Bridged modem: connection tip
Let me first of all thank the pfsense developers, the book authors and all of you here in the forum; without you I would still be stuck in the router middle ages :-) I'd like to give a little bit back to anyone who may stumble on this post.
The connection from LAN to a bridged modem behind pfSense is covered in the pertinent wiki howto http://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall. Having established the connection, I could access the web GUI of the modem from the LAN, but two things bothered me. Since the modem is bridged it has no IP address and cannot connect to an Internet time server to keep the correct time. This makes the logs somewhat useless. The lack of an IP also means the logs cannot be mailed.
Some time later it dawned on me. The modem and pfSense share the same subnet. What if the modem could ask pfSense for the time? Well, it can, and it works: just allow TCP/UDP 123 (ntp) on the modem interface. But now a vague notion, that somehow there must be a way for the logs too, entered my mind, though, me being so dense, it took some time for it to permeate :-) After considering, and discarding, the options of running a mail server on pfSense and of keeping (or relaying) the modem logs on (or from) pfSense, I remembered NAT. What if I could set the modem to use remote syslog, sending the data to pfSense, and have pfSense redirect it with inbound NAT (port forwarding) to the log-keeping server on LAN? Again, it works, provided you put in place a firewall rule for UDP 514 (syslog) on the log-keeping server.
Firewall rules
pfctl -sr
pass in log quick on vr1 inet proto tcp from <modem> to <pfsense> port = ntp flags S/SA keep state label "USER_RULE: MODEM -> PFSENSE, allow ntp"
pass in log quick on vr1 inet proto udp from <modem> to <pfsense> port = ntp keep state label "USER_RULE: MODEM -> PFSENSE, allow ntp"
pass in log quick on vr1 inet proto udp from <modem> to <server> keep state label "USER_RULE: NAT modem logs redirection"
NAT
pfctl -sn
rdr on vr1 inet proto udp from [modem IP] to [pfsense IP] port = syslog -> [server IP]
Just in case what I came up with is not considered safe, feel free to correct me.
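How the rdr and pass rules above interact, as an added example that is not from the post: a small Python model with constructed addresses and simplified pf semantics (default deny, no state tracking, one interface) that applies the redirect before the filter, as pf does. It shows why the pass rule must name the translated destination (the server, not pfSense), and what the posted pass rule, which has no port restriction, lets through compared with one limited to port 514.

```python
from dataclasses import dataclass, replace

# Constructed addresses standing in for the post's <modem>, <pfsense> and <server>.
MODEM, PFSENSE, SERVER = "192.168.1.2", "192.168.1.1", "192.168.1.50"
NTP, SYSLOG = 123, 514

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int

def apply_rdr(pkt):
    """The post's rdr rule: udp from modem to pfSense port syslog -> server."""
    if (pkt.proto, pkt.src, pkt.dst, pkt.dport) == ("udp", MODEM, PFSENSE, SYSLOG):
        return replace(pkt, dst=SERVER)
    return pkt

# Pass rules as (proto, src, dst, dport); dport None means "any port".
# All are "pass in quick" on the modem interface; anything unmatched is denied.
RULES_AS_POSTED = [
    ("tcp", MODEM, PFSENSE, NTP),
    ("udp", MODEM, PFSENSE, NTP),
    ("udp", MODEM, SERVER, None),      # no port restriction, as in the post
]
RULES_TIGHTENED = [
    ("tcp", MODEM, PFSENSE, NTP),
    ("udp", MODEM, PFSENSE, NTP),
    ("udp", MODEM, SERVER, SYSLOG),    # only the redirected syslog traffic
]
RULES_WRONG_DST = [                    # mistake: pass rule names the pre-NAT destination
    ("udp", MODEM, PFSENSE, SYSLOG),
]

def passes(pkt, rules):
    """Translate first (as pf does), then return True if a pass rule matches."""
    p = apply_rdr(pkt)
    for proto, src, dst, dport in rules:
        if (p.proto, p.src, p.dst) == (proto, src, dst) and dport in (None, p.dport):
            return True
    return False

if __name__ == "__main__":
    syslog = Packet("udp", MODEM, PFSENSE, SYSLOG)
    stray = Packet("udp", MODEM, SERVER, 9999)   # modem reaching the server on another port
    print("syslog, as posted:   ", passes(syslog, RULES_AS_POSTED))  # True
    print("stray udp, as posted:", passes(stray, RULES_AS_POSTED))   # True
    print("stray udp, tightened:", passes(stray, RULES_TIGHTENED))   # False
    print("syslog, wrong dst:   ", passes(syslog, RULES_WRONG_DST))  # False
```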