Can't see modem using static address on WAN.



  • I have two setups.

    1.2.3 at my tiny datacenter in my basement with a cable modem… Linksys modem interface address 192.168.100.1

    2.0 at my office with a bridge-only DSL modem and a static IP, no PPP, no login, etc... Zoom 5615 modem interface address 10.0.0.2

    I can see my cable modem at home using its address with no changes to the firewall.

    I cannot see the dsl modem.

    Both modems are bridges with static addresses on the wan of the firewall.

    Search only brings up info on pppoe systems so far...

    Any ideas?

    Thanks!



  • @chpalmer:

    I cannot see the dsl modem.

    How are you looking and what response do you get to your attempt to see the DSL modem?



  • Can't ping it nor see it using my browser.

    Net connectivity is fine but it would be nice to be able to watch my signal levels for changes without having to take things down.



  • @chpalmer:

    Can't ping it nor see it using my browser.

    By name or IP address? What is reported on an access attempt?

    What do you see in a packet trace on pfSense WAN interface while you attempt a ping to the modem?



  • Sorry long week so far…

    By IP.

    Firefox can't establish a connection to the server at 10.0.0.2.

    Lan trace
    21:54:59.859269 IP (tos 0x0, ttl 128, id 6340, offset 0, flags [DF], proto TCP (6), length 48)
        172.25.125.53.3620 > 10.0.0.2.80: Flags ~~, cksum 0x8de8 (correct), seq 3214275548, win 65535, options [mss 1460,nop,nop,sackOK], length 0

    Wan trace
    22:03:05.640036 IP x.249.55.x.21963 > 10.0.0.2.80: tcp 0
    22:03:08.567771 IP x.249.55.x.21963 > 10.0.0.2.80: tcp 0
    22:03:14.603369 IP x.249.55.x.21963 > 10.0.0.2.80: tcp 0~~


  • Netgate Administrator

    So in both locations your pfSense WAN address is a publicly addressable IP passed to it by your ISP? Or are you manually assigning static IP's?
    If that's the case then I'm surprised you can access the modem at either end as I would expect there to be no route.

    Have you unchecked 'block private networks' on WAN?

    Try adding a route manually to the modem IP via WAN.

    Steve



  • Yes- public IP on the wan port that I have set static on the interface…

    Not sure what caused those lines on my last post to be struck out- not intended...

    I've tried unchecking the block private network option with no success...

    Tried a static route but may need to tweak on it some more...

    Oh well, I'll keep trying and report back.

    Thanks!



  • @chpalmer:

    I've tried unchecking the block private network option with no success…

    I suspect that if you fiddle with that setting and expect it to take effect without a reboot you will also need to reset firewall states.

    @chpalmer:

    Wan trace
    22:03:05.640036 IP x.249.55.x.21963 > 10.0.0.2.80: tcp 0
    22:03:08.567771 IP x.249.55.x.21963 > 10.0.0.2.80: tcp 0
    22:03:14.603369 IP x.249.55.x.21963 > 10.0.0.2.80: tcp 0

    This is your system on the LAN side attempting to access the web GUI on your modem?

    How will the modem know where to send replies to x.249.55.x? I'm guessing x.249.55.x is not on the same subnet as the modem. If that is so, the modem will need some sort of static route so it knows where to send its reply.

    Alternatively, you will have to configure pfSense so it NATs the access to the modem (in which case the modem should see the web access attempt coming from an address on its subnet).



  • This is your system on the LAN side attempting to access the web GUI on your modem?

    Right.

    How will the modem know where to send replies to x.249.55.x? I'm guessing x.249.55.x is not on the same subnet as the modem. If that is so, the modem will need some sort of static route so it knows where to send its reply.

    Correct- it is not on the same subnet. I'm going to run these same traces when I get home on my 1.2.3 box. I can see my cable modem under the same circumstances there and that's where I'm confused.

    Alternatively, you will have to configure pfSense so it NATs the access to the modem (in which case the modem should see the web access attempt coming from an address on its subnet).

    I understand why that's needed. But then why, if I have not done this on my 1.2.3 box, can I see that modem also not in my WAN IP subnet? I'll post the results later from those traces…



  • @chpalmer:

    But then why, if I have not done this on my 1.2.3 box, can I see that modem also not in my WAN IP subnet?

    I don't know enough about your configurations or their history to answer.



  • 1.2.3 can see it right out of the box no mods, port forwarding, nat, rules or otherwise…

    18:54:46.857157 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 0
    18:54:46.857413 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0
    18:54:46.861100 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 349
    18:54:46.864786 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 256
    18:54:46.881655 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 1460
    18:54:46.882129 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0
    18:54:46.883453 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 188
    18:54:46.900938 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 1460
    18:54:46.901400 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0
    18:54:46.902723 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 228
    18:54:46.917539 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 1460
    18:54:46.917965 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0
    18:54:46.919252 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 76
    18:54:46.934230 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 1460

    Driving me nuts for sure...   192.168.100.1 is a private address, right??   Doing a web search now....

    Once again from the other box...  
    19:05:51.751588 IP x.249.55.x.39272 > 10.0.0.2.80: tcp 0
    19:05:54.612605 IP x.249.55.x.39272 > 10.0.0.2.80: tcp 0
    19:06:00.648228 IP x.249.55.x.39272 > 10.0.0.2.80: tcp 0



  • What I thought I knew…

    NetRange: 192.168.0.0 - 192.168.255.255
    CIDR: 192.168.0.0/16
    OriginAS:
    NetName: PRIVATE-ADDRESS-CBLK-RFC1918-IANA-RESERVED



  • @chpalmer:

    1.2.3 can see it right out of the box no mods, port forwarding, nat, rules or otherwise…

    18:54:46.857157 IP 192.168.100.1.80 > 24.113.x.x.43833: tcp 0
    18:54:46.857413 IP 24.113.x.x.43833 > 192.168.100.1.80: tcp 0

    But where was this trace taken? WAN on pfSense? If so, suggests this modem has a route to 192.168.x.y/z
    Does the modem in your "pfSense 2.0" configuration have a route to x.249.55.x/y?

    Also this modem clearly has a public address. In your other configuration the modem has a private address. But I don't know enough about what you have configured or your equipment to judge if this difference is significant.



  • Both modems are bridges… that have available maintenance IPs...

    Both pfSense boxes have public IP addresses on their WAN interface.

    cable modem------24.113.x.x-----------wan pfsense 1.2.3 lan-----172.31.125.0/24

    dsl modem-------65.249.55.x-----------wan pfsense 2.0b5 lan------172.25.125.0/24



  • Have you read the article Accessing modem from inside firewall at http://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall? This shows how to configure pfSense so that it has an additional WAN address on the modem's subnet. If pfSense is configured as suggested in the article it removes the need for a route on the modem.



  • Thanks for working with me on this wallabybob!  I think I found my answer of why one works and the other does not…

    From http://homepage.ntlworld.com/robin.d.h.walker/cmtips/ipaddr.html

    The IP address 192.168.100.1 will be present even if no web diagnostics are offered on that address.

    The cable modem IP address 192.168.100.1 is not in the same sub-net as the user's PC. So, when trying to send to 192.168.100.1, the user PC's IP stack will normally route the packet to the Default Gateway address at the UBR. Since no routes exist to the private address 192.168.100.1 (and there are multiple instances of this IP address on any one CATV segment), the UBR drops the packet. This would mean that in theory the PC could never talk to the cable modem. However, the Surfboard, the 3Com Tailfin, and the ntl:home 100/120 are capable of sniffing the passing traffic through the transparent bridge to intercept any packets addressed to themselves. This only works when the bridge is open, so the cable modem diagnostics cannot be read when the cable modem is booting up or failing to remain in contact with the UBR.

    Obviously the Linksys brand cable modems such as the befcmu10 has this feature…  And obviously the Zoom brand DSL modem does not...



  • @chpalmer:

    I think I found my answer of why one works and the other does not…

    Thanks for the explanation.

    And you can now access your DSL modem?



  • @wallabybob:

    @chpalmer:

    I think I found my answer of why one works and the other does not…

    Thanks for the explanation.

    And you can now access your DSL modem?

    Haven't got that far yet…

    I have to be on site to play with that system to make sure I don't take it offline inadvertently... Tends to piss everyone off...  ;D  But the weekend is still young.



  • @wallabybob:

    Have you read the article Accessing modem from inside firewall at http://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall?

    I can't assign a second interface to the same network port as my static WAN port…



  • @chpalmer:

    I can't assign a second interface to the same network port as my static WAN port…

    So your modem is doing ppp and not pfSense? (called 'half bridge' mode by some.)



  • DSL modem is a bridge only. No login of any kind available on it.  http://www.zoomtel.com/techsupport/adsl/adsl_5615.shtml

    ISP has me set up as static "bridge mode".

    They provide me an address, subnet and gateway to configure on my interface.

    No PPP of any kind.



  • I guess you will have to use something like the "option 1" in the document.



  • @wallabybob:

    I guess you will have to use something like the "option 1" in the document.

    I'm working on it…  I'll come back and share how I did it if it works...

    Thanks man!



  • I have just replaced my Zyxel ADSL modem/router by a Tenda D820 ADSL modem/bridge. The Tenda doesn't do ppp.

    Here's how I setup my pfSense 2.0 BETA 5 snapshot build:
    rl0 has two VLANs. OPT5 is VLAN 10 on rl0.  pppoe1 is on OPT5. The modem has static IP 192.168.1.1.

    I configured OPT5 with static IP 192.168.1.2/24.

    A ping from the LAN side of pfSense didn't elicit a response from the modem. A tcpdump on OPT5 (# tcpdump -i rl0_vlan10 host 192.168.1.1) showed the ping going to the modem but with a source IP address on the pfSense LAN subnet. Since the modem didn't have any static routes configured (there didn't seem to be any way to configure routes in the modem) the modem probably didn't know where to send the replies. Since I saw ping replies when I ping'd from pfSense, the missing route back to the LAN IP address was probably the reason I couldn't see replies to a ping from the LAN.

    As explained in the document I referred to earlier, enabling NAT on the OPT5 should fix the source IP address problem. In the pfSense web GUI: Firewall -> NAT I clicked on the Outbound tab, added a rule Interface=OPT5 Protocol=Any Source=LAN subnet  Destination=192.168.1.0/24     Translation Address=Interface Address     No XMLRPCSync: Unticked, clicked on button Manual Outbound NAT rule generation (AON - Advanced Outbound NAT) then clicked Save. I don't know if it was necessary but I also went to Diagnostics -> States, clicked on the Reset States tab then the Reset button.

    Then I restarted the ping from the pfSense LAN subnet and it reported a response. The tcpdump on the rl0_vlan10 interface showed the ping with source address 192.168.1.2.

    Attempts to access the web GUI of the modem time out so I still have a problem but seem to be closer to its solution.

    It wasn't particularly obvious to me what the difference between the two Outbound NAT buttons was ( Automatic outbound NAT rule generation (IPsec passthrough included)   Manual Outbound NAT rule generation  (AON - Advanced Outbound NAT)). They seem to mean "Disable the following mappings" and "Enable the following mappings" respectively.
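    As an added illustration (not code from the thread or from pfSense), a small model of the problem wallabybob traced above: a bridge-only modem with no routes can only answer a source on its own subnet, so the outbound NAT rule on the modem-facing interface (Source=LAN subnet, Destination=192.168.1.0/24, Translation=Interface Address) is what makes the replies deliverable. The LAN subnet 172.25.125.0/24 is taken from chpalmer's diagram and used here as an assumption for the LAN side.

```python
# Added example (not from the forum thread): models pfSense outbound NAT on
# the modem-facing interface and the modem's reply-routing decision.
import ipaddress

MODEM_IP = ipaddress.ip_address("192.168.1.1")     # modem management address
MODEM_NET = ipaddress.ip_network("192.168.1.0/24")  # modem's only known subnet
OPT5_IP = ipaddress.ip_address("192.168.1.2")       # pfSense OPT5 static IP
LAN_NET = ipaddress.ip_network("172.25.125.0/24")   # assumed LAN subnet


def outbound_nat(src, dst, nat_enabled):
    """Source address the modem will see for a packet leaving OPT5.

    Mirrors the manual outbound NAT rule from the post: traffic from the
    LAN subnet to 192.168.1.0/24 is translated to the OPT5 interface address.
    Anything else leaves with its original source (no rule matched).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if nat_enabled and src in LAN_NET and dst in MODEM_NET:
        return OPT5_IP
    return src


def modem_reply_reachable(reply_dst):
    """A bridge-only modem with no static/default route can only deliver a
    reply to a host on its own subnet; any other destination is dropped."""
    return ipaddress.ip_address(reply_dst) in MODEM_NET


def round_trip(lan_host, nat_enabled):
    """True when a ping/HTTP reply from the modem can get back to pfSense."""
    seen_src = outbound_nat(lan_host, MODEM_IP, nat_enabled)
    return modem_reply_reachable(seen_src)


if __name__ == "__main__":
    for nat in (False, True):
        # constructed LAN host, as in the earlier LAN trace
        print(f"NAT on OPT5 {'enabled' if nat else 'disabled'}: "
              f"reply reachable = {round_trip('172.25.125.53', nat)}")
```

    Without the rule the modem sees 172.25.125.53 and has nowhere to send its reply; with it the modem sees 192.168.1.2 and answers on its own subnet, which matches the tcpdump result in the post.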

