pfSense Static Route

I am having trouble with my internet connection at the moment and I would like to be able to reach my modem from the LAN to help diagnose problems with the connection.

I believe I need to set up a static route to get through the WAN interface to the modem. I have had a go at that, but I didn't manage to get it working.

I will try to explain my setup:

 

Draytek Vigor 130 @ 192.168.2.1 (static), acting as a bridge passing VDSL to the pfSense WAN.

pfSense WAN is on DHCP from the ISP (Sky in the UK).

LAN handled by the pfSense DHCP server, 192.168.1.0/24.

I would like to be able to reach the DV130 from a (any) pfSense LAN client. I would appreciate some advice if anyone is able to help out!

25 minutes ago, rancid-lemon said:

Draytek Vigor

If it is in bridge mode, you will not be able to access the modem settings since it's being passed through your pfSense box.

I take it you have sniffed the Sky router password with Wireshark to get that to work.... :shiftyninja:

Edit: Otherwise you would be double NATing with the Sky modem if you are using it; you would need to port forward on there ... I think!

Edit: Nope, sorry, read that wrong. You want to manage it internally, so not on the Internet per se.

http://helpforum.sky.com/t5/Archived-Discussions/How-do-I-add-a-static-route-to-my-Sky-Hub/td-p/2286716

19 hours ago, fusi0n said:

If it is in bridge mode, you will not be able to access the modem settings since it's being passed through your pfSense box.

My understanding was that it could still pass information through to the router. I was fairly sure it could do this when connected to a DrayTek router, but I was hoping to find a way to connect with my pfSense box. I am now questioning my understanding...!

There is an option in the web GUI that states 'Broadcast DSL status to router in LAN'; this seems to imply that it is able to pass some information through to the router?

18 hours ago, John Teacake said:

I take it you have sniffed the Sky router password with Wireshark to get that to work.... :shiftyninja:

Edit: Otherwise you would be double NATing with the Sky modem if you are using it; you would need to port forward on there ... I think!

Edit: Nope, sorry, read that wrong. You want to manage it internally, so not on the Internet per se.

http://helpforum.sky.com/t5/Archived-Discussions/How-do-I-add-a-static-route-to-my-Sky-Hub/td-p/2286716

I don't know what you're on about :rofl:.

I would like to keep the Sky router in the box if at all possible. With it in the box my connection was rock solid for a couple of years with the pfSense/DrayTek combo. In the last two months, however, I have been having serious problems with internet access. Unfortunately I was away for ~1 year; when I returned I updated all my systems, and now I am struggling with the connection.

"Broadcast DSL status to router in LAN"

There was just a thread on the pfSense forums about that; it is going to flood your pfSense WAN with NOISE... I had a user turn it off on theirs that was in bridge mode. You prob want to turn that off as well..

He was seeing a flood of traffic broadcast to 4944:

Aug 6 18:40:32    em0    0.0.0.0:15217      255.255.255.255:4944      UDP
Aug 6 18:40:22    em0    0.0.0.0:15154      255.255.255.255:4944      UDP
Aug 6 18:40:12    em0    0.0.0.0:15100      255.255.255.255:4944      UDP
Aug 6 18:40:02    em0    0.0.0.0:15055      255.255.255.255:4944      UDP
Aug 6 18:39:52    em0    0.0.0.0:15019      255.255.255.255:4944      UDP
Aug 6 18:39:42    em0    0.0.0.0:14992      255.255.255.255:4944      UDP

Which is what that option does..

http://just.draytek.com/index.php?option=com_k2&view=item&id=5617&Itemid=293&lang=en

Here is the thing - so you're sure when in bridge mode it's still on 192.168.2.1?  For example cable "modems", which all bridge - ie I have a public IP on my pfSense WAN, 24.13.x.x, and I can access my modem on 192.168.100.1, which is like the default IP.  Maybe your router has a default IP when it's in bridge mode?  Maybe it is 192.168.2.1??  Maybe it has nothing; I do believe you would have to go set up a specific IP once you enable bridge mode, etc.

Anyhoo - are you using that IP on any network behind pfSense?  Or any network that would overlap that network?  What is your LAN network, for example??  So depending on the device, as long as the network is not local, pfSense would send that traffic out your WAN.. So depending on the device and how it does bridge mode, and whether it will answer when it sees its IP, etc. etc., you might be able to just access it like I access my cable modem GUI.

[screenshot: modem.jpg]

Not sure what timezone it's in but it's like an hour behind central - maybe they don't have daylight saving correct..  Just wanted to show that it was the current connection is all..  To access that I have done nothing on my pfSense.. I don't step on that network locally, etc. And I don't block RFC1918 outbound, and the modem answers when it sees traffic to that IP, etc.

Does your "modem" have other LAN ports?  If so I would plug in there, set your IP to be on the 192.168.2 network, and can you access what you believe its IP is, 192.168.2.1??  If so then you prob have to create a VIP for pfSense on that IP on its WAN interface and then you'd be good to go.

https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall

Once you create the VIP for your IP on that network, you would have to also create a NAT rule to make sure when you're trying to talk to your modem it NATs to that VIP IP, etc.
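As an added example (not from this thread or from pfSense), here is a small Python check that parses firewall-log lines in the format BudMan quoted and flags a repeating WAN-side broadcast like the one above; the sample lines are constructed from the six quoted ones plus one ordinary TCP entry using documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the six lines quoted above plus one ordinary TCP flow so
# the filter has something to ignore (documentation addresses).
SAMPLE_LOG = """\
Aug 6 18:40:32    em0    0.0.0.0:15217      255.255.255.255:4944      UDP
Aug 6 18:40:22    em0    0.0.0.0:15154      255.255.255.255:4944      UDP
Aug 6 18:40:12    em0    0.0.0.0:15100      255.255.255.255:4944      UDP
Aug 6 18:40:02    em0    0.0.0.0:15055      255.255.255.255:4944      UDP
Aug 6 18:39:52    em0    0.0.0.0:15019      255.255.255.255:4944      UDP
Aug 6 18:39:42    em0    0.0.0.0:14992      255.255.255.255:4944      UDP
Aug 6 18:39:40    em0    203.0.113.7:443    198.51.100.20:51234       TCP
"""

# Matches the "date  iface  src:port  dst:port  proto" columns of the log view.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<iface>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>[A-Z]+)$"
)

def parse_log(text):
    """Return one dict per parsable line; lines in another format are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def find_broadcast_floods(rows, min_hits=3):
    """Group limited broadcasts by (iface, dst port, proto); report those seen at
    least min_hits times, with the mean gap between hits and whether every source
    was 0.0.0.0 (no address on that side, which is how a bridged modem appears)."""
    groups = defaultdict(list)
    for r in rows:
        if r["dst"] == "255.255.255.255":
            groups[(r["iface"], r["dport"], r["proto"])].append(r)
    floods = []
    for (iface, dport, proto), hits in groups.items():
        if len(hits) < min_hits:
            continue
        stamps = sorted(datetime.strptime(f'{h["mon"]} {h["day"]} {h["time"]}',
                                          "%b %d %H:%M:%S") for h in hits)
        span = (stamps[-1] - stamps[0]).total_seconds()
        floods.append({"iface": iface, "dport": dport, "proto": proto,
                       "count": len(hits), "interval_s": span / (len(hits) - 1),
                       "src_unassigned": all(h["src"] == "0.0.0.0" for h in hits)})
    return floods

if __name__ == "__main__":
    for f in find_broadcast_floods(parse_log(SAMPLE_LOG)):
        print(f"{f['iface']}: {f['count']} x {f['proto']}/{f['dport']} broadcast every {f['interval_s']:.0f}s")
```

A hit with every source at 0.0.0.0 and a steady interval is the modem's status beacon rather than an outside host; the fix is the option BudMan names, or a block rule without logging so it stops filling the log.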

4 hours ago, BudMan said:

"Broadcast DSL status to router in LAN"

There was just a thread on the pfSense forums about that; it is going to flood your pfSense WAN with NOISE... I had a user turn it off on theirs that was in bridge mode. You prob want to turn that off as well..

He was seeing a flood of traffic broadcast to 4944:

Aug 6 18:40:32    em0    0.0.0.0:15217      255.255.255.255:4944      UDP
Aug 6 18:40:22    em0    0.0.0.0:15154      255.255.255.255:4944      UDP
Aug 6 18:40:12    em0    0.0.0.0:15100      255.255.255.255:4944      UDP
Aug 6 18:40:02    em0    0.0.0.0:15055      255.255.255.255:4944      UDP
Aug 6 18:39:52    em0    0.0.0.0:15019      255.255.255.255:4944      UDP
Aug 6 18:39:42    em0    0.0.0.0:14992      255.255.255.255:4944      UDP

Yeah, I see this traffic too. It's just hitting the firewall and going nowhere. It's funny, I was looking at that traffic only yesterday and wondering what it was. I will switch it off too, thanks for pointing it out.

4 hours ago, BudMan said:

Here is the thing - so you're sure when in bridge mode it's still on 192.168.2.1?  For example cable "modems", which all bridge - ie I have a public IP on my pfSense WAN, 24.13.x.x, and I can access my modem on 192.168.100.1, which is like the default IP.  Maybe your router has a default IP when it's in bridge mode?  Maybe it is 192.168.2.1??  Maybe it has nothing; I do believe you would have to go set up a specific IP once you enable bridge mode, etc.

I'm not sure I can give you a definitive answer at the moment. The DV130 has only one Ethernet port, so that goes straight to the pfSense WAN interface (which gets a public IP). To access the modem's web interface I have to connect Ethernet directly to my laptop with a static IP in the 192.168.2.X subnet. This is whilst the modem is set up in bridge mode, although it is not connected to anything other than my laptop... obviously.

4 hours ago, BudMan said:

Anyhoo - are you using that IP on any network behind pfSense?  Or any network that would overlap that network?  What is your LAN network, for example??  So depending on the device, as long as the network is not local, pfSense would send that traffic out your WAN.. So depending on the device and how it does bridge mode, and whether it will answer when it sees its IP, etc. etc., you might be able to just access it like I access my cable modem GUI.

Not sure what timezone it's in but it's like an hour behind central - maybe they don't have daylight saving correct..  Just wanted to show that it was the current connection is all..  To access that I have done nothing on my pfSense.. I don't step on that network locally, etc. And I don't block RFC1918 outbound, and the modem answers when it sees traffic to that IP, etc.

I am not using that IP anywhere behind pfSense, nor in any other network. LAN is currently 192.168.1.0/24.

Not sure I follow what you mean; are you saying I should be able to access it as is? I can't ping 192.168.2.1 from LAN IP 192.168.1.X, nor can I get the web interface directly. I have only the default firewall rules at the moment, which presumably would need an edit to allow this access? I think you are saying that your modem is on the same subnet as your LAN network?

5 hours ago, BudMan said:

Does your "modem" have other LAN ports?  If so I would plug in there, set your IP to be on the 192.168.2 network, and can you access what you believe its IP is, 192.168.2.1??  If so then you prob have to create a VIP for pfSense on that IP on its WAN interface and then you'd be good to go.

https://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall

Once you create the VIP for your IP on that network, you would have to also create a NAT rule to make sure when you're trying to talk to your modem it NATs to that VIP IP, etc.

The modem doesn't have any other LAN ports. Please see explanation above for details of how I connect to the modem interface.

I had a quick look at the pfSense link, but got lost straight away! :blush: How do I create an OPT interface on pfSense 2.3.X? Under Interfaces / Interface Assignments I don't see an option to create an interface as the instructions said. My attempt at a VIP didn't go much better; I managed to send 192.168.2.1 to my pfSense box...

Seems like a VIP might be the simplest route; would you be able to explain how to implement it?

Create a VIP on your WAN interface..  Firewall > Virtual IPs, click Add, pick IP Alias.  You're not doing PPPoE are you? That is a bit different....

This is really basic basic stuff here..

https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses

Here as an example I created one for my modem's 192.168.100 address - keep in mind this is a bit different if you're doing PPPoE on pfSense - or do you just have WAN set to DHCP??

[screenshot: vip.jpg]

Put this IP in the 192.168.2.0/24 network, which I assume is the mask you're using.. Then create an outbound NAT for this network.. Here is my example for my 192.168.100 one, using my 192.168.9 LAN network as the source.

[screenshot: nat.jpg]

Keep in mind to use your own networks - I just did this as an example for you..

No, 192.168.100 is not on my network -- here is what I am talking about: I can access my modem that is on my WAN via its 192.168.100.1 without having to do anything; it talks to it from my WAN IP.. Here is a packet capture on the pfSense WAN with me accessing the HTTP of my modem.

[screenshot: trafficwithoutnat.jpg]

internet - cable modem 192.168.100.1 --- public IP pfSense WAN -- I have multiple networks on this side: 192.168.9/24 is my LAN, 192.168.2/24 WLAN, etc. etc. etc...

Here is how it looks when I do a NAT and create a VIP of 192.168.100.2 on my WAN interface..  You see pfSense says it's coming from the VIP of 192.168.100.2, not its public IP..

[screenshot: trafficwnat.jpg]

Is that more clear now??

Thanks BudMan. I've given this a quick go and not had success. Currently 192.168.2.1 redirects to my pfSense web interface!?

Not sure how I've managed that! Before you say anything, let me investigate a little tomorrow. It's late here so I need sleep, but I will have a play after work tomorrow; I would like to understand what's happening myself if I can.

Will update with progress tomorrow.

You're 100% sure pfSense has a public IP on its WAN.. And not 192.168.2.1 while your router is 192.168.2.254 or something..

See my wan has public!!

[screenshot: interfaces.jpg]

Do you have any port forwards set up on your old router??  Say for port 80?

On 14/08/2016 at 0:26 PM, rancid-lemon said:

My understanding was that it could still pass information through to the router. I was fairly sure it could do this when connected to a DrayTek router, but I was hoping to find a way to connect with my pfSense box. I am now questioning my understanding...!

There is an option in the web GUI that states 'Broadcast DSL status to router in LAN'; this seems to imply that it is able to pass some information through to the router?

I don't know what you're on about :rofl:.

I would like to keep the Sky router in the box if at all possible. With it in the box my connection was rock solid for a couple of years with the pfSense/DrayTek combo. In the last two months, however, I have been having serious problems with internet access. Unfortunately I was away for ~1 year; when I returned I updated all my systems, and now I am struggling with the connection.

It's weird. When I had the Sky router, my advertised speed was in the high 18s and 19s, but when I put my own gear on the end, even though my own gear is MUCH better (enterprise stuff), I struggle to get over 16.

what stuff?  How is your connection setup?

I am running pfSense on a getting-long-in-the-tooth HP MicroServer N40L, which isn't much at all by horsepower standards even when it was new.. And I have no issues maxing out my paid-for internet connection of 75/12; I normally see 80+ down and 12 up when using speedtest.. And other tests of downloads from a server on the other side of the globe show, yeah, great speeds right in that ballpark, etc.

If you cannot manage to get your very low speeds of 20mbps with anything close to current hardware, you have something wrong with your ISP or your connection or your testing methods, etc.

4 hours ago, BudMan said:

You're 100% sure pfSense has a public IP on its WAN.. And not 192.168.2.1 while your router is 192.168.2.254 or something..

[screenshot: Screen Shot 2016-08-15 at 16.29.34.png]

4 hours ago, BudMan said:

Do you have any port forwards set up on your old router??  Say for port 80?

I don't know what you mean by my old router. Either way, the answer is no. No port forwards set up on 80. I used to have ports forwarded prior to my reinstall of pfSense. Now I have no forwards set up.

I suspect that my issues might be coming from automatic rules, but I don't seem to be able to edit/disable them. See below for what my NAT mappings look like:

[screenshot: Screen Shot 2016-08-15 at 16.41.22.png]

15 minutes ago, John Teacake said:

It's weird. When I had the Sky router, my advertised speed was in the high 18s and 19s, but when I put my own gear on the end, even though my own gear is MUCH better (enterprise stuff), I struggle to get over 16.

I had no problems prior to my current issues. Line speed was what I was paying for, without problems. Sadly now it's a different story!

4 minutes ago, BudMan said:

what stuff?  How is your connection setup?

I am running pfSense on a getting-long-in-the-tooth HP MicroServer N40L, which isn't much at all by horsepower standards even when it was new.. And I have no issues maxing out my paid-for internet connection of 75/12; I normally see 80+ down and 12 up when using speedtest.. And other tests of downloads from a server on the other side of the globe show, yeah, great speeds right in that ballpark, etc.

If you cannot manage to get your very low speeds of 20mbps with anything close to current hardware, you have something wrong with your ISP or your connection or your testing methods, etc.

This is actually the exact same hardware I am running my pfSense VM on :)

Why is 192.168.2.0/24 in your automatic rules?  That shouldn't be there; you created the 192.168.2 on your WAN as a VIP..  To me that shows you have 192.168.2.0/24 on your LAN/private side of pfSense.

So for example when I create that 192.168.100 VIP for my example setup, you can see it's not listed in my automatic rules.

pfSense would not create an automatic rule for 192.168.2.0 unless you have it set up on some LAN/OPT interface..

[screenshot: modemaccess.jpg]

10 minutes ago, BudMan said:

Why is 192.168.2.0/24 in your automatic rules?  That shouldn't be there; you created the 192.168.2 on your WAN as a VIP..  To me that shows you have 192.168.2.0/24 on your LAN/private side of pfSense.

So for example when I create that 192.168.100 VIP for my example setup, you can see it's not listed in my automatic rules.

pfSense would not create an automatic rule for 192.168.2.0 unless you have it set up on some LAN/OPT interface..

Found the problem. I still had a static route set up from when I was experimenting earlier. Deleted that, and now the mappings look like this:

[screenshot: Screen Shot 2016-08-15 at 17.11.05.png]

192.168.2.1 is still sending me to pfSense web interface though. I reloaded the filters, is there anything else I need to do to update?

Your NAT address is 192.168.2.1??  How would that work if that is the IP address of your DrayTek - your VIP should be, say, 192.168.2.2, not the same address as your DrayTek ;)
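As an added example (not from this thread or from pfSense), a small Python check of the plan BudMan describes earlier, an IP alias VIP on WAN plus an outbound NAT rule, which also catches the two mistakes seen in this thread: a VIP equal to the modem's own IP, and a local network or stale static route covering 192.168.2.0/24. The interface name em0 and the generated ifconfig/pf.conf lines are assumptions approximating what the GUI configures, not pfSense's own output.

```python
import ipaddress

def plan_modem_access(wan_if, modem_ip, vip_ip, local_nets):
    """Sanity-check the VIP + outbound-NAT plan and return (problems, rules).

    wan_if:     pfSense WAN interface name, e.g. "em0" (assumed name)
    modem_ip:   the modem's management address and mask, e.g. "192.168.2.1/24"
    vip_ip:     the IP alias to add on the WAN interface, e.g. "192.168.2.2"
    local_nets: every network behind pfSense (LAN, OPT, VLAN) as "a.b.c.d/n"
    The rules are ifconfig/pf.conf lines that approximate what the pfSense GUI
    (Firewall > Virtual IPs, Firewall > NAT > Outbound) sets up; they are an
    illustration, not pfSense's own output.
    """
    problems = []
    modem = ipaddress.ip_interface(modem_ip)
    vip = ipaddress.ip_address(vip_ip)
    # The fault that ended the thread: the VIP reused the modem's own address, so
    # pfSense answered 192.168.2.1 itself and the browser reached the pfSense GUI.
    if vip == modem.ip:
        problems.append(f"VIP {vip} is the modem's own address; pick another host "
                        f"in {modem.network}")
    # The modem only answers for its own subnet, so the alias must live there.
    elif vip not in modem.network:
        problems.append(f"VIP {vip} is outside {modem.network}; the modem will not "
                        f"answer it")
    # A local network or leftover static route covering the modem subnet keeps
    # the traffic inside pfSense (that is why 192.168.2.0/24 showed up in the
    # automatic NAT rules); it must go before the VIP can work.
    for net in local_nets:
        n = ipaddress.ip_network(net, strict=False)
        if n.overlaps(modem.network):
            problems.append(f"local network {n} overlaps {modem.network}; remove "
                            f"it (or the stale static route) first")
    if problems:
        return problems, []
    # IP alias on WAN, then translate LAN sources to the alias when they talk
    # to the modem subnet; everything else keeps using the public WAN address.
    rules = [f"ifconfig {wan_if} inet {vip} netmask {modem.network.netmask} alias"]
    for net in local_nets:
        rules.append(f"nat on {wan_if} from {net} to {modem.network} -> {vip}")
    return problems, rules

if __name__ == "__main__":
    # The thread's setup: DrayTek on 192.168.2.1, LAN 192.168.1.0/24, WAN em0 (assumed).
    for candidate in ("192.168.2.1", "192.168.2.2"):
        problems, rules = plan_modem_access("em0", "192.168.2.1/24", candidate,
                                            ["192.168.1.0/24"])
        print(candidate, "->", problems or rules)
```

With a PPPoE WAN the alias belongs to the PPPoE interface rather than the physical NIC, as BudMan notes below; the checks themselves do not change.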

Budman, you champ, that did the trick. Straight through and working. Thanks for the assistance!

[screenshot: Screen Shot 2016-08-15 at 22.36.16.png]

Now to try to find out what's wrong with my internet! I think that will call for a different thread though. This one is complete :)

6 months later...

Hey budman, are you still about these parts?

I wonder if you could provide some assistance on this topic again. I've just changed ISP and am now connecting via PPPoE. You said that was a different case; would you be able to elaborate? Am I still able to achieve the same result using this WAN connection method?

rancid

Yeah, I am still around.. PPPoE is a different interface.  But still the same sort of thing.. Read the pfSense doc on the subject.
