Unable to access Transparent Bridge (WAN/LAN) from LAN
-
Hello all,
Apologies if this has been covered somewhere, I've searched but have not been able to find the information to help me solve this. I am trying to access the pfsense Web GUI from my local LAN network. Currently, I can only connect to the web GUI if I directly connect to the OPT1 LAN interface where DHCP is enabled and an IP address is served to my laptop.
My Setup:
Cable Modem (192.168.100.1) > (WAN) PFSense (LAN1) > UDM Router (10.50.10.xxx)
- I have a Bridge interface enabled with my WAN and LAN1 interfaces
- No IP addresses are assigned to the WAN and LAN1 interfaces
- DHCP is disabled for WAN and LAN1 Interfaces
- The two System tunable options are set correctly per the pfsense documentation
- Outbound NAT is disabled
I believe that I need to assign an IP address to the bridge interface to access the PFSense Web GUI from my LAN (Unifi), however, I am not sure what IP address/upstream gateway to use. I've tried multiple IPs with no success. I am able to access my Cable Modem's web GUI from the LAN so I don't believe I need to do anything on the Unifi router side.
Any guidance is greatly appreciated. Thank you!
-
@swears123
Without an IP the device is not accessible. Also it cannot pull updates or packages.
You have to assign an IP to the bridge within the cable modem's LAN.
For pulling updates / packages you also need to set the cable modem as default gateway (in the bridge interface settings).
For accessing the web GUI ensure that you have a firewall rule in place which allows this.
-
@viragomann Thanks for the quick response!
I set the IP address of the Bridge interface to 192.168.100.2. I also have an Allow All rule on the bridge interface.
Do I need any other firewall rules in the LAN1 or WAN interfaces?
When I set the Default Gateway to the Cable Modem address (in the Bridge Interface), I receive the following message:
The following input errors were detected:
The gateway address 192.168.100.1 does not lie within one of the chosen interface's subnets.
-
@swears123 said in Unable to access Transparent Bridge (WAN/LAN) from LAN:
Do I need any other firewall rules in the LAN1 or WAN interfaces?
You have to add the rule on the incoming interface, so LAN.
But if it is needed depends on the tunables settings.
When I set the Default Gateway to the Cable Modem address (in the Bridge Interface), I receive the following message:
The following input errors were detected:
The gateway address 192.168.100.1 does not lie within one of the chosen interface's subnets.
You have to set the network mask properly. You might need a /24.
-
Yes, the bridge or one of the interfaces needs to have an IP to be accessible. That IP needs to be in the UDM WAN subnet (192.168.100.0/24) if pfSense is going to use it to check for updates etc.
It doesn't have to be though as long as the UDM router knows how to reach it.
Steve
-
@viragomann said in Unable to access Transparent Bridge (WAN/LAN) from LAN:
But if it is needed depends on the tunables settings.
Thanks. Adding a /24 allowed me to add 192.168.100.1 as the default gateway. However, when I did this the internet no longer worked.
-
@swears123
Are you really sure that you've disabled NAT in Firewall > NAT > Outbound?
-
@viragomann Correct. Outbound NAT is disabled:
Disable Outbound NAT rule generation.
(No Outbound NAT rules)
-
@swears123
I assume you're talking about the internet access on devices in the 10.50.10.xxx network?
I cannot think of any reason why the default gateway on pfSense should have any impact if you have disabled NAT.
What do you get exactly?
Can you still access the modem?
Are the routes and the DNS settings correct on the device?
-
Yes, that is correct. Devices on 10.50.10.xxx lose internet when I add the default gateway of 192.168.100.1 in pfsense. As soon as I delete the default gateway, internet returns.
I still have access to the Unifi Console as well as the upstream Cable Modem when the default gateway is added, however, I still cannot access pfsense from the 10.50.10.xxx network.
I haven't made any changes to routes/dns settings so I assume those are okay.
-
@swears123
Does this also happen if you remove the gateway from the interface settings, but add a gateway in System > Gateways and set it as default then?
-
@viragomann Yes, it does.
-
@swears123
The gateway is only for pfSense itself. However, without it you should be able to access pfSense from behind the UDM at least. Does this work?
-
@viragomann No access to pfsense from behind udm (10.50.10.xxx) network with or without default gateway.
I'm using the IP address 192.168.100.2 for the pfsense bridge interface.
-
What's the UDM WAN IP?
-
@stephenw10 That would be my external ISP IP address (which I don't want to show on here ;) )
I tried setting that as the Gateway in PFSense but I got an error.
-
@swears123 said in Unable to access Transparent Bridge (WAN/LAN) from LAN:
That would be my external ISP IP address (which I don't want to show on here ;) )
No need to post it here, but this is something that should have been mentioned before.
So the UDM does PPPoE or something alike?
It needs to have an IP in the modem's LAN / pfSense network to get access, maybe as an alias, and it needs to do masquerading to this IP on traffic which is destined to pfSense.
-
@viragomann Fair enough.
WAN on the Unifi set to DHCP and it pulls the external IP (not the modem, I assume by design). I suppose I can try to set a static IP on the Unifi WAN to the modem's IP. Does that make sense?
I don't know anything about masquerading/aliases.
-
Yes, if the UDM has a PPPoE WAN then the default gateway on pfSense should be an IP on the UDM in the modem subnet. Or no gateway.
Why are you adding pfSense here though? It doesn't appear to be doing anything useful.
-
@swears123
You need an additional IP on WAN aside from the DHCP one. This is called an IP alias in pfSense.
An upstream router commonly has masquerading enabled. That means it translates the source IP in upstream packets into its WAN IP.
So since the UDM has a public IP, I expect it does this as well. However, for accessing pfSense you need to translate it to the second WAN IP in 192.168.100.0/24.
If this is not possible you can add a static route for the 10.50.10.0/24 to pfSense and point it to the UDM and hope that it works.
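
The gateway validation and return-path reasoning discussed in this thread, modelled as an added example that is not part of any post and is not pfSense code. The bridge and modem addresses come from the thread; the /32 starting mask, the UDM public address (203.0.113.10), the UDM alias (192.168.100.3) and the LAN client address are constructed assumptions.

```python
import ipaddress

def gateway_on_link(iface_cidr, gateway):
    """True if the gateway lies inside the interface's own subnet."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(iface_cidr).network

def reply_next_hop(iface_cidr, dest, static_routes=None, default_gw=None):
    """Next hop for a reply sent from the bridge IP to `dest`, chosen by
    longest-prefix match over connected, static and default routes."""
    dest_ip = ipaddress.ip_address(dest)
    routes = [(ipaddress.ip_interface(iface_cidr).network, "on-link", dest)]
    for prefix, hop in (static_routes or {}).items():
        routes.append((ipaddress.ip_network(prefix), "static", hop))
    # A default gateway outside the interface subnet is rejected, as in the GUI error.
    if default_gw and gateway_on_link(iface_cidr, default_gw):
        routes.append((ipaddress.ip_network("0.0.0.0/0"), "default", default_gw))
    matches = [r for r in routes if dest_ip in r[0]]
    if not matches:
        return ("unreachable", None)
    _, kind, hop = max(matches, key=lambda r: r[0].prefixlen)
    return (kind, hop)

BRIDGE = "192.168.100.2/24"      # bridge IP from the thread, with the suggested /24
MODEM = "192.168.100.1"          # cable modem from the thread
UDM_PUBLIC = "203.0.113.10"      # constructed: UDM WAN address after masquerading
UDM_ALIAS = "192.168.100.3"      # constructed: extra UDM WAN IP in the modem subnet
LAN_CLIENT = "10.50.10.25"       # constructed: a host behind the UDM

if __name__ == "__main__":
    # Assumed /32 mask: the modem is not on-link, so the gateway is refused.
    print(gateway_on_link("192.168.100.2/32", MODEM))
    print(gateway_on_link(BRIDGE, MODEM))
    # GUI request masqueraded to the UDM's public IP, no gateway: no return route.
    print(reply_next_hop(BRIDGE, UDM_PUBLIC))
    # Same request with the modem as default gateway: reply goes to the modem.
    print(reply_next_hop(BRIDGE, UDM_PUBLIC, default_gw=MODEM))
    # UDM masquerades to an alias in 192.168.100.0/24: reply is delivered on-link.
    print(reply_next_hop(BRIDGE, UDM_ALIAS, default_gw=MODEM))
    # No NAT on the UDM, static route for the LAN pointing at the UDM alias.
    print(reply_next_hop(BRIDGE, LAN_CLIENT,
                         static_routes={"10.50.10.0/24": UDM_ALIAS}, default_gw=MODEM))
```
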