Private ip on public side / managing equipment / suggestions?



  • We have many pfsense boxes deployed with speedtouch modems on the wan. Some are static IP, some are DHCP, and some are PPPOE.

    The speed touch modem works in a bridging mode, HOWEVER it always listens to 192.168.1.254/24 and 10.0.0.138/8

    I have in the past manually added an alias to the interface facing the modem, and then used ssh to create a tunnel to the pfsense box allowing me to connect to the localhost:localport and to tunnel that through to the pfsense - where it connects to the modem on port 80.

    This is problematic though - it requires going outside the gui to configure it, and doesn't allow me a way to make the port acessible to a user on the lan without giving them ssh access to pfsense.

    Does anyone have a better way? Through use of VIP's / proxy arp or some kind of alias / nat rule / no-nat rule?

    I've tried a lot of combinations / running out of ideas. Thanks!

    PS - I love the book…

    I thought it might help visualize / clarify if I throw some ip's on an example...

    Pretend my pfsense box has LAN (rl0) 192.168.0.1/24 and WAN (rl1) 172.18.0.2
    The WAN is connected to my ADSL modem. Everything works as desired. EXCEPT, I want to retrieve information from the ADSL modem on it's operation - things like error rates, sync speed, etc. The ADSL modem listens on 192.168.1.254 and 10.0.0.138. If I resort to command line, I can do something like:
    ifconfig rl1 alias 10.0.0.138 netmask 0xff000000

    After this command, FROM PFSENSE SHELL I can ping 10.0.0.138. I can also connect to it's port 80. However I can't figure out how to add a nat / no nat / port forward / something to enable a user on the LAN subnet to connect to this host.

    I can use SSH port forward to create a tunnel L81 -> 10.0.0.138:80 - this does allow me to connect to http://localhost:81 (which ssh tunnels for me) and reach the page I need.

    But this is not ideal - I can't allow regular lan users (or WAN users) to reach this.

    I could run some sort of port proxy - I seem to recall various TCP remappers from the old FreeBSD 4 days, but I'm thinking there must be a more elegany built in solution using the tool properly (that I'm just missing).

    Hope the additional clarification helps.

    Thanks!





  • Thanks Chris! That did help. Sometimes my searching fails me - I should have just looked for "adsl modem" I was genericizing too much ;-) Instead of endless follow up's I'm editing this post as I find new information / clarify it.

    Anyways, I'm 99% the way there, and have compiled the various answers and updated them - some link to documents not currently available - some which do not seem to have a replacement:

    I drew on these posts:
    http://forum.pfsense.org/index.php/topic,6532.msg37466.html#msg37466
    http://forum.pfsense.org/index.php/topic,5727.msg34562.html#msg34562
    http://forum.pfsense.org/index.php?topic=22330.msg115472 **
    http://doc.pfsense.com/index.php/How_can_i_access_my_PPPoE_Modem_on_WAN

    **This post suggests a different method - after adding the alias, a proxy-arp virtual IP is added - and then a custom outbound NAT rule. I'll try these once I do the upgrade to current.

    I found MANY links to this post - which is not available any longer
    http://faq.pfsense.com/index.php?action=artikel&cat=10&id=38&artlang=en&highlight=hidden

    For those that come after me, I've included the config modification process in this summary, but I still have one problem remaining… SOMETIMES, my alias address shows up in the Interface Status screen as if it is the primary IP of the Interface - when that happens, traffic can not be routed out that interface - I am guessing that this is because every rule / option that refers to "interface ip" is similarly confused, and NAT etc. are trying to run on my additional IP. In my present scenario I am using a public static IP, so I am adding an alias to affect my change... please look at the below - tell me if you see the problem? For reference the firewall I am playing with is an older version - I will try updating to see if that fixes my issue - I'm overdue anyways.

    I'd also appreciate (for completeness - not my own use) any suggestion on how to handle a case where the WAN is DHCP assigned, and we need to "alias" a private IP on it as below...

