Having Trouble with Instructions for Accessing a CPE/Modem from Inside the Firewall

guardian · Jan 20, 2024, 6:34 PM

I am trying use these instructions:
Accessing a CPE/Modem from Inside the Firewall
https://docs.netgate.com/pfsense/en/latest/recipes/modem-access.html
but I don't understand them or they don't apply to my specific situation.

I am trying to assign the new interface, but I don't have PPPoE - my wan is em0:
IPv4 Address 107.179.SSS.abc
Subnet mask IPv4 255.255.255.224
Gateway IPv4 107.179.SSS.def

and my lan is em1, and it is used to attach multiple vlans which are RC1918 addresses in various 172.16.x.y/24

Where do I go from here?

SteveITS · Jan 20, 2024, 7:07 PM

@guardian What’s the IP of your ISP modem? In my experience with AT&T and Comcast nothing extra is needed and I can just browse to it.

guardian · Jan 21, 2024, 3:16 AM

@SteveITS said in Having Trouble with Instructions for Accessing a CPE/Modem from Inside the Firewall:

@guardian What’s the IP of your ISP modem? In my experience with AT&T and Comcast nothing extra is needed and I can just browse to it.
Putting the gateway into a browser does nothing.

The modem diagnostic interface is available at http://192.168.100.1. The same ethernet port has 2 addresses... if you use the gateway, you get the internet, if you use 192.168.100.1 you can view the diagnostics

@chpalmer said in Having Trouble with Instructions for Accessing a CPE/Modem from Inside the Firewall:

@guardian

I am going to assume that this is a cable modem. What model?

Hitron CODA-45 - Bridge mode only

Some cable companies do turn off the ability for the user to see the GUI of their own cable modem. Sucks but..
Not a problem -- read only interface - no password - only available on the lan - cable company confirmed that they don't have visibility - only the telemetry they get from their head end.

Can you ping 192.168.100.1 ? Try it from both your device and from pfSense diagnostic page.

Surprisingly it is working at this moment.

SteveITS · Jan 20, 2024, 8:19 PM

@guardian again I’ve never had to do this, but the gist of the article is to get a working IP in the modem’s network. Maybe try an alias 192.168.100.2/24 on WAN? Ping from pfSense should work at that point I’d think. And then outbound NAT using that IP to get to .1.

chpalmer · Jan 20, 2024, 8:25 PM

@guardian

I am going to assume that this is a cable modem. What model?

Some cable companies do turn off the ability for the user to see the GUI of their own cable modem. Sucks but..

Unless you have some type of VPN or PPPoe then you should be able to access the modem.. any ISP. If it does not answer based on its settings then there is nothing you can do except argue with your ISP about it. Good luck with that.

Can you ping 192.168.100.1 ? Try it from both your device and from pfSense diagnostic page.

guardian · Jan 21, 2024, 3:02 AM

@SteveITS said in Having Trouble with Instructions for Accessing a CPE/Modem from Inside the Firewall:

@guardian What’s the IP of your ISP modem? In my experience with AT&T and Comcast nothing extra is needed and I can just browse to it.

@SteveITS -- Interestingly I am able to access 192.168.100.1 at the moment while the service is operating correctly.

My problem is, when I lose connectivity (IPv4 address goes away), I can no longer reach 192.168.100.1 -- which is exactly when I need to look at it. I need to go get a laptop, unplug pfsense, connect the laptop to see what is happening with the modem.

Do I need some sort of NAT or other setup so that I can still access the Modem when the internet is down?

SteveITS · Jan 21, 2024, 3:06 AM

@guardian well that sounds like a completely different issue. Is the link dropping in pfSense system log? If pfSense is losing its IP I’d kind of expect so, so nothing is going to work.

johnpoz · Jan 21, 2024, 1:03 PM

@SteveITS said in Having Trouble with Instructions for Accessing a CPE/Modem from Inside the Firewall:

o nothing is going to work.

If you have a vip set, this IP would not go away... As long as the interface was up on pfsense.

SteveITS · Jan 21, 2024, 2:04 PM

@johnpoz That’s correct of course… in my head I was following the “link down” I alluded to and didn’t write it well.

Overall why does OP’s WAN IP disappear? Modem reboot, DHCP not renewed, bad cable, bad port, etc, etc.

johnpoz · Jan 21, 2024, 2:09 PM

@SteveITS said in Having Trouble with Instructions for Accessing a CPE/Modem from Inside the Firewall:

Overall why does OP’s WAN IP disappear? Modem reboot, DHCP not renewed, bad cable, bad port, etc, etc.

All very valid questions ;) if the port is down not going to matter if pfsense interface has an IP or not.. heheh

guardian · Jan 22, 2024, 5:32 AM

@johnpoz said in Having Trouble with Instructions for Accessing a CPE/Modem from Inside the Firewall:

@SteveITS said in Having Trouble with Instructions for Accessing a CPE/Modem from Inside the Firewall:

Overall why does OP’s WAN IP disappear? Modem reboot, DHCP not renewed, bad cable, bad port, etc, etc.

All very valid questions ;) if the port is down not going to matter if pfSense interface has an IP or not.. heheh

@johnpoz thanks for coming in on this. When pF sense is loses it's IP, it's on the RF side of the modem.

The link is still up but the public IP has disappeared. I believe if I had a static IP in the
192.168.100.1/24 range I would still be able to access the Modem Diagnostic GUI (WDG).

When I disconnect pfSense and plug in a laptop which is configured for DHCP, it can access the WDG. I wasn't paying attention when I did this, but I'm pretty sure that the laptop got configured by DHCP - I just entered http://192.168.100.1 in a web browser, and it displayed the WDG.

I put in a restriction in pfSense to not accept a an IP in the range 192.168.100.1/24 from DHCP based on advice from this forum because when the public IP would go away, and the gateway's internal DHCP would assign pfSense an IP in the 192.168.100.1/24 range. When the public IP came back, pfSense was not dropping this IP and requesting a public IP.

Is it possible to put a static VIP on the WAN (ethernet em0)? Would this solve the problem? If so, how do I do this since it isn't possible to assign 2 interfaces to a single ethernet port as per the instructions given in other replies.

SteveITS · Jan 22, 2024, 6:29 AM

@guardian in a nutshell you can add an IP alias: https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-addresses.html

Then the Configure NAT step from https://docs.netgate.com/pfsense/en/latest/recipes/modem-access.html#configure-nat should work. I’d expect pfSense itself should be able to ping it as well with the alias functioning.

Basically you’re adding an extra IP to WAN.

stephenw10 · Jan 22, 2024, 1:50 PM

Yup that^. Just be sure that your outbound NAT rule is highly targeted so it only ever matches traffic trying to reach the modem.