[SOLVED] webConfigurator accessible via WAN IP address, not LAN



  • I am hoping that someone can help me with an installation issue.

    pfSense will not allow me to access the webConfigurator using the IP address of the LAN interface.  Instead, pfSense requires me to use the IP address of the WAN interface (but through the LAN interface).  I would like access to the webConfigurator using the IP address of the LAN interface.

    My installation is new and uses the latest pfSense version (2.4.3).  Virtually all of the settings are default, with the sole exception of those required to get the WAN and LAN interfaces up and running.  My setup is as follows:

    <internet>–- [AT&T Gateway] –- [pfSense Box] –- [UniFi Security Gateway Pro] –- <my network="">The AT&T Gateway is in “DMZPlus” mode, which I believe is an IP pass-through mode.  Going from left to right:

    • The WAN interface of the pfSense box has the same IP address as otherwise would be (or is) assigned to the WAN interface of the AT&T Gateway.
    • The LAN interface of the pfSense box has a static IP address of 10.0.0.1.  pfSense is set to enable DHCP server on the LAN interface.  The subnet is 10.0.0.0/24 and has a range of 10.0.0.2 – 10.0.0.254.
    • The WAN interface of the UniFi Security Gateway Pro is set to DHCP mode and has an IP address of 10.0.0.2.
    • The LAN interface of the UniFi Security Gateway Pro has an IP address of 10.0.1.1 and serves IP addresses from a DHCP subnet of 10.0.1.0/16.

    Clients downstream of the UniFi Security Gateway Pro have no problems with Internet access, latency, or throughput.  I can also access the web-based console of the AT&T Gateway with no problems.  However, my attempts to ping either 10.0.0.1 and 10.0.0.2 fail (i.e., all pings time-out).</my></internet>



  • Hi,

    @bclothier:

    • The WAN interface of the pfSense box has the same IP address as otherwise would be (or is) assigned to the WAN interface of the AT&T Gateway.

    Same as what ?

    Btw : remove [UniFi Security Gateway Pro] - connect your PC directly to pfSense LAN and check that it obtains a IP between 10.0.0.2 – 10.0.0.254.
    The GUI access will be fine.
    Draw your conclusions  ;)


  • Rebel Alliance Global Moderator

    What are you hoping to accomplish here?  I can see no reason for such a setup.. Use either the unifi or pfsense..

    So you have a 2wire/Pace gateway from ATT?  If so dmzplus is not ip passthru - its just a dmz host, ie all ports forwarded to this IP.  Is a nat.. So in your case your running triple nat… Even if pfsense got public your still double natting?  Unless you turned off natting on your unifi?

    Why?



  • @Gertjan

    Same as what ?

    Same as the WAN IP address normally assigned to the AT&T residential gateway by AT&T.

    The AT&T residential gateway receives a WAN IP address from an enterprise gateway somewhere within AT&T’s networking infrastructure.  This WAN IP address is not the same as the IP addresses assigned to clients connected to the AT&T Gateway.  Those clients receive LAN IP addresses via DHCP from a default DHCP pool (e.g., 192.168.1.0/24).

    As shown in the diagram above, the only “client” connected to my AT&T residential gateway is my pfSense box.  The AT&T residential gateway operates this connection in “DMZPlus” mode.  In this mode, the WAN IP address of the AT&T residential gateway is the same as the IP address assigned to the WAN port of the pfSense box.  I presume that AT&T residential gateway is operating in some sort of pass-through mode.

    Btw : remove [UniFi Security Gateway Pro] - connect your PC directly to pfSense LAN
    and check that it obtains a IP between 10.0.0.2 – 10.0.0.254.  The GUI access will be fine.

    I conducted this test before formally integrating the pfSense box into my network.  However, your suggestion still has merit.  The USG Pro was unplugged from the LAN port of the pfSense box, and in its place, a laptop was plugged in.  The webConfigurator login screen popped when pointing my web browser to 10.0.0.1.

    Draw your conclusions ;)

    I did.  I logged into the UniFi controller (which effectively programs the USG Pro).  There I discovered the problem.  The USG Pro was setup to assign addresses from the DHCP pool of 10.0.0.1/16 (i.e., 10.0.0.1 – 10.0.255.254).  This pool overlaps with the DHCP pool used by the LAN port of pfSense, i.e., 10.0.0.1/24.  So I had inadvertently instructed the USG Pro to assign an IP address to its own WAN port (i.e., 10.0.0.2) that is reserved for use in the LAN.

    I switched to 172.16.0.1/8 for the connections between my pfSense box and my USG Pro.  The former was changed from 10.0.0.1 to 172.16.0.1 and the latter from 10.0.0.2 to 176.16.0.2.  Problem solved.  I can now access the webConfigurator using the IP address of the LAN interface.



  • @johnpoz

    What are you hoping to accomplish here?  I can see no reason for
    such a setup.. Use either the unifi or pfsense..

    The UniFi Security Gateway Pro serves as a router for a 48-port Unifi Switch, an 8-port PoE UniFi switch, and three UniFi HD access points. The UniFi controller software allows me to manage this equipment in ways simply not possible with pfSense, especially in regards to the wireless portion.

    The pfSense box serves as an edge firewall for my network.  I am in the process of setting up Suricata for IPS/IDS functionality.  I will also set up webfiltering when I am finished with Suricata.  I think that you will agree that pfSense is far more capable than the UniFi software in providing security functionality.

    So to answer your question:  The UniFi Security Gateway Pro is my router, while pfSense is my firewall.  I am using each in the role it's best suited for in my network.

    So you have a 2wire/Pace gateway from ATT?

    My AT&T residential gateway is a Pace 5268.

    If so dmzplus is not ip passthru - its just a dmz host, ie all ports
    forwarded to this IP.  Is a nat.. So in your case your running triple
    nat… Even if pfsense got public your still double natting?  Unless
    you turned off natting on your unifi?

    Why?

    In “DMZplus” mode, the Pace 5268 assigns its public IP address directly to the pfSense box.  The pfSense box is not assigned a private address (e.g., 192.168.0.0/16, 172.16.0.0/12, or 10.0.0.0/8).  I see no evidence of port forwarding on the Pace 5268.  Moreover, when I run traceroute in pfSense, the first IP address corresponds to a DHCP server in AT&T’s network.  The Pace 5268 does not appear in the traceroute.  So my configuration is double-NAT'ed, not triple-NAT'ed.

    As for being double NAT’ed, I have not experienced any changes in latency.  If anything, my latency has decreased slightly (as measured via ping).  But I am not reading much into that observation.  So while double NAT'ed configurations are generally undesirable, I am not seeing any problems with my setup.  I guess time will tell.


  • Netgate

    So while double NAT'ed configurations are generally undesirable, I am not seeing any problems with my setup.  I guess time will tell.

    If the USG is just a router / controller why not just disable NAT there?