I have a Netgate 1100 router running pfSense+ version 25.07.1-RELEASE.
My router is configured in a dual-WAN configuration for failover (as opposed to load balancing). WAN is tier 1 and OPT is tier 2. Both WAN and OPT get configured via DHCP. WAN gets a CGNAT IP address. OPT gets a public IP address.
Both modems have a status page at http://192.168.100.1. This IP address is unchangeable on both modems. I have noticed that I do not need to set an alias IP of 192.168.100.X on either WAN or OPT to be able to reach the modem’s status page. The modems both intercept and respond to traffic destined to 192.168.100.1 even though that IP address is not on-link.
I would like to configure the Netgate to be able to reach either modem (while they’re both connected) from any host behind the LAN interface. To distinguish between the two modems, I’ve tried using “dummy” IP addresses as follows:
Modem behind WAN: 10.0.10.1
Modem behind OPT: 10.0.20.1
I have tried using policy routing to force traffic through the desired gateway depending on which of these IP addresses is used. The problem is that DNAT must be used to translate the “dummy” destination IP address from 10.0.10.1 / 10.0.20.1 to the real IP address of 192.168.100.1. DNAT occurs before policy routing, so by the time the policy routing rules are consulted, the destination IP has been changed to 192.168.100.1. This leaves no way to distinguish which modem was intended to be reached. The traffic simply gets routed to the default gateway, and I reach whichever modem is currently handling traffic to/from the Internet.
The exact same problem occurs if I try to use “dummy” ports to distinguish between the two modems. For example:
WAN: 192.168.100.1:8081
OPT: 192.168.100.1:8082
DNAT converts either of these to 192.168.100.1:80 before policy routing occurs. Again, there is no way to distinguish which modem was intended to be reached.
I have also tried using the HAProxy package. This seemed to get me closer, but the problem then became that, since the proxy connection originates from the router, the policy routing rules are ignored: pfSense+ does not consult policy routing rules for traffic that originates from the router itself.
I have considered putting a small, separate physical device between one of the modems and the Netgate. Its purpose would be to NAT the modem to a different IP address. If possible, I prefer not to introduce additional hardware.
In pfSense+, is there any way to reach both modems simultaneously, in separate browser tabs on the same machine, from behind the LAN interface?