access to 192.168.5.1 then change your rule to be single host or address, not network.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          A.Bursell

          @johnpoz:

          So you're double natting these connections and your wan networks are 192.168.5 and 192.168.10

          Well, your rules look correct.  To let it out without being forced out your wan groups..  But in your rule you list network, but then give a host address. 192.168.5.1/24 is not a network - that is a host address.  A network address would be 192.168.5.0/24

          If you want to allow access to 192.168.5.1 then change your rule to be single host or address, not network.

          Wow- I completely missed the network vs. single host issue. pfSense was allowing access to the modems when the rule was set as network, but changing it to a single host still gives me the same results but is now correct, if not more secure at a minimum. Thank you for that.

          I actually believe I am triple-NATing at this point, as the 4G already has a built-in NAT with the provider, my current cell-modem setup is waiting on a firmware update to allow for bridge mode (NAT), and pfSense of course. Not ideal for sure, but everything is working correctly for me.

          I'm still left wondering if this is normal for this type of setup and why it would be the case. Why could I get to my modem when single WAN but multi-WAN I have difficulty?

          Adam

            johnpoz LAYER 8 Global Moderator

            How do you have this connected?  You have ethernet plugged into your wan and other physical interface directly right?

            There is no reason why you should have any issues with accessing either device on those addresses..  As long as you don't have some sort of asymmetrical setup.. So your setup like pic attached.  You don't have a network overlap with wrong mask.. They are all /24?

            You're not running all your different networks over a dumb switch?

            What does your routing table look like in pfsense?  You don't have any rules in floating pushing out a gateway do you?

            setup2wans.png

              A.Bursell

              @johnpoz:

              How do you have this connected?  You have ethernet plugged into your wan and other physical interface directly right?

              There is no reason why you should have any issues with accessing either device on those addresses..  As long as you don't have some sort of asymmetrical setup.. So your setup like pic attached.  You don't have a network overlap with wrong mask.. They are all /24?

              You're not running all your different networks over a dumb switch?

              What does your routing table look like in pfsense?  You don't have any rules in floating pushing out a gateway do you?

              I want to be clear that it all appears to be working correctly now (with the firewall rule change) and I am not having issues. But I am asking because I'm not sure it's "right" or if my setup should be different. I appreciate your help in either getting it set up right or helping me understand if this is right (I don't feel like it is but I can't tell why it's not right).

              Yes, everything is hardwired and looks just like the picture. I have 2 4G modems that are hardwired to a pfSense box (WAN and OPT1), and the LAN port on the pfSense box is connected to the WAN port on a Netgear wireless router running in AP mode. All clients are either connected by WiFi or hardwire to the Netgear router.

              No floating rules.

              I've never looked at the routing table before but I found it and am posting it below (I also selected to resolve names in case it makes it easier).

              Adam

              Routes.jpg

                johnpoz LAYER 8 Global Moderator

                " But I am asking because I'm not sure it's "right" or if my setup should be different."

                Oh I thought you were still having issues even after the firewall fix..

                "but changing it to a single host still gives me the same results"

                That sure sounds like you were still having problems..

                Your setup is correct.  You would allow access to whatever networks are attached to pfsense be it a "wan" sort of network or some other local network before you policy route and send traffic out a specific gateway or group, etc.  Because that gateway can not get to the other networks.  So your rule that does not set a gateway allows for the routing table to be used.

                  A.Bursell

                  Sorry for the miscommunication-

                  I meant that while I had the firewall rule pointing to a "network" and it worked, when I changed to a single host like you suggested, I still got the same positive results.

                  So yes, it appears to be working, and now I understand that it is correct.

                  For my own sake, can you explain why it works in single-WAN without an additional firewall rule but multi-WAN worked intermittently until I added the specific rule? It seems like pfSense should know how to get to the individual address even without additional help, just as it does in single-WAN. Is it because it has multiple gateways now and chooses them round-robin so it gets "lost" if it doesn't happen to be on the right one? (My working theory.)

                  Thanks again for your help.

                    johnpoz LAYER 8 Global Moderator

                    In single mode you're not pointing towards a gateway…  Or the only gateway you can go to is where you're trying to go..

                    If you were load balancing, and it tried to go out the wan2 wan when you're trying to talk to wan1 then not going to work is it ;)

                      A.Bursell

                      @johnpoz:

                      In single mode you're not pointing towards a gateway…  Or the only gateway you can go to is where you're trying to go..

                      If you were load balancing, and it tried to go out the wan2 wan when you're trying to talk to wan1 then not going to work is it ;)

                      Perfect, thank you. Appreciate the help!

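
Added example (not code from the thread or from pfSense): a simplified Python model of what johnpoz describes above, first-match LAN rules where a rule that sets a gateway group bypasses the routing table, plus the host-versus-network scope of the bypass rule. The LAN subnet, the second modem's address 192.168.10.1, the interface names and the strict alternation between the two gateways are assumptions.

```python
import ipaddress
from itertools import cycle

# Constructed topology: the two WAN subnets are from the thread; the LAN
# subnet and interface-to-subnet mapping are assumptions for illustration.
CONNECTED = {
    "WAN":  ipaddress.ip_network("192.168.5.0/24"),
    "OPT1": ipaddress.ip_network("192.168.10.0/24"),
    "LAN":  ipaddress.ip_network("192.168.1.0/24"),
}
GROUP = ["WAN", "OPT1"]   # load-balancing group, modelled as strict alternation


def rule(dst, gateway=None):
    """LAN pass rule. strict=False masks the host bits, so 192.168.5.1/24
    is stored as the network it really matches: 192.168.5.0/24."""
    return {"dst": ipaddress.ip_network(dst, strict=False), "gateway": gateway}


def egress(rules, dst, rr):
    """Interface a new LAN connection to dst leaves on (None = no rule matched)."""
    addr = ipaddress.ip_address(dst)
    for r in rules:                        # top-down, first match wins
        if addr in r["dst"]:
            if r["gateway"]:               # policy routing: routing table is skipped
                return next(rr)
            # No gateway on the rule: ordinary routing table lookup.
            return next((i for i, n in CONNECTED.items() if addr in n), "default")
    return None


def reachable(rules, dst, attempts=10):
    """How many of `attempts` connections leave on the interface dst is attached to."""
    rr = cycle(GROUP)
    addr = ipaddress.ip_address(dst)
    right = next(i for i, n in CONNECTED.items() if addr in n)
    return sum(egress(rules, dst, rr) == right for _ in range(attempts))


BALANCE_ONLY = [rule("0.0.0.0/0", gateway="group")]           # before the fix
HOST_AS_NET = [rule("192.168.5.1/24")] + BALANCE_ONLY         # first attempt at the rule
WITH_BYPASS = [rule("192.168.5.1/32"), rule("192.168.10.1/32")] + BALANCE_ONLY

if __name__ == "__main__":
    for name, rs in [("balance only", BALANCE_ONLY), ("host as net", HOST_AS_NET),
                     ("single host", WITH_BYPASS)]:
        print(name, {d: reachable(rs, d) for d in ("192.168.5.1", "192.168.5.77")})
```

With only the balancing rule, half the attempts to a modem GUI leave through the other WAN, which matches the intermittent timeouts reported; the `/24` form of the bypass rule also exempts every other address on the modem's subnet from the gateway group, while the single-host form exempts only the GUI address.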