    Pfsense with 2 modems as multiwan : cannot access webGUI of the secondary modem

    • T
      trap16 last edited by

      Hello,

      I actually have only basic knowledge of routing and setting up networks; I would like some hints on the following and some way to sort it out.

      Currently my home network is under 10.x.x.x (LAN) on a pfsense router.
      I own 2 router modems:
          - a box for the fiber connection, plugged into WAN1; its address is 192.168.1.1, and the pfsense WAN1 interface is set to 192.168.1.100
          - a modem for the 4G connection, plugged into WAN2; its address is 192.168.5.1, and the pfsense WAN2 interface is set to 192.168.5.100

      I have set my pfsense router up as multiwan. I followed some tutorials for multiwan and set a gateway group with tier1 for fiber and tier2 for 4G; the aim is to have failover on 4G (I have a limited traffic volume on it) and fiber as the main gateway.
      This seems to work.

      But.

      I noticed that I can get to my fiber modem webpage without issue with http://192.168.1.1 or http://192.168.1.100
      while it is impossible to get to my 4G modem webpage (with http://192.168.5.1) when all my modems are up.

      My understanding is that when the fiber modem is up, the traffic to 192.168.5.1 is routed to the fiber modem (which sounds logical), while I want it to go to the 4G modem when I target the 192.168.5.x network.

      Is there any way to define a rule somewhere (firewall, route?) to say that when I open a browser on http://192.168.5.1 I want to go to the 4G modem?

      Best regards
      Olivier

      • jahonix
        jahonix last edited by

        Create a firewall rule with destination 192.168.5.1 and use the 4G modem as gateway, maybe?
        The rule has to be on the LAN interface (or wherever you're coming from) and the order of rules should be verified.

        • T
          trap16 last edited by

          Thanks for your reply.

          I added the rule in my firewall but it did not change the behaviour.

          I found out how to capture packets using diag and wireshark, and found that the packets seem to be going to the correct gateway, but I do not see any reply, only TCP retransmissions (I guess this is because I don't get a reply from the modem).

          1. capture on my 4G wan + browser opened to 192.168.5.1 (to be clear, the modem has static IP 192.168.5.1 - the Netgear LB1110 default IP - and my pfsense router interface has IP 192.168.5.100 on the gateway targeting that modem)

          I guess this means the routing is correct but for some reason my 4G modem does not want to reply …

          • jahonix
            jahonix last edited by

            Can you ping the modem's address?

            • T
              trap16 last edited by

              Hello,

              I did some more testing, which raised more questions … I added some screenshots to give a friendlier view of the problem.

              To answer your question, I can't ping my 4G modem from the LAN but I can ping it from the pfsense box.

              I also did some testing on my other modem (WAN1, the fiber modem-router) and found I can ping it from everywhere (LAN + pfsense box).
              Strangely, I have a device plugged into the subnet of this modem (a TV decoder) that I can't ping from the LAN and can ping from the pfsense box.

              See below:

              Windows from left to right, from:

              1. pfsense
              2. a LAN computer, running Ubuntu
              3. another LAN computer, running Windows

              Tests done: ping 192.168.5.1 (the 4G modem LB1110) = OK/KO/KO, ping 192.168.1.1 (the fiber modem-router) = OK/OK/OK, ping 192.168.1.10 (the TV receiver) = OK/KO/KO
              Trying to access the web GUI leads to the same results as ping.

              I would understand a 100% failure of my tests from the LAN (or a 100% success) but not this. Does it mean the difference can be explained by the modem settings (so no issue is coming from my pfsense settings)?

              Thanks a lot.


              • T
                trap16 last edited by

                Another test today: I tried to check why pfsense can ping the TV receiver and why a computer on the LAN cannot …

                I used diagnostics on the WAN1 interface to capture the packets for 192.168.1.10 and found that when I'm pinging from:

                • the pfsense box (192.168.1.100): the destination MAC is the MAC address of the TV receiver (the ping works in this case)
                • a computer on the LAN (10.0.2.1): the destination MAC is the MAC address of the fiber modem-router (and I get no reply)

                • T
                  trap16 last edited by

                  I sorted out half of the issue, it was due to bad settings.

                  • I removed the gateway from the WAN1 (to fiber modem) and WAN2 (to 4G modem) interface
                  • I added several LAN firewall rules to pass :
                      1) LAN net to WAN1 net with no gateway
                      2) LAN net to WAN2 net with no gateway
                      3) LAN net to any with my failover gateway group (192.168.1.1 tier 1 and 192.168.5.1 tier 2)

                  And now I can ping and access the tv receiver (192.168.1.10) from my LAN

                  So I can now ping correctly my fiber box modem, my tv receiver from my LAN, but the 4G modem is still failing (can access it from a shell on pfsense but not from my LAN)

                  • R
                    riccio99 last edited by

                    Hi, I had a similar problem with another firewall (Dlink).

                    I added a protocol binding rule:
                    Service: HTTP
                    Local Gateway: the WAN of the 4G modem
                    Source Networks: Any
                    Destination network: IP address of the WAN port of the 4G modem.

                    I hope it helps you

                    • T
                      t__2 last edited by

                      Have almost the exact situation as this. The only difference is that my internal LAN is 192.168.1.1/24 and the address pfSense is using for the Netgear LB1120 4G modem is 192.168.5.2 (gateway 192.168.5.1).
                      Failover to the 4G modem works great if my primary FIOS gateway goes down for whatever reason.
                      I, like the original poster, cannot get to the 4G modem configuration web page from a computer on my LAN. I can ping the default web page address @ 192.168.5.1 and that works just fine. I have read all the posts I can find on this, starting with the common one https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall. That and others I found are either not exactly the same situation or are not specific enough instructions for a noob like me to translate the shorthand used into actual settings in pfSense. Using the latest 2.4.2_1 version, by the way.

                      Any help would be appreciated.

                      • Derelict
                        Derelict LAYER 8 Netgate last edited by

                        Is the 4G modem webgui address the same address as the default gateway on that interface when it's up? Is it in the same subnet as the default gateway on that interface?

                        Chattanooga, Tennessee, USA
                        The pfSense Book is free of charge!
                        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        • T
                          t__2 last edited by

                          Attached is what my Dashboard says . . .
                          Let me know if that is not the info you want.


                          • T
                            t__2 last edited by

                            Yes the default 4G modem web page is at 192.168.5.1. Same as the Gateway.

                            • Derelict
                              Derelict LAYER 8 Netgate last edited by

                              Hmm. Seems like that should work. Do you have good outbound NAT on the WAN_CELL interface? If connections to 192.168.5.1 are source-NAT to 192.168.5.2 and it isn't working the next thing to look at would probably be a packet capture on that interface filtered on 192.168.5.1 during a connection attempt.

                              • T
                                t__2 last edited by

                                Sorry for my ignorance, but how do I tell if I "have good outbound NAT on the WAN_CELL interface"? I have not set up any special NAT, routing, or firewall rules to make this work yet. Mostly because I don't know what I am doing. The instructions I find searching Google are too generic, like "create a new outbound NAT rule". Until I have done a few of them I will need detailed instructions on how to do things like that in the pfSense settings.

                                On a computer on the LAN when I put 192.168.5.2 in the browser URL field I get the pfSense box log in page. If I put 192.168.5.1 I eventually get "Problem loading page" and "The connection has timed out" warnings.

                                • Derelict
                                  Derelict LAYER 8 Netgate last edited by

                                  Then just post a screenshot of your outbound NAT.

                                  And having a LAN subnet of 10.0.0.0/8 is going to cause you nothing but grief. Why did you choose to do that?

                                  • T
                                    t__2 last edited by

                                    Here is my Firewall/NAT/Outbound page. (If that is what you were asking for.)

                                    By the way I think you are getting postings from trap16 mixed up with mine. I don't have the 10.0.0.0/8 deal. Maybe I should have started a different thread but I have the same problem as trap16. Just a slightly different set up.

                                    In my setup I think the 10.3.201.0/24 network rules in the Firewall were automatically set up when I tried to configure OpenVpn. I have deleted my attempts to set it up for now so if you think I should delete those rules let me know.


                                    • Derelict
                                      Derelict LAYER 8 Netgate last edited by

                                      Yeah, you're right. I was confused. Your NAT rules look fine.

                                      So what you want to do is start a packet capture on WAN_CELL for all traffic for host 192.168.5.1 then try to connect to the modem then stop the capture.

                                      It would probably be best if you attached the capture since MAC addresses might be important. Or at least set the detail to Full, View Capture again and post that.

                                      • T
                                        t__2 last edited by

                                        Are these the settings you want me to try for packet capture?

                                        How long do I run the capture? Until the browser times out?


                                        • T
                                          t__2 last edited by

                                          Here is the capture with the settings I posted. Ran it until the browser timed out.

                                          pfSense_capture.txt

                                          • Derelict
                                            Derelict LAYER 8 Netgate last edited by

                                            Your modem is not accepting the ARP Reply for whatever reason. You'll need to ask them. pfSense is doing everything it is supposed to there.

                                            11:31:58.374001 0a:40:06:d2:5d:5d > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.5.2 tell 192.168.5.1, length 46
                                            11:31:58.374014 00:08:a2:0b:8e:0e > 0a:40:06:d2:5d:5d, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 192.168.5.2 is-at 00:08:a2:0b:8e:0e, length 28
                                            11:32:14.614066 0a:40:06:d2:5d:5d > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.5.2 tell 192.168.5.1, length 46
                                            11:32:14.614083 00:08:a2:0b:8e:0e > 0a:40:06:d2:5d:5d, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 192.168.5.2 is-at 00:08:a2:0b:8e:0e, length 28

                                            and on and on.

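The pattern pointed out in the capture above (192.168.5.1 keeps broadcasting who-has for 192.168.5.2 although a unicast reply goes back each time) can be checked mechanically. The Python below is an added example, not part of the original thread: it parses `tcpdump -e` ARP lines and reports requesters that ask again after a reply was already sent to them. The function names and the 1-second reply window are assumptions.

```python
import re

# The four ARP lines quoted in the post above (tcpdump -e output).
CAPTURE = """\
11:31:58.374001 0a:40:06:d2:5d:5d > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.5.2 tell 192.168.5.1, length 46
11:31:58.374014 00:08:a2:0b:8e:0e > 0a:40:06:d2:5d:5d, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 192.168.5.2 is-at 00:08:a2:0b:8e:0e, length 28
11:32:14.614066 0a:40:06:d2:5d:5d > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.5.2 tell 192.168.5.1, length 46
11:32:14.614083 00:08:a2:0b:8e:0e > 0a:40:06:d2:5d:5d, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 192.168.5.2 is-at 00:08:a2:0b:8e:0e, length 28
"""

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
LINE = re.compile(
    rf"^(?P<h>\d+):(?P<m>\d+):(?P<s>\d+\.\d+) (?P<src>{MAC}) > (?P<dst>{MAC}), "
    r"ethertype ARP .*?(?:Request who-has (?P<target>[\d.]+) tell (?P<asker>[\d.]+)"
    rf"|Reply (?P<owner>[\d.]+) is-at (?P<mac>{MAC}))"
)


def parse(capture):
    """Turn tcpdump -e ARP lines into a list of request/reply events."""
    events = []
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an ARP line in the expected format
        ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        kind = "request" if m["target"] else "reply"
        events.append({"ts": ts, "kind": kind, "src": m["src"], "dst": m["dst"],
                       "ip": m["target"] or m["owner"]})
    return events


def ignored_replies(events, window=1.0):
    """Map (requester MAC, requested IP) -> repeat count and smallest gap (s)
    for requesters that asked again after a unicast reply was sent to them."""
    pending, answered, last_req, out = {}, set(), {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "request":
            key = (ev["src"], ev["ip"])
            if key in answered:  # it was already told, yet it asks again
                gap = ev["ts"] - last_req[key]
                rec = out.setdefault(key, {"repeats": 0, "min_gap": gap})
                rec["repeats"] += 1
                rec["min_gap"] = min(rec["min_gap"], gap)
            pending[key] = last_req[key] = ev["ts"]
        else:
            key = (ev["dst"], ev["ip"])  # reply is unicast to the requester
            if key in pending and ev["ts"] - pending[key] <= window:
                answered.add(key)
    return out


if __name__ == "__main__":
    for (mac, ip), rec in ignored_replies(parse(CAPTURE)).items():
        print(f"{mac} re-requested {ip} {rec['repeats']}x after a reply, "
              f"shortest gap {rec['min_gap']:.3f}s")
```

An ordinary ARP cache refresh also counts as a repeat here, so read the result together with the gap and with whether traffic towards the requester is actually failing.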
                                            • T
                                              t__2 last edited by

                                              Thanks Derelict for your help on this.

                                              Tell me this: why, if I unplug the 4G modem from our pfSense box and plug it into a computer, can I get the configuration web page at 192.168.5.1? No changes at all to the modem are required to do this. I did not even power down or reset the modem. Does that mean my Linux computer talks to the modem differently than the pfSense box does?

                                              • Derelict
                                                Derelict LAYER 8 Netgate last edited by

                                                No idea. Would need to see a PCAP from that computer port in that situation to see what is different.

                                                Does that mean my Linux computer talks to the modem differently than the pfSense box does?

                                                ARP is ARP.

                                                • T
                                                  t__2 last edited by

                                                  OK I did a tcpdump with the Linux machine connected directly to the 4G modem. Started it then went to 192.186.5.1 and stopped it as soon as the log in page for the modem came up. Not sure I was doing it correctly but here it is.

                                                  pfSense_tcpdump.txt

                                                  • Derelict
                                                    Derelict LAYER 8 Netgate last edited by

                                                    Yeah, that doesn't even try to ARP - it seems to have already accepted that MAC address into its ARP table based on received traffic (as it should).

                                                    You are going to have to ask the modem manufacturer/provider why it refuses to acknowledge the ARP Reply the WAN port is sending.

                                                    Sorry. It's really as simple as that. pfSense is doing nothing wrong.

                                                    • T
                                                      t__2 last edited by

                                                      I have some questions.

                                                      What does not even try ARP? The modem or my Linux computer tied to the modem?

                                                      What has already accepted what MAC address into its ARP table?

                                                      I am just wondering if, either in the modem or in pfSense, we can put the MAC in manually to get this to work.

                                                      Sorry if these are dumb questions but I am new to all this.

                                                      • Derelict
                                                        Derelict LAYER 8 Netgate last edited by

                                                        Christ, man.

                                                        The modem doesn't try ARP because it has accepted the MAC address for that computer based on other traffic.

                                                        Or at least the ARP was not included in your capture.

                                                        You MIGHT be able to make it work by spoofing the MAC address on the WAN but I would CALL THE ISP AND MAKE THEM FIX IT PROPERLY.

                                                        Why are people so reluctant to call the people they are actually PAYING?!?

                                                        (Please tell me you have rebooted the modem.)

                                                        • T
                                                          t__2 last edited by

                                                          Derelict, while I am flattered that you refer to me as a famous historical figure, I can claim no such celebrity.

                                                          Anyway, so you answered my questions. It is the 4G modem that would have to have the computer's MAC preapproved, so to speak, so it would work. Unfortunately the modem interface has no way to manually set that. As you said, I may be able to have pfSense spoof the computer's MAC address, but either way that would limit which computer on my LAN I could access the web page from.

                                                          Sorry to frustrate you on this but the ISP (Ting) is no help on this as they did not supply the modem. It's not their recommended device. On top of that Netgear has about the worst support policies on the planet. They often take several months just to start looking at a support ticket.

                                                          Anyway thanks again for all the help.

                                                          • Derelict
                                                            Derelict LAYER 8 Netgate last edited by

                                                            So you're rolling your own and this is what you get.

                                                            • B
                                                              bavcon22 @trap16 last edited by

                                                              @trap16 it worked for me.
