Author Topic: Connect to bridged DSL modem (not PPPoE)  (Read 2656 times)

new-to-netgate
Re: Connect to bridged DSL modem (not PPPoE)
« Reply #15 on: May 08, 2017, 11:15:42 pm »


Quote
Edit: This will not work if the management IP is not set on the bridge interface on the modem but is instead only on the NAT'ed LAN ports of the modem.

I think that this is actually the case. 

chpalmer
Re: Connect to bridged DSL modem (not PPPoE)
« Reply #16 on: May 09, 2017, 03:25:24 am »
Quote from: new-to-netgate
I think that this is actually the case.

I've heard there is one or two modems out there like this but I've never run into any of them.. What model do you have?


P.S. statements made by me are not necessarily condoned by the management of this fine organization.  http://badmodems.com

kpa
Re: Connect to bridged DSL modem (not PPPoE)
« Reply #17 on: May 09, 2017, 05:00:38 am »
Quote from: new-to-netgate
I think that this is actually the case.

Quote from: chpalmer
I've heard there is one or two modems out there like this but I've never run into any of them.. What model do you have?

This is actually very common on any modem/router that allows you to set the LAN ports individually as bridge or NAT. On the bridged ports the management interface, which is the NAT'ed LAN interface, is completely hidden because it's behind the NAT and firewall from the perspective of the bridged network segment. There is no additional management IP set on the bridge because that would be redundant.

new-to-netgate
Re: Connect to bridged DSL modem (not PPPoE)
« Reply #18 on: May 09, 2017, 02:32:52 pm »
Quote from: new-to-netgate
I think that this is actually the case.

Quote from: chpalmer
I've heard there is one or two modems out there like this but I've never run into any of them.. What model do you have?


Quote from: new-to-netgate
ISP (DSL provider, not PPPoE) > Actiontec T2200H modem / router > pfSense firewall router > LAN

chpalmer
Re: Connect to bridged DSL modem (not PPPoE)
« Reply #19 on: May 09, 2017, 05:00:43 pm »
Quote
Yes, the modem (Actiontec) is bridged, and gets a public IP on its WAN interface. Still has an address of 192.168.1.254 on its LAN interface.
If I connect a laptop to one of the LAN ports of the modem I can connect to the modem GUI no problem.

This would show that your modem is reachable in bridge mode.

And found this at DSLR.. take it for what it is worth. I don't know this poster's knowledge to be accurate or not.. But based on your comment above it seems accurate.

Quote
RFC1483 bridging will bridge the WAN or DSL interface on the Actiontec device with all of the Ethernet ports on the LAN side of the device.

Once you enable bridging, one router that's connected to any of the ports on the device will become your new network gateway. After you do that, the only reason to plug anything else into the Actiontec device will be if it were on DSL service and you wanted to access the graphical statistics, at which point you'd configure a device manually (with some random IP like 192.168.1.152) so that you can go to the device's administration pages.

His comment was to someone on PPPoE.

When I had "bridged service" from my ISP at one of our remote outposts (no PPPoE anything) I was able to reach the modem's maintenance page from any computer on the network without any changes to the firewall. It just worked out of the box. Modem was a bridge-only device and had no on-board router. If you haven't tried this (with the new address) I'd suggest you do.

All of our other DSL connections are PPPoE and therefore the pfSense boxes need to be set up.

new-to-netgate
Re: Connect to bridged DSL modem (not PPPoE)
« Reply #20 on: May 09, 2017, 05:39:47 pm »
Quote
Yes, the modem (Actiontec) is bridged, and gets a public IP on its WAN interface. Still has an address of 192.168.1.254 on its LAN interface.
If I connect a laptop to one of the LAN ports of the modem I can connect to the modem GUI no problem.

Quote from: chpalmer
This would show that your modem is reachable in bridge mode.

OK, one last attempt at explaining.  :D  The Actiontec modem has 4 "LAN" ports, but only 1 of these 4 ports can be configured (if the user so wishes - it's not by default) to be bridged with the WAN interfaces. As I like to use my own router, and I do not like double NAT, I did use this option. However, this "bridge" only works / affects LAN port 1. The remaining 3 "LAN" ports (port 2, 3 and 4) still operate as if you had not bridged port 1, and will NAT the WAN connection.

So, for instance, if I now connect a laptop directly to "LAN" port 2 on the modem, I get a NATed address of 192.168.2.2 from the Actiontec, AND I'm able to access the modem GUI at 192.168.2.254.

Quote from: chpalmer
And found this at DSLR.. take it for what it is worth. I don't know this poster's knowledge to be accurate or not.. But based on your comment above it seems accurate.

Quote
RFC1483 bridging will bridge the WAN or DSL interface on the Actiontec device with all of the Ethernet ports on the LAN side of the device.

Once you enable bridging, one router that's connected to any of the ports on the device will become your new network gateway. After you do that, the only reason to plug anything else into the Actiontec device will be if it were on DSL service and you wanted to access the graphical statistics, at which point you'd configure a device manually (with some random IP like 192.168.1.152) so that you can go to the device's administration pages.

His comment was to someone on PPPoE.

When I had "bridged service" from my ISP at one of our remote outposts (no PPPoE anything) I was able to reach the modem's maintenance page from any computer on the network without any changes to the firewall. It just worked out of the box. Modem was a bridge-only device and had no on-board router. If you haven't tried this (with the new address) I'd suggest you do.

All of our other DSL connections are PPPoE and therefore the pfSense boxes need to be set up.

No, that is NOT accurate - how old is that post? It's not how the Telus firmware works these days. I posted a link from the ISP website earlier on how their modem works. For a long while, the root password for the Telus firmware was semi-public, and you could log in as root and bridge all ports or whatever.

All that was changed several years ago, when Telus decided to allow bridging "officially", but only for port 1. Since then, if you like to use your own router, that's the best option you have.

chpalmer
Re: Connect to bridged DSL modem (not PPPoE)
« Reply #21 on: May 09, 2017, 07:57:06 pm »

Quote from: new-to-netgate
OK, one last attempt at explaining.  :D  The Actiontec modem has 4 "LAN" ports, but only 1 of these 4 ports can be configured (if the user so wishes - it's not by default) to be bridged with the WAN interfaces. As I like to use my own router, and I do not like double NAT, I did use this option. However, this "bridge" only works / affects LAN port 1. The remaining 3 "LAN" ports (port 2, 3 and 4) still operate as if you had not bridged port 1, and will NAT the WAN connection.

So, for instance, if I now connect a laptop directly to "LAN" port 2 on the modem, I get a NATed address of 192.168.2.2 from the Actiontec, AND I'm able to access the modem GUI at 192.168.2.254.

I know my eyesight isn't as good as it used to be but this is the first time in this thread you have mentioned it this way. 

You actually have internet past your pfSense box and on ports 2-4 on your modem when both have the same public IP address??   :o   

What comes up if you try and access your public IP address from a browser?

new-to-netgate
Re: Connect to bridged DSL modem (not PPPoE)
« Reply #22 on: May 09, 2017, 10:19:40 pm »

Quote from: new-to-netgate
OK, one last attempt at explaining.  :D  The Actiontec modem has 4 "LAN" ports, but only 1 of these 4 ports can be configured (if the user so wishes - it's not by default) to be bridged with the WAN interfaces. As I like to use my own router, and I do not like double NAT, I did use this option. However, this "bridge" only works / affects LAN port 1. The remaining 3 "LAN" ports (port 2, 3 and 4) still operate as if you had not bridged port 1, and will NAT the WAN connection.

So, for instance, if I now connect a laptop directly to "LAN" port 2 on the modem, I get a NATed address of 192.168.2.2 from the Actiontec, AND I'm able to access the modem GUI at 192.168.2.254.

Quote from: chpalmer
I know my eyesight isn't as good as it used to be but this is the first time in this thread you have mentioned it this way.

You actually have internet past your pfSense box and on ports 2-4 on your modem when both have the same public IP address??   :o   

What comes up if you try and access your public IP address from a browser?

I'm glad this helped.   :)  Just to make sure we're on the same page, as stated before, there is usually nothing connected to ports 2-4 on the modem (except when I connect my laptop to look at the modem GUI). 

Browsing to my public IP: From my LAN, I get the pfSense login.  From the outside, nothing.

kpa seems to have understood my setup correctly a while ago, he must be a mind reader.   ;D

chpalmer
Re: Connect to bridged DSL modem (not PPPoE)
« Reply #23 on: May 10, 2017, 12:31:18 am »

Quote from: new-to-netgate
he must be a mind reader.   ;D

Yea well my wife thinks I'm one too once in a while.. I've tried to tell her I'm not.  :o ;)

So- same question..  If you plug something into 2-4 can you reach the internet?

If you plug a computer directly into port 1 can you reach the maintenance port?


Right now I'm of the thought that you need a third interface on that pfSense box to make this work. Even if it were a USB ethernet adapter which I swore I'd never use. But for a maintenance access interface I might consider it.

new-to-netgate
Re: Connect to bridged DSL modem (not PPPoE)
« Reply #24 on: May 10, 2017, 12:03:16 pm »

Quote from: new-to-netgate
he must be a mind reader.   ;D

Quote from: chpalmer
Yea well my wife thinks I'm one too once in a while.. I've tried to tell her I'm not.  :o ;)

So- same question..  If you plug something into 2-4 can you reach the internet?

Yes, I can reach the Internet.  The laptop gets a NATted address of 192.168.2.2.

Quote from: chpalmer
If you plug a computer directly into port 1 can you reach the maintenance port?


Right now I'm of the thought that you need a third interface on that pfSense box to make this work. Even if it were a USB ethernet adapter which I swore I'd never use. But for a maintenance access interface I might consider it.

I have actually never tried that, but the more I think about it, the less I think it would work. I might give it a shot when I'm back from work.

Other people on the Telus forum are confirming that the GUI is not accessible from the bridged port, and are using a secondary wired connection to one of the non-bridged (2,3,4) modem LAN ports, which makes sense. I think we can close the file on my original request as "not possible".

chpalmer
Re: Connect to bridged DSL modem (not PPPoE)
« Reply #25 on: May 11, 2017, 11:57:58 am »

Then how I'd do it if I was going to would be a third interface programmed with an address in the subnet of the modem maintenance address plugged into port 2-4 on the modem.

No firewall rules on that interface.

Let pfSense do the routing for you.    :)

GlennNZ
Re: Connect to bridged DSL modem (not PPPoE)
« Reply #26 on: January 26, 2018, 11:11:14 pm »
Quote
You need to add an alias address to the WAN interface in the WAN interface setup page DHCP client section. Add an address from the 192.168.2.0/24 subnet, for example 192.168.2.200/24, renew the WAN DHCP lease to let the setting be applied.

Then you need to add an outbound NAT rule at Firewall->NAT->Outbound. Switch to manual mode first if you haven't and save settings. Then add a new outbound NAT rule with interface "WAN", source network "192.168.1.0/24" (your LAN), destination "192.168.2.254/32" (the modem), translation address "other network" and other subnet "192.168.2.200" (the alias address you entered above). This rule should be the first rule in the outbound NAT rule list.


If you ask me I would have renumbered the LAN and let the modem have its default management address, if you ever need to reset settings on the modem to factory defaults you'll have to go through the IP address change again.

HTH

Edit: This will not work if the management IP is not set on the bridge interface on the modem but is instead only on the NAT'ed LAN ports of the modem.

Old thread I know.
But many thanks for this advice - it is the only information I could find to set up a non-PPPoE (DHCP Bridged NBN Modem)

Essentially to repeat: In my case Modem is 192.168.3.100
LAN is 192.168.1.0/24
WAN is DHCP assigned 121.223.12.21 etc

As you describe I added alias address to WAN interface DHCP client section. Adding 192.168.3.200/24
Outbound NAT rules - Manual.
New Outbound NAT rule: Interface WAN, Source 192.168.1.0/24, destination 192.168.3.100/32 (the modem), translation 'other subnet' 192.168.3.200 (matching earlier WAN alias)
Moved to top of first rule.

Apply Changes

And can access the Modem GUI at 192.168.3.100 (!)

Glenn
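
Added example, not part of any post in this thread and not pfSense's own code: a small Python check of the addressing that the WAN-alias and outbound-NAT approach above depends on, using the addresses quoted in the thread. The function name, the `WAN_IF` placeholder and the emitted rule (FreeBSD pf syntax, shown for illustration rather than as the exact text pfSense generates) are assumptions.

```python
import ipaddress


def plan_modem_access(lan_cidr, modem_ip, alias_cidr, wan_if="WAN_IF"):
    """Validate a WAN-alias plan for reaching a bridged modem's GUI.

    Returns (rule, problems). rule is an illustrative pf NAT line and is
    None when the plan cannot work; WAN_IF is a placeholder interface name.
    """
    lan = ipaddress.ip_network(lan_cidr)
    modem = ipaddress.ip_address(modem_ip)
    alias = ipaddress.ip_interface(alias_cidr)
    net = alias.network
    problems = []
    if modem not in net:
        # The alias must put the WAN port on-link with the modem GUI.
        problems.append(f"modem {modem} is outside alias subnet {net}")
    if alias.ip == modem:
        problems.append(f"alias {alias.ip} collides with the modem address")
    if alias.ip in (net.network_address, net.broadcast_address):
        problems.append(f"alias {alias.ip} is not a usable host address")
    if lan.overlaps(net):
        # The firewall would treat the modem address as local to the LAN
        # and never send it out the WAN; one side has to be renumbered.
        problems.append(f"LAN {lan} overlaps modem subnet {net}")
    if problems:
        return None, problems
    # Source-NAT LAN traffic for the modem to the alias so replies return.
    return f"nat on {wan_if} inet from {lan} to {modem} -> {alias.ip}", []


if __name__ == "__main__":
    # Constructed cases built from addresses that appear in the thread.
    cases = [
        ("192.168.1.0/24", "192.168.3.100", "192.168.3.200/24"),
        ("192.168.1.0/24", "192.168.2.254", "192.168.2.200/24"),
        ("192.168.1.0/24", "192.168.1.254", "192.168.1.200/24"),
    ]
    for lan, modem, alias in cases:
        rule, problems = plan_modem_access(lan, modem, alias)
        print(rule if rule else "; ".join(problems))
```

The check covers addressing only. It cannot tell whether the modem answers for its management address on the bridged port at all, which is the caveat in the quoted advice.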