Accessing modem page behind pfSense firewall

Need some help from the most knowledgeable and awesome group of people on the internet. Since I upgraded to pfSense 2.4.2, I simply can no longer access my modem’s web interface. I am having internet issues since COX “upgraded” my service to gigabit and I can’t log into my modem to keep track of all the errors. This install of pfSense is brand new on a freshly formatted SSD because I couldn’t get the update to work for some reason.

Currently, I have a single 4-port gigabit Intel NIC, can’t remember the chipset off the top of my head. I actually use the WAN in port one, Private LAN in port two, a guest isolated LAN in port three and both the fourth port on the Intel NIC and the gigabit port on the motherboard are all not connected to anything right now.

Port 1 = WAN IP
Port 2 = 10.10.10.0/24
Port 3 = 10.10.20.0/24

I am guessing that my problem lies in the fact that the modem uses a fixed and unchangeable IP address of 192.168.100.1. This SHOULD be fine since I followed the instructions in the pfSense documentation detailing this exact situation and it simply did not work. I made a VLAN with the 192.168.100.0/24 subnet, made a NAT rule to automatically take any address coming from the 10.10.10.0/24 subnet and go right to the modem’s IP. I followed the instructions in the docs as well as I could and it simply failed spectacularly.

I have since removed all of the rules and the VLAN since it wasn’t working but it was just as the docs said but I have the notion that was not really a good solution anyway. Maybe use an alias? Either way I need help and appreciate any you people can send my way.

Thank you in advance!

Is this what you used?

https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall

When I had an ADSL modem I configured pfSense that way and it worked fine, but I haven’t tried that since upgrading to 2.4, so it could be a problem with the new version.

Yes, that is precisely what I used. I guess I could try doing it again and then I can post some pics of my config because it is entirely possible I got it all dead wrong. :stuck_out_tongue:

The configuration may have changed when you updated so doing it again may fix it

This was a new install from fresh so yeah, it changed. :smiley: I’ll report back in a couple hours. Thanks

K, so I decided to just try it now even though I have to get dinner made here really soon. The instruction on the DOC “Go to Interfaces > (new OPT interface)” there is no such “(new OPT interface)” at all so am I supposed to use a VLAN, Bridge or what? Sorry if I am supposed to know this but with 2.3 I never had to even do this at all since it always worked to my modem regardless if the subnet was different.

Are you having trouble getting the internet to pass through your firewall to your LANs? If not, what kind of error are you receiving when you try to access the Modem’s page? Also, are you sure that this upgrade to your service didn’t change something like the static IP or your modem?

No trouble with internet from the modem to my LAN at all. No error, I just get a general this site cannot be reached sort of thing. I am also sure it works because it does when I plug right into the modem directly for testing.

It just means a new interface, this will only work if you’re using PPPoE though, if it’s a cable modem or something like that then I’m not really sure how you would access it. You say it worked before using a VLAN? I’m guessing you tagged it as VLAN 1? You could try that instead.

Alas, I have tried that but in reality, I never had to change anything within pfSense because it always worked without any changes at all from the stock settings. I went to 2.4+ in order to have a few bugs with traffic shaping fixed but not being able to see my modem web interface is as close to a deal breaker as it gets, I need to figure something, anything out here. :frowning:

Okay, this probably won’t work but give it a shot. First make a bridge interface containing just the WAN interface. Then follow the instructions from before but use the bridge interface when creating the new OPT interface.

There’s a decent chance this will just make the WAN stop working though but it’s the only thing I can think of. Other than perhaps putting a switch in between the modem and router and connecting a second interface to the switch and configuring that (assuming the modem doesn’t have a switch built in, if it does connect that to a new interface on pfsense and manually configure it with an IP in the same subnet as the modem).

K, that didn’t work either. I absolutely refuse to believe that there is absolutely no way to do this within pfSense. I also can’t imagine this has never come up before…

I would Google around to see if Cox has somehow locked down the modem page with their latest update. The way this should work is,

Your computer requests 192.168.100.1 ->
Checks local routes ->
Doesn’t find a local route, heads to default gateway (presumably pfSense) ->
pfSense checks its local routes ->
Doesn’t find a local route, heads to default gateway, which is an IP address assigned to your modem, not to be confused with the internet addressable IP assigned to pfSense ->
Your modem picks up the request for 192.168.100.1 and says, “Oh shit, that’s me, yo!” and starts sending packets back through pfSense to your machine.

If that all happens through your WAN port, maybe the block bogons option on your WAN interface is getting in the way? I’ve never had to disable that before to hit 100.1, but maybe it’s a “feature” of newer versions of pfSense (I haven’t touched pfSense in almost 2 years)

Cox does not block it seeing as it worked right before the reinstall of pfSense to the new version.

Yeah, I wish it did work the way you say as I would expect there to be something ANYTHING set up to allow people to access their modem web interfaces. This makes no sense and I have just about had it. Maybe it’s time to look into other alternatives to pfSense. I mean, it has worked quite well but this is not the first time that something super simple that should be easy as pie to get working has simply not functioned at all no matter what I did. I don’t expect it to be easy as a consumer router but I do expect it to be usable without a PHD in computer science and a few weeks to delve into the code to figure out how pfSense actually works because they can’t be bothered to make a couple of turnkey features for ease of use. I still want this to work though…

You say you haven’t touched pfSense in a while, what do you use?

Well, unfortunately I switched to CenturyLink’s fiber option, which requires that I use their modem/router combo. I could dual NAT it if I were adventurous, but honestly I would be at a loss as to what to use.

pfSense irritates the crap out of me for most use cases (and don’t even get me started on their toxic community, it’s almost as bad as the FreeNAS community), but unfortunately as an overall product, they’re the best out there right now. I’ve used Untangle, they spent far too much time developing their pretty GUI and not enough time developing the user experience, and the functionality. Untangle was really the most notable after pfSense.

This would only be the case if the modem was acting as a router and pfSense (or any other router) had an IP on the same subnet as the modem and not a public IP. The problem is that if the router has a public IP then its gateway is the ISP gateway, so when you try to access the modem that traffic is sent to the ISP and their gateway is not configured to access the modem web UI.

There’s really no way to do it in this configuration unless your modem supports VLANs so you can have one interface for internet and another for management. It’s possible to do it with a DSL modem because in that instance the wan is using a pppoe interface so the physical interface can be used to access the modem, like in the documentation.

This is true of any router and is not unique to pfsense.
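The route lookup that the posts above are arguing about, as an added example that is not part of any post in this thread: a longest-prefix match over a constructed copy of the router's table, once with only a public WAN address and once with an extra address in the modem's 192.168.100.0/24 subnet. The 203.0.113.0/24 addresses and the interface names are assumptions standing in for values the thread does not give.

```python
import ipaddress

# Constructed sample table. 203.0.113.0/24 is a documentation range standing
# in for the public WAN subnet; interface names are illustrative only.
PUBLIC_WAN = [
    ("10.10.10.0/24", "LAN", None),        # private LAN from the first post
    ("10.10.20.0/24", "GUEST", None),      # isolated guest LAN
    ("203.0.113.0/24", "WAN", None),       # connected public subnet (assumed)
    ("0.0.0.0/0", "WAN", "203.0.113.1"),   # default route via ISP gateway (assumed)
]

# Same table after the router is given an address in the modem's subnet on a
# hypothetical "MODEM" interface that shares the physical WAN port.
WITH_MODEM_NET = PUBLIC_WAN + [("192.168.100.0/24", "MODEM", None)]


def lookup(routes, dst):
    """Return the most specific matching route for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gateway)
    if best is None:
        return None
    net, iface, gateway = best
    # A connected route has no gateway: the router ARPs for dst directly.
    return {"route": str(net), "iface": iface, "next_hop": gateway or "on-link"}


if __name__ == "__main__":
    for name, table in (("public WAN only", PUBLIC_WAN),
                        ("with modem subnet", WITH_MODEM_NET)):
        print(name, "->", lookup(table, "192.168.100.1"))
```

With only the public WAN address, 192.168.100.1 matches nothing but the default route, so the packet is addressed to the ISP gateway; with a connected 192.168.100.0/24 route, the router resolves the modem's address directly on that segment.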

This doesn’t make any sense to me at all. How can I access the modem page from behind a consumer router then? It is literally only pfSense that is having this problem. I have an Asus AC5300 and an old Linksys WRT610N and they work. The older version of pfSense 2.3.x worked fine; it is only this new install of pfSense 2.4.2. There has never been one case where a router or firewall I have had in place in my network has ever restricted access to the modem WebUI until now. The modem I have has a second gigabit port on it but it is disabled by COX. Even if it did work, pfSense would still be blocking the traffic from 10.10.10.15 <MyIP to 192.168.100.1 <Modem WebUI. It would just end up being the same problem over again. This is not a problem with any other appliance I have ever used so I simply refuse to believe that it cannot be done since it obviously can and is done all the time. I just need to know how to configure it to work since it seems they have changed something and broken this. I can’t use the pfSense community because they simply refuse to answer any question I have ever had no matter what. The one response I have ever gotten was literally telling me I wasn’t smart enough for pfSense and shouldn’t use it.

Looks like it’s time for me to install something else, anything else that will work properly and I can get some kind of meaningful support for from its own community.

This is not to say I am not grateful for you guys attempting to help but sadly it just isn’t working and I have no idea why. I may even try wiping it again and starting from scratch one more time before I call it quits. It’s not like my box will be able to work past 2.5 anyways when they force hardware encryption on us to even be able to use it anyway.

Does pfsense have a public IP on wan or is it an ip in the 192.whatever range?

It was the private ip of 162.168.x.x but at some point between it working and then now not working, approximately an hour after I installed it, it switched to the public ip 66.x.x.x.

Right, well that’s why you can’t access the modem anymore. You really want it to have the public IP so that the modem is just acting as a bridge and not doing any routing/firewall work, and it wouldn’t be worth it in my opinion to switch it back the other way. Not sure why it happened without you changing the modem into bridge mode or whatever though, that’s pretty unusual.