Access Modem GUI Behind Firewall

Globaltrader312 · Jun 22, 2024, 1:14 PM

Hello

I have several problems with the firewall at the moment.

I would like to access the GUI of my SVDSL modem I have also done everything according to the PFsense instructions Outbound Nat created interface created for the modem with Static IPV4 from the subnet of the modem unfortunately I get no access the page always loads but it does not work I do not know where the error is.

the second problem is that the firewall blocks the ICMP traffic for ping plotter although I have created an ICMP rule in the firewall.

it worked for a short time but since today the ICMP traffic does not go out anymore, but the rule is there.

unfortunately i don't know what to do i have followed the instructions but somewhere i can't see the error.

see screenshots

login-to-view login-to-view login-to-view

johnpoz · Jun 22, 2024, 1:14 PM

@Globaltrader312 said in Access Modem GUI Behind Firewall:

the ICMP traffic does not go out anymore

Why would a rule on your wan2 allow icmp to go out from something running ping plotter?

Where are you running ping plotter? On your lan, the rule to allow outbound to the internet or some other local network would be on the interface that this device is connected too - ie your lan?

Have no idea what your trying to do on your vigor interface?

Globaltrader312 · Jun 22, 2024, 1:38 PM

@johnpoz ping plot is running on my max and would like to monitor / record packet loss for my ISP as proof of a malfunction because unfortunately this often happens and it ducks away.

for ping plotter to work ICMP packets must be sent therefore the firewall rule

as for the vigor interface this is supposed to be a local interface for accessing the GUI of the modem my Vigor 167 SVDSL modem.

I have followed the instructions from netgate but unfortunately it does not work because as I read it a menu item is missing see instructions

https://docs.netgate.com/pfsense/en/latest/recipes/modem-access.html

Translation
:
Interface Address I do not have this item as a selection.

I have done everything else exactly as in the instructions.

johnpoz · Jun 22, 2024, 1:56 PM

@Globaltrader312 said in Access Modem GUI Behind Firewall:

for ping plotter to work ICMP packets must be sent therefore the firewall rule

But those rules wouldn't be on a wan interface.. That rule would be allowed on the interface where the icmp request enters the firewall.. I have no idea what a "max" is or where it is located on your network.

As to what you have done or not done for talking to your modems gui IP, if this on some network other than what pfsense actual wan interface gets from your isp device I have no idea. But the instructions are not missing anything... If your just using your wan, then create a vip on this interface.

Globaltrader312 · Jun 22, 2024, 2:00 PM

@johnpoz I have to correct myself apparently the ICMP packets are going through but it seems like there was constant packet loss according to the ping plotter even though I had internet via DSL.

that Ink plotter shows packet loss is nothing new Noermalerweise only when I have WAN 1 on Vodafone Business Cable Internet 1000 MBIT Down and 50 UP with Public IPV4 but there are often problems there.

what I am generally wondering is whether the PFsense has problems with onboard NIC I use a Dell EMC R430 as a server for the PFsense there are 3 Onoard ETH connections and the 4 in an extra Inteel 350 Quad Port Card PCIE there goes once LAN out WAN 3 mobile in.

all are on GBIT.

Translated with www.DeepL.com/Translator (free version)

Globaltrader312 · Jun 22, 2024, 2:52 PM

@Globaltrader312 What do you mean by MAX ?

the instructions say yesConfigure a new Interface

A PPPoE WAN is actually assigned to a virtual PPPoE adapter, not the physical port.

Navigate to Interfaces > Assignments
Set Available network ports: to the physical network card for the PPPoE WAN

For example, if the WAN is PPPOE0(ix3), choose ix3.

Click fa-plus Add to assign this port as a new OPT interface
Navigate to Interfaces > (new OPT interface)
Configure the settings as follows:

Enable
:
Checked
Description
:
ModemAccess or a similar useful name.
IPv4 Configuration Type
:
Static
IPv4 Address
:
Configure an IP address in the same subnet as the modem, such as 192.168.1.5/24. in my case I have configured 192.168.5.2/24
IPv4 Upstream Gateway
:
None

Do not set a gateway. I have not set one
Click Save
Click Apply Changes

To add the NAT:

Navigate to Firewall > NAT, Outbound tab.
Switch to Hybrid Outbound NAT and click Save
Click fa-plus to add a new Outbound NAT rule
Configure the settings as follows:
Interface
:
ModemAccess
Source
:
Network, enter the LAN subnet there I have 192.168.1.0/24
Destination
:
The IP subnet of the modem
Translation and here 192.168.5.0/24
:
Interface Address here I have entered the INtefrace address 192.168.5.1/24
Click Save

unfortunately there is no connection for the GUI

JonathanLee · Jun 22, 2024, 3:00 PM

You need to make a ACL for both interfaces you want to use icmp on. You can’t do one without the other. I see you made one ACL but where is the ACL for the other interface or subnet?

