Netgate Discussion Forum

Access ISP router within "child" pfSense LAN network

Routing and Multi WAN
15 Posts 3 Posters 1.0k Views
  • F
    fearlessfara
    last edited by Sep 21, 2020, 10:37 PM

    I'd like to access the ISP router within the pfSense network. I'll attach a graph of the net so it will be a bit more clear since there is a hierarchy.
    graph.png

    Basically the problem is that within the pfSense network I cannot access the main ISP router network (192.168.1.1/24). When I try to SSH the ISP router or just to open the admin webpage I get no response and the connection times out. What do I need to do in order to access that "father" network?

    1 Reply Last reply Reply Quote 0
    • K
      kiokoman LAYER 8
      last edited by Sep 21, 2020, 10:55 PM

      Usually there is nothing to do, but maybe you have block bogon/block private network checked on the WAN interface.

      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
      Please do not use chat/PM to ask for help
      we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
      Don't forget to Upvote with the 👍 button for any post you find to be helpful.

      1 Reply Last reply Reply Quote 0
      • F
        fearlessfara
        last edited by Sep 23, 2020, 1:18 PM

        Thank you and yes, you're (partially XD) right. Usually there is nothing to do/configure but this time something needs to be modified I guess. The bogon-block feature is disabled but still I can't access my main ISP router... Any idea or suggestion?

        1 Reply Last reply Reply Quote 0
        • J
          johnpoz LAYER 8 Global Moderator
          last edited by johnpoz Sep 23, 2020, 1:36 PM Sep 23, 2020, 1:33 PM

          There is nothing to do here. Unless you're not natting on pfsense, you can access that IP just like any other IP on your wan. The block rfc1918 and bogon rules are inbound rules..

          Unless you're forcing traffic out a vpn connection?

          Or you have some rule on lan/floating that would block said access.

          Out of the box that would just work. Assuming pfsense wan is getting an IP on the 192.168.1/24 network

          I would suggest you sniff on pfsense wan, connected to this upstream router.. Do you see traffic going to this 192.168.1.1 IP when you try and go there via one of your lan clients? You don't have some other 192.168 network on any other interface on pfsense that would overlap that network, do you?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          F 1 Reply Last reply Sep 23, 2020, 2:20 PM Reply Quote 0
          • F
            fearlessfara @johnpoz
            last edited by Sep 23, 2020, 2:20 PM

            @johnpoz Thanks for the answer. I am not forcing traffic out a VPN connection. Traffic goes straight from the WAN interface of my pfSense to one of the LAN interfaces of the ISP modem. No interfaces are overlapping for sure (DHCP enabled too).
            The connection between those two hosts is OK (I can ping 192.168.1.1) but when I try to access the management page on port 80 I think it drops the connection or it just times out.
            I have pfBlockerNG installed on the pfSense but I don't think that this could cause any kind of issues.
            Honestly this is a pretty stock otb pfSense installation, I didn't set any particular thing or VLANs, anything really.

            1 Reply Last reply Reply Quote 0
            • J
              johnpoz LAYER 8 Global Moderator
              last edited by johnpoz Sep 23, 2020, 2:28 PM Sep 23, 2020, 2:25 PM

              Suggest you sniff on the wan when you try and access web gui of 192.168.1.1 - do you get a response, is your source natted to 192.168.1.X (whatever wan IP of your pfsense is) etc..

              You're wan has a 192.168.1.X address right? You're not using a PPPoE connection?


              F 1 Reply Last reply Sep 23, 2020, 2:33 PM Reply Quote 0
              • F
                fearlessfara @johnpoz
                last edited by fearlessfara Sep 23, 2020, 2:36 PM Sep 23, 2020, 2:33 PM

                @johnpoz Here's what I see when I sniff the traffic going in/outbound

                16:29:50.144463 IP 192.168.1.56 > 192.168.1.1: ICMP echo request, id 19542, seq 37578, length 9
                16:29:50.144945 IP 192.168.1.1 > 192.168.1.56: ICMP echo reply, id 19542, seq 37578, length 9
                16:29:50.364933 IP 192.168.1.56.45561 > 192.168.1.1.80: tcp 0
                16:29:50.365415 IP 192.168.1.1.80 > 192.168.1.56.45561: tcp 0
                16:29:50.646389 IP 192.168.1.56 > 192.168.1.1: ICMP echo request, id 19542, seq 37579, length 9
                16:29:50.647026 IP 192.168.1.1 > 192.168.1.56: ICMP echo reply, id 19542, seq 37579, length 9
                16:29:51.110850 IP 192.168.1.1.80 > 192.168.1.56.60194: tcp 0
                16:29:51.111345 IP 192.168.1.56.60194 > 192.168.1.1.80: tcp 0
                16:29:51.151052 IP 192.168.1.56 > 192.168.1.1: ICMP echo request, id 19542, seq 37580, length 9
                16:29:51.151534 IP 192.168.1.1 > 192.168.1.56: ICMP echo reply, id 19542, seq 37580, length 9
                

                As you can see there is clearly something wrong with those addresses, honestly I don't know why it is fitting the port as part of the IP address (and then obviously the tcp is 0 because of I don't know what reason but it seems fair to be like that).
                Looks like maybe the pfSense is doing something that malforms the request?
                N.B. 192.168.1.56 is the pfSense WAN interface IP on the ISP subnet.

                1 Reply Last reply Reply Quote 0
                • J
                  johnpoz LAYER 8 Global Moderator
                  last edited by Sep 23, 2020, 2:36 PM

                  @fearlessfara said in Access ISP router within "child" pfSense LAN network:

                  16:29:50.364933 IP 192.168.1.56.45561 > 192.168.1.1.80: tcp 0
                  16:29:50.365415 IP 192.168.1.1.80 > 192.168.1.56.45561: tcp 0

                  That is typical and correct to what you should see.. sniff will show the source and dest ports like that.. Open that up in, say, wireshark, or increase the verbosity of the sniff. I assume that is syn and syn,ack in response.

                  But he could be sending you back RST? Which would mean F off..


                  1 Reply Last reply Reply Quote 1
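Added example, not part of any post in this thread: a small Python parser for the low-detail capture lines quoted above, showing that the trailing number is the port, which TCP flows from the WAN IP were answered, and whether a LAN subnet collides with the ISP network. The function names are hypothetical; the capture lines and addresses are copied from the thread.

```python
import ipaddress
import re

# Capture lines copied from the thread (pfSense WAN is 192.168.1.56).
CAPTURE = """\
16:29:50.144463 IP 192.168.1.56 > 192.168.1.1: ICMP echo request, id 19542, seq 37578, length 9
16:29:50.364933 IP 192.168.1.56.45561 > 192.168.1.1.80: tcp 0
16:29:50.365415 IP 192.168.1.1.80 > 192.168.1.56.45561: tcp 0
16:29:51.110850 IP 192.168.1.1.80 > 192.168.1.56.60194: tcp 0
16:29:51.111345 IP 192.168.1.56.60194 > 192.168.1.1.80: tcp 0
"""

LINE = re.compile(r"^(\S+) IP (\S+) > (\S+): (.*)$")

def split_endpoint(text, has_port):
    """'192.168.1.1.80' -> (192.168.1.1, 80); ICMP endpoints carry no port."""
    if not has_port:
        return ipaddress.ip_address(text), None
    host, _, port = text.rpartition(".")
    return ipaddress.ip_address(host), int(port)

def parse(capture):
    packets = []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        _ts, src, dst, rest = m.groups()
        has_port = rest.startswith(("tcp", "UDP"))
        packets.append((split_endpoint(src, has_port), split_endpoint(dst, has_port), rest))
    return packets

def answered_flows(packets, wan_ip, router_ip):
    """Client ports seen in both directions; flags are hidden here, so a reply may be SYN/ACK or RST."""
    wan, router = ipaddress.ip_address(wan_ip), ipaddress.ip_address(router_ip)
    out = {s[1] for s, d, r in packets if s[0] == wan and d[0] == router and s[1]}
    back = {d[1] for s, d, r in packets if s[0] == router and d[0] == wan and d[1]}
    return sorted(out & back)

def overlaps(lan_cidr, wan_cidr):
    """True when the pfSense LAN and the upstream network collide."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return lan.overlaps(ipaddress.ip_network(wan_cidr, strict=False))

if __name__ == "__main__":
    pkts = parse(CAPTURE)
    print("answered TCP flows from WAN IP:", answered_flows(pkts, "192.168.1.56", "192.168.1.1"))
    print("default LAN overlaps ISP net:", overlaps("192.168.1.1/24", "192.168.1.1/24"))
    print("10.0.0.1/24 overlaps ISP net:", overlaps("10.0.0.1/24", "192.168.1.1/24"))
```

Both flows show traffic in each direction with the source already rewritten to the WAN IP, so only a more verbose capture that prints TCP flags can tell a handshake from a reset.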
                  • F
                    fearlessfara
                    last edited by Sep 23, 2020, 4:00 PM

                    @johnpoz The RST TCP message was my greatest fear to be honest. I've reset the ISP router to its factory defaults and managed to isolate that the problem was (as I supposed on the pfSense). Now I'm gonna reset the pfSense too and see if it finally works again as normal.

                    1 Reply Last reply Reply Quote 0
                    • J
                      johnpoz LAYER 8 Global Moderator
                      last edited by Sep 23, 2020, 4:03 PM

                      @fearlessfara said in Access ISP router within "child" pfSense LAN network:

                      to isolate that the problem was (as I supposed on the pfSense).

                      And how exactly did you do that? To pfsense 192.168.1.1 is no different than 8.8.8.8 - if it sends on the traffic and nats it to its wan IP, what else do you think it should do?


                      F 1 Reply Last reply Sep 23, 2020, 4:10 PM Reply Quote 0
                      • F
                        fearlessfara @johnpoz
                        last edited by Sep 23, 2020, 4:10 PM

                        @johnpoz I didn't recognize what was the source of the problem. I went by exclusion. After doing all the configurations of the ISP and checking that those were correct I had to exclude that there was a network misconfiguration on the side of the ISP device.
                        Then I started troubleshooting (again) on the pfSense, I removed all the installed plugins (and still had that problem) then I went doing all the setup wizard again (this seems to be the "final solution" to my problem) and now it looks like it's working as it should be.
                        Moral of the story: I made the setup wizard and now I can finally access my beloved ISP router again.

                        1 Reply Last reply Reply Quote 0
                        • J
                          johnpoz LAYER 8 Global Moderator
                          last edited by Sep 23, 2020, 4:15 PM

                          @fearlessfara said in Access ISP router within "child" pfSense LAN network:

                          I made the setup wizard

                          You never ran the wizard before? Were clients able to access internet sites?

                          The default IP of pfsense would have conflicted with your ISP device's lan.. Out of the box pfsense lan is 192.168.1.1/24 - so yeah that would have prevented access..


                          F 1 Reply Last reply Sep 23, 2020, 4:18 PM Reply Quote 0
                          • F
                            fearlessfara @johnpoz
                            last edited by fearlessfara Sep 23, 2020, 4:18 PM Sep 23, 2020, 4:18 PM

                            @johnpoz Yes, I obviously had configured the pfSense before (using the setup wizard) and then I had to change the subnet to 10.0.0.1/24 to not overlap the parent one (I'm not really new to networking, but I am on pfSense😊 ). To be honest this problem came up at some random point in the past days. I can't get to understand what caused it, really strange, isn't it?

                            1 Reply Last reply Reply Quote 0
                            • J
                              johnpoz LAYER 8 Global Moderator
                              last edited by Sep 23, 2020, 4:21 PM

                              Yeah if you were running fine on 10.0.0/24 for a while and could access the internet.. Possible something didn't complete when you changed the lan network? Just guessing..

                              But from your sniff pfsense looks to have sent on the traffic and natted to its wan IP.. I would have checked your state table next.. etc.

                              But glad you got it sorted..


                              F 1 Reply Last reply Sep 23, 2020, 5:07 PM Reply Quote 0
                              • F
                                fearlessfara @johnpoz
                                last edited by Sep 23, 2020, 5:07 PM

                                @johnpoz The LAN subnet configuration was ok, because I changed it when I installed the pfsense (otherwise as you said before it would have overlapped ISP router’s LAN). Looks a lil strange to me that I didn’t find the problem. Maybe looking at the state table would have been a good idea but since I’ve solved it “the easy way” and the state table is now renewed it’s useless now to take a look at it. Thanks for the help by the way!

                                1 Reply Last reply Reply Quote 0
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.