    Access modem on wan from lan on pfsense 2.2 rc

    Category: Firewalling | 39 Posts, 5 Posters, 8.6k Views
    johnpoz (LAYER 8 Global Moderator):

      So do a sniff on the interface you create - do you see the traffic go out or not?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

    DemonfangArun:

        Updated to 2.2 RC today to resolve broken apinger (needed for multi-WAN/load balancing to work right), in the process noting why I was having problems before with the firewall: when I set it to manual rules it locks my public IP addresses into the NAT rules. I cannot do this because I have dynamic IP addresses, meaning every reboot I would have to fiddle with NAT. Hybrid mode in 2.2 also doesn't work because it tries NATing the created interface to the public IP address. I'm thinking the guide for this is going to need rewriting because none of it works at all in 2.2, and it can't be used with dynamic IPs that change every login in any version of pfSense.

    johnpoz:

          Huh??  I think you're not understanding the process of creating an OPT interface connected to your WAN.  You don't need to create any NATs for this..

          You stated you're PPPoE, right - so while that IP can change whenever, it has nothing to do with your RFC1918 address space on your modem.

          You're not putting a gateway on this new interface - so it's not a WAN, and would not be doing NAT.  It's just like another LAN segment.  You're creating an OPT interface tied to your physical WAN interface connected to your modem, putting a pfSense IP on it in a specific network.

          You don't NAT between LAN segments.  See drawing attached.

          Once you create your OPT interfaces connected to the physical interfaces your modems are on - you just put an IP on that interface that is on the same network as your modem's local IP.  pfSense would then route traffic to those networks.  You would only need to make sure that your LAN rules allow the traffic to those network segments, which the default any any would do.

          connection-modems.png

    DemonfangArun:

            Assuming by talking about the default any any you mean the anti-lockout rule that is created, then I have tried what you suggested (I checked for connectivity to the modem after every step in the 2.0 guide, including just creating an OPT interface with an IP in range of the modem) and it isn't working for me.

    johnpoz:

              What dude - no, not the anti-lockout rule..  What are your rules on your LAN segment?

              If it's not working, then your modem doesn't have a gateway to talk back to your other network would be my guess..  In that case you would have to NAT..  This is not rocket science - it's just like putting another LAN segment on your network.  And simple routing.  For the modem to talk to 10.0.0.0/24 it would need to know that it needs to talk to the pfSense IP on the 10.0.1.0/24 segment.

              If your modem on 10.0.1.1/24 does not know how to get to 10.0.0.14/24 then you would have to NAT.  But again this has nothing to do with any IPs changing.  So can pfSense ping your modem's 10.0.1.1 address from its 10.0.1.2 IP on the OPT interface you created?  If so, and your client cannot talk to it, then you most likely need a NAT.

              If pfSense cannot ping it - then you have something else wrong - like the modem is not on the IP you think it is, you have not created the interface correctly on pfSense, etc..

              Let's see pfSense pinging the modem, then let's see your NAT setup.  Keep in mind you would be NATing to the OPT interface(s) you created.

    DemonfangArun:

                Sorry, whilst I am good with some areas of networking, I am not with others xD

                Here is a screenshot of my LAN rules (the bridge is a combination of 3 ports to be on the same subnet): https://i.imgur.com/POG6VvO.png

                LB in the second entry is redirecting traffic towards a gateway group that does load balancing between my two incoming WAN connections.

                As for modem IPs, I know they are right (I was just down in the basement a couple of days ago to check on some things manually) and I have to manually assign IPs in Linux on my laptop to gain access to the modem when directly plugged in.  As for rules on the modem there aren't any, but considering that I can access the modems fine when using the laptop with merely a manual IP assignment on the laptop I don't think they need any.

                As for pinging, I have not been able to ping either modem from my desktop.

                P.S. I apologize for seeming like a noob, I'm just trying to piece together why exactly it isn't working as it should be (I'm sitting here scratching my head a bit).

    johnpoz:

                  Bridge???  Dude, you said nothing of a bridge.. WHY do you have a bridge setup?  pfSense is a ROUTER; if you need to switch ports then use a switch..  I really can see no reason to ever create a bridge.

                  And who said anything about pinging from your desktop.. SSH to pfSense, and ping the modem IP from there.  Or use the GUI Diag, Ping.

                  Until pfSense can ping the modems you cannot expect anything behind pfSense to be able to do it.  If you want - set up TeamViewer and I will remote in and fix it.  This really is 2 minutes of setup.

                  Once you assign an OPT interface to the physical interface connected to your modem, you put an IP on it in the same segment as your modem's IP.  Since your modem does not have a route or gateway to get from its 10.0.1/24 network to your LAN 10.0.0/24 network, you would need to NAT traffic coming from 10.0.0/24 to the OPT interface on the modem's segment.

    DemonfangArun:

                    Reasoning behind the bridge is bandwidth: one LAN port provides 1Gbps each way, which would be a bottleneck between devices (many gigabit computers, an AC router in AP mode, and a DECA bridge (DirecTV stuff)), so I put a bunch of ports on a bridge so each of the above three gets its own dedicated bandwidth from the router, unless you know of a 10gig fiber switch that isn't mega expensive.

                    I can PM you TeamViewer info if you wish; what would a good time be (following EST)?

    johnpoz:

                      So your WAN is 3gig?  Your LAN port on your router doesn't do anything unless going to the WAN..  So yes your LAN port should equal or exceed your WAN bandwidth.  So you have a multi-gig WAN connection?

                      How do 3 gig interfaces in a bridge = a 10gig fiber switch?

                      If you need more bandwidth or you want failover for an interface you would LAGG them..
                      https://doc.pfsense.org/index.php/LAGG_Interfaces

                      I am in the Chicago area so Central time for me - I don't have anything planned today.. On vacation til end of the year - yeah!!  So PM the info, we can exchange personal email and we can chat over TeamViewer.  But until you can get pfSense to ping your modems, nothing behind pfSense is going to be able to get to them.

    DemonfangArun:

                        WAN is two 3Mbps/768kbps (down/up) connections.  It's more for inter-LAN stuff than anything else.  As for the fiber switch thing, 3Gbps is more than 1Gbps.  And I wish I had multi-gig incoming, but then I probably would be just using the AC router I got with a not-crappy firmware, and would not be here.

                        As for LAGG, the load balancing I do is a basic round-robin thing with no ISP-end support (i.e.: throw things onto whichever connection and go).  Also, going into LAGG only shows one interface (em0/wan1), so I don't think I could program it right either.

                        TeamViewer stuff will be PM'd momentarily.

    johnpoz:

                          What??  You have a 3mbps connection on the WAN.. WTF are you trying to use 3 gig connections to your router for??  Completely pointless!!

                          Draw up this network where you think 3 interfaces in a bridge are buying you anything??  When your internet connection is 6mbps total??

    johnpoz:

                            Dude, I pinged and emailed, nobody on the machine - but you had the password saved for pfSense.  So fixed it for you.  All of 1 minute.

                            So you had no firewall rule off your bridge (10.0.0/24) to allow traffic to 10.0.2/24 - you were sending all traffic to your GW with your rules..  I mentioned if you had the default any any rule you would already allow this traffic.

                            Also you had no NAT created for your OPT interface on em1, so the modem would not know how to get back (unless it had a gateway of your 10.0.2.5 address on pfSense or a route to 10.0.0/24), so I created that for you.

                            Do the same thing for mdm1 on em0, but I would really like to discuss why you think bridging makes sense??

                            I waited dude and pinged you, hope you don't mind that I fixed it for you.  I did not look at or touch anything else..  The instructions are fine as written in the docs, maybe some clarification of having to have rules that allow the traffic, and if the device you're trying to talk to doesn't have a route back to your other LAN you have to create a NAT on that interface.. But to be honest this is all pretty basic stuff.

                            Let me know when you want to discuss your bridge setup, I just cannot see how that would ever make sense to do ;)

                            accesstomodem.png
                            askingforauth.png
                            pfsensecanping.png

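The two things johnpoz fixed above (a LAN pass rule with no gateway placed above the gateway-group rule, and outbound NAT on the OPT interface because the modem has no route back), as an added Python example that is not pfSense code and was not posted in the thread. It models pfSense's top-down, first-match rule evaluation, where a matching rule that carries a gateway policy-routes the packet there even when the destination is another locally attached subnet, and the return-path check that decides whether NAT is needed. Addresses follow the thread (LAN 10.0.0.0/24, modem segment 10.0.2.0/24, pfSense OPT address 10.0.2.5, modem 10.0.2.1, interface em1); the Rule/Verdict types, the "LB" label, the constructed rulesets and the text that outbound_nat_rule() produces are this example's own conventions, not pfSense's generated ruleset.

```python
"""pfSense-style LAN rule evaluation plus the "does the modem need NAT" check.

Added example, not pfSense code. Addresses follow the forum thread; the
Rule/Verdict types, the "LB" label and outbound_nat_rule()'s output format
are this example's own assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    src: str                       # CIDR the source address must fall in
    dst: str                       # CIDR the destination address must fall in
    gateway: Optional[str] = None  # gateway / gateway group for policy routing, None = routing table
    descr: str = ""


@dataclass(frozen=True)
class Verdict:
    action: str
    gateway: Optional[str]         # None means the normal routing table decides the next hop
    descr: str


def evaluate(rules: Sequence[Rule], src_ip: str, dst_ip: str) -> Verdict:
    """First matching rule wins (pfSense makes every GUI rule 'quick').
    No match falls through to the implicit default deny."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst):
            return Verdict(r.action, r.gateway, r.descr)
    return Verdict("block", None, "implicit default deny")


def needs_outbound_nat(client_net: str, opt_ip: str,
                       modem_routes: Sequence[str],
                       modem_gateway: Optional[str]) -> bool:
    """True when the modem has no way to send replies to client_net: no default
    gateway pointing at pfSense's OPT address and no route covering the client
    subnet. Then pfSense must rewrite the client source to opt_ip (outbound
    NAT on the OPT interface), exactly the NAT created in the thread."""
    if modem_gateway is not None and ip_address(modem_gateway) == ip_address(opt_ip):
        return False
    client = ip_network(client_net)
    return not any(client.subnet_of(ip_network(r)) for r in modem_routes)


def outbound_nat_rule(opt_if: str, client_net: str, modem_net: str, opt_ip: str) -> str:
    """pf-style summary of the hybrid outbound NAT mapping for this case, to
    compare by eye against `pfctl -sn` on the box (format is this example's
    approximation, not pfSense's generated ruleset)."""
    return f"nat on {opt_if} inet from {client_net} to {modem_net} -> {opt_ip}"


# Constructed rulesets modelled on the thread (not the OP's actual screenshot).
LB = Rule("pass", "10.0.0.0/24", "0.0.0.0/0", gateway="LB",
          descr="everything via the load-balance gateway group")
TO_MODEM = Rule("pass", "10.0.0.0/24", "10.0.2.0/24",
                descr="modem segment, no gateway: use the routing table")
BROKEN = [LB]                 # what the OP had: every packet policy-routed to the WANs
MISORDERED = [LB, TO_MODEM]   # pass rule present but below LB: never reached
FIXED = [TO_MODEM, LB]        # pass rule above LB: modem traffic routed via the OPT interface


def demo() -> dict:
    """Run the three rulesets and the NAT decision over the thread's addresses."""
    return {
        "broken": evaluate(BROKEN, "10.0.0.50", "10.0.2.1").gateway,
        "misordered": evaluate(MISORDERED, "10.0.0.50", "10.0.2.1").gateway,
        "fixed": evaluate(FIXED, "10.0.0.50", "10.0.2.1").gateway,
        "fixed_internet": evaluate(FIXED, "10.0.0.50", "203.0.113.10").gateway,
        "nat_no_route_back": needs_outbound_nat("10.0.0.0/24", "10.0.2.5", [], None),
        "nat_with_gateway": needs_outbound_nat("10.0.0.0/24", "10.0.2.5", [], "10.0.2.5"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    print(outbound_nat_rule("em1", "10.0.0.0/24", "10.0.2.0/24", "10.0.2.5"))
```

The point of MISORDERED is the one that bites in practice: having the pass rule in the list is not enough, it has to sit above any rule that carries a gateway, because the first match decides both the verdict and the next hop. The NAT check is what johnpoz's "can the modem get back" question boils down to; when the modem has a default gateway of 10.0.2.5 the NAT is unnecessary and traffic stays plainly routed between two LAN segments.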
    DemonfangArun:

                              @johnpoz:

                              What??  you have a 3mbps connection on the wan.. WTF you trying to use 3 gig connections to your router for??  Complete pointless!!

                              Draw up this network where you think 3 interface in a bridge is buying you anything??  When your internet connection is 6mbps total??

                              Perhaps this example will show what I mean: transferring multiple large files from LAN to wireless (AC1900 AP), then streaming a video from sat equipment to a tablet (or from the internet for that matter).  That would total over the 1Gbps that the link from the router to the switch has.

                              As for accessing the modem, it looks like I was doing it right, but just not creating the firewall rule (the guide never mentioned this).  (The NAT thing wasn't there when you got on because I was a tad confused, but the first time around I did have one there.)

                              Another thing about me is I'm more of a hands-on learner, and learn stuff well when doing trial and error and reverse engineering what someone has done to understand how it ticks.

    johnpoz:

                                "transferring multiple large files from lan to wireless (ac 1900 ap), then streaming a video from sat equipment to tablet (or from internet for that matter). that would total over the 1Gbps that the link from the router to the switch has."

                                Well 1900 is the total for both bands, so you're not getting 1900 mbps ;)  Also how many streams does the wifi client have?  Are you on the 2.4 or 5 band, are you using 20, 40 or 80mhz channels?  Just because your AP is AC does not even mean your clients are, etc..  Sorry but wifi just doesn't do gig..  AC 5 with 80mhz and a 3x3 client I see real world about 500, maybe 600 with a 1300 data rate connection.

                                As to from the internet to anything - yes that would use the LAN port of pfSense..  But that is 1,000,000,000 bps; your internet total is 6,000,000.

                                You do understand everything talking to each other on the switch uses its own path through the switch.. You sending it to pfSense is slowing it down!!!  pfSense for one sure isn't forwarding packets at wire speed in a bridge.. ;)  And you're forcing traffic through its interface that really never should go there.

                                You have a gig switch.  Connect your devices to the gig switch..  It should have a backplane of double its ports..  So for example my SG300 with 10 ports has a 20GB backplane - it can switch 20GBs of traffic at the same time.  It was designed to "switch"; pfSense is meant to route - completely different!!

                                The only thing that goes to pfSense would be traffic to or from the internet.  Traffic between devices on your network would never even talk to pfSense, other than maybe for DNS, etc..

                                Here is how you should have your network set up.  See attached.  When devices talk to each other they go through the switch at full wire speed between each other; they do not even need to talk to pfSense.  pfSense is only the gateway OFF that local network - i.e. the internet, and you only have 6mbps to the internet.  The gig connection pfSense has on its LAN is more than enough to handle that.  If you were printing for example - that doesn't even go through pfSense; if you were watching a movie on your tablet off your DVR/media player that is full speed between those devices.  While your laptop is using the internet for example - those conversations have nothing to do with each other and the switch can handle it without any problems at full speed.

                                You do understand you can get a gig switch for pennies ;)  If you don't have one:
                                http://www.amazon.com/TRENDnet-Unmanaged-Gigabit-GREENnet-TEG-S80g/dp/B001QUA6RA
                                8 Port gig switch $29 to your door!

                                You putting traffic through a bridge is only going to slow it down in the big picture.

                                So I would love to see the way your network is physically connected, so we can go over the different paths and bandwidth, etc.

                                networkwithswitch.png

    DemonfangArun:

                                  Eh, I might end up doing it your way eventually.  If you really want to see a pic of the mess of cables going all over I can do that.  (Will also include a Visio drawing if I do this because it will look neater.)

    johnpoz:

                                    Visio, Paint, crayon and napkin that you take a picture of with your phone..  Some sort of diagram that shows your connections.  As I said before it would be RARE that you would ever use a bridge..  There just really is no reason for it these days.

                                    The only time I would think you might do it is with different media types - say you had a fiber card in pfSense and you wanted this fiber network to be on the same network as your normal copper network.  In that case you might leverage pfSense to bridge your fiber network to your copper network.

                                    But it would not be the best choice - the best choice would be to add a fiber connection to your switch where your copper is, etc.

                                    I really cannot think of when it would be a good idea to bridge vs use a switch, to be honest.

                                    Did you get your other modem working?  If not I can TV in again and fix it up.

    DemonfangArun:

                                      I got the other modem working once I looked at what you did (namely the firewall rule that you added).  I'm a bit new to pfSense; the closest thing I've used to it before would be DD-WRT but that's miles behind what pfSense can do.

                                      (Links because the forum resizer is broken.)  Here are images of the setup: https://i.imgur.com/xMenQdj.jpg | https://i.imgur.com/ZDlTEkT.jpg

                                      And here's a Dia drawing to follow along with: https://i.imgur.com/IY8VJSx.png

    johnpoz:

                                        Yeah that setup makes no sense..  If you want to leave your AP connected, I would put it on its own segment so you can firewall your wifi from the rest of the network.  You're sending all your broadcast/multicast traffic out your wifi for no point.  And you have no security between wifi and your wired unless you're wanting it to be transparent?

                                        If you want it on the same broadcast domain then just plug it into the switch.

                                        As to the DECA, again pointless to bridge it to your LAN.  Why not put that on its own segment as well if you want to have a better setup and you have the interfaces..  It is only a 100mbps connection as well - what does it talk to on your network?  If it does talk to stuff on your network then just connect it to your switch.

                                        You could use a bridge if you wanted to have a transparent firewall between devices on each side of the bridge..  But in your setup I would break those out onto their own segments, wireless and wired.  As to the DECA, not sure what use there is in putting that on the same segment as your LAN or wifi - from my understanding it only uses that ethernet connection for internet.

                                        "With DECA coax networking, the DVRs only use your home network for internet access"

                                        So that really should just be on its own segment; bridging it to your network would only slow down your other networks.

                                        So you could still leverage your NICs on your pfSense, but just segment your 3 networks..  So you would have a LAN network, say 10.0.0/24, and your modem networks (10.0.1,2/24), and then your DECA could be 10.0.4/24 and your wifi could be 10.0.5/24 - this gives you easy to manage firewall controls and 3 different broadcast domains to keep the broadcast and multicast noise off those other networks.

    DemonfangArun:

                                          The reason it's all the same is because any device on any of the three networks has to be able to talk to any device on any other network (for instance remote monitoring of applications on wifi devices from a wired desktop).  I'm not sure exactly what all the DECA bridge does; supposedly it's supposed to allow devices on the network to stream from it, but I've not had much luck with that (also not had the best of luck keeping the receiver from locking up, and that's after updating it).  I'll probably stuff everything on the switch once I build a smaller computer that will sit where the AP is now and get some shorter cords so it's less of a mess.

    johnpoz:

                                            "reason it's all the same is because any device on any of the three networks has to be able to talk to any device on any other network"

                                            Then they should all be connected to the switch; your bridge is not buying you anything but slower connectivity.  My wifi devices can talk to my wired devices - but I have them on 2 segments because my wifi devices sure as hell don't need to see my wired network's broadcast or multicast traffic.

                                            Everything I read about the DECA stuff is that your whole-home DVR stuff is on the coax network..  The ethernet is just for internet..  What equipment do you have?  I am a DirecTV user for example - both of my DVRs are on the network just from the connection on the back of them.  To stream recorded shows to your mobile I do believe you need Genie Go..  I don't have Genie yet - but I can watch recorded shows from my DVRs on my PC and they are not on the same network segment, etc.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.