Access bridged FiOS router via LAN (pfSense) device



  • I've just finished configuring my new pfSense box on my home network.  I have Verizon FiOS so I have an ethernet cable going from my ONT to the WAN interface in pfSense.  I then have a switch attached to my LAN interface and from that switch an ethernet cable connecting to the WAN interface on my Verizon Actiontec router.  I've configured that WAN interface on the Actiontec with a static IP address of 192.168.4.10 (my LAN is 192.168.4.0/24).  The Actiontec also has a LAN interface of 192.168.1.1/22.  Everything is disabled on the Actiontec except for DHCP, which allows it to give IPs out to my STBs for VOD and Guide info.

    However I have one issue.  I'm unable to access the LAN/remote management IP (192.168.1.1) of the Actiontec from my LAN (192.168.4.x).  What am I missing?



  • For starters, you need on pfSense:

    1. Gateway to the Actiontec - System->Interfaces, add a gateway there. But DO NOT also select it in Interfaces->LAN.
    2. Add a static route to 192.168.0.0/22 via that gateway (also I am a little surprised that the ActionTec LAN side is a /22 mask)
    3. To avoid asymmetric routing, switch to Hybrid Outbound NAT, and add an outbound NAT entry for traffic out of LAN with destination 192.168.0.0/22 - that will make the traffic all look like it comes from pfSense LAN.

    Now pfSense will know how to get your traffic to the ActionTec LAN side.

    The next challenge, which I am not familiar with, is to nobble any firewalling in the Actiontec that will block incoming connections arriving on the Actiontec WAN side (from pfSense LAN).
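
    As an added example (not part of the reply above, and not pfSense or Actiontec code), the following standard-library Python models the three steps: it derives the 192.168.0.0/22 network from 192.168.1.1/22, checks that it does not overlap 192.168.4.0/24, does the longest-prefix lookup that the step-2 static route adds to the pfSense forwarding table, and then follows one connection from a LAN host to 192.168.1.1 with and without the step-3 outbound NAT entry to show where the asymmetric path comes from. The pfSense LAN address (192.168.4.1), the LAN client (192.168.4.50) and the default gateway are constructed assumptions; the thread does not state them.

```python
"""
Model of the pfSense gateway / static route / outbound NAT steps.
Constructed topology (assumptions are marked; none of this is read
from a live pfSense):
  - pfSense LAN 192.168.4.0/24, pfSense LAN address ASSUMED 192.168.4.1
  - Actiontec WAN 192.168.4.10 on the pfSense LAN segment
  - Actiontec LAN 192.168.1.1/22, i.e. the network 192.168.0.0/22
"""
import ipaddress

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

PFSENSE_LAN_IP = Addr("192.168.4.1")            # assumption, not in the thread
PFSENSE_LAN_NET = Net("192.168.4.0/24")
ACTIONTEC_WAN_IP = Addr("192.168.4.10")
ACTIONTEC_LAN_IF = ipaddress.ip_interface("192.168.1.1/22")
ACTIONTEC_LAN_NET = ACTIONTEC_LAN_IF.network     # 192.168.0.0/22
LAN_HOST = Addr("192.168.4.50")                  # constructed LAN client

# pfSense forwarding table after steps 1 and 2:
# (prefix, next hop or None when directly connected, egress interface).
# The default route is a placeholder so the lookup has something to fall to.
PFSENSE_ROUTES = [
    (PFSENSE_LAN_NET, None, "LAN"),
    (ACTIONTEC_LAN_NET, ACTIONTEC_WAN_IP, "LAN"),        # step 2 via the step 1 gateway
    (Net("0.0.0.0/0"), Addr("198.51.100.1"), "WAN"),     # placeholder default gateway
]


def subnets_fit(a: Net, b: Net) -> bool:
    """True when the two prefixes do not overlap; equal masks are irrelevant."""
    return not a.overlaps(b)


def lookup(dst: Addr, routes=PFSENSE_ROUTES):
    """Longest-prefix match over the routing table."""
    best = None
    for prefix, gw, ifname in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gw, ifname)
    return best


def next_hop(dst: Addr, routes=PFSENSE_ROUTES):
    """(next-hop address, egress interface); a directly connected dst is its own next hop."""
    prefix, gw, ifname = lookup(dst, routes)
    return (gw if gw is not None else dst, ifname)


def trace(src: Addr, dst: Addr, outbound_nat: bool) -> dict:
    """
    Follow one connection from a pfSense LAN host to the Actiontec LAN
    address and its reply, with or without the step-3 outbound NAT entry.
    """
    fwd_hop, fwd_if = next_hop(dst)
    # Step 3 rewrites the source to pfSense's LAN address for this destination.
    src_on_wire = PFSENSE_LAN_IP if outbound_nat else src
    # 192.168.4.0/24 is directly connected on the Actiontec WAN port, so the
    # Actiontec answers src_on_wire straight across the switch. That reply
    # only passes through pfSense when src_on_wire is pfSense itself.
    reply_via_pfsense = src_on_wire == PFSENSE_LAN_IP
    return {
        "forward_next_hop": str(fwd_hop),
        "forward_iface": fwd_if,
        "source_seen_by_actiontec": str(src_on_wire),
        "reply_dst": str(src_on_wire),
        "symmetric": reply_via_pfsense,
    }


if __name__ == "__main__":
    print(ACTIONTEC_LAN_NET, "->", ACTIONTEC_LAN_NET[0], "to", ACTIONTEC_LAN_NET.broadcast_address)
    print("no overlap with", PFSENSE_LAN_NET, ":", subnets_fit(ACTIONTEC_LAN_NET, PFSENSE_LAN_NET))
    print("next hop for", ACTIONTEC_LAN_IF.ip, ":", next_hop(ACTIONTEC_LAN_IF.ip))
    for nat in (False, True):
        print("outbound NAT" if nat else "no NAT   ", trace(LAN_HOST, ACTIONTEC_LAN_IF.ip, nat))
```

    Without the NAT entry the model shows pfSense forwarding the first packet to 192.168.4.10 but never seeing the Actiontec's reply, which goes directly to 192.168.4.50 on the same switch; a stateful firewall that only ever sees one direction of a flow is exactly the asymmetric-routing problem step 3 avoids. With the entry, the Actiontec only ever talks to 192.168.4.1, so both halves of every connection cross pfSense.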



  • @phil.davis:

    For starters, you need on pfSense:

    1. Gateway to the Actiontec - System->Interfaces, add a gateway there. But DO NOT also select it in Interfaces->LAN.
    2. Add a static route to 192.168.0.0/22 via that gateway (also I am a little surprised that the ActionTec LAN side is a /22 mask)
    3. To avoid asymmetric routing, switch to Hybrid Outbound NAT, and add an outbound NAT entry for traffic out of LAN with destination 192.168.0.0/22 - that will make the traffic all look like it comes from pfSense LAN.

    Now pfSense will know how to get your traffic to the ActionTec LAN side.

    The next challenge, which I am not familiar with, is to nobble any firewalling in the Actiontec that will block incoming connections arriving on the Actiontec WAN side (from pfSense LAN).

    The Actiontec is a /22 mask because that's how I was instructed to set it up when I first installed a new DD-WRT router to replace the Actiontec and use it strictly as an ethernet bridge to serve my STBs.  I was under the impression it had to be a different mask than my regular router, since both would be running DHCP, to avoid any conflicts.

    What exactly should I be adding as the gateway address under System > Routing (there is no System > Interfaces)?



  • Yeah, it is System->Routing - my bad, my brain was obviously ahead of my fingers at that point.
    You do not have to use a different mask, you just need subnets that do not overlap. In this case 192.168.1.1/22 happens to be 192.168.0.0 through to 192.168.3.255, which fits fine before 192.168.4.*

    192.168.4.10 is the IP of the Actiontec WAN that is sitting on pfSense LAN, so that is the gateway IP - that IP is the way to reach 192.168.0.0/22, which is sitting behind it.



  • @phil.davis:

    Yeah, it is System->Routing - my bad, my brain was obviously ahead of my fingers at that point.
    You do not have to use a different mask, you just need subnets that do not overlap. In this case 192.168.1.1/22 happens to be 192.168.0.0 through to 192.168.3.255, which fits fine before 192.168.4.*

    192.168.4.10 is the IP of the Actiontec WAN that is sitting on pfSense LAN, so that is the gateway IP - that IP is the way to reach 192.168.0.0/22, which is sitting behind it.

    Ahh I see, that makes sense now.

    Doing that works in the sense that now I have a router (as seen by ping replies) but I still can't access the web login.



  • Ok, I'm realizing the issue now.  When I originally replaced my Verizon Actiontec router with my own router, I gave the Actiontec a 192.168.1.1/22 address and configured DHCP on it in the range 192.168.1.150-199 (only applies to the coax connections to my STBs).  My new router was configured for 192.168.2.1/22, so they were on the same LAN network, which allowed me to access the web GUI from anywhere on the 192.168.2.x network.  Now that my new router is on the 192.168.4.0/24 network, it's not the same subnet, so when I try to connect to 192.168.1.1 it's technically coming from the "WAN", which means I have to configure remote access on the Actiontec.

