Question about NAT to access DSL modem
Hello everyone. I'm new to the forums and have a few questions about setting up pfSense to access my dsl modem web gui on my wan interface. I've followed the guide here: https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall and it seems to be working fine, however I would like to have the automatic nat rule generation enabled if possible. As an experiment, after I switched to manual nat rule creation and created my dsl modem access rule, I then switched to hybrid nat mode. All seems well and I am able to access my modem fine. Is this a possible solution to keeping automatic nat creation while allowing me to create manual nat rules such as the one I created to allow me access to my modem's web gui as per the guide linked above? Also I'll attach a screenshot of my outbound nat rules as I'm not completely sure if there is anything to delete or optimize. It auto created some rules from my modem access interface to wan so I'm not sure I need those. Sorry if this post is hard to understand; I try my best to explain everything correctly, but at the moment I'm a little scatter-brained from no sleep and being at the hospital with my daughter. Thanks in advance for all the help and I look forward to hearing your replies. :)
As already noted on another thread today, the article is outdated and the NAT is in my experience completely useless. No such thing needed here. (Plus, should use Hybrid instead of Manual NAT on 2.2.x if any such thing is needed.)
Thanks for your quick reply. I tried searching the forum but everything I read I couldn't fully understand. I'm familiar with networking, etc., but probably not as familiar as I need to be. Can you describe a better way to accomplish what I'm trying to do? If so I'm all ears. To sum it up, I'm basically trying to retain access to my dsl modem's web gui for diagnostics when my link goes down. I can supply more details if needed.
Really, just do the "Configure a new Interface" part, and create a GW for this, the GW IP being the modem's LAN port. Done.
Awesome! Thanks for clarifying for me. So since I have no need for any manual nat rules at the moment I should be able to do as you said and flip it back to automatic nat creation and all is good correct? Also any chance of an admin updating the article I referred to before since it is outdated?
Yeah, stick it back to auto. I have no idea who's doing the wiki stuff ATM. :)
I was about to have the same question, as well.
My modem is slightly different, though: it's a DSL modem, but I'm not running PPPoE. It's static. So, I couldn't create a new interface for it, because it already was connected to a real interface (WAN). I created a Virtual IP subnet on WAN for it, though, and that worked.
My modem is at 192.168.1.1, so I assigned the pfSense box at 192.168.1.2/24 when making the Virtual IP. I could ping the modem from the pfSense box itself, so that worked. However, none of the clients behind the pfSense box could ping it.
I added an outbound NAT rule, from my LAN (private) IP address range, to WAN but only for destinations within 192.168.1.0/24 range, and set the NAT translation IP address to be 192.168.1.2. That worked for some clients, but not all of them! Some clients could ping the DSL modem (and access its administrative webpage), but others could not.
Upon further investigation, I found that when a LAN IP address is designated as a 1:1 NAT to a public IP address, this overrides the other outbound NAT rules! This is unfortunate.
I worked around this by editing the 1:1 NAT entry to have a destination that is "Not 192.168.1.0/24" instead of the default "All". That seemed to work! Now, even those clients with 1:1 NAT can access the DSL modem webpage just fine. I'll just have to repeat that edit for all of the 1:1 NAT entries that I have.
So, that's an interesting gotcha. Anybody else run into that?
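As an added illustration of the gotcha described in the post above (this is not code from the thread, and not pfSense's actual generated ruleset), here is how the two translations look as raw pf rules when the 1:1 mapping is placed ahead of the outbound NAT rule, with the interface name, LAN subnet, WAN virtual IP and public address all assumed:

```pf
# Assumed addressing (not from the thread): LAN 10.0.0.0/24, modem at
# 192.168.1.1, pfSense WAN virtual IP 192.168.1.2, public IP 203.0.113.5,
# WAN interface em0. Translation rules are matched first-match-wins, and
# the 1:1 (binat) rules are listed first, matching the precedence observed
# in the post: 1:1 NAT overrides the outbound NAT rule.
ext_if    = "em0"
lan_net   = "10.0.0.0/24"
modem_net = "192.168.1.0/24"
modem_vip = "192.168.1.2"

# 1:1 NAT with destination "All" (the problematic form):
# every packet from 10.0.0.5 leaving em0, including packets to the modem,
# is translated to 203.0.113.5, so the outbound NAT rule below is never
# reached for this host and it cannot reach the modem web page.
# binat on $ext_if from 10.0.0.5 to any -> 203.0.113.5

# The fix from the post: destination "Not 192.168.1.0/24" on the 1:1 entry.
# Traffic from 10.0.0.5 to the modem subnet no longer matches here and
# falls through to the outbound NAT rule.
binat on $ext_if from 10.0.0.5 to ! $modem_net -> 203.0.113.5

# Outbound NAT for modem access: LAN hosts talking to the modem subnet
# leave em0 sourced from the WAN virtual IP, which the modem can answer.
nat on $ext_if from $lan_net to $modem_net -> $modem_vip
```

Each 1:1 entry needs the same destination exclusion, which is exactly the repetitive edit the post describes.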
I'll just have to repeat that edit for all of the 1:1 NAT entries that I have.
Not really sure why exactly is that needed. Why should everyone have access to your modem? How often are you accessing it? Once a year?