pfSense and Accessing external cable modem UI

BCinBC · September 11, 2020, 4:20am

I think I’m up against some old documentation on Netgate.

I’m trying to connect to my external, bridged, Cable modem’s UI at 10.0.0.1.

The documentation found here:
https://docs.netgate.com/pfsense/en/latest/interfaces/accessing-modem-from-inside-firewall.html

States:
Under Interfaces > (assign) , create a new OPT interface, and assign it to the physical network card that is on WAN. For example, if the WAN on the assignment page is “ PPPOE0(re2) ”, choose re2 , and Save the changes.

Then you set up an outbound NAT against the new interface. They mention PPPoE, but my cable modem isn’t this.

Except, of course, you can’t set two interfaces on the same physical NIC (VLANs, and a few other exceptions withstanding.)

It’s an external XB6 cable modem that’s in bridged mode, but I’d still like to be able to login to the modem’s interface found at 10.0.0.1.

Anyone else get this working?

sdfungi · September 11, 2020, 5:20am

This depends on the modem, some use one interface for both the bridge link and the internal UI, while others will use a second port for the internal web UI when in bridge mode. You would need to consult your modems documentation to know for sure.

BCinBC · September 11, 2020, 5:51am

It’s the same port, from the support page:

With bridge mode enabled, you will not be able to access or use BlueCurve Home. Ensure that bridge mode is disabled on your Gateway if you want to use BlueCurve Home.
The Admin Tool is still accessible on the Gateway at http://10.0.0.1 while bridge mode is enabled.
With bridge mode enabled, one (1) Ethernet port will be active on your modem (either port will work—whichever a device is plugged in to).
A factory reset will turn the WiFi router back on (disable bridge mode), as it will reset the modem back to the default settings.

sdfungi · September 13, 2020, 9:30am

Then the steps are the same as in the link you provided. Create an OPT interface bound to the same physical networks adapter as your WAN interface, and then create a NAT as they have stated.

Essentially what this does is bind 2 virtual adapters to the same Physical NIC, allowing you to use 2 separate networks on the same physical interface. The NAT then masks any traffic destined for 10.0.0.1 as a 10.0.0.0 address so the management interface responds correctly.

BCinBC · September 16, 2020, 12:31am

@sdfungi That’s the problem I’m having. I’m unable to create an interface and bind it to the same NIC. It says it’s already assigned.

I do not have a PPPoE interface, and it looks like that’s the only way you can create this interface:
https://forum.netgate.com/topic/140730/can-t-add-opt-interface

So their suggestion of a Virtual IP address, looks like the next thing to try? I’m not sure how to do that properly.

Caveats:

This is a dual WAN configuration with failover.
Only one of the interfaces needs this alias/forward (different ISPs)

BCinBC · September 17, 2020, 7:05am

Turns out I needed to:

Set a Virtual IP address to something like 10.0.0.2/24 within the same range as the Modem’s UI, but not the same as your required UI address. (desired UI target 10.0.0.1)
Firewall -> NAT -> Outbound: Interface (required WAN interface)
IPv4 (set protocols if necessary, I set to ‘any’)
Source Network: Network address of Internal network (usually LAN) to connect from, to the external (WAN) based device.
Destination Network: 10.0.0.0/24 (the network range of your external device.)
Translation set to: “Interface Address”

I was able to connect after I applied these rules. I then promptly deleted it as I was afraid I might have opened up pandora’s box with that big of a network range. (Edit: clarified interface names and rules)