Netgate Discussion Forum

    Virtual ip to manage UBNT Radio – newbie

    • jly2680

      scenario:

      internet  router –--ubnt AP --- 5 km link-- ubnt client --- WAN pfsense  --> LAN 172.26.26.0 subnet

      192.168.2.0/24                                                          192.168.2.250

      I've been banging my head working on this one. I just want to access my ubnt radio's GUI/SSH through my LAN. The ubnt has 192.168.1.20 as its management IP. I created a virtual IP alias on the WAN interface, which is 192.168.1.10, so pinging/SSH to my ubnt works inside pfSense but not on my LAN subnet. I created a manual NAT translating it to the VIP, but I can't access my radio from my laptop. Hope someone could help me.

      1 Reply Last reply Reply Quote 0
      • ptt Rebel Alliance

        Are you able to access your "internet router" menu (on 192.168.2.x)?

        If yes, then why not change the UBNT radio's IP to that segment (192.168.2.x) instead of 192.168.1.x?

        1 Reply Last reply Reply Quote 0
        • stephenw10 Netgate Administrator

          I agree, why not just access it on 192.168.2.X?

          If you can access it from the pfSense box but not from LAN side clients then one of two things is happening.
          1. Your LAN firewall rules are blocking traffic from LAN subnet to the VIP subnet.
          2. There is a routing issue.

          It's probably 2 since the default LAN rule should allow that traffic. The issue here is that the ubnt does not have a route back to your LAN clients because it doesn't know about the LAN subnet. There are several ways around that. You can NAT the connection so that traffic appears to be coming from the pfSense VIP, which it can see in its own subnet. You've tried that and it should work; check your NAT settings. You can add a gateway to the VIP interface so that pfSense will NAT the traffic with outbound NAT set to automatic. You can add a route to the ubnt. You can fudge the ubnt subnet to include the LAN side subnet (not a nice option but sometimes the only one).

          Steve

          1 Reply Last reply Reply Quote 0
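
A small model of the return-path problem described in the post above, added here as an illustration and not code from any poster: it applies longest-prefix matching to the radio's routing table to show where its replies go in each case. The /24 masks, the laptop address 172.26.26.50 and the 192.168.1.1 gateway are assumptions made for the example.

```python
import ipaddress

# Addresses from the thread; the /24 masks and LAN_CLIENT are assumed.
RADIO_IF = ipaddress.ip_interface("192.168.1.20/24")    # ubnt management IP
PFSENSE_VIP = ipaddress.ip_address("192.168.1.10")      # IP alias on pfSense WAN
LAN_NET = ipaddress.ip_network("172.26.26.0/24")        # pfSense LAN subnet
LAN_CLIENT = ipaddress.ip_address("172.26.26.50")       # constructed laptop address
OTHER_GW = ipaddress.ip_address("192.168.1.1")          # hypothetical gateway on the radio


def reply_next_hop(dst, iface, static_routes=(), default_gw=None):
    """Where does a host with this routing table send a reply to dst?

    Returns "on-link", a next-hop address, or None when no route exists.
    Uses longest-prefix match, as an IP stack does.
    """
    dst = ipaddress.ip_address(dst)
    table = [(iface.network, "on-link")] + list(static_routes)
    matches = [(net.prefixlen, hop) for net, hop in table if dst in net]
    if matches:
        return max(matches, key=lambda m: m[0])[1]
    return default_gw


def source_seen_by_radio(client, nat_to_vip):
    """Source address on the packet when it reaches the radio."""
    return PFSENSE_VIP if nat_to_vip else ipaddress.ip_address(client)


def scenarios():
    """Reply path chosen by the radio for each case discussed in the thread."""
    plain = source_seen_by_radio(LAN_CLIENT, nat_to_vip=False)
    natted = source_seen_by_radio(LAN_CLIENT, nat_to_vip=True)
    return {
        # Radio only knows 192.168.1.0/24: the reply has nowhere to go.
        "no NAT, no route": reply_next_hop(plain, RADIO_IF),
        # Source rewritten to the VIP: reply stays inside the radio's subnet.
        "outbound NAT to VIP": reply_next_hop(natted, RADIO_IF),
        # Route for the LAN subnet added on the radio, pointing at the VIP.
        "static route on radio": reply_next_hop(
            plain, RADIO_IF, static_routes=[(LAN_NET, PFSENSE_VIP)]),
        # A default gateway that is not pfSense sends the reply the wrong way.
        "default gw elsewhere": reply_next_hop(plain, RADIO_IF, default_gw=OTHER_GW),
    }


if __name__ == "__main__":
    for case, hop in scenarios().items():
        print(f"{case:24} -> {hop}")
```

Only the NAT and static-route cases return the reply through pfSense, which matches the symptom in the first post: access works from the firewall itself (source 192.168.1.10) but not from LAN clients.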
          • charliem

            This process is documented here:
            https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall

            Per 'Note 2' on that page, the IP alias approach was recommended for 1.2.3, and 'could be considered harmful' for 2.x.

            Recommended approach is to create an OPT interface and then create an outbound NAT rule for OPT (not WAN). Worked for me to get to my cable modem web page (192.168.100.1 in my case).

            I'm also confused by your 192.168.2.x subnet with 192.168.1.x addresses.

            1 Reply Last reply Reply Quote 0
            • stephenw10 Netgate Administrator

              It's not quite the same as accessing a modem where the PPPoE interface doesn't use the actual ethernet interface. In this case the interface connecting to the ubnt device is already in use so a virtual IP must be used.

              Steve

              1 Reply Last reply Reply Quote 0
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.