Outbound NAT to access WebUI of DSL Modem

[Bob.Dig]

They say the IP is 192.168.0.1 in router mode and 192.168.100.1 in modem mode.

What is your WAN-Address in OPNsense?

[dave79]

@meyergru Ok, let me start this again. With the VIP added, I logged into OPNsense and I can ping the modem:

Code Select Expand

root@OPNsense:~ # ping -c 10 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes
64 bytes from 192.168.100.1: icmp_seq=0 ttl=64 time=4.667 ms
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=4.575 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=5.996 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=4.854 ms
64 bytes from 192.168.100.1: icmp_seq=4 ttl=64 time=4.588 ms
64 bytes from 192.168.100.1: icmp_seq=5 ttl=64 time=4.569 ms
64 bytes from 192.168.100.1: icmp_seq=6 ttl=64 time=4.573 ms
64 bytes from 192.168.100.1: icmp_seq=7 ttl=64 time=4.535 ms
64 bytes from 192.168.100.1: icmp_seq=8 ttl=64 time=4.606 ms
64 bytes from 192.168.100.1: icmp_seq=9 ttl=64 time=4.536 ms

--- 192.168.100.1 ping statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 4.535/4.750/5.996/0.425 ms

I checked ifconfig:

Code Select Expand

em1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: WAN (wan)
options=4e507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
ether 00:1f:x:x:x:x
inet 82.x.x.x netmask 0xfffffc00 broadcast 82.x.x.x
inet 192.168.100.2 netmask 0xffffff00 broadcast 192.168.100.255
inet6 fe80::x:x:x:ec81%em1 prefixlen 64 scopeid 0x2
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

Then I added the outbound NAT:



But I am still unable to ping 192.168.100.1 from a machine on LAN or access the web UI. So I guess this is a firewall problem?

@Bob.Dig When port 4 of the modem is connected to OPNsense's WAN port, it shows my public IP, but if I unplug it (after setting up the VIP) it shows 192.168.100.2

[Patrick M. Hausen]

Do you have a rule on LAN that allows this traffic? If yes, does that rule explicitly set a gateway?

[dave79]

Yes I have a rule and no, the gateway is set as default:



Apart from default, the options I have in the drop down are:



I tried WAN and WAN - IP but there was no change. Have I messed something else up?

[Patrick M. Hausen]

Destination: 192.168.100.0/24 (should also be an automatic alias "DSL net" or whatever you named that interface) or 192.168.100.1/32 or as a host alias without a prefix length.

Also, why do you need a rule at all? Don't you allow destination "any" on the LAN interface, anyway?

[Bob.Dig]

Have I messed something else up?

I say yes because usually it works out of the box. So show all your LAN and Floating rules and maybe Outound-NAT if you changed something there.

[dave79]

Don't you allow destination "any" on the LAN interface, anyway?

Yes, I only ever added one rule to LAN before now.

So show all your LAN and Floating rules and maybe Outound-NAT if you changed something there.

Rules: https://ibb.co/Z1GRdWrY

Outbound NAT: https://ibb.co/S4BbN9r2

[Bob.Dig]

Are you using PPPoE or DHCP for your Internet? But at this point, I give up anyways.

[Bob.Dig]

usually it works out of the box

I have to correct myself, for a cable-modem it usually works out of the box but here the case is different, sry.

[dave79]

I am using DHCP on the WAN port.

In some the posts above I think I have said modem, but it's technically a router in modem mode.

Ok, thank you for taking the time to troubleshoot this, I really appreciate it.

Out of interest, I have seen some people say that double NATing isn't usually an issue - even for torrents and VPNs etc - could this be a possible workaround? Put it back in router mode, disable wifi then do it that way? The reason I am so keen to get this working is that I am having some latency issues at the moment, and I really need to be able to access the router to diagnose.

