Virtual ip to manage UBNT Radio – newbie



  • scenario:

    internet  router –--ubnt AP --- 5 km link-- ubnt client --- WAN pfsense  --> LAN 172.26.26.0 subnet

    192.168.2.0/24                                                          192.168.2.250

    I've been banging my head working on this one. I just want to access my ubnt radio's GUI/SSH through my LAN. The ubnt has 192.168.1.20 as its management IP. I created a virtual IP alias on the WAN interface, which is 192.168.1.10, so pinging/SSH to my ubnt works inside pfSense but not on my LAN subnet. I created a manual NAT translating it to the VIP, but I can't access my radios on my laptop. Hope someone could help me.


  • Rebel Alliance

    Are you able to access your "internet router" menu (on 192.168.2.x)?

    If yes, then why not change the UBNT radio's IP to that segment (192.168.2.x) instead of the 192.168.1.x?


  • Netgate Administrator

    I agree, why not just access it on 192.168.2.X?

    If you can access it from the pfSense box but not from LAN side clients then one of two things is happening.
    1. Your LAN firewall rules are blocking traffic from LAN subnet to the VIP subnet.
    2. There is a routing issue.

    It's probably 2 since the default LAN rule should allow that traffic. The issue here is that the ubnt does not have a route back to your LAN clients because it doesn't know about the LAN subnet. There are several ways around that. You can NAT the connection so that traffic appears to be coming from the pfSense VIP, which it can see in its own subnet. You've tried that and it should work; check your NAT settings. You can add a gateway to the VIP interface so that pfSense will NAT the traffic with outbound NAT set to automatic. You can add a route to the ubnt. You can fudge the ubnt subnet to include the LAN side subnet (not a nice option but sometimes the only one).

    Steve
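
Added example, not part of the original posts: a small Python model of the radio's return-path decision for the options listed in the reply above (no NAT, NAT to the VIP, a static route on the ubnt, a widened subnet). The /24 masks, the laptop address 172.26.26.50, the radio having no default gateway, the use of the VIP as the static route's gateway and all function names are assumptions.

```python
import ipaddress as ip

# Addresses from the thread; the /24 masks are assumptions (the posts give none).
LAN = ip.ip_network("172.26.26.0/24")
RADIO_IF = ip.ip_interface("192.168.1.20/24")  # ubnt management address
VIP = ip.ip_address("192.168.1.10")            # pfSense IP alias on WAN
LAPTOP = ip.ip_address("172.26.26.50")         # constructed LAN client


def reply_next_hop(dst, iface, routes=(), default_gw=None):
    """Model the radio's routing decision for a reply sent to dst.

    Returns "direct" if dst is on-link, else the gateway of the longest
    matching static route, else the default gateway (None = no route).
    """
    if dst in iface.network:
        return "direct"
    matches = [(net, gw) for net, gw in routes if dst in net]
    if matches:
        return max(matches, key=lambda m: m[0].prefixlen)[1]
    return default_gw


def smallest_common_subnet(a, b):
    """Smallest network holding both addresses (the 'fudge the subnet' option)."""
    net = ip.ip_network(f"{a}/32")
    while b not in net:
        net = net.supernet()
    return net


def scenarios():
    return {
        # Radio sees the laptop's real source and has no route back to it.
        "no_nat": reply_next_hop(LAPTOP, RADIO_IF),
        # Outbound NAT rewrites the source to the VIP, which is on-link.
        "nat_to_vip": reply_next_hop(VIP, RADIO_IF),
        # Static route on the radio: LAN subnet via pfSense's VIP (assumed gateway).
        "static_route": reply_next_hop(LAPTOP, RADIO_IF, routes=[(LAN, VIP)]),
        # Mask the radio would need for the laptop to look on-link.
        "widened_subnet": smallest_common_subnet(RADIO_IF.ip, LAPTOP),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:15} -> {result}")
```

With these addresses the widened subnet comes out as 128.0.0.0/1, which shows how coarse that option is here.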



  • This process is documented here:
    https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall

    Per 'Note 2' on that page, the IP alias approach was recommended for 1.2.3, and 'could be considered harmful' for 2.x.

    Recommended approach is to create an OPT interface and then create an outbound NAT rule for OPT (not WAN). Worked for me to get to my cable modem web page (192.168.100.1 in my case).

    I'm also confused by your 192.168.2.x subnet with 192.168.1.x addresses.


  • Netgate Administrator

    It's not quite the same as accessing a modem where the PPPoE interface doesn't use the actual ethernet interface. In this case the interface connecting to the ubnt device is already in use so a virtual IP must be used.

    Steve

