pfsense with mikrotik LTE in passthrough mode, how to access mikrotik admin panel?
-
Hi,
This is my first post here. I've been using pfSense for quite some time now, but currently I have a problematic setup.
I've got a MikroTik LTE router which has LTE passthrough mode enabled towards my pfSense box. pfSense obtains an IP over DHCP from the MikroTik router and is able to NAT this for the entire LAN network. The MikroTik, however, exposes its admin panel on the 192.168.88.1 IP address, which I'm not able to access. I've found this post https://forum.netgate.com/topic/164454/accessing-modem-from-internal-network which seems to describe the exact same problem as I have, however the proposed solution does not work for me. Here's what I have:
mikrotik LTE <--> switch (VLAN 1000) <--> pfsense WAN
I've also tried a direct connection without the switch (works the same); the switch gave me additional PoE for the MikroTik.
WAN IP: DHCP one in 10.X.X.X net
LAN IP: 10.120.Y.Y
Mikrotik admin panel IP: 192.168.88.1
I've created a VIP (IP Alias) on the WAN interface - 192.168.88.2/32
I've created a hybrid outbound rule:
I've logged in to the pfSense box over SSH and I'm able to ping the VIP, but not able to ping 192.168.88.1.
However, when I'm connected to the MikroTik admin panel (through a different port) I know that the MikroTik sees the pfSense box VIP, but is still not able to ping it.
One observation is that if I disable the LTE interface on the MikroTik LTE, pfSense starts pinging the MikroTik router, so I'm closer to the conclusion that the problematic part is the MikroTik router, and not the pfSense configuration.
Can you help me with what I'm doing wrong? Or should I set up something differently on my MikroTik box?
-
@astrolabius said in pfsense with mikrotik LTE in passthrough mode, how to access mikrotik admin panel?:
I've created VIP (IP Alias) on WAN interface - 192.168.88.2/32
You can access nothing with a /32 mask. You need to use at least a /30 mask, but it should match the setting on the Mikrotik, which might be /24.
-
@viragomann I've tried with a /24 mask as well, but without success. Currently I'm trying to update the RouterOS version, as this might be a problem as well.
-
Yeah the VIP needs to have a subnet that includes the modem IP, like /24.
The source address on your outbound NAT rule has to match wherever you're trying to connect from. So probably 'LAN net'.
'This Firewall' only includes IP addresses on the firewall itself, not local subnets.
Steve
-
@stephenw10 @viragomann
Now I think I got it. I have to have the VIP in /24, not the outbound network. This is something I haven't tried yet. But I will. Unfortunately I'll have direct access to this system a week from now :( And I don't want to risk setting it up remotely (currently I've dropped passthrough mode in favor of double NAT; anyway, my ISP does not serve me a public IP, so I'd say it's more likely triple NAT). One thing which I think I'm not getting: I thought that during VIP creation I'm setting up an IP pool which will be assigned to this interface, and not used by this interface. Am I wrong here?
Thanks in advance for the reply.
-
@astrolabius said in pfsense with mikrotik LTE in passthrough mode, how to access mikrotik admin panel?:
I thought that during VIP creation I'm setting up IP pool which will be assigned to this Interface, and not used by this interface.
Not for an IPAlias VIP on WAN. You would add one for each IP you want to use there and at least one of them has to be defined with the correct subnet mask so the routes are added. Otherwise pfSense has no idea how to reach any other IP in the subnet.
So you just need to change your VIP on WAN to be 192.168.88.2/24.
Then change the source in the outbound NAT rule to 'LAN net' so that traffic from clients in the LAN matches it.
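The two conditions the replies above boil down to (the alias mask must put the modem on a connected network, and the outbound NAT rule's source must match the LAN client rather than the firewall itself) can be checked with a small model. This is an added example, not pfSense code or anything posted in the thread; the WAN DHCP address, LAN interface address and LAN subnet are constructed assumptions, since the thread only shows them as 10.X.X.X and 10.120.Y.Y.

```python
"""Model of the two checks the thread turns on: does the WAN IP Alias give
pfSense a connected route to the modem, and does the outbound NAT rule's
source actually match a LAN client?  Added example, not pfSense's own code."""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Modem admin address from the thread.
MODEM_IP = IPv4Address("192.168.88.1")
# Constructed assumptions: the thread only shows "10.X.X.X" and "10.120.Y.Y".
WAN_DHCP = IPv4Interface("10.10.10.20/24")
LAN_NET = IPv4Network("10.120.0.0/16")
LAN_IF = IPv4Interface("10.120.0.1/16")


def connected_route_covers(dest: IPv4Address, addrs: list[IPv4Interface]) -> bool:
    """True when one of the firewall's own addresses (with its mask) puts
    `dest` on a directly connected network.  A /32 alias only yields a host
    route for the alias itself, so nothing else in 192.168.88.0/24 is reached
    through it; a /30 or wider alias yields a route covering the modem."""
    return any(dest in a.network for a in addrs)


def outbound_nat_source_matches(rule_source: str, packet_src: IPv4Address,
                                firewall_addrs: list[IPv4Interface],
                                lan_net: IPv4Network) -> bool:
    """Mimic the two source choices discussed: 'This Firewall' covers only
    the firewall's own addresses; 'LAN net' covers the subnet the clients sit in."""
    if rule_source == "This Firewall":
        return any(packet_src == a.ip for a in firewall_addrs)
    if rule_source == "LAN net":
        return packet_src in lan_net
    raise ValueError(f"unknown rule source {rule_source!r}")


def diagnose(vip_cidr: str, rule_source: str, client_ip: str) -> dict:
    """Evaluate a candidate VIP + outbound NAT configuration for one LAN client
    trying to reach the modem's admin panel."""
    vip = IPv4Interface(vip_cidr)
    firewall_addrs = [WAN_DHCP, LAN_IF, vip]
    client = IPv4Address(client_ip)
    route_ok = connected_route_covers(MODEM_IP, firewall_addrs)
    nat_ok = outbound_nat_source_matches(rule_source, client, firewall_addrs, LAN_NET)
    return {"route_to_modem": route_ok,
            "nat_rule_matches_client": nat_ok,
            "works": route_ok and nat_ok}


if __name__ == "__main__":
    # Walk through the configurations tried in the thread, worst to best.
    for cfg in (("192.168.88.2/32", "This Firewall"),
                ("192.168.88.2/24", "This Firewall"),
                ("192.168.88.2/24", "LAN net")):
        print(cfg, diagnose(*cfg, "10.120.1.50"))
```

Only the last configuration passes both checks: the /24 alias gives pfSense a route to 192.168.88.1, and 'LAN net' as the rule source lets a client such as 10.120.1.50 be translated to the alias. Fixing just one of the two leaves the modem unreachable, which is why trying /24 alone earlier in the thread did not help.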