[EricPerl]

Given the penultimate rule (allow all), you don't need another FW rule. You should enable logging on that rule though (especially while troubleshooting).
VIP and Outbound NAT should be sufficient (hopefully force-gateway is not going to interfere).

At this point, you should check you FW live view filtered to dst is MODEM_IP
You should see in on LAN, out on WAN (you may need to visit FW > Settings > Advanced to tweak logging of default rules) as you try to access.

If you do see both green, check source and destination are as expected (on WAN side, source should be VIP).
If you don't, report with screenshot.
If you did, and it still doesn't work from the browser, you need to do a packet capture (LAN + WAN, filter to modem IP). Download and attach the results.

[meyergru]

The only thing I can imagine here that still causes problems would be an outbound firewall rule that blocks LAN IPs from ever leaving the WAN interface. I had this in place because my ISP reacts by cutting the connection if he sees outbound non-routeable IPs. I had to preceed that rule by one allowing the specific modem traffic.

[dave79]

Ok, just to make sure I didn't mess something up (which is not out the realms of possibility as this is totally out of my comfort zone) I restored from a snap before I even posted here. First I checked "Log packets that are handled by this rule" on the allow any LAN rule.

I pinged 192.168.100.1 from OPNsense and this is what I see: https://i.imgur.com/660OonZ.png

Unless I am wrong, this looks like the connection is allowed out of LAN in the logs?

The ping looks like this:

Code Select Expand

root@OPNsense:~ # ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes
ping: sendto: Host is down
ping: sendto: Host is down
ping: sendto: Host is down
ping: sendto: Host is down
ping: sendto: Host is down
ping: sendto: Host is down
^C
--- 192.168.100.1 ping statistics ---
11 packets transmitted, 0 packets received, 100.0% packet loss
Then I added the VIP (IP Alias, WAN, 192.168.100.2/24 - nothing else) and looked again: https://i.ibb.co/hFQNhdm0/wan.png

Shouldn't the LAN also be listed in the logs once the VIP is added?

This time the ping doesn't time out (from OPNsense again):

Code Select Expand

root@OPNsense:~ # ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes
64 bytes from 192.168.100.1: icmp_seq=0 ttl=64 time=4.617 ms
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=4.555 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=4.469 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=4.502 ms
64 bytes from 192.168.100.1: icmp_seq=4 ttl=64 time=4.565 ms
64 bytes from 192.168.100.1: icmp_seq=5 ttl=64 time=4.554 ms
^C
--- 192.168.100.1 ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss

Now I added the outbound NAT: https://i.ibb.co/Fqqr9HqF/outbound-nat.png (but logging was checked too, this is a screenshot from earlier)

Firewall logs: https://i.ibb.co/rGLZx6jw/nat-logs.png

Ping from OPNsense:

Code Select Expand

root@OPNsense:~ # ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes
64 bytes from 192.168.100.1: icmp_seq=0 ttl=64 time=6.595 ms
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=2.918 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=2.918 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=3.008 ms
64 bytes from 192.168.100.1: icmp_seq=4 ttl=64 time=2.870 ms
64 bytes from 192.168.100.1: icmp_seq=5 ttl=64 time=2.950 ms
64 bytes from 192.168.100.1: icmp_seq=6 ttl=64 time=2.897 ms
64 bytes from 192.168.100.1: icmp_seq=7 ttl=64 time=2.916 ms
^C
--- 192.168.100.1 ping statistics ---
8 packets transmitted, 8 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.870/3.384/6.595/1.214 ms

Ping from machine on LAN:

Code Select Expand

/ # ping -c 4 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
From 192.168.1.10 icmp_seq=1 Destination Host Unreachable
From 192.168.1.10 icmp_seq=2 Destination Host Unreachable
From 192.168.1.10 icmp_seq=3 Destination Host Unreachable
From 192.168.1.10 icmp_seq=4 Destination Host Unreachable

--- 192.168.100.1 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3068ms
pipe 3

When I ping from the LAN machine, there is no additional entries in the firewall log.. also not sure why the ping shows it's trying to ping the LAN machine itself.. something is very wrong.

