Netgate Discussion Forum

    [SOLVED] webConfigurator accessible via WAN IP address, not LAN

    bclothier

      I am hoping that someone can help me with an installation issue.

      pfSense will not allow me to access the webConfigurator using the IP address of the LAN interface.  Instead, pfSense requires me to use the IP address of the WAN interface (but through the LAN interface).  I would like access to the webConfigurator using the IP address of the LAN interface.

      My installation is new and uses the latest pfSense version (2.4.3).  Virtually all of the settings are default, with the sole exception of those required to get the WAN and LAN interfaces up and running.  My setup is as follows:

      <internet> --- [AT&T Gateway] --- [pfSense Box] --- [UniFi Security Gateway Pro] --- <my network>

      The AT&T Gateway is in “DMZPlus” mode, which I believe is an IP pass-through mode.  Going from left to right:

      • The WAN interface of the pfSense box has the same IP address as otherwise would be (or is) assigned to the WAN interface of the AT&T Gateway.
      • The LAN interface of the pfSense box has a static IP address of 10.0.0.1.  pfSense is set to enable the DHCP server on the LAN interface.  The subnet is 10.0.0.0/24 and has a range of 10.0.0.2 – 10.0.0.254.
      • The WAN interface of the UniFi Security Gateway Pro is set to DHCP mode and has an IP address of 10.0.0.2.
      • The LAN interface of the UniFi Security Gateway Pro has an IP address of 10.0.1.1 and serves IP addresses from a DHCP subnet of 10.0.1.0/16.

      Clients downstream of the UniFi Security Gateway Pro have no problems with Internet access, latency, or throughput.  I can also access the web-based console of the AT&T Gateway with no problems.  However, my attempts to ping either 10.0.0.1 or 10.0.0.2 fail (i.e., all pings time out).

      Gertjan

        Hi,

        @bclothier:

        • The WAN interface of the pfSense box has the same IP address as otherwise would be (or is) assigned to the WAN interface of the AT&T Gateway.

        Same as what ?

        Btw : remove [UniFi Security Gateway Pro] - connect your PC directly to pfSense LAN and check that it obtains an IP between 10.0.0.2 – 10.0.0.254.
        The GUI access will be fine.
        Draw your conclusions  ;)

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        johnpoz LAYER 8 Global Moderator

          What are you hoping to accomplish here?  I can see no reason for such a setup.. Use either the unifi or pfsense..

          So you have a 2wire/Pace gateway from ATT?  If so dmzplus is not ip passthru - it's just a dmz host, ie all ports forwarded to this IP.  It's a NAT.. So in your case you're running triple nat… Even if pfsense got public you're still double natting?  Unless you turned off natting on your unifi?

          Why?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          bclothier

            @Gertjan

            Same as what ?

            Same as the WAN IP address normally assigned to the AT&T residential gateway by AT&T.

            The AT&T residential gateway receives a WAN IP address from an enterprise gateway somewhere within AT&T’s networking infrastructure.  This WAN IP address is not the same as the IP addresses assigned to clients connected to the AT&T Gateway.  Those clients receive LAN IP addresses via DHCP from a default DHCP pool (e.g., 192.168.1.0/24).

            As shown in the diagram above, the only “client” connected to my AT&T residential gateway is my pfSense box.  The AT&T residential gateway operates this connection in “DMZPlus” mode.  In this mode, the WAN IP address of the AT&T residential gateway is the same as the IP address assigned to the WAN port of the pfSense box.  I presume that AT&T residential gateway is operating in some sort of pass-through mode.

            Btw : remove [UniFi Security Gateway Pro] - connect your PC directly to pfSense LAN
            and check that it obtains a IP between 10.0.0.2 – 10.0.0.254.  The GUI access will be fine.

            I conducted this test before formally integrating the pfSense box into my network.  However, your suggestion still has merit.  The USG Pro was unplugged from the LAN port of the pfSense box, and in its place, a laptop was plugged in.  The webConfigurator login screen popped when pointing my web browser to 10.0.0.1.

            Draw your conclusions ;)

            I did.  I logged into the UniFi controller (which effectively programs the USG Pro).  There I discovered the problem.  The USG Pro was set up to assign addresses from the DHCP pool of 10.0.0.1/16 (i.e., 10.0.0.1 – 10.0.255.254).  This pool overlaps with the DHCP pool used by the LAN port of pfSense, i.e., 10.0.0.1/24.  So I had inadvertently instructed the USG Pro to assign an IP address to its own WAN port (i.e., 10.0.0.2) that is reserved for use in the LAN.

            I switched to 172.16.0.1/8 for the connections between my pfSense box and my USG Pro.  The former was changed from 10.0.0.1 to 172.16.0.1 and the latter from 10.0.0.2 to 176.16.0.2.  Problem solved.  I can now access the webConfigurator using the IP address of the LAN interface.

            bclothier
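The overlap bclothier found above (the USG Pro's 10.0.0.0/16 DHCP pool swallowing the pfSense LAN 10.0.0.0/24 and both transit addresses) is easy to catch before deploying. The following checker is an added example, not code from the thread or from pfSense/UniFi; the "fixed" configuration assumes a 172.16.0.0/24 transit link between pfSense and the USG Pro, since the post's exact prefix length is not given.

```python
import ipaddress

# Constructed from the thread: interface address plus the prefix of the
# network that interface serves (for usg_lan, the /16 DHCP pool).
ORIGINAL = {
    "pfsense_lan": "10.0.0.1/24",  # pfSense LAN interface and its DHCP scope
    "usg_wan": "10.0.0.2/24",      # USG Pro WAN, leased from pfSense
    "usg_lan": "10.0.1.1/16",      # USG Pro LAN interface / DHCP pool
}

# Assumed corrected layout: transit moved to a private /24 that cannot
# overlap the downstream 10.0.0.0/16 pool.
FIXED = {
    "pfsense_lan": "172.16.0.1/24",
    "usg_wan": "172.16.0.2/24",
    "usg_lan": "10.0.1.1/16",
}


def find_conflicts(cfg):
    """Return a list of conflict descriptions (empty list means clean).

    Check 1: two different interface networks must never overlap.
    Check 2: neither transit address (pfSense LAN, USG WAN) may lie inside
             the downstream DHCP pool, or the USG could hand its own
             upstream addresses to clients.
    """
    ifaces = {name: ipaddress.ip_interface(addr) for name, addr in cfg.items()}
    problems = []
    names = list(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            na, nb = ifaces[a].network, ifaces[b].network
            # Same network on both ends of one link is expected; skip it.
            if na != nb and na.overlaps(nb):
                problems.append(f"{a} {na} overlaps {b} {nb}")
    pool = ifaces["usg_lan"].network
    for name in ("pfsense_lan", "usg_wan"):
        ip = ifaces[name].ip
        if ip in pool:
            problems.append(f"{name} address {ip} lies inside usg_lan pool {pool}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, find_conflicts(cfg) or "no conflicts")
```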

              @johnpoz

              What are you hoping to accomplish here?  I can see no reason for
              such a setup.. Use either the unifi or pfsense..

              The UniFi Security Gateway Pro serves as a router for a 48-port Unifi Switch, an 8-port PoE UniFi switch, and three UniFi HD access points. The UniFi controller software allows me to manage this equipment in ways simply not possible with pfSense, especially in regards to the wireless portion.

              The pfSense box serves as an edge firewall for my network.  I am in the process of setting up Suricata for IPS/IDS functionality.  I will also set up webfiltering when I am finished with Suricata.  I think that you will agree that pfSense is far more capable than the UniFi software in providing security functionality.

              So to answer your question:  The UniFi Security Gateway Pro is my router, while pfSense is my firewall.  I am using each in the role it's best suited for in my network.

              So you have a 2wire/Pace gateway from ATT?

              My AT&T residential gateway is a Pace 5268.

              If so dmzplus is not ip passthru - its just a dmz host, ie all ports
              forwarded to this IP.  Is a nat.. So in your case your running triple
              nat… Even if pfsense got public your still double natting?  Unless
              you turned off natting on your unifi?

              Why?

              In “DMZplus” mode, the Pace 5268 assigns its public IP address directly to the pfSense box.  The pfSense box is not assigned a private address (e.g., 192.168.0.0/16, 172.16.0.0/12, or 10.0.0.0/8).  I see no evidence of port forwarding on the Pace 5268.  Moreover, when I run traceroute in pfSense, the first IP address corresponds to a DHCP server in AT&T’s network.  The Pace 5268 does not appear in the traceroute.  So my configuration is double-NAT'ed, not triple-NAT'ed.

              As for being double NAT’ed, I have not experienced any changes in latency.  If anything, my latency has decreased slightly (as measured via ping).  But I am not reading much into that observation.  So while double NAT'ed configurations are generally undesirable, I am not seeing any problems with my setup.  I guess time will tell.

              Derelict LAYER 8 Netgate

                So while double NAT'ed configurations are generally undesirable, I am not seeing any problems with my setup.  I guess time will tell.

                If the USG is just a router / controller why not just disable NAT there?

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.