
    Cable modem access on different subnet

    • J
      jpvonhemel
      last edited by jpvonhemel

      Just a quick question. My cable modem's private ip is at 10.0.0.1. I can get to that IP address via browser on a device with 192.168.92.x without setting up anything. Since these devices are on two separate subnets, how am I able to access my cable modem? I expected I would need to do some special networking to make the cable modem accessible. It is nice it works, but I would really like to know why it works.

      Thank you,

      Jerold

      • M
        mcury
        last edited by mcury

        Hello Jerold.

        Your modem only knows two things, first is the default route to WAN.
        Second is the 10.0.0.0 network.

        When you try to reach it from 192.168.92.x, the modem is not aware that this network is behind the LAN, and it will answer the request through the WAN.

        So, you will need to configure a static route, in your modem.
        dest 192.168.92.x gateway 10.0.0.X where X is your pfsense IP.

        dead on arrival, nowhere to be found.

        • J
          jpvonhemel @mcury
          last edited by jpvonhemel

          @mcury said in Cable modem access on different subnet:

          Hello Jerold.

          Your modem only knows two things, first is the default route to WAN.
          Second is the 10.0.0.0 network.

          When you try to reach it from 192.168.92.x, the modem is not aware that this network is behind the LAN, and it will answer the request through the WAN.

          So, you will need to configure a static route, in your modem.
          dest 192.168.92.x gateway 10.0.0.X where X is your pfsense IP.

          That’s what is confusing. I can get to it without a static route, via wan. What does the static route get me? I can get to it just fine.

          • M
            mcury @jpvonhemel
            last edited by mcury

            @jpvonhemel You are probably being natted.
            So, when you leave 192.168.92.X, you get out through the 10.0.0.X network, being sourced by pfsense IP.

            In this case, the modem would be able to forward the packet back to your pfsense's WAN IP.

            Edit: Test if disabling NAT in pfsense will make that stop working

            dead on arrival, nowhere to be found.

            • J
              jpvonhemel @mcury
              last edited by

              @mcury would this be PFSense nat? The cable modem is bridged, so it has to be PFSense that makes this work!

              • M
                mcury
                last edited by

                Well, if the modem is bridged, you would be getting a public IP in your pfsense's WAN, and not an RFC1918, unless that is what your ISP provides you, like CGNAT does.

                dead on arrival, nowhere to be found.

                • J
                  jpvonhemel
                  last edited by

                  I seem to have figured out why the private address on the LAN side makes it to the Wan and ultimately to the cable modem.

                  Automatic Outbound NAT
                  The default option, which automatically performs NAT from internal interfaces, such as LAN, to external interfaces, such as WAN.

                  When I change this Nat Outbound setting to "Disable Outbound NAT rule generation", I can no longer get into my modem settings. Turning it back on, after a minute or two, lets me back in.

                  • S
                    serbus
                    last edited by

                    Hello!

                    The 10.0.0.x is just an address pfsense doesn't have a route for, so it sends it out the default wan route. The modem intercepts it and responds.

                    This thread might be of interest...

                    https://forum.netgate.com/topic/149747/cable-modem-hack-cable-haunt-pfsense-rule

                    John

                    Lex parsimoniae

                    • JKnottJ
                      JKnott @mcury
                      last edited by

                      @mcury said in Cable modem access on different subnet:

                      So, you will need to configure a static route, in your modem.
                      dest 192.168.92.x gateway 10.0.0.X where X is your pfsense IP.

                      I have a Hitron modem, in bridge mode. Even though my LAN subnet is 172.16.0.0, I can access the modem at 192.168.100.1. Given there's no routing configured for it, I expect it's examining the IP address of outgoing http connections for that address. I'll have to do a packet capture to see what's actually happening.

                      PfSense running on Qotom mini PC
                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                      UniFi AC-Lite access point

                      I haven't lost my mind. It's around here...somewhere...

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by johnpoz

                        What is pfsense wan IP in this scenario? I have a gut feeling that your "modem" is not in bridge mode and pfsense has 10.x address on its wan.

                        Pretty much every cable "modem" I have ever seen is 192.168.100.1, what is the model number of this cable modem.. You sure it's not a gateway device?

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        • J
                          jpvonhemel
                          last edited by

                          Hi @johnpoz!

                          My Wan interface is an Arris TG3482G (XB6) from Comcast. It does have a gateway but I disable it with bridge mode and it gives a public ip to my Wan Interface. Here are some screenshots.

                          ModemBridge.jpg

                          WanIP.jpg

                          WanGateway.jpg

                          I have the interface setup to reject private ip assignment from the cable modem to avoid the gui bug it has caused me in the past.

                          DCHP Reject.jpg

                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by johnpoz

                            @jpvonhemel said in Cable modem access on different subnet:

                            TG3482G

                            Yeah that is a gateway, not just a cable modem.. It's a modem/router..

                            That would explain the non 192.168.100.1 address.

                            I can access my modem as well without having to do anything, on the 192.168.100.1 address.. This is because pfsense would route it out the wan IP..

                            sniff.jpg

                            This amounts to running multiple layer 3 on the same layer 2..

                            Do a sniff, you will prob notice your dest being sent to a different mac than what your answer comes back from.. Because pfsense is trying to send to its gateway, and your device intercepts the traffic - since it's bridging and sees all traffic.

                            macaddress.jpg

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                            • JKnottJ
                              JKnott @JKnott
                              last edited by

                              @JKnott said in Cable modem access on different subnet:

                              I'll have to do a packet capture to see what's actually happening.

                              I just tried and noticed something curious. Frames to the modem use a different MAC than the ones from it. Coming from the modem, the HFC MAC is used, but the ISP gateway MAC is used going to it. So, when I connect to that modem, it considers the 192.168.100.1 address to be off the network, as expected, but the response comes directly from the modem. However, I have no idea how the packets actually get from my firewall to the modem. Does the modem intercept them, after reading the IP address? Or does my ISP's gateway forward them back to the modem?

                              PfSense running on Qotom mini PC
                              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                              UniFi AC-Lite access point

                              I haven't lost my mind. It's around here...somewhere...
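
The MAC comparison that johnpoz and JKnott describe from their captures, as an added example that is not part of any post in this thread: it reads `tcpdump -e -n` text captured on the WAN interface and reports remote IPs whose replies arrive from a MAC the firewall never addressed. The capture lines, every MAC and IP in them, and the function name `mac_asymmetry` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -e -n` text format (not from the thread's screenshots).
# 02:00:00:00:00:01 = firewall WAN NIC, 02:00:00:00:00:fe = ISP gateway,
# 02:00:00:00:00:aa = the modem's own MAC. All values are made up.
CAPTURE = """\
12:00:00.000100 02:00:00:00:00:01 > 02:00:00:00:00:fe, ethertype IPv4 (0x0800), length 74: 198.51.100.23.40112 > 192.168.100.1.80: Flags [S], length 0
12:00:00.000900 02:00:00:00:00:aa > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 192.168.100.1.80 > 198.51.100.23.40112: Flags [S.], length 0
12:00:01.000100 02:00:00:00:00:01 > 02:00:00:00:00:fe, ethertype IPv4 (0x0800), length 74: 198.51.100.23.40200 > 203.0.113.80.443: Flags [S], length 0
12:00:01.018000 02:00:00:00:00:fe > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 203.0.113.80.443 > 198.51.100.23.40200: Flags [S.], length 0
"""

# timestamp, src MAC > dst MAC, ethertype ..., src IP.port > dst IP.port:
LINE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 .*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+:"
)

def mac_asymmetry(capture, local_mac):
    """Return remote IPs that answered from a MAC we never sent their frames to."""
    sent_to = defaultdict(set)   # remote IP -> dst MACs on frames we sent
    answered = defaultdict(set)  # remote IP -> src MACs on frames we received
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ARP, IPv6 and anything else that is not IPv4 with ports
        if m["smac"] == local_mac:
            sent_to[m["dip"]].add(m["dmac"])
        elif m["dmac"] == local_mac:
            answered[m["sip"]].add(m["smac"])
    report = {}
    for ip, dst_macs in sent_to.items():
        unexpected = answered[ip] - dst_macs
        if unexpected:  # reply came from a device other than the next hop used
            report[ip] = {"sent_to": sorted(dst_macs),
                          "answered_from": sorted(unexpected)}
    return report

if __name__ == "__main__":
    for ip, macs in mac_asymmetry(CAPTURE, "02:00:00:00:00:01").items():
        print(ip, "sent to", macs["sent_to"], "answered from", macs["answered_from"])
```

An IP that shows up in the report was answered by something sitting in the layer 2 path rather than by the next hop, which is the interception pattern described in the posts above.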

                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by johnpoz

                                See my sniff, there is no way it's being forwarded back - look at the times involved.

                                They are being intercepted by the device, because of the IP of the dest.

                                edit:
                                If your device does not do interception like this, and know where to send the data back to, then the way to access it is via vip on your wan. So that you talk to the device from an IP on its own network.

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                • chpalmerC
                                  chpalmer
                                  last edited by

                                  pfsense routes anything not in its own LAN subnet(s) out the WAN. It does not matter if the address is in private space or not.

                                  If your address is the default 192.168.1.0/24 and you try to reach 192.168.5.50 it will forward that request out the WAN to/through the modem.

                                  As johnpoz said "They are being intercepted by the device, because of the IP of the dest." +1

                                  My switch right here has an address of 172.31.125.2 and I expect it to answer when I go to that address. But it otherwise does its job of distributing traffic on my LAN. Modems do likewise.

                                  Triggering snowflakes one by one..
                                  Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.