    THANKS FOR YOUR HELP

    #THESE COMMANDS ARE FROM A SHELL PROMPT - NOT THE GUI!
    #IF YOU ARE USING A CF BASED INSTALL YOU NEED TO:
    /etc/rc.conf_mount_rw

    #INSTALL REDIR
    pkg_add -r redir
    #IF THIS FAILS, TRY TO FIND A SOURCE OF THE PACKAGE / DOWNLOAD MANUALLY:
    cd /tmp
    #THE URL USED DEPENDS ON YOUR PFSENSE VERSION – USE “uname –a” TO SEE THE UNDERLYING OS VERSION – USE A PORT THAT MATCHES!
    #FOR EXAMPLE:
    fetch ftp://SOMEMIRRORSITE/pub/mirror/bsd/FreeBSD/ports/i386/packages-XX-stable/Latest/redir.tbz

    #ADD AN ALIAS OR IP ON THE INTERFACE CONNECTED TO THE EQUIPMENT TO BE MANAGED:
    #FOR PPPOE (no IP on the interface) I HAVE NOT TESTED THIS MYSELF YET
    ifconfig fxp0 10.0.0.1/24
    #OR FOR A STATIC IP INTERFACE
    ifconfig fxp0 alias 10.0.0.1/24
    #I HAVE NO IDEA HOW TO HANDLE A DHCP ASSIGNED WAN INTERFACE

    #TEST YOUR CONNECTION TO THE DEVICE:
    ping 10.0.0.138

    #START REDIR – LPORT IS LOCAL LISTEN PORT – CPORT IS PORT CONNECTED TO:
    /usr/local/bin/redir –lport 8989 --cport 80 --caddr 10.0.0.138 &

    #NOW BROWSE TO YOUR PFSENSE LAN IP:LPORT LIKE:

    http://192.168.0.1:8989

    #IF YOU ARE USING A CF BASED INSTALL YOU NEED TO:
    /etc/rc.conf_mount_ro

    TO MAKE THE CHANGE PERMANENT ADD COMMANDS TO CONFIG FILE (DOWNLOAD, EDIT, RESTORE) JUST BEFORE SECTION

    <shellcmd>/sbin/ifconfig fxp0 10.0.0.1/24</shellcmd>
    OR
    <shellcmd>/sbin/ifconfig fxp0 alias 10.0.0.1/24</shellcmd>
    AND
    <shellcmd>/usr/local/bin/redir --lport 8989 --cport 80 --caddr 10.0.0.138 &</shellcmd>



  • bb-mitch,

    Thanks for this post - I searched over a couple of different days for the solution of accessing my modem which is in front of my pfSense box that connects through it to the internet via PPPoE.

    @bb-mitch:

    TO MAKE THE CHANGE PERMANENT ADD COMMANDS TO CONFIG FILE (DOWNLOAD, EDIT, RESTORE) JUST BEFORE SECTION

    <shellcmd>/sbin/ifconfig fxp0 10.0.0.1/24</shellcmd>
    OR
    <shellcmd>/sbin/ifconfig fxp0 alias 10.0.0.1/24</shellcmd>
    AND
    <shellcmd>/usr/local/bin/redir –lport 8989 --cport 80 --caddr 10.0.0.138 &</shellcmd>

    This section was especially helpful to me to get the settings to survive reboots.  I'm sure after 2.0 is deemed "stable", this procedure will become a bit redundant, but until then, this is GOLD! :)

    Thanks again,

    – Phob



  • Hi again,

    Under 1.2.3-RELEASE, it seems that when I edit the config.xml with the following :

    @bb-mitch:

    TO MAKE THE CHANGE PERMANENT ADD COMMANDS TO CONFIG FILE (DOWNLOAD, EDIT, RESTORE) JUST BEFORE SECTION

    <shellcmd>/sbin/ifconfig fxp0 10.0.0.1/24</shellcmd>
    OR
    <shellcmd>/sbin/ifconfig fxp0 alias 10.0.0.1/24</shellcmd>
    AND
    <shellcmd>/usr/local/bin/redir –lport 8989 --cport 80 --caddr 10.0.0.138 &</shellcmd>

    … the SNMP daemon fails to start properly.  If I stop then restart the daemon from the GUI, all returns to normal, but ideally I'd like to be able to have the additional IP and the REDIR happening on startup without any other complications.

    It also occurs to me that if this interferes with SNMP, it might also interfere with other processes I haven't yet detected.

    Any thoughts?

    -- Phob


Locked