Troubleshooting question
-
I am having connectivity issues which I believe are caused by my provider.
It would be really helpful if I had a way to log into my internet gateway/modem (attached to the pfSense LAN port) which has a web interface on 192.168.100.1.
Is there any way that I can access this normally non-routable address from my workstation?
-
@guardian said in Troubleshooting question:
Is there any way that I can access this normally non-routable
My LAN uses 192.168.1.1/24, a second LAN uses 192.168.2.2.1/24, a third 192.168.4.1/24 and my OpenVPN server uses 192.168.3.1/24.
My ISP router has been set up to use 192.168.10.1/24 on its LAN - pfSense obtained, using 192.168.10.4. pfSense uses the default 'dhcp' on its WAN.
Using a PC on LAN, having 192.168.1.x, when I want to see the ISP router's GUI, I enter 192.168.10.1 - which means that 192.168.1.x gets routed through to 192.168.10.1 just fine.
I can see and use the ISP router's GUI just fine.
Something is missing in your question ;)
If your pfSense WAN interface doesn't have an RFC1918 IP, then a 'trick' is needed.
pfSense got you covered, it's in the manual: Accessing a CPE/Modem from Inside the Firewall.
-
@guardian said in Troubleshooting question:
my internet gateway/modem (attached to the pfSense LAN port)
Do you mean the actual LAN interface? Or is it attached to the WAN?
You may need to add a VIP in the 192.168.100.X subnet and NAT traffic to it. See:
https://docs.netgate.com/pfsense/en/latest/recipes/modem-access.html (Ooops same link!)
-
Thanks very much for the quick reply @Gertjan @stephenw10 and answering the question I should have asked. I knew that the RFC1918 was not routable and some sort of workaround was necessary--I just didn't ask the question properly. Thanks very much for the correction/answering the right question. I'll give this a shot and let you know if I have questions/run into trouble.
@stephenw10 said in Troubleshooting question:
You may need to add a VIP in the 192.168.100.X subnet and NAT traffic to it. See:
https://docs.netgate.com/pfsense/en/latest/recipes/modem-access.html
@Gertjan said in Troubleshooting question:
Something is missing in your question ;)
If your pfSense WAN interface doesn't have an RFC1918 IP, then a 'trick' is needed.
pfSense got you covered, it's in the manual: Accessing a CPE/Modem from Inside the Firewall.
-
In case that does not work, what I did was route the ISP through my switch so all I have to do is either add a USB NIC to my PC or change my PC's VLAN and then I am on the ISP side of pfSense.
-
@AndyRH said in Troubleshooting question:
In case that does not work, what I did was route the ISP through my switch so all I have to do is either add a USB NIC to my PC or change my PC's VLAN and then I am on the ISP side of pfSense.
Interesting Idea -- You have given me an idea to try.
-
@guardian There are many uses for running the connection from your modem through a switch. One being yeah, it's easy to add something to this network for whatever reason, span port if you want to sniff traffic.. For say troubleshooting something like dhcp where it's hard to say get the sniff going on pfsense while it boots up..
Also if you have a switch between, just because your modem interface goes down, pfsense won't (unless your switch goes down as well). Sure it won't be able to renew its IP or actually get anywhere but the interface won't reset, it just won't be able to get to the internet.
You could if you so desire put acls on the ports to filter traffic. You could rate limit at the switch ports. Depending on the feature set of the switch you're using.
You could shut the switch port off to pfsense at the switch via a simple command at the switch.
There are all kinds of reasons why it's beneficial to have a switch between pfsense wan and the modem..
-
@johnpoz said in Troubleshooting question:
@guardian There are many uses for running the connection from your modem through a switch. One being yeah, it's easy to add something to this network for whatever reason, span port if you want to sniff traffic.. For say troubleshooting something like dhcp where it's hard to say get the sniff going on pfsense while it boots up..
Also if you have a switch between, just because your modem interface goes down, pfsense won't (unless your switch goes down as well). Sure it won't be able to renew its IP or actually get anywhere but the interface won't reset, it just won't be able to get to the internet.
You could if you so desire put acls on the ports to filter traffic. You could rate limit at the switch ports. Depending on the feature set of the switch you're using.
You could shut the switch port off to pfsense at the switch via a simple command at the switch.
There are all kinds of reasons why it's beneficial to have a switch between pfsense wan and the modem..
@johnpoz I appreciate the input, unfortunately I don't have spare ports on a switch I can use -- and I agree that is a great way to go.
Given the setup that I have, is there a way that I can set up a virtual IP on the ethernet port in the 192.168.100.0/24 subnet so I can get to the modem regardless of if I have a public IP or not?
-
@guardian the instructions how to get to your modem have already been given multiple times.
I do it this way.. I have a 192.168.100.2 vip on my wan, that is connected to my modem..
Do you have any outbound rules in floating that block RFC1918? Do you have any rules on your lan where your client is trying to access 192.168.100.1 that would block or policy route?
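
Added example, not part of any post in this thread and not pfSense code: a small Python model of the two checks discussed above, namely whether the WAN already sits in the modem's subnet or needs a VIP there, and whether a first-match rule list would block or policy-route traffic to the modem. The WAN address 203.0.113.10/24, the /24 modem prefix, the rule dictionaries and the gateway name are constructed assumptions.

```python
import ipaddress

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def modem_access_plan(wan, modem, internal_nets, modem_prefix=24):
    """Decide how a LAN client can reach the modem GUI through the firewall.

    modem_prefix is an assumption (the modem's management subnet is taken as /24).
    """
    wan_if = ipaddress.ip_interface(wan)
    modem_ip = ipaddress.ip_address(modem)
    modem_net = ipaddress.ip_network(f"{modem}/{modem_prefix}", strict=False)
    # An internal subnet that overlaps the modem subnet keeps traffic inside.
    for net in internal_nets:
        if ipaddress.ip_network(net).overlaps(modem_net):
            return ("conflict", net)
    # WAN already holds an address in the modem subnet: a connected route exists.
    if modem_ip in wan_if.network:
        return ("direct", str(wan_if.network))
    # Otherwise the WAN needs an extra address (VIP) in the modem subnet, plus
    # outbound NAT to it so the modem can answer a source on its own subnet.
    vip = next(h for h in modem_net.hosts() if h != modem_ip)
    return ("vip", f"{vip}/{modem_prefix}")

def first_match(rules, dst):
    """Simplified first-match evaluation of interface rules for one destination."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if dst_ip in ipaddress.ip_network(rule["dst"]):
            if rule["action"] != "pass":
                return "blocked"
            # A pass rule with a gateway set bypasses the connected route.
            return "policy-routed" if rule.get("gateway") else "ok"
    return "blocked"  # nothing matched: default deny

# Constructed rule sets for illustration only.
BLOCK_PRIVATE = [{"action": "block", "dst": n} for n in RFC1918]
PASS_ANY = {"action": "pass", "dst": "0.0.0.0/0"}
PASS_MODEM = {"action": "pass", "dst": "192.168.100.1/32"}

if __name__ == "__main__":
    lan = ["192.168.1.0/24"]
    print(modem_access_plan("192.168.10.4/24", "192.168.10.1", lan))
    print(modem_access_plan("203.0.113.10/24", "192.168.100.1", lan))
    print(first_match(BLOCK_PRIVATE + [PASS_ANY], "192.168.100.1"))
    print(first_match([PASS_MODEM] + BLOCK_PRIVATE + [PASS_ANY], "192.168.100.1"))
```
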