PfSense: How to route traffic out the WAN port


i want to create a route in pfSense that will send traffic out the physical WAN port, not the PPPoE WAN port. i want to talk to the web-server on my DSL modem; letting me see the current sync rate and SnR margins. The modem doesn't see packets destined for it, because they're being sent through the PPPoE tunnel.

My pfSense router is responsible for setting up the PPPoE connection over DSL to my ISP. When a machine on the LAN wants to send packets to the internet, the default route sends packets out over the PPPoE connection. Those packets, wrapped in a PPPoE header, are sent on the ethernet cable to my DSL modem. From there they are sent to the ISP, and the internet at large.

+----------------------+                  +----------------------+    
|IPv4 header (20 bytes)|    +--------+    |PPPoE header (8 bytes)|    +-----+    {‾‾‾‾‾‾‾‾}
|                      |===>|pfSense |===>|IPv4 header (20 bytes)|===>|Modem|===>{Internet}
|                      |    +--------+    |                      |    +-----+    {________}
|                      |                  |                      |
+----------------------+                  +----------------------+

i want a way to send a packet out the WAN port itself – not the PPPoE WAN port.

My modem is sitting out there, with a http interface where i can monitor

  • connection speed
  • signal-to-noise ratio
  • bandwidth
  • connection time

Whenever i try to set a route for destination of (the IP that the modem will listen to for HTTP requests) to go out the WAN port, they instead end up going out the PPPoE port.

The difference being that they're wrapped in a PPPoE protocol packet, and the modem isn't being sent the packet, it's being delivered to the ISP.

Given that pfSense has no ability to direct traffic out the physical WAN port: how can i direct traffic out the physical WAN port on pfSense?

Here's the exact same question i asked 3 years ago on the pfSense forum:

My modem has a web interface. It's handy because i can see if it's actually connected or not, line noise, error rates, etc.

If i connect the modem to my desktop PC (rather than to the pfSense PC), i can ping and browse the modem's web interface fine. The modem's IP is, and listens on port 8080. i also can packet trace the activity from my PC:

Pinging modem

ARP REQ    Phalanx => Broadcast  -?-
ARP RESP   Phalanx <= Ovislink_LAN -!-
IP/ICMP    Phalanx => Ovislink_LAN  => ECHO
IP/ICMP    Phalanx <= Ovislink_LAN  <= ECHOREPLY

You can see my machine doing an ARP broadcast, asking for the MAC address of the modem (the Ovislink). The modem responds with its IP, the echo goes out, and i get a reply. Similar detail can be seen when i connect to the web port of the modem:

Connecting to web port 8080

ARP REQ     Phalanx => Broadcast       -?-
ARP RESP    Phalanx <= Ovislink_LAN      -!-
IP/TCP      Phalanx => Ovislink_LAN => SYN
IP/TCP      Phalanx <= Ovislink_LAN <= SYNACK
IP/TCP      Phalanx => Ovislink_LAN => ACK

After the ARP request, a TCP connection is established with the normal SYN, SYN ACK, ACK process. And all is well.

Now, rather than connecting the modem to my desktop PC, i connect it to the PC that is running pfSense.

Note: Previously, i had changed pfSense's LAN IP Address to be, rather than This is because my network was already

First thing i do is disable the "Block private networks" feature under Interfaces->WAN, since my modem's LAN interface is running as This removes the first firewall entry under Firewall->Rules that was blocking all RFC1918 traffic. Next i added a firewall rule:

Action: Pass
Interface: WAN
Protocol: TCP
Source: Single host or alias,
Destination: LAN subnet
Destination Port Range: any
Log Packets: Yes
Description: ADSL Modem

After saving and applying my changes i tried using the Diagnostics->Ping feature to ping on the WAN side. It, of course, didn't work.

i thought about it, and it seems to me that i can't just allow TCP packets in on the WAN from, i also need to allow ARP response packets (how else could pfSense find the MAC address of the hardware it's trying to send an IP packet to?). It also occurred to me that i can't say LAN as the destination, because it's actually the WAN interface that's pinging. So i updated the firewall rule to:

Action: Pass
Interface: WAN
Protocol: any
Source: Single host or alias,
Destination: any
Destination Port Range: any
Log Packets: Yes
Description: ADSL Modem

Now when i ping it…doesn't work. No real surprise there. So i decided to run a packet trace:

Interface: WAN
Host Address:
Count: 1
Level of Detail: Full

i started the trace, did a ping from Diagnostics->Ping, and get…nothing. No ping reply, and no packets in the trace.

So now it occurs to me that just because:

  • pfSense is on the subnet
  • my desktop is on the subnet
  • my server is on the subnet

maybe the modem is not on the /16 subnet. i plug the modem back into my desktop, connect to the web interface and see that it's set for So i reconfigure the modem for i then reconfigure

  • my desktop to be,
  • the server to be,
  • and now the modem is
  • in addition to pfSense being

i reconnect the modem to the pfSense box, try to ping it and i get…no response. i do a packet trace for packets from and i see…none.

So now i'm stumped, and am asking for help.

Best Answer

I think I've managed to do what you requested. You will need to add an interface, gateway and a rule to route traffic to that gateway for the IP range of your modem.

So my setup: Billion router connected to telephone cable - set in bridge mode. pfsense router connected to billion router via lan cable. pfsense version 2.1.5

pfsense set up to have 3 interfaces:

  • WAN - PPPOE over re0 (setup as part of setup wizard)
  • LAN - dhcp host over em0 with dhcp assigning IPs between and (setup as part of setup wizard)
  • MODEMACCESS - dhcp client over re0 (had to be added manually after setup)


  • GW_WAN - interface = WAN ; Gateway IP address = dynamic ; default gateway
  • MODEMACCESS_DHCP - interface = MODEMACCESS ; Gateway IP address = dhcp; NOT default gateway


  • Under WAN i have the usual 2 blocks and a pass all, gateway = default
  • Under LAN I have source and destination lockout rule and a few queue assignment rules from 192.168.1.x to !192.168.1.x, gateway = default
  • Under MODEMACCESS source to destination with gateway MODEMACCESS_DHCP

IPs for devices:

  • billion router ip
  • pfsense LAN ip:
  • pfsense WAN public IP determined by PPPOE
  • pfsense MODEMACCESS IP determined by billion DHCP server

I can access the billion router web gui by typing (or the host name) into any browser on any pc on the LAN network. I can access the internet on any device connected on the LAN network (through the PPPOE connection on pfsense).
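The encapsulation difference that the question and the answer both turn on, as an added example (not code from either poster): a small Python classifier for Ethernet frames captured on the physical WAN NIC, showing why a packet sent via the PPPoE WAN never reaches the modem's own IP stack while the same packet sent from a second interface on the same NIC does. The function names and the 192.0.2.x addresses are assumptions made for illustration; the modem address from the page is not reproduced here.

```python
import socket
import struct

ETH_IPV4, ETH_ARP, ETH_PPPOE_SESSION = 0x0800, 0x0806, 0x8864
PPP_IPV4 = 0x0021  # PPP protocol number for an IPv4 payload

def _ipv4_dst(packet: bytes):
    """Return the destination address of an IPv4 packet, or None if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    return socket.inet_ntoa(packet[16:20])

def classify(frame: bytes) -> dict:
    """Describe one Ethernet frame as captured on the physical WAN NIC."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETH_PPPOE_SESSION:
        if len(payload) < 8:
            raise ValueError("truncated PPPoE/PPP header")
        ver_type, code, session, length, proto = struct.unpack("!BBHHH", payload[:8])
        if ver_type != 0x11 or code != 0x00:
            raise ValueError("not a PPPoE session data frame")
        # 'length' counts the 2-byte PPP protocol field plus the inner packet.
        inner = payload[8:6 + length]
        dst = _ipv4_dst(inner) if proto == PPP_IPV4 else None
        # A bridging modem passes these frames on without looking inside.
        return {"encap": "pppoe", "dst_ip": dst, "reaches_modem_ip_stack": False}
    if ethertype == ETH_IPV4:
        # Plain IPv4 on the wire: the modem's own IP stack can see it.
        return {"encap": "plain", "dst_ip": _ipv4_dst(payload), "reaches_modem_ip_stack": True}
    if ethertype == ETH_ARP:
        return {"encap": "arp", "dst_ip": None, "reaches_modem_ip_stack": True}
    return {"encap": "other", "dst_ip": None, "reaches_modem_ip_stack": False}

def sample_frames(modem_ip: str = "192.0.2.1") -> dict:
    """Constructed frames: same IPv4 packet, sent two ways (addresses are placeholders)."""
    eth = lambda et: bytes.fromhex("020000000002" "020000000001") + struct.pack("!H", et)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton(modem_ip))
    pppoe = struct.pack("!BBHHH", 0x11, 0x00, 0x0001, len(ip) + 2, PPP_IPV4)
    return {"via_pppoe_wan": eth(ETH_PPPOE_SESSION) + pppoe + ip,
            "via_physical_nic": eth(ETH_IPV4) + ip}

if __name__ == "__main__":
    for name, frame in sample_frames().items():
        print(name, classify(frame))
```

Both sample frames carry the same inner destination address; only the EtherType and the 8 bytes of PPPoE/PPP header differ, which is what a capture on the physical interface lets you check when a route appears to be ignored.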