[meyergru]

Unless I am wrong, this looks like the connection is allowed out of LAN in the logs?

No, it just shows that nobody answers. Since you did not define a 196.168.100.0/24 net yet, this was expected, but tells nothing at all.

Then I added the VIP (IP Alias, WAN, 192.168.100.2/24 - nothing else) and looked again: https://i.ibb.co/hFQNhdm0/wan.png

Shouldn't the LAN also be listed in the logs once the VIP is added?

This time the ping doesn't time out (from OPNsense again):

Code Select Expand

root@OPNsense:~ # ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes
64 bytes from 192.168.100.1: icmp_seq=0 ttl=64 time=4.617 ms
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=4.555 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=4.469 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=4.502 ms
64 bytes from 192.168.100.1: icmp_seq=4 ttl=64 time=4.565 ms
64 bytes from 192.168.100.1: icmp_seq=5 ttl=64 time=4.554 ms
^C
--- 192.168.100.1 ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss


No, only the main IP/Network is listed in the GUI. You can see additional VIPs in the CLI via "ifconfig".

Now I added the outbound NAT: https://i.ibb.co/Fqqr9HqF/outbound-nat.png (but logging was checked too, this is a screenshot from earlier)

Firewall logs: https://i.ibb.co/rGLZx6jw/logs.png

Ping from OPNsense:

Code Select Expand

root@OPNsense:~ # ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes
64 bytes from 192.168.100.1: icmp_seq=0 ttl=64 time=6.595 ms
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=2.918 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=2.918 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=3.008 ms
64 bytes from 192.168.100.1: icmp_seq=4 ttl=64 time=2.870 ms
64 bytes from 192.168.100.1: icmp_seq=5 ttl=64 time=2.950 ms
64 bytes from 192.168.100.1: icmp_seq=6 ttl=64 time=2.897 ms
64 bytes from 192.168.100.1: icmp_seq=7 ttl=64 time=2.916 ms
^C
--- 192.168.100.1 ping statistics ---
8 packets transmitted, 8 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.870/3.384/6.595/1.214 ms

Ping from machine on LAN:

Code Select Expand

/ # ping -c 4 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
From 192.168.1.10 icmp_seq=1 Destination Host Unreachable
From 192.168.1.10 icmp_seq=2 Destination Host Unreachable
From 192.168.1.10 icmp_seq=3 Destination Host Unreachable
From 192.168.1.10 icmp_seq=4 Destination Host Unreachable

--- 192.168.100.1 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3068ms
pipe 3

When I ping from the LAN machine, there is no additional entries in the firewall log.. also not sure why the ping shows it's trying to ping the LAN machine itself.. something is very wrong.

As told, for getting to this IP from the LAN, you need:

1. A working network connection from OpnSense to the modem (which you have). This includes a route to the 192.168.100.0/24 network.
2. A outbound NAT rule from the LAN to the WAN. This is to assure that the sender address is your VIP, because your modem does not know the route back to your LAN, it can only address IPs in the 192.168.100.0/24 network.
3. A firewall rule allowing the traffic from your LAN to the modem. You do not need a reverse rule, since the responses are allowed automatically.

You seem to have that all, yet it does not work. Proof for the first step being carried out correctly is given by the working ping, so it seems that the other two steps - which seem correct, too - fail somehow.

P.S.: How did you configure your LAN client? I assume that OpnSense's LAN IP is the gateway? Because if it is not, then obviously, it will not be reached for IPs outside the LAN network... Can you ping 8.8.8.8 from your LAN client? Or did you assign a 192.168.100.0/24 IP on a second network card? Essentially: Does the routing for the target network from your LAN client work at all?

[Bob.Dig]

I am using DHCP on the WAN port.

Maybe you shouldn't. WAN should be PPPoE in your case.