Is there a way to set a "tag" (or specify Gateway / do PBR) prior to (or even during) NAT rules? [Dual WAN cable modem status pages]



  • See subject for the crux of the question... I'll explain the scenario here.

    I have a pretty basic pfSense setup running at home, but I'm adding a second WAN connection from a different ISP (at least temporarily).

    So I have WAN1, WAN2, and LAN interfaces on the firewall. LAN just has a single private /24. WAN1 & WAN2 are both DHCP, but do receive publicly routable addresses directly on the interfaces.

    Both WAN providers are cable ISPs in the US, using typical bridging/L2-based cable modems, so my WAN interfaces are just ethernet into modems. The modems have near-zero configurability.

    Both cable modems provide an HTTP "status page," but I have no control over the IP they listen on. In the US, it's kind of a de facto standard that cable modems are at 192.168.100.1. I want to be able to see the status pages of both modems simultaneously, from inside the LAN network.

    I can see each modem individually by adding a standard filter rule on the LAN side that matches on DST=192.168.100.1 and just forces the Gateway (PBR) for the traffic as needed. But this doesn't allow me to see both status pages simultaneously.

    The best way I could think of to try to see them both was using NAT/port-translation. E.g. DST=[pfSense LAN IP] port 881, NAT to 192.168.100.1 port 80. Problem with this is that once the traffic is NATed, I don't think there's any way to change the Gateway / perform PBR.

    I believe this is not a problem with pf itself, but rather just specifics of how pfSense does rules? I think if I could add a pass filter rule before the NAT rule that sets a "tag" on specific traffic, I could then have another filter rule (post-NAT) that just catches that tag and sets the Gateway. Or, is it possible to set a tag or Gateway on traffic during the NAT stage?

    I'm not familiar enough with "manual command-line pf" to know if any of this is actually possible though. If anybody has any other suggestions, I'm all ears.



  • Hello!

    Maybe use a second workstation to view the status page for the other modem. Two PBR rules with SRC IPs - one for each workstation. RDP into the second workstation if you want to see both on the same screen. Second workstation could be headless (pi). ?

    John



  • @serbus Yeah, I thought about something involving different src IPs. I wouldn't even need something with RDP, could just set up a proxy and bounce the traffic off of that... but that's still a workaround. It's a better workaround than fiddling with the firewall rules though, and I already have a Raspberry Pi running my Unifi controller that would be perfectly fine to run nginx as a reverse proxy in front of one of the modems.

    IMO, this should be something that's possible on a competent router/firewall, without involving any other equipment.
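The mechanism the original question asks about (tag a flow at NAT time, then match the tag in a post-NAT filter rule and force the gateway) is expressible in plain pf. The fragment below is an added example in pf.conf syntax, not from any poster in this thread and not a pfSense GUI recipe. It relies on the fact that FreeBSD pf's rdr rules accept a `tag` keyword, and that `tagged` and `route-to` can be combined on a pass rule. The interface names (lan0, wan1, wan2) and the 192.168.100.2/.3 alias addresses on the WAN interfaces are assumptions chosen for illustration; the 192.168.100.1 modem address and the 881/882 port mapping come from the question.

```conf
# Added example (not from the thread): pf.conf fragment for reaching two
# cable modems that both answer on 192.168.100.1, one behind each WAN link.
# Assumptions for illustration only:
#   lan0 / wan1 / wan2                  interface names
#   192.168.100.2/24 and 192.168.100.3/24   IP alias VIPs on wan1 and wan2,
#       so each WAN has an on-link address the modem can reply to
lan_if  = "lan0"
wan1_if = "wan1"
wan2_if = "wan2"
modem   = "192.168.100.1"      # same address on both modems (from the question)
vip1    = "192.168.100.2"      # alias on wan1, assumed
vip2    = "192.168.100.3"      # alias on wan2, assumed

# --- translation rules (pf requires these before the filter rules) ---

# 1. Port forwards on the LAN side. The tag is attached by the rdr rule
#    itself, i.e. before the destination is rewritten, and it stays on the
#    packet, so the post-NAT filter rules can still tell the two flows apart
#    even though both now look like LAN -> 192.168.100.1:80.
rdr on $lan_if inet proto tcp from $lan_if:network to ($lan_if) port 881 \
    tag MODEM1 -> $modem port 80
rdr on $lan_if inet proto tcp from $lan_if:network to ($lan_if) port 882 \
    tag MODEM2 -> $modem port 80

# 2. Source NAT on each WAN so the modem answers to an address on its own
#    segment; the LAN /24 is not routable from the modem's point of view.
nat on $wan1_if inet proto tcp from $lan_if:network to $modem port 80 -> $vip1
nat on $wan2_if inet proto tcp from $lan_if:network to $modem port 80 -> $vip2

# --- filter rules (evaluated after rdr, so they see the translated dst) ---

# 3. Policy routing keyed on the tag: route-to pins each flow to its WAN
#    interface with the modem as the next hop. "quick" makes these win over
#    any generic LAN -> any rule that would otherwise use the default gateway.
pass in quick on $lan_if route-to ($wan1_if $modem) inet proto tcp \
    from $lan_if:network to $modem port 80 tagged MODEM1 keep state
pass in quick on $lan_if route-to ($wan2_if $modem) inet proto tcp \
    from $lan_if:network to $modem port 80 tagged MODEM2 keep state
```

With this in place, http://[pfSense LAN IP]:881/ reaches the modem on wan1 and :882 reaches the modem on wan2 from any LAN host; the state entries created by the pass rules undo both translations on the reply path. The `tag` on an rdr rule is the piece the question was looking for: it survives the address rewrite, so the routing decision can be made after NAT on information captured before it. One caveat for pfSense specifically: it regenerates its pf ruleset from the GUI configuration and overwrites hand-edited rules, so this fragment shows what pf can do, and the equivalent would have to be expressed through pfSense's own configuration rather than pasted into its ruleset.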