Accessing modem netwok from inside firewall (Bridge Mode)

Soloam · Aug 14, 2018, 5:39 PM

Hello, I have my cable provider modem outside of the pfsense network, with a different subnet, my main subnet is 192.168.3.0/24 and my modem is 192.168.1.0/24.

The modem is configured to bridge all traffic of port 4, so I connect pfsense to port 4 and all traffic is bridgged.

I loked at the toturial on Accessing modem from inside firewall but this case is different.

Is there any method to access the cable modem network (all devices in 192.168.1.0/24)? or do I need to create a VLAN and connect a physical cable to one of the other ports?

Thank You

Soloam · Aug 16, 2018, 10:41 PM

Any ideas? Thank you

johnpoz · Aug 19, 2018, 1:45 PM

There really should be no devices on this 192.168.1/24 since this becomes your transit network. While you could connected to them from your 192.168.3 via natting to the 192.168.1 that pfsense would do. Access anything on 192.168.3 from .1 would require a port forward.

Your better option would be just use your bridge connection (where pfsense gets public IP) and put these devices on 192.168.1 behind pfsense on .3 or some other vlan.

I would assume these devices are wifi and connecting to your isp device (not really a modem if its doing nat - it would be a gateway device).. If so your best option would prob be turn off that devices wifi and get a AP to put behind pfsense. Better yet get one that supports vlans and have switch that supports vlans and then you would really be cooking with gas.

jahonix · Aug 19, 2018, 4:06 PM

You said the modem is in bridge mode. Does pfSense get an IP from the ISP probably via DHCP?
Have you tried the tutorial you mentioned?

@johnpoz I don't think there's a transit network when modem is in bridge mode, right?

johnpoz · Aug 19, 2018, 5:43 PM

Yes there is a transit network even when you get a public IP.. The /21 the isp gives you is actually a transit network ;)

Your just not putting other devices on it that want to get to other downstream networks, etc. All the devices on this isp transit are routers or or end devices using this network to get to the internet... Ie they transit over it to get to where they want to actually go.

But in this case he is running a double nat to the pubic and his 192.168.1 network becomes a transit to get to his router with the public IP. There shouldn't be any devices on this transit, unless all they want to do it get to the internet.. Once he wants them to talk to other devices downstream that are not reachable via his default gateway then you run into problems with either asymmetrical routing or having to nat to prevent the asymmetrical traffic flow, or route on each device telling it which gateway to use to get to which network.

jahonix · Aug 20, 2018, 12:52 AM

If the modem is in bridge mode and pfSense connects to the ISP gateway directly then, AFAIK, the modem is out of the transit network.
pfSense gets the public IP on WAN (or 100.64.0.0/10 with CGN) and the modem can be reached on an RFC1918 IP as described in the docs.
You don't have double NAT in this case either.

Soloam · Aug 20, 2018, 9:01 AM

Hello all, the main problem is my ISP digital tv box set, I get a lot of problems when I connect it after pfsense, I keep getting connections drops, so I made the decision to keep it connected to my isp router. But now i would like to access it from my main network (to control it from my computer, iot). The isp router passes the internet to pfsense in bridge mode, and pfsense get the public ip by dhcp. I don't see other solution but to run a second cable from one of the other ports of the isp router that are not bridged back to pfsense.

johnpoz · Aug 20, 2018, 12:33 PM

In such a case you should be able to access the 192.168.1.x/24 IP from 192.168.3.x/24 because pfsense would nat your 192.168.3.x traffic to pfsense IP address in 192.168.1

If you do not nat this then yes you would run into a problem. You have to make sure you setup outbound nat on the 192.168.1 interface so that traffic coming from 192.168.3 is natted to the 192.168.1 address of pfsense in that network.

You would also need to make sure your not forcing your lan traffic out your specific wan dhcp gateway (ie your public connection). You need to leave the gateway on your lan as default or put a policy route above it to use your 192.168.1 interface when wanting to go to 192.168.1