Differences
This shows you the differences between two versions of the page.
| docs:user-guide:network:wan:access.modem.through.nat [2018/03/03 16:49] – ↷ Page moved from docs:user-guide:wan:access.modem.through.nat to docs:user-guide:network:wan:access.modem.through.nat bobafetthotmail | docs:guide-user:network:wan:access.modem.through.nat [2024/10/30 00:44] – [Web interface instructions] Easier to assign the "modem" interface to the "wan" zone. lastedit | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Accessing | + | ====== Accessing |
| - | Some DSL-/ | + | {{section> |
| - | Once you have the information, | + | ===== Introduction ===== |
| + | * This how-to describes | ||
| + | * It helps to reach the administrative interface of a DSL/DOCSIS modem operating in the bridge mode. | ||
| + | * The prerequisite is to know the modem' | ||
| - | | {{: | + | ===== Goals ===== |
| + | * Access | ||
| - | ===== Through NAT ===== | + | ===== Web interface instructions |
| + | Assuming your modem' | ||
| - | ==== WAN by DHCP or static IP ==== | + | - Navigate to **LuCI -> Network -> Interfaces**. |
| + | - Click **Add new interface...** and specify: | ||
| + | * Name: '' | ||
| + | * Protocol: Static address | ||
| + | * Interface: '' | ||
| + | - Click **Create interface**. | ||
| + | - On the **General Settings** tab specify: | ||
| + | * IPv4 address: '' | ||
| + | * IPv4 netmask: '' | ||
| + | - On the **Firewall Settings** tab assign the '' | ||
| + | * Create / Assign firewall-zone: | ||
| + | - Click **Save**, then **Save & Apply**. | ||
| - | === UCI command line version === | ||
| - | |||
| - | //Follow these instructions if you are using a default install of backfire and manage the firewall through UCI// | ||
| - | |||
| - | An IP in the same net as the modem must be assigned to the // | ||
| - | |||
| - | For this example we assume two things: that the modem' | ||
| - | |||
| - | Head towards / | ||
| - | |||
| - | < | ||
| - | option ifname eth1 | ||
| - | option proto static | ||
| - | option ipaddr 169.254.1.1 | ||
| - | option netmask 255.255.255.0</ | ||
| - | |||
| - | To exempt the internal modem address range from masquerading, | ||
| - | |||
| - | < | ||
| - | option name wan | ||
| - | option network | ||
| - | option input REJECT | ||
| - | option output | ||
| - | option forward | ||
| - | option masq 1 | ||
| - | # The firewall will resolve the expression " | ||
| - | # "! -s 169.254.1.1/ | ||
| - | # was configured in the modem alias. | ||
| - | option masq_dest | ||
| - | option mtu_fix | ||
| - | |||
| - | :!: If the modem should have an IP address like say '' | ||
| - | |||
| - | === GUI version === | ||
| - | |||
| - | ** 1. Add alias** | ||
| - | |||
| - | Navigate to Admin -> Network -> Interfaces -> WAN, fill in a name in the " | ||
| - | {{: | ||
| - | \\ | ||
| - | Within the appearing alias section, fill out the IP address and netmask fields suitable for your modem, hit "Save & Apply" | ||
| - | In my case the modem is reachable via 192.168.100.1, | ||
| - | After a while you should see the alias prefix appear in the interface status display (underlined red). \\ | ||
| - | {{: | ||
| - | \\ | ||
| - | Navigate to Admin -> Network -> Firewall and open the WAN zone properties (framed red).\\ | ||
| - | {{: | ||
| - | \\ | ||
| - | Switch to the " | ||
| - | this will tell the firewall to //not// NAT traffic directed at the modem address range.\\ | ||
| - | Hit "Save & Apply" to make the change effective.\\ | ||
| - | {{: | ||
| - | \\ | ||
| At this point the modem should be reachable from any host in the LAN. | At this point the modem should be reachable from any host in the LAN. | ||
| - | === Raw iptables variant (required for pppoe setup) === | ||
| - | Let's configure source NAT. This is done with '' | + | === NOTE === |
| - | You can add these custom rules to / | + | |
| - | < | + | If you are using the BanIP package, make sure to add the IP to the allowlist. Ex. '' |
| - | iptables -t nat -I postrouting_rule -s 192.168.1.0/ | + | |
| - | iptables -I zone_lan_forward -s 192.168.1.0/24 -d 169.254.1.8 -j ACCEPT | + | |
| - | </ | + | |
| - | If you changed the '' | ||
| - | **NOTE:** Depending on how restrictive | + | ===== Command-line instructions ===== |
| - | < | + | Assuming |
| - | iptables -I FORWARD -j ACCEPT -i br-lan -o eth0.2 | + | |
| - | iptables -I FORWARD -j ACCEPT -m state --state ESTABLISHED, | + | |
| - | </ | + | |
| - | This works because '' | + | Set up a static WAN [[docs: |
| - | + | ||
| - | {{doc:howto: | + | |
| - | + | ||
| - | **NOTE:** Not all modems offer access! Above picture is obtain through a (closed source) program written for the purpose of obtaining a graphic overview for distinct modems. It is very useful to track down connection problems | + | |
| - | + | ||
| - | === Advanced users === | + | |
| - | + | ||
| - | // Follow these instructions if you don't use UCI to manage your firewall // | + | |
| - | + | ||
| - | Most of the | + | |
| - | + | ||
| - | you will have to source nat packets to the IP address of the DSL modem, by adding the following line, after the MASQUERADE: | + | |
| <code bash> | <code bash> | ||
| - | IF_LAN=" | + | # Configure network |
| - | NET_LAN="192.168.1.0/ | + | uci -q del network.modem |
| - | iptables -t nat -A POSTROUTING -o eth0.2 -i $IF_LAN -s $NET_LAN -d 169.254.1.0/8 -j SNAT --to-source 169.254.1.1 | + | uci set network.modem="interface" |
| - | </ | + | uci set network.modem.proto=" |
| - | + | uci set network.modem.device="@wan" | |
| - | ==== WAN by PPPoE ==== | + | uci set network.modem.ipaddr="192.168.100.2" |
| - | + | uci set network.modem.netmask="255.255.255.0" | |
| - | === UCI command line version === | + | uci commit network |
| - | + | service network restart | |
| - | //Follow these instructions if you are using a default install of Attitude Adjustment 12.09 and later// | + | |
| - | + | ||
| - | In this example the modem has '' | + | |
| - | + | ||
| - | < | + | |
| - | option ifname ' | + | |
| - | option proto ' | + | |
| - | option | + | |
| - | | + | |
| - | + | ||
| - | Replace eth1 with whatever interface pppoe uses. eg eth0.2 | + | |
| - | + | ||
| - | Check if your interface is up with: | + | |
| - | + | ||
| - | < | + | |
| - | + | ||
| - | The modem should now be pingable from your Router. Because forwarding between lan and eth1 below pppoe-wan is not allowed, now just simply stick the new interface to the wan zone so it will be forwarded: | + | |
| - | < | + | # Configure firewall |
| + | uci del_list firewall.@zone[1].network=" | ||
| + | uci add_list | ||
| uci commit firewall | uci commit firewall | ||
| - | fw reload | + | service firewall restart |
| </ | </ | ||
| - | And thats really all to be done. You could also create a new zone called "modem" and make interzone-forwarding, but thats more work to do. | + | Make sure the modem subnet doesn' |
| - | ==== DOCSIS ==== | ||
| - | With DOCSIS-Modem, | ||
| - | |||
| - | First give the interface (in this case it's even a virtual interface) facing the Internet a second IP address: | ||
| <code bash> | <code bash> | ||
| - | ifconfig eth0.2:1 add 192.168.100.2 | + | # Configure network |
| + | uci set network.lan.ipaddr=" | ||
| + | uci commit network | ||
| + | service network restart | ||
| </ | </ | ||
| - | With UCI you can accomplish this as well: [[doc: | ||
| - | Then source nat packets to the IP address | + | If the WAN L2 device doesn' |
| <code bash> | <code bash> | ||
| - | iptables -t nat -I POSTROUTING -o eth0.2:1 -i eth0.1 -s $NET_LAN -d 192.168.100.1 -j SNAT --to-source 192.168.100.2 | + | # Fetch WAN L2 device |
| + | . / | ||
| + | network_flush_cache | ||
| + | network_find_wan NET_IF | ||
| + | network_get_physdev NET_L2D "${NET_IF}" | ||
| + | |||
| + | # Configure network | ||
| + | uci set network.modem.device=" | ||
| + | uci commit network | ||
| + | service network restart | ||
| </ | </ | ||
| - | **NOTE:** Depending on how restrictive your firewall and the policy is, you may need to execute the following as well to allow flow (the above rules only manage the SNAT): | ||
| - | <code bash> | ||
| - | iptables -I FORWARD -j ACCEPT -i $IF_LAN -o $IF_DSL | ||
| - | iptables -I FORWARD -j ACCEPT -m state --state ESTABLISHED, | ||
| - | </ | ||
| - | |||
| - | Now access you cable modem from your PC with a telnet program or with your browser: | ||
| - | |||
| - | **Insert picture** | ||
| - | |||
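Review bot: The firewall step in the new command-line instructions (`uci del_list firewall.@zone[1].network=` and the `uci add_list` line after it) selects the zone by position, which only corresponds to the "wan" zone on an unmodified default firewall config. On a router where zones were added or reordered, the "modem" interface ends up in whichever zone is second, with that zone's input, forward and masquerading policy. Suggest selecting the zone by name, or at least stating the assumption and asking the reader to confirm it with `uci show firewall` before `uci commit firewall`, so the CLI path matches the web instructions and the edit summary, which both refer to the "wan" zone by name. Two smaller documentation points in the same hunk: the LAN re-addressing block (`uci set network.lan.ipaddr=` followed by `service network restart`) will drop the admin session partway through and should say so, and since the retained sentence states the modem becomes reachable from any host in the LAN, a short pointer on limiting that to an admin host would fit next to the BanIP note.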