OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: jds on March 18, 2019, 05:18:55 pm

Title: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 18, 2019, 05:18:55 pm
I recently replaced my DOCSIS 3.0 cable modem with a DOCSIS 3.1 (Arris) modem, and the performance
actually got worse.  I wanted to look at the GUI for the modem and search for errors.  The only way to
do this was by plugging an ethernet cable from my laptop into the second port on the modem, and then
I could reach the modem at 192.168.100.1.  However, it would be better if I could just reach the cable
modem from my LAN.  I found a couple of posts on this for pfsense:

https://docs.netgate.com/pfsense/en/latest/interfaces/accessing-modem-from-inside-firewall.html
https://superuser.com/questions/1243134/how-do-i-reach-the-modem-settings-page-from-inside-firewall

but nothing on the forum, or online for OPNsense.

There are just a few steps, but I get hung up on the earliest one, assuming that something analogous would work for OPNsense. Namely, how to "create a new OPT interface, and assign it to the physical network card that is on WAN"?  If I go to Interface -> Assignments, I could add a new interface, but it has to be attached to a NIC
different from the WAN.  I can do that, and go edit to try to assign it to the same NIC, but OPNsense complains.
I am guessing that it needs a bridge?  But I am lost.

Can anyone point me in the right direction? Thanks.
 

Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: chemlud on March 18, 2019, 05:27:15 pm
Interesting question! I never tried, but have the setup running with a DSL modem. Problem is: there is a PPPoE interface configured with DSL, but not with a cable modem (DHCP), where the physical interface is directly assigned to the WAN interface...

Have you tried to simply NAT outbound the modems IP to WAN?
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 18, 2019, 06:12:36 pm
Yes, I did try that in fact. I just checked again, but I may be making a mistake:
I added a NAT outbound rule with WAN interface.  For protocol, source address,
source port, and destination port, I left as "any".  For Destination Address, I added
192.168.100.0/24 (also tried 192.168.100.1). For translation target, I tried both
"interface address" and the specific web gui address.  I also moved this rule to the
top of the list, to make sure that my VPN rules did not get in the way.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: chemlud on March 18, 2019, 06:16:39 pm
... but there is no other 192.168.100.0/xy in your local/remote (VPN) LANs?
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 18, 2019, 06:38:43 pm
No, the rest of the LAN is on 192.168.1.0
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: cguilford on March 18, 2019, 06:48:07 pm
Yeah I've noticed this as well.  Not sure why, but I can't seem to access the modem through opnsense.  I've done some tinkering and never made any headway.  It would be nice to have this, but I never could figure it out without disconnecting opn and connecting a laptop directly to the modem to access the cable modem these days.  I have an e31u2v1 from Spectrum.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: chemlud on March 18, 2019, 06:48:40 pm
"Block private networks" on WAN? The modems IP is allowed on LAN firewall rules? Might be that in the setup of the modem the concurrent use of the private address has to be configured?
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: cguilford on March 18, 2019, 06:52:12 pm
I think the problem is the Modem is set to ONLY allow connections from a 192.168.100.x IP (as you have to hardcode a 192.168.100.x IP on the laptop/device connecting to the modem), and since opnsense, at least as far as I can see, does not allow us to create another "virtual" interface and assign it to the WAN with a 192.168.100.x IP for routing, it doesn't allow us to connect.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 18, 2019, 07:10:50 pm
Neither can I see a way to create a virtual interface in OPNsense.
However, I don't believe that the first part is correct.  I recall being
able to connect to the cable modem when there was only my
router between it and the LAN, which is on 192.168.1.0. Also, the
instructions online for this modem say that should be the case.

There is an interesting comment on the pfsense page that would seem
to apply here too:

Quote
Some DSL or cable modems have web interfaces on private IP addresses. Since these sit outside the firewall and don’t have a public IP, accessing them isn’t as straight forward as it might seem. The firewall is typically assigned a public IP, and sends all outbound traffic upstream to the ISP. The ISP won’t route the private subnet back to the modem, leaving it unreachable. This page describes the work around needed to access the management interface on the modem from the inside of the network.

Note: The modem’s management IP must be on a different IP subnet than the internal network. If it is not, attempts to connect to it will never go to the firewall to be routed out to the modem, as hosts on the internal network would try to connect to it on the local network and fail.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: bartjsmit on March 18, 2019, 08:56:25 pm
What about running Squid on OPNsense? That would set the source IP for the traffic to the firewall 192.168.100.x address.

Bart...
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 18, 2019, 10:29:40 pm
Don't know much about squid.  Do you mean under Services->Web Proxy ?
I have used that only for blacklists.  How would you set that up? 
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: RickNY on March 18, 2019, 10:58:11 pm

I've always been able to access my modem's 192.168.100.1 address from the LAN through my OPNSense box.  These have included Arris TM802, Arris TM1602, Motorola SB6183, and now Netgear CM600.  The "block private networks" thing I believe only blocks incoming connections from source addresses that are RFC1918 on the WAN interface.

I do have a default IPv4 LAN outgoing rule that allows anything from "LAN Net" to go to ANY.  Have you tried adding in a LAN rule that allows anything from "LAN Net" to go to 192.168.100.1 if you don't already have an allow all outgoing rule?
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 18, 2019, 11:23:46 pm
I do have a LAN interface rule that allows anything from LAN Net to go to ANY, but do not have any similar
NAT outbound rules.  Probably more relevant, I send everything out through a VPN. So, I added a rule to
the OpenVPNClient interface that allows any source to go to 192.168.100.1 on any port, and moved this rule
to the top.  But it still gave no access to the modem.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: Charles2019 on March 19, 2019, 01:33:31 am
Yes I'm able to reach my cable modem through OPNSense.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: chemlud on March 19, 2019, 09:04:37 am
Yes I'm able to reach my cable modem through OPNSense.

How? :-D

PS: OK, I added an outbound NAT rule for the network my cable modem is running its web interface on, inserted the IP in the browser and was there. As I suggested in the beginning. ;-)
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: cguilford on March 19, 2019, 12:27:47 pm
What rule did you add and where?
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: chemlud on March 19, 2019, 02:02:05 pm
Firewall -> NAT -> Outbound (set to Hybrid)

Interface WAN

Source "Network of your MODEM, e.g. 192.168.100.0/24"

Translation/target INTERFACE address


____________

Save, apply, works here...
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: cguilford on March 19, 2019, 03:00:49 pm
Odd, still no good here.  Ah well, I'll have to connect up directly later with a laptop and make sure that mine is in the 192.168.100.x range like it should be.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 19, 2019, 09:47:18 pm
Still does not work for me: see my NAT outbound rules.  I also ssh into the
OPNsense box and try to ping 192.168.100.1, but no return.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: chemlud on March 20, 2019, 07:54:26 am
SOURCE, not Destination is 192.168.100.0/24 (if that's your modem's network)...

Interfaces -> Diagnostics -> Ping is the direct way ;-) And you have to allow ICMP in the firewall rules for LAN to make a ping work. And http/https to reach the web interface of your modem

Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: cguilford on March 20, 2019, 12:53:12 pm
@chemlud can you provide a couple screenshots of what/how you have your rules setup, I've done the outbound Nat setup and I've created the LAN Rules to allow Network connectivity but something still appears to be missing.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: mitsos on March 20, 2019, 01:05:32 pm
Unless the modem is configured in a "bridged" scenario (ie PPPoE on OPNSense), no other configuration is needed on OPNSense to access it.

If it's a double NAT scenario (which contrary to popular belief doesn't break *any* service, PAT does), and OPNSense has an IP in the modem's LAN subnet (ie gets its IP directly from the modem/you have manually assigned an IP to OPNSense's WAN in the modem's LAN subnet), then it's routing 101: You are looking for the modem's IP, OPNsense answers "I see that IP, let me handle your packets for you" (=what a router does), you get connected, everything works.

Why it will not work:
1) you mess up with the outbound NAT rules.
2) you are blocking private/invalid on OPNSense's WAN
3) there isn't any rule that allows it (there should be, the default allow LAN to any, assuming you are connecting from OPNSense's LAN interface)
4) your modem is bridged, possibly using a specific port for the bridge, while leaving the rest as a "local tech support" access. ie port 1 is bridged, port 2+3 are not, port 4 is for a VOIP setup.

Works with cable, DSL, dialup, postal pigeons, star trek communicators  ;)

Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: chemlud on March 20, 2019, 02:27:04 pm
Yepp, if I disable "Block private" on WAN, I can access the modem even without the NAT rule. However, with block private on WAN, the NAT rule takes over and allows the otherwise blocked private IP of my modem...

fun!
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 20, 2019, 03:27:27 pm
Clearly, I know far too little about networking.  I have "block private" disabled on WAN.
I have the WAN rules that chemlud suggests, and still cannot ping or reach the modem.
I have the allow all rule for LAN.  AFAIK the modem is not bridged or PPPoE.  I need a
more systematic way to study this stuff.  Or go back to something simpler.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: chemlud on March 20, 2019, 03:39:51 pm
do a packet capture (Interfaces -> Diagnostics), first on LAN then on WAN while you try to access the modem via http or https (depends...) and see where your packets go to.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 20, 2019, 04:56:06 pm
LAN packet capture shows the only place my desktop goes is to the OPNsense box (on 443).
WAN packet capture did not show anything relevant that I can see: mostly packets between
my IP and the VPN IP, and the rest are ARP requests (for other IPs).
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: chemlud on March 20, 2019, 06:09:42 pm
So the traffic is apparently not leaving the LAN interface. Anything in the firewall logs?

Have a look here again, it works for me just fine:


Why it will not work:
1) you mess up with the outbound NAT rules.
2) you are blocking private/invalid on OPNSense's WAN
3) there isn't any rule that allows it (there should be, the default allow LAN to any, assuming you are connecting from OPNSense's LAN interface)
4) your modem is bridged, possibly using a specific port for the bridge, while leaving the rest as a "local tech support" access. ie port 1 is bridged, port 2+3 are not, port 4 is for a VOIP setup.

Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 20, 2019, 06:24:03 pm
The firewall shows that the destination to 12.168.100.1 is passed out.
But the source is my virtual IP for the VPN client.

Considering the list:
1) How would I know  :-\
2) No blocking, checked again from Interfaces
3) There is a LAN to any rule
4) Not bridged or PPPoE, as far as I know.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: chemlud on March 20, 2019, 07:18:26 pm
..post screenshot of NAT outbound... Again, here it works just fine ;-)
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 20, 2019, 07:43:05 pm
Strangely, I had posted this before, but it somehow disappeared.
Here it is again.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: chemlud on March 20, 2019, 08:10:24 pm
I don't get it, why is 127.0.0.0 in there? Why are 192.168.1.0/24 and 10.0.10.0/24 there twice?

What is in the "Automatic rules" (more south on the same page...)
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 20, 2019, 08:25:24 pm
I don't get it, why is 127.0.0.0 in there? Why are 192.168.1.0/24 and 10.0.10.0/24 there twice?

What is in the "Automatic rules" (more south on the same page...)

I don't remember anymore why 127.0.0.0 is there, and never really understood the logic of it.
The others are there because of the different interfaces ?

Is there a better way to do it?
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: mitsos on March 20, 2019, 09:48:15 pm
What the first rule of your NAT does: Take any packet from .100.0/24 (in which your cable modem is included) and translate it to .100.(OPNSense WAN IP). That's what's breaking it.

First rule on my list  ;)

Switch NAT to automatic, you don't need any manual rules. No you don't. Still don't need them  ;)
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 20, 2019, 10:10:41 pm
Now I am more confused.  The first rule is what is supposed to be what allows me to reach the modem, and was added only recently in an attempt to reach it.  The other rules are necessary if I wish to go out through the VPN
client only (which is my goal), or so it was explained to me.  Or, there is a rule to work as a server.  I learned these
from the OPNsense documentation.  Are you saying that they are wrong?
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: mitsos on March 21, 2019, 02:38:26 am
The first rule is a) wrong and b) not needed, so delete it. It is messing up everything in your modem's subnet. That's "a" reason for not reaching your modem. Planning ahead for "[citation needed]": You are taking the source subnet and translating it to the (same) destination, or in simple words you are taking an orange and translating it to an orange.

VPN is another topic, for now we are talking about reaching your modem. Offtopic: you add a default route for your VPN, with exceptions for your local subnets (ie modem) as well as your remote endpoint (so it actually knows how to reach it when the tunnel is being established/off), not NAT. VPN endpoints are "routers", they understand routing in order for your packets to get from point A to point B. What I'm trying to say is you don't use NAT on the entry, you use it on the exit side, ie the server side. I doubt the OPNSense documentation said anything about adding NAT on your entry point.

Do me a favor, select automatic NAT (the first option), then post a screenshot of your modem's interface when it connects as a thanks  ;)
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 21, 2019, 03:30:33 pm
Indeed if I replace all of my manual rules with automatic ones and reboot (necessary), I can access the
modem interface but not the intertubes.  If I also remove some of my firewall rules that block internet
access not through the VPN, then I can also access the intertubes, but  not through the VPN server.

It is not really off-topic to me (the OP) to say that I was looking for a way to access the cable modem without
destroying the other functionality, including VPN.  There is no official documentation on how to set up the
VPN client, just discussion in the forums (like here: https://forum.opnsense.org/index.php?topic=4979.msg19771#msg19771).

Now I need to find reliable documentation on how to set up the VPN client.

Thanks!
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: mitsos on March 21, 2019, 07:02:25 pm
Now that we fixed the modem access, on to fix the VPN:

Modify your "LAN to outside rule" so that the gateway used (there is a gateway option, you need to add the gateway's IP manually under System > Gateways > Single) is the remote server's VPN address (the one you get *after* establishing the tunnel). That will force outgoing packets to go through that particular gateway and return packets (ie answers to *your* packets will have no other way but to flow through the VPN).

Make sure you don't get locked out. Check (and recheck) that there is a rule that allows OPNSense webgui access **BEFORE** your modified rule.

That modified gateway rule will direct everything over the tunnel. Assuming your provider (I see PIA mentioned there, so I'm going with private internet access) allows you to query DNS over the tunnel (it should) then the only thing left is to modify your DHCP server settings so that the DNS it gives is the PIA one and/or modify OPNSense's DNS (you really really should be using unbound in "full resolver" mode + have that go through the tunnel) and you have completed the circle. For unbound, create a rule to allow traffic from the firewall itself to the world + VPN gateway as before.

Feel free to adjust/add rules as you see fit for access. Also make sure that there is a rule that allows traffic from your LAN to your modem's subnet **before** the VPN rules.

Enjoy, you are welcome  :)
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 22, 2019, 03:08:02 pm
Now that we fixed the modem access, on to fix the VPN:

Great, thanks.

Modify your "LAN to outside rule" so that the gateway used (there is a gateway option, you need to add the gateway's IP manually under  System > Gateways > Single) is the remote server's VPN address (the one you get *after* establishing the tunnel). That will force outgoing packets to go through that particular gateway and return packets (ie answers to *your* packets will have no other way but to flow through the VPN).

Are you sure that I need to add that gateway manually?  There is already one there labeled  PENVPNCLIENT_VPNV4.  Besides, how do I automate retrieval of that IP address?  Surely, it does not need to be added by hand each time?  At any rate, I added a gateway manually using the IP address of the VPN server, and made it the gateway for the LAN rule, but no dice.

By "LAN to outside rule" I assume that you mean the firewall rule under
the LAN interface that is currently "default allow LAN to any" rule.  At any rate, I changed that rule to have the VPN gateway mentioned above.


Make sure you don't get locked out. Check (and recheck) that there is a rule that allows OPNSense webgui access **BEFORE** your modified rule.

I assume that this is the anti-lockout rule in the same LAN interface, which gives access from anywhere to the LAN on ports 22,80 and 443.  It is indeed the first rule.

That modified gateway rule will direct everything over the tunnel. Assuming your provider (I see PIA mentioned there, so I'm going with private internet access) allows you to query DNS over the tunnel (it should) then the only thing left is to modify your DHCP server settings so that the DNS it gives is the PIA one and/or modify OPNSense's DNS (you really really should be using unbound in "full resolver" mode + have that go through the tunnel) and you have completed the circle. For unbound, create a rule to allow traffic from the firewall itself to the world + VPN gateway as before.

This is a little trickier, since I use a pihole for my DNS.  The DHCP server gives the IP of the pihole as the DNS server.  The pihole uses the OPNsense box on port 53 as its DNS server.  Then, I set the DNS server on the OPNsense box (under System->Settings->General) as the VPN DNS servers.  This is the only way that I could get it to work and not have DNS leaks anywhere.  I do have unbound enabled, but am not sure about "full resolver mode".

Feel free to adjust/add rules as you see fit for access. Also make sure that there is a rule that allows traffic from your LAN to your modem's subnet **before** the VPN rules.

Enjoy, you are welcome  :)

Not sure about where the last rule goes.  Well, I did the above.  The VPN logs shows that the "Initialization sequence is completed".  So the OpenVPN client is communicating fine with the
server.  From the OPNsense box, I can ping the outside world.  However, I then have no internet access from the LAN.  Only if I change the gateway for the "default allow LAN to any" rule back to default do I get access, but not through the VPN.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: mitsos on March 24, 2019, 02:51:47 pm
Are you sure that I need to add that gateway manually?  There is already one there labeled  PENVPNCLIENT_VPNV4.  Besides, how do I automate retrieval of that IP address?  Surely, it does not need to be added by hand each time?  At any rate, I added a gateway manually using the IP address of the VPN server, and made it the gateway for the LAN rule, but no dice.

1) Where did that gateway come from?
2) I'm willing to bet you used the public IP of the VPN server instead of the tunnel IP.

Not sure about where the last rule goes.  Well, I did the above.  The VPN logs shows that the "Initialization sequence is completed".  So the OpenVPN client is communicating fine with the
server.  From the OPNsense box, I can ping the outside world.  However, I then have no internet access from the LAN.  Only if I change the gateway for the "default allow LAN to any" rule back to default do I get access, but not through the VPN.

The OPNSense box doesn't go through the VPN tunnel, that's why you can ping outside. Can you ping the VPN gateway (the remote server's tunnel IP, not the public IP) from the LAN?

WRT the DNS: your setup is a disaster, let's get the VPN fixed first then we'll worry about the DNS.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 24, 2019, 05:35:40 pm
1) Where did that gateway come from?
2) I'm willing to bet you used the public IP of the VPN server instead of the tunnel IP.
WRT the DNS: your setup is a disaster, let's get the VPN fixed first then we'll worry about the DNS.
I don't know, it was probably generated automatically when setting up the client, since I don't recall
ever modifying the gateway. It does report using the tunnel IP, though it is not put in manually in the settings.
It is set up as "dynamic".  I have modified it to be the manual tunnel IP: 10.x.x.x, and then made the
other changes as you suggest (automatic NAT outbound rules, LAN rule to use the new manually set gateway to the VPN tunnel).  There was no connectivity outside, so I reset the VPN connection.  Still no connectivity, though my OPNsense box is connected to the VPN server.  So, I rebooted the OPNsense box, checked that the tunnel IP is correct in the manually set single gateway (it had changed on reboot, of course), and then checked connectivity.  No. So then I tried to ping the tunnel IP, and yes I could.  I also discovered that from my LAN client I could ping 8.8.8.8 but not www.google.com, so it is now probably just a DNS problem, from my crazy set up.

I think that this is great progress, and once the DNS is working, it will all be working.

Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: mitsos on March 24, 2019, 11:55:36 pm
Verify that ping is indeed going through the tunnel by capturing some traffic (interfaces > diagnostics > packet capture > your VPN interface) while pinging from your LAN.

If pinging with an IP works but not with the hostname, it's a DNS issue. Is the ahole, pardon pihole, on a different interface other than LAN by any chance?

I'm assuming you are using windows, so do an "nslookup www.google.com" from a command line when it's not working.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 25, 2019, 04:39:39 pm
No, when I ping from my LAN client, the ping is just being returned from the OPNsense box for some reason.

I have also simplified my DNS service by making it the PIA DNS servers in the DHCP server, and eliminated everything that refers to the pihole.  This allows me to ping either 8.8.8.8 or www.google.com from the OPNsense box, but have no connectivity to outside for the LAN clients.  I have been experimenting with lots of other things,
but no progress, so won't even detail those.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 25, 2019, 05:08:29 pm
BTW, I did use nslookup (on linux), but nothing returns.

Now I am not so sure that there is any progress here. My original setup (that I keep returning to),
at least gives me internet connectivity on all clients through the VPN, no DNS leaks, and allows me
to use the pihole (which I could maybe accomplish with BIND).  The downsides are that it is complicated
on the firewall and DNS settings, and that I cannot reach the cable modem. 

So far, the only other option I have is to drop VPN, and then sometimes reach the outside world without
VPN.  I write "sometimes" because that is actually not even reproducible, as I learned today.  I follow what
seem to be identical steps, but no longer reach the outside world without VPN for the LAN client.  Who knows, maybe I am forgetting to reboot the OPNsense box at the right moment, or not restarting my LAN client connection to get some new DNS server instruction at the right moment, or not dancing with a chicken today, or
who knows what.  In reality, I probably need to know a great deal more about networking in order to use
this tool.  Maybe it would be better for me to go to something simpler, like openwrt.  Yeah, I am sure that you can
tell that I am getting frustrated working on this problem without progress for almost a week. 

I am also sure that you see progress, but it is hard to tell from this end.  Despite my frustration, I do greatly
appreciate your efforts.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: mitsos on March 25, 2019, 06:36:35 pm
You are changing too many things and I can't keep track. Doing this without being in front of the screen to properly troubleshoot it is already confusing.

Recap:
1) Set up your VPN tunnel (check that auto NAT is enabled)
2) Change the "LAN to any" allow rule to gateway > VPN.
3) Then actually post the output for:
3a) ping from your LAN to your OPNSense
3b) ping from your LAN to the VPN gateway (the PIA server's VPN IP)
3c) ping from your LAN to 8.8.8.8
3d) ping from your LAN to www.google.com
3e) On OPNSense Interfaces > Diagnostics > DNS lookup for www.google.com
3f) You mentioned linux, so I'm assuming that you are using linux instead. Do a "dig www.google.com" from your LAN.
3g) Post your OPNSense routes when the tunnel is established (System >  Routes> Configuration), redact if necessary.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 25, 2019, 10:55:31 pm
3a) Ping from LAN client to OPNsense box:
PING 192.168.1.50 (192.168.1.50) 56(84) bytes of data.
64 bytes from 192.168.1.50: icmp_seq=1 ttl=64 time=6.30 ms
64 bytes from 192.168.1.50: icmp_seq=2 ttl=64 time=3.73 ms
64 bytes from 192.168.1.50: icmp_seq=3 ttl=64 time=2.77 ms

3b) Ping from LAN client to the VPN gateway:
PING 199.116.115.133 (199.116.115.133) 56(84) bytes of data.
64 bytes from 192.168.1.50: icmp_seq=1 ttl=64 time=3.47 ms
64 bytes from 192.168.1.50: icmp_seq=2 ttl=64 time=4.39 ms
64 bytes from 192.168.1.50: icmp_seq=3 ttl=64 time=2.53 ms

or if I use the tunnel IP
PING 10.83.10.6 (10.83.10.6) 56(84) bytes of data.
64 bytes from 10.83.10.6: icmp_seq=1 ttl=64 time=3.28 ms
64 bytes from 10.83.10.6: icmp_seq=2 ttl=64 time=8.03 ms
64 bytes from 10.83.10.6: icmp_seq=3 ttl=64 time=7.03 ms
64 bytes from 10.83.10.6: icmp_seq=4 ttl=64 time=6.86 ms

3c) Ping 8.8.8.8 from LAN:
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 192.168.1.50: icmp_seq=1 ttl=64 time=4.01 ms
64 bytes from 192.168.1.50: icmp_seq=2 ttl=64 time=3.12 ms
64 bytes from 192.168.1.50: icmp_seq=3 ttl=64 time=3.70 ms

3d) ping from LAN to www.google.com
ping: www.google.com: Name or service not known

3e) DNS lookup of www.google.com using the Interfaces Diagnostic returns nothing.

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56248
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; Query time: 23 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Mar 25 16:40:25 CDT 2019
;; MSG SIZE  rcvd: 43

3f) System:Routes:Configuration
No results found!
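The transcripts in the post above can be triaged mechanically, which is useful when several rounds of "post the output for ..." have to be compared. The script below is an added example (not from this thread and not part of OPNsense): it parses the text that Linux (iputils) and FreeBSD ping and dig print, and flags the two findings that matter on a policy-routed firewall: an ICMP echo reply that arrives from an address other than the one that was pinged (something in the path answered on the target's behalf, which is exactly what the LAN pings to 199.116.115.133 and 8.8.8.8 show), and a name lookup that failed (SERVFAIL, or no server reachable). The sample transcripts are constructed from lines quoted in the thread; the regular expressions assume the output formats shown there.

```python
"""Triage ping/dig transcripts: flag replies from the wrong host and failed lookups.

Added example, not from the thread and not OPNsense code.
"""
import re

# iputils: "PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data."   FreeBSD: "PING 8.8.8.8 (8.8.8.8): 56 data bytes"
PING_HEADER = re.compile(r"^PING\s+\S+\s+\((\d+\.\d+\.\d+\.\d+)\)")
PING_REPLY = re.compile(r"^\d+ bytes from (\d+\.\d+\.\d+\.\d+)")
PING_ERROR = re.compile(r"^ping: (\S+): (.+)$")
DIG_STATUS = re.compile(r"status: (\w+)")

# Constructed samples mirroring the transcripts in the thread.
SAMPLE_PINGS = {
    "LAN->VPN public IP": """PING 199.116.115.133 (199.116.115.133) 56(84) bytes of data.
64 bytes from 192.168.1.50: icmp_seq=1 ttl=64 time=3.47 ms
64 bytes from 192.168.1.50: icmp_seq=2 ttl=64 time=4.39 ms""",
    "LAN->tunnel IP": """PING 10.83.10.6 (10.83.10.6) 56(84) bytes of data.
64 bytes from 10.83.10.6: icmp_seq=1 ttl=64 time=3.28 ms""",
    "LAN->8.8.8.8": """PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 192.168.1.50: icmp_seq=1 ttl=64 time=4.01 ms""",
    "LAN->www.google.com": "ping: www.google.com: Name or service not known",
    "firewall->8.8.8.8": """PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.107 ms""",
}
SAMPLE_DIGS = {
    "LAN dig default": """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56248
;; SERVER: 127.0.0.53#53(127.0.0.53)""",
    "LAN dig @1.1.1.1": ";; connection timed out; no servers could be reached",
}


def check_ping(transcript: str) -> dict:
    """Summarise one ping transcript.

    verdict is one of:
      'ok'           every reply came from the pinged address
      'proxied'      replies came from another address (a router answered instead)
      'unreachable'  ping itself reported an error (e.g. name not known)
      'no_reply'     header seen, no replies at all
    """
    target, sources = None, set()
    for line in transcript.splitlines():
        m = PING_ERROR.match(line)
        if m:
            return {"target": m.group(1), "sources": set(),
                    "verdict": "unreachable", "detail": m.group(2)}
        m = PING_HEADER.match(line)
        if m:
            target = m.group(1)
            continue
        m = PING_REPLY.match(line)
        if m:
            sources.add(m.group(1))
    if target is None:
        raise ValueError("no PING header in transcript")
    verdict = "no_reply" if not sources else ("ok" if sources == {target} else "proxied")
    return {"target": target, "sources": sources, "verdict": verdict, "detail": ""}


def check_dig(transcript: str) -> str:
    """Return the dig status word (NOERROR, SERVFAIL, ...) or TIMEOUT/UNKNOWN."""
    if "connection timed out" in transcript:
        return "TIMEOUT"
    m = DIG_STATUS.search(transcript)
    return m.group(1) if m else "UNKNOWN"


def triage(pings: dict, digs: dict) -> list:
    """One human-readable finding per anomalous transcript."""
    findings = []
    for name, text in pings.items():
        r = check_ping(text)
        if r["verdict"] == "proxied":
            findings.append(f"{name}: replies to {r['target']} came from "
                            f"{sorted(r['sources'])}, not from the target")
        elif r["verdict"] != "ok":
            findings.append(f"{name}: {r['verdict']} {r['detail']}".rstrip())
    for name, text in digs.items():
        status = check_dig(text)
        if status != "NOERROR":
            findings.append(f"{name}: DNS {status}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PINGS, SAMPLE_DIGS):
        print(finding)
```

A reply sourced from the firewall's own LAN address (or, on the firewall, from 127.0.0.1) is the signal to look at the routing table next rather than at firewall rules: the packet never left the box.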
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: mitsos on March 26, 2019, 11:01:24 pm
3f: that's how it's supposed to be

3e is interesting: The server that answered your query was 127.0.0.53. That's the local subnet. I thought you changed the DNS servers to PIA's ones. Can you double check the DHCP DNS settings + the DNS settings for opnsense?

Before you double check the servers, from your LAN: "dig www.google.com @{your actual dns server or 1.1.1.1}" ie "dig www.google.com @1.1.1.1". I'm betting a banana that it will answer correctly.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 27, 2019, 02:45:07 pm
; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> www.google.com @1.1.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached
I guess you owe me a banana.

The DHCP DNS settings are for the pihole: 192.168.1.53
The DNS settings under System:Settings:General are 1.1.1.1 using the gateway OPENVPNCLIENT_VPN4,
which, remember, is set to "dynamic", and is always on the subnet of the VPN tunnel's virtual IP.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: mitsos on March 27, 2019, 07:02:45 pm
Slowly getting somewhere... (there is an issue with your routes)

Which of the following is true?
1) You want everything to go over the tunnel, except "local" destinations (ie your cable modem)
2) You want only specific traffic from specific interfaces to go over the tunnel (ie everything from LAN to the internet goes over the VPN)

Skimming the thread, I'm under the impression that it's 1 from above, so to save some time I'll use that:
1) add a route for your VPN provider's public network:
Network address: 10.0.0.0/24 (example, adjust for your provider's public IP range, ie the IP you connect to before the tunnel is up)
gateway: WAN_DHCP
Description: Finding the VPN provider (to make it easier on you in the future)
2) system > gateways >  OPENVPNCLIENT_VPN4 > make it the default
3) Edit the LAN rule (any to any) and change gateway to default.
4) Make sure NAT is auto
5) Repeat all the pinging and DNS resolving, posting the results.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 27, 2019, 10:25:09 pm
Yes, my current setup is 1), although I would like to modify it so that tunneling happens according to destination domain (for example, make an exception for Netflix).  For the moment, though, I would be happy with 1).

So here is what I did/got:

1) reverted back to suggested (nonworking) configuration: automatic outbound NAT rules; manually set LAN gateway to VPN tunnel virtual IP;
set LAN outbound rules to that gateway; also disabled the OpenVPNClient rules that blocked 443 and 80 if it does not go out the VPN.

2) System: Routes: Configuration: added a route to the public server of the VPN server. Made the gateway WAN_DHCP.

3) made the OpenVPNClient gateway default (System:Gateways:Single)

4) changed the "any to any" LAN rule to default gateway.

From LAN client:

ping 8.8.8.8 -> returns no packets.

ping www.google.com -> likewise

dig www.google.com @1.1.1.1:
; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> www.google.com @1.1.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached

ping from OPNsense box:
# /sbin/ping -c '3' '8.8.8.8'
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.107 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.081 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.089 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.081/0.092/0.107/0.011 ms

or:
# /sbin/ping -c '3' 'www.google.com'
ping: cannot resolve www.google.com: Host name lookup failure

So, now the OPNsense box cannot reach outside.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: mitsos on March 28, 2019, 10:31:06 am
You missed pinging the VPN gateway's private IP (after the tunnel is set up) from opnsense + LAN.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 28, 2019, 03:23:54 pm
3a) ping from your LAN to your OPNSense:
PING 192.168.1.50 (192.168.1.50) 56(84) bytes of data.
64 bytes from 192.168.1.50: icmp_seq=1 ttl=64 time=2.12 ms
64 bytes from 192.168.1.50: icmp_seq=2 ttl=64 time=2.00 ms
64 bytes from 192.168.1.50: icmp_seq=3 ttl=64 time=7.66 ms

3b) ping from your LAN to the VPN gateway (the PIA server's VPN IP):
PING 104.200.153.72 (104.200.153.72) 56(84) bytes of data.
64 bytes from 104.200.153.72: icmp_seq=1 ttl=55 time=10.0 ms
64 bytes from 104.200.153.72: icmp_seq=2 ttl=55 time=13.0 ms
64 bytes from 104.200.153.72: icmp_seq=3 ttl=55 time=10.3 ms

3c) ping from your LAN to 8.8.8.8
returns nothing

3d) ping from your LAN to www.google.com
ping: www.google.com: Name or service not known

3e) On OPNSense Interfaces > Diagnostics > DNS lookup for www.google.com:
returns nothing

3f) You mentioned linux, so I'm assuming that you are using linux instead. Do a "dig www.google.com" from your LAN.
; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5346
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; Query time: 100 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Mar 28 09:11:13 CDT 2019
;; MSG SIZE  rcvd: 43

dig www.google.com @1.1.1.1:
; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> www.google.com @1.1.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: mitsos on March 28, 2019, 07:02:20 pm
; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5346
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; Query time: 100 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Mar 28 09:11:13 CDT 2019
;; MSG SIZE  rcvd: 43

What is that server? I talked about it a couple of replies back.

Feels that there are other things fighting the configuration. Assuming the gateway (the PIA one) is correctly set up, I don't see why it wouldn't work. Also assuming a default configuration + customizations that I mentioned, the gateway is there, the routes are there, the rules are there, dunno why it's not cooperating.

Other than mtr'ing the entire network to see why and where packets get stuck, I don't think there is any other solution.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: Bonkerton on March 28, 2019, 09:35:08 pm
On recent Ubuntu versions (the ones using systemd), the command to see Ubuntu's DNS setup is

systemd-resolve --status

Maybe there's some info in there.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 29, 2019, 03:11:47 pm
MTR?  What is that?  Resetting to factory defaults?

I did check what my LAN client thinks is the DNS, and it is correct, the pihole IP.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: mitsos on March 30, 2019, 01:27:18 pm
https://linux.die.net/man/8/mtr
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: jds on March 30, 2019, 09:59:46 pm
That looks analogous to a colonoscopy, and about as pleasant.

Since I have my current configuration saved, I am thinking about starting from factory defaults, and rebuilding everything, but with the openvpn client set up more rationally this time.  This seems slightly less painful.
Title: Re: Can anyone reach their cable modem through OpnSense?
Post by: Bonkerton on October 31, 2019, 10:22:34 pm
I know this is old but the thread came up as the first result when googling for this problem.

Even going to 'Automatic outbound NAT rule generation' as suggested above did not allow me access to my cable modem admin page.

But I got it to work using the method described here:
https://forum.opnsense.org/index.php?topic=8616.0 (https://forum.opnsense.org/index.php?topic=8616.0)

In short:
- cable modem and own network (from which you want to access the cable modem) need to be on different subnets
- create a Virtual IP (in OPNsense 19.7.5 under Firewall->Virtual IPs) in the same subnet as the cable modem
- create a floating firewall rule and a corresponding NAT outbound rule
- profit

My home network is 192.168.0.0/24
My modem is a Linksys CM3008 on 192.168.100.1 - created the Virtual IP as 192.168.100.2
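What those GUI steps amount to, expressed as the equivalent raw FreeBSD pf configuration. This is an added illustration, not Bonkerton's configuration or the rules OPNsense itself generates; the WAN interface name em0 is assumed, and the addresses are the ones from the post.

```pf
# Constructed illustration of the Virtual IP + outbound NAT approach in raw
# pf terms. Interface name em0 is assumed; addresses follow the post above.
wan_if      = "em0"               # physical NIC the cable modem is plugged into
lan_net     = "192.168.0.0/24"    # home LAN (must differ from the modem subnet)
modem_net   = "192.168.100.0/24"  # the modem's management subnet
modem_alias = "192.168.100.2"     # Virtual IP (IP alias) placed on the WAN NIC

# The Virtual IP itself is an interface alias, not a pf rule. On FreeBSD the
# GUI entry is equivalent to:
#   ifconfig em0 alias 192.168.100.2 netmask 255.255.255.0

# Outbound NAT (translation rules must come before filter rules in pf.conf).
# LAN hosts talking to the modem subnet leave the WAN NIC sourced from the
# alias, so the modem can reply without needing any route back to the LAN.
nat on $wan_if inet from $lan_net to $modem_net -> $modem_alias

# The floating pass rule. Scoping it to the modem subnet only means nothing
# else gains a new path out of the WAN NIC.
pass out quick on $wan_if inet from $lan_net to $modem_net keep state
```

In OPNsense, floating rules are evaluated before interface rules, which is why the pass rule lives there rather than on LAN, where the existing any-to-any rule would already have handed the traffic to the VPN gateway.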