Globaltrader312 · Jun 22, 2024, 3:05 PM

@JonathanLee

what exactly do you mean by ACL ? can you perhaps give me the relevant paragraph from the instructions, thank you.

with WAN 1 Cable ICMP always works with only one rule only with PPOE it sometimes works stupidly

maybe you can also tell me why the MOdem access does not work thanks

JonathanLee · Jun 22, 2024, 3:21 PM

@Globaltrader312 ACL (Access Control List) your pass or block rules are ACLs. If you’re using more than one interface you need to approve ICMP on both interfaces for them to ping each other. What port is used for GUI access on your modem? Check on ARP page also to get the IP address assigned to the modem. It should show the MAC and the IP being used. You show WAN2 and Vigor? Is that is a different interface? What happened to WAN you show WAN2 I noticed if that’s the case what is your gateway set as WAN or WAN2, also have you looked at your outbound NAT rules if you are using multiple WAN interfaces? Can you ping it from the firewall ping page?

Globaltrader312 · Jun 22, 2024, 3:22 PM

@JonathanLee the instructions say yesConfigure a new Interface

A PPPoE WAN is actually assigned to a virtual PPPoE adapter, not the physical port.

Navigate to Interfaces > Assignments
Set Available network ports: to the physical network card for the PPPoE WAN

For example, if the WAN is PPPOE0(ix3), choose ix3.

Click fa-plus Add to assign this port as a new OPT interface
Navigate to Interfaces > (new OPT interface)
Configure the settings as follows:

Enable
:
Checked
Description VIGOR BGE 0 the same as PPOE only a new interface
:
ModemAccess or a similar useful name.
IPv4 Configuration Type
:
Static
IPv4 Address
:
Configure an IP address in the same subnet as the modem, such as 192.168.1.5/24. in my case I have configured 192.168.5.2/24
IPv4 Upstream Gateway
:
None

Do not set a gateway. I have not set one
Click Save
Click Apply Changes

To add the NAT:

Navigate to Firewall > NAT, Outbound tab.
Switch to Hybrid Outbound NAT and click Save
Click fa-plus to add a new Outbound NAT rule
Configure the settings as follows:
Interface
:
ModemAccess
Source
:
Network, enter the LAN subnet there I have 192.168.1.0/24
Destination
:
The IP subnet of the modem
Translation and here 192.168.5.0/24
:
Interface Address here I have entered the INtefrace address 192.168.5.1/24
Click Save

unfortunately there is no connection for the GUI

JonathanLee · Jun 22, 2024, 3:26 PM

@Globaltrader312 what does your arp table show? After you find the Mac and IP pair try to ping that address from the firewall itself they have a diagnostic area that allows pings to be tested. What port does your GUI is it 80? 8080? Does it use ssl?

Globaltrader312 · Jun 22, 2024, 3:34 PM

@JonathanLee
ACL (Access Control List): Your rules for allowing or blocking are ACLs. If you use more than one interface, you must allow ICMP on both interfaces so that they can ping each other.

Which port is used for GUI access on your modem? Port 80

The IP address assigned to the modem is 192.168.5.1

The MAC and IP used should be displayed there. Do you see WAN2 and Vigor?
Is that a different interface? WAN 2 is with PPPOE on bge2

the interface of the modem is Vigor as name and running bge2

What happened to WAN, you are showing WAN2, not WAN is working normally except packet loss every now and then.

important I use a Faliover setup with Multi WAN 3 WAN interefaces

WAN 1 Vodafone Business Cable DHCP BGE1

WAN 3 Mobile Backup 4G bge3

lan is bge 4

I have set everything up according to the following video https://www.youtube.com/watch?v=uQTvMSNylf4&pp=ygUacGZzZW5zZSBtdWx0aSB3YW4gZmFpbGJvZXI%3D

if that is the case, what is your gateway set as WAN or WAN2, have you also looked at your outbound NAT rules if you are using multiple WAN interfaces?

