PfSense blocking password access to my modem?



  • Hi,
    I think pfSense is stopping me logging into my modem's password?
    I access my modem with a password when the modem is connected directly to my local computer (when local computer is in DHCP mode).
    When I connect the modem back into pfSense, I can browse to the modem, however the same password won't allow login.

    pfSense is on subnet 255.255.255.0 with IP address 192.168.1.155 and
    the modem is on subnet 255.255.0.0 with IP address 192.168.0.50.
    My local computer is on subnet 255.255.255.0 with IP address 192.168.1.120 and can browse to the modem on 192.168.0.50, but not login with the correct modem password?

    pfSense > Interfaces > WAN > Private networks > Block private networks: is unticked.

    Modem in pfSense, computer can browse to 192.168.0.50, but not login with modem's password.
    When I plug the modem out of pfSense and into the computer, the computer (now in static IP mode) cannot ping or browse to 192.168.0.50.

    Any suggestions on how to fix this?


  • Netgate Administrator

    @eiger3970:

    When I plug the modem out of pfSense and into the computer, the computer (now in static IP mode) cannot ping or browse to 192.168.0.50.

    What IP/subnet is the client machine using when statically configured as above? If it's still the same as behind pfSense then it's in a different subnet so it won't be able to connect to the modem.

    Is the modem in bridge mode? Is the pfSense WAN receiving a public IP or using one in the 192.168.0.X subnet?
    If it's public then you should have another interface (on the same NIC) to connect to the modem.

    None of that really explains why you are able to connect but not login to the modem.  :-\ Perhaps it is redirecting you to an https page and trying to open a new connection. Check the firewall logs for blocked traffic coming from the modem IP.

    Steve


  • Banned

    @eiger3970:

    pfSense is on subnet 255.255.255.0 with IP address 192.168.1.155 and
    the modem is on subnet 255.255.0.0 with IP address 192.168.0.50.

    Whut?

    192.168.1.155/24 is a part of 192.168.0.0/16


  • Netgate Administrator

    Indeed.
    I use this little trick to access the DSL modem my WAN uses here at home.
    The modem has very little by way of networking options especially when it's in bridge mode. There is no way to add a downstream gateway to its LAN interface. I have the WAN interface running PPPoE and the same NIC running as a local subnet in order to access the modem. In order to leave outbound NAT as auto and not add any superfluous gateways in pfSense I set the subnet mask of the modem LAN to /16. That includes all my local subnets on various interfaces. Doing that gives the modem a route back so it can reply to connections to its webgui.
    It's a bit of a horrible hack but works fine. I assume that's what the OP is doing but we'll find out.

    Steve



  • The local machine is on IP 192.168.1.102.
    The local machine's subnet is 255.255.255.0.

    pfSense machine is on LAN IP 192.168.1.155 on NIC 2 of 2.
    pfSense machine's subnet is 255.255.255.0.

    The modem doesn't have bridge mode. I forward all packets to 192.168.0.2 which is pfSense's WAN IP on NIC 1 of 2.
    pfSense WAN is not receiving a public IP.
    Yes, pfSense WAN is set to 192.168.0.2, to receive the modem 192.168.0.50 on the subnet 255.255.0.0.
    pfSense has 2 NICs for WAN 192.168.0.2 and LAN 192.168.1.155.


  • Netgate Administrator

    In that case Doktornotor is right. The pfSense WAN subnet mask should be /24 (255.255.255.0).

    Steve



  • Thank you for the reply.

    I'm not sure how to change pfSense's WAN IP to Subnet 255.255.255.0 as pfSense's WAN IP is DHCP and receives the WAN IP 192.168.0.2 from the modem.

    I checked the settings in pfSense > Interfaces > WAN > DHCP Client Configuration > Alias IPv4 address: 192.168.0.2/24.

    Is there another configuration that could fix this issue?


  • Banned

    So why don't you move your LAN to something from the 10/8 or 172.16/12 range? Your LAN machines are effectively on the modem's WAN IP range, nothing good can come out of this and frankly whether you can or cannot logon to the modem would be the least of my concerns here.  :o

    Note #1: Do NOT use /8 or /12, create a normal /24 subnet.
    Note #2: I'd honestly get rid of the garbage modem, this is insane.
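
The overlap pointed out in the replies above, checked in code. This is an added example, not part of any post in the thread: the addresses are the ones quoted in the thread (with the pfSense WAN on the 255.255.0.0 mask the original poster describes), while the interface labels and the function names `find_overlaps`, `on_link` and `suggest_lan` are this example's own.

```python
import ipaddress

# Addresses quoted in the thread; the labels are assumptions of this example.
THREAD_CONFIG = {
    "modem LAN": "192.168.0.50/16",
    "pfSense WAN": "192.168.0.2/16",
    "pfSense LAN": "192.168.1.155/24",
}
PRIVATE_POOLS = ("10.0.0.0/8", "172.16.0.0/12")  # ranges suggested in the thread


def find_overlaps(config):
    """Return name pairs whose subnets are different networks but overlap."""
    nets = {n: ipaddress.ip_interface(a).network for n, a in config.items()}
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a] != nets[b] and nets[a].overlaps(nets[b])
    ]


def on_link(interface, target):
    """True if `interface` treats `target` as directly attached (no gateway)."""
    return ipaddress.ip_address(target) in ipaddress.ip_interface(interface).network


def suggest_lan(config, pools=PRIVATE_POOLS, prefix=24):
    """Return the first /24 in the pools that overlaps no configured subnet."""
    used = [ipaddress.ip_interface(a).network for a in config.values()]
    for pool in pools:
        for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
            if not any(candidate.overlaps(n) for n in used):
                return candidate
    return None


if __name__ == "__main__":
    for a, b in find_overlaps(THREAD_CONFIG):
        print(f"overlap: {a} ({THREAD_CONFIG[a]}) <-> {b} ({THREAD_CONFIG[b]})")
    # With a /16 mask the modem sees the LAN client as on its own segment.
    print("modem sees 192.168.1.120 as on-link:",
          on_link(THREAD_CONFIG["modem LAN"], "192.168.1.120"))
    print("non-overlapping LAN candidate:", suggest_lan(THREAD_CONFIG))
```
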



  • @doktornotor:

    So why don't you move your LAN to something from the 10/8 or 172.16/12 range? Your LAN machines are effectively on the modem's WAN IP range, nothing good can come out of this and frankly whether you can or cannot logon to the modem would be the least of my concerns here.  :o

    Note #1: Do NOT use /8 or /12, create a normal /24 subnet.
    Note #2: I'd honestly get rid of the garbage modem, this is insane.

    This.

    Addressing the original "stopping me logging into my modem's password", that's impossible, either you can reach it or you can't. Or in the case of this messed up network, maybe intermittently either way. Fix the subnets and your problem likely goes away.



  • Well, spent a bit of time, with some help, on this issue and it seems the modem may need a replacement, so waiting for this Friday for a technician to come out.

    Fully reinstalled pfSense and tested on multiple computers and the modem seems to be the issue.
    The weird thing is that now, nothing can get onto the Internet when connected via pfSense, but can get onto the Internet when directly connected to the modem.

    With pfSense connected, computers can ping others on the network, can ping pfSense, can ping the modem, but can't ping the Internet.

    I hope a new cable modem will fix this.


  • Banned

    Your computers are assigned IPs that are on WAN. Until you have fixed that completely invalid configuration, there is no point in messing with cables, modems or anything else.


  • Netgate Administrator

    @eiger3970:

    With pfSense connected, computers can ping others on the network, can ping pfSense, can ping the modem, but can't ping the Internet.

    A common cause of that is adding a gateway to the LAN interface. You should have only one system gateway and it should be on WAN and set as default. Check in System: Routing Gateways:

    Steve