NAT to cable modem admin UI needs to come from same subnet

jhg

Hitron CODA-56 modem (which is working very well)

It has an admin UI at 192.168.100.1, so I thought all I needed to do was add a static route to it. This didn't work, and I discovered that traffic to that address must also have a source IP in the same /24. So I attempted to create an outgoing NAT rule as follows:

Outbound NAT Mode: Hybrid

Rule

• Interface: WAN
• Source: LAN Subnets
• Source Port: *
• Destination: 192.168.100.0/24
• Destination Port: *
• NAT Address: 192.168.100.2/32
• NAT Port: *

But this also doesn't work.

With packet capture I can see the traffic exiting the WAN interface, with the correct source and destination addresses, but I don't see any response:

Running packet capture:
/usr/sbin/tcpdump -ni re1 -c '1000' -U -w - '((net 192.168.100.0/24)) and ((not vlan))'

01:25:43.122880 IP 192.168.100.2.24852 > 192.168.100.1.80: tcp 0
01:25:46.863886 IP 192.168.100.2.38110 > 192.168.100.1.80: tcp 0
01:25:47.131851 IP 192.168.100.2.24852 > 192.168.100.1.80: tcp 0
01:25:54.875554 IP 192.168.100.2.38110 > 192.168.100.1.80: tcp 0
01:25:55.144524 IP 192.168.100.2.24852 > 192.168.100.1.80: tcp 0

I know the modem's UI works because I could access the UI when I was using a Linux-based router, before I replaced it with pfSense.

Is there anything obvious I need to fix so I can see the response traffic?

johnpoz

@jhg I ran into the same sort of problem that had me scratching my head for awhile..

I hear good things about that modem by the way ;)

Anyhoo.. Here is my setup. Sounds exactly what your trying to do, etc..

The disable auto generated reply-to allows it to work..

I was also blocking outbound rfc1918, to keep any noise I might generated by typos in rfc1918 addresses, etc from going out my connection I had a work laptop for one that was generating lots of traffic to "work" Ip ranges, etc. The block rfc1918 rule is just below that allow rule with the disable reply-to set, prob should of grabbed it in the screenshot.

edit: trying to remember the thread where we found this.. I will have to see if I can find that thread.

edit2: here it is https://forum.netgate.com/topic/181715/solved-problems-with-understanding-advanced-egress-filtering

mer

Different cable modem, but I had similar issues.
I did the exact same as @johnpoz and make sure you don't forget the disable reply to step. That bit me once or twice.

SteveITS

TL,DR ;) but it looks like there are some suggestions. Netgate has a recipe page for this : https://docs.netgate.com/pfsense/en/latest/recipes/modem-access.html

I’ve never had to do anything for AT&T or Comcast modems, it “just works.”