Can you ping from the firewall ping side?

ping from pfsense guy to 8.8.8.8 works

the modem does not use ssl

Globaltrader312 · Jun 22, 2024, 3:37 PM

@Globaltrader312 infos in screenshot login-to-view login-to-view login-to-view login-to-view

ping to 192.168.5.1 works

Globaltrader312 · Jun 22, 2024, 3:48 PM

@Globaltrader312 with my edge router, the sorce nat rule has always worked for modem access via SSH or GUI via browser to 192.168.5.1 not possible. when I make the ping from the LAN interface then 100 packetloss login-to-view

JonathanLee · Jun 22, 2024, 6:30 PM

@Globaltrader312 said in Access Modem GUI Behind Firewall:

@Globaltrader312 with my edge router, the sorce nat rule has always worked for modem access via SSH or GUI via browser to 192.168.5.1 not possible. when I make the ping from the LAN interface then 100 packetloss login-to-view

Do you have a static route set for this traffic, this is on a different subnet, you would an ACL for port 80 to access it. It’s gonna be blocked by default. What subnet do you attempt to access the modem from?

Globaltrader312 · Jun 22, 2024, 6:45 PM

@JonathanLee login-to-view login-to-view
login-to-view

I want to reach / access the subnet 192.168.5.0/24 to access the GUI of the modem at 192.168.5.1

I have configured the following interface bge 0 description Vigor this is the interface for the modem.

I have entered the following there

see screen shot

there I have entered a static IPV4 on the subnet of the modem 192.68.5.2/24

I then created the outbound nat rule

see screen shot 2

so exactly as in the instructions there was nothing about ACL etc.

I also tried the same with the firewall rule

johnpoz · Jun 22, 2024, 6:57 PM

@Globaltrader312 dude is the interface you created this 192.168.5.2 address connected to your modem?

What is pfsense wan?? What specific vigor "modem/router" do you have.. If the thing is doing nat already and pfsense gets a 192.168.5.x address there is NOTHING to do to access your modems interface from behind pfsense.. Any traffic coming from your lan would be natted to pfsense wan IP.

A simple drawing of your network and how the device connects to pfsense and what interface, and are you getting internet through this connection? Is pfsense wan a 192.168.5 network, or is pfsense getting a public IP because the device is bridge mode, or are you using PPPoe for the connection, etc..

patient0 · Jun 22, 2024, 9:08 PM

@Globaltrader312 said in Access Modem GUI Behind Firewall:

To add the NAT:
...
Interface Address here I have entered the INtefrace address 192.168.5.1/24
Click Save

I got the same configuration, PPPoE with an Vigor166.

For the NAT: Translation Address ("Interface Address" in the doc) is the IP of your pfSense interface in the modem network, "Vigor address" in your case or 192.168.5.2.

Globaltrader312 · Jun 22, 2024, 9:10 PM

@johnpoz said in Access Modem GUI Behind Firewall:

dude is the interface you created this 192.168.5.2 address connected to your modem?

What is pfsense wan?? What specific vigor "modem/router" do you have.. If the thing is doing nat already and pfsense gets a 192.168.5.x address there is NOTHING to do to access your modems interface from behind pfsense.. Any traffic coming from your lan would be natted to pfsense wan IP.

A simple drawing of your network and how the device connects to pfsense and what interface, and are you getting internet through this connection? Is pfsense wan a 192.168.5 network, or is pfsense getting a public IP because the device is bridge mode, or are you using PPPoe for the connection, etc..

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 23.09.1 | Lab VMs 2.7.2, 24.03

i have put the digram online via link because i can't upload it
Network Diagram

dude is the interface you created this 192.168.5.2 address connected to your modem? yes

What is pfsense wan?? i have 3 WAN with Multiwan and Failover setup

WAN 1 Vodafone Cable DHCP Public IP static Per DHCP

WAN SVDL PPPOE Public IP Static per PPPOE

WAN 3 Mobile behind router Mikrotik Chateau 5G DHCP

all are in one gateway group Failover GW

What specific model vigor 167

the Vigor only does MODEM mode no VLAN tagging or anything else

the Vigor has only one subnet to access the subnet is 192.168.5.0/24 the GUI is reachable at 192.168.5.1

the interface Vigor at Assignments is the interface on bge1 which is only available for accessing the modem GUI.

this has the static IPV4 192.168.5.2/24

The following setup 2 modems 1 router

Multimedia socket Coax connection Technicolor TC4400
Modem connected via COAX cable to the multimedia socket and a Lan cable to bge 0 on the Pfsense establishes the connection via DHCP and gets the Static Public iPv4 and V6 via Static DHCP.

Telephone socket 1 TAE cable to Vigor then 1 LAN cable from Vigor to bge1 to pfsense pfsense dials in via PPPOE with Static IPV4 Public assigned by the provider's RAS server.

Router Mikrotik Chatau 5G with Sim card Telekom Germany connected via LAN cable to PFsense bge2 connection is established via DHCP only Private IPv4 address 192.168.88.0/24

Globaltrader312 · Jun 22, 2024, 9:21 PM

@patient0 I have now changed it but unfortunately I still cannot access the GUI of the Vigor.

login-to-view