Differences

This shows you the differences between two versions of the page.

docs:guide-user:network:wan:access.modem.through.nat [2018/03/03 20:35] – ↷ Links adapted because of a move operation docs:guide-user:network:wan:access.modem.through.nat [2024/10/30 00:44] – [Web interface instructions] Easier to assign the "modem" interface to the "wan" zone. lastedit
Line 1: Line 1:
-====== Accessing your modem ====== +====== Accessing the modem through the router ====== 
-Some DSL-/DOCSIS-Modems can be accessed by the end user. To do that, you have to find out which IP address the device has and on which port using which protocol you can access it. Sometimes you additionally need the correct username and the password to gain access or to apply changes.+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
-Once you have the information, you connect the router directly to your PC, give your PC an IP address from the same net and access it with the appropriate programEasy. To still be able to do that through NAT, follow the instructions:+===== Introduction ===== 
 +  * This how-to describes the method for accessing the modem connected to your OpenWrt router. 
 +  * It helps to reach the administrative interface of a DSL/DOCSIS modem operating in the bridge mode. 
 +  * The prerequisite is to know the modem's IP address, port/protocol and username/password.
  
-| {{:meta:icons:tango:48px-outdated.svg.png?nolink}} | The "config alias" approach is //deprecated//, according to a note on the [[docs:guide-user:network:basics|network configuration page]].  And the relevant bits of GUI are not present in Barrier Breaker r38392 If I find out how else to do this, I'll add it here. [[http://simplebeian.wordpress.com/2014/03/12/accessing-your-modem-from-openwrt-router|Possible resolution to configure from the GUI]] |+===== Goals ===== 
 +  * Access the modem operating in the bridge mode through the router.
  
-===== Through NAT =====+===== Web interface instructions ===== 
 +Assuming your modem's IP address is ''192.168.100.1'' and it is connected to the router's WAN interface.
  
-==== WAN by DHCP or static IP ====+  - Navigate to **LuCI -> Network -> Interfaces**. 
 +  - Click **Add new interface...** and specify: 
 +    * Name: ''modem'' 
 +    * Protocol: Static address 
 +    * Interface: ''@wan'' 
 +  - Click **Create interface**. 
 +  - On the **General Settings** tab specify: 
 +    * IPv4 address: ''192.168.100.2'' 
 +    * IPv4 netmask: ''255.255.255.0'' 
 +  - On the **Firewall Settings** tab assign the ''modem'' interface to the ''wan'' zone: 
 +    * Create / Assign firewall-zone: ''wan'' 
 +  - Click **Save**, then **Save & Apply**.
  
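Review bot: The web interface steps set ''Interface: @wan'' with no mention of the PPPoE case, while the command-line section says to change the modem interface "if the WAN L2 device doesn't match L3 device like in case of PPPoE". A LuCI-only reader on PPPoE gets no hint that ''@wan'' may not be the right device, so repeat that caveat here or point to that paragraph. The opening sentence "Assuming your modem's IP address is ... and it is connected to the router's WAN interface." is also a fragment and would read better as "This assumes ...".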
-=== UCI command line version === 
- 
-//Follow these instructions if you are using a default install of backfire and manage the firewall through UCI// 
- 
-An IP in the same net as the modem must be assigned to the //interface// which is connected to the modem. To do this, we create an alias as shown below.  
- 
-For this example we assume two things: that the modem's IP is ''169.254.1.8'', and that the interface "wan" we are adding an alias to is on eth1. 
- 
-Head towards /etc/config/network and add these lines. 
- 
-<code>config interface modem 
- option ifname eth1 
- option proto static 
- option ipaddr 169.254.1.1 
- option netmask 255.255.255.0</code> 
- 
-To exempt the internal modem address range from masquerading, add a "masq_dest" expression to the wan zone in /etc/config/firewall: 
- 
-<code>config zone 
-        option name             wan 
-        option network          'wan' 
-        option input            REJECT 
-        option output           ACCEPT  
-        option forward          REJECT 
-        option masq             1 
-        # The firewall will resolve the expression "!modem" to  
-        # "! -s 169.254.1.1/255.255.255.0" or whatever range  
-        # was configured in the modem alias. 
-        option masq_dest        '!modem' 
-        option mtu_fix          1</code> 
- 
-:!: If the modem should have an IP address like say ''192.168.1.8'', you could not use the network ''192.168.1.0/24'' for your LAN and at the same time access your modem with this method. Use any other network in that case, like ''192.168.0.0/24'' or ''192.168.33.0/24''. 
- 
-=== GUI version === 
- 
-** 1. Add alias** 
- 
-Navigate to Admin -> Network -> Interfaces -> WAN, fill in a name in the "IP-Aliases" add field and click "Add".\\ 
-{{:doc:howto:modem-step-1.png|}} \\ 
-\\ 
-Within the appearing alias section, fill out the IP address and netmask fields suitable for your modem, hit "Save & Apply".\\ 
-In my case the modem is reachable via 192.168.100.1, so I've choosen 192.168.100.10 as alias address. \\ 
-After a while you should see the alias prefix appear in the interface status display (underlined red). \\ 
-{{:doc:howto:modem-step-2.png|}} \\ 
-\\ 
-Navigate to Admin -> Network -> Firewall and open the WAN zone properties (framed red).\\ 
-{{:doc:howto:modem-step-3.png|}} \\ 
-\\ 
-Switch to the "Advanced Settings" tab and enter ''!modem'' into the destionation restriction field, 
-this will tell the firewall to //not// NAT traffic directed at the modem address range.\\ 
-Hit "Save & Apply" to make the change effective.\\ 
-{{:doc:howto:modem-step-4.png|}} \\ 
-\\ 
 At this point the modem should be reachable from any host in the LAN. At this point the modem should be reachable from any host in the LAN.
  
-=== Raw iptables variant (required for pppoe setup) === 
  
-Let's configure source NAT. This is done with ''iptables'', see [[docs:guide-user:firewall:netfilter]]. +=== NOTE ===
-You can add these custom rules to /etc/firewall.user , or by using the LuCI interface (Network > Firewall > Custom rules).+
  
-<code> +If you are using the BanIP package, make sure to add the IP to the allowlistEx''192.168.100.0/24''
-iptables -t nat -I postrouting_rule -s 192.168.1.0/24 -d 169.254.1.8 -j SNAT --to 169.254.1.1 +
-iptables -I zone_lan_forward -s 192.168.1.0/24 -d 169.254.1.8 -j ACCEPT +
-</code>+
  
-If you changed the ''lan'' network from the OpenWrt default of ''192.168.1.1'', you'll have to replace ''192.168.1.0'' with the net you've chosen. 
  
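Review bot: The BanIP note says to add "the IP" to the allowlist, but the example given is the whole subnet ''192.168.100.0/24''. Say which is intended, the modem address ''192.168.100.1'' used throughout the page or the full /24, and prefer the narrower entry if it is sufficient. The ''=== NOTE ==='' heading also sits directly under a ''====='' section, skipping the ''===='' level.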
-**NOTE:** Depending on how restrictive your firewall and the policy is, you may need to execute the following as well to allow flow (the above rules only manage the SNAT): +===== Command-line instructions ===== 
-<code> +Assuming your modem's IP address is ''192.168.100.1'' and it is connected to the router's WAN interface.
-iptables -I FORWARD -j ACCEPT -i br-lan -o eth0.+
-iptables -I FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED +
-</code>+
  
-This works because ''pppd'' (needed for PPPoE) spawns ''pppoe-dsl'', so eth0.2 remains freely usable. After testing the configuration changes, add all the necessary commands to ''/etc/firewall.user''. Now for example, you could use a GUI program to show some information about your DSL status: +Set up a static WAN [[docs:guide-user:network:network_interface_alias|alias]] and assign it to the WAN zone.
- +
-{{doc:howto:speedmodem.200.png|}} +
- +
-**NOTE:** Not all modems offer access! Above picture is obtain through a (closed source) program written for the purpose of obtaining a graphic overview for distinct modems. It is very useful to track down connection problems and monitor your DSL-connection. But some modem even offer a WebUI so you can access them with your web browser. +
- +
-=== Advanced users === +
- +
-// Follow these instructions if you don't use UCI to manage your firewall // +
- +
-Most of the  **Easy Version** still appliesAfter assigning the modem interface an address,  +
- +
-you will have to source nat packets to the IP address of the DSL modem, by adding the following line, after the MASQUERADE:+
  
 <code bash> <code bash>
-IF_LAN="br-lan" +# Configure network 
-NET_LAN="192.168.1.0/24+uci -q del network.modem 
-iptables -t nat -A POSTROUTING -o eth0.2 -i $IF_LAN -s $NET_LAN -d 169.254.1.0/8 -j SNAT --to-source 169.254.1.1 +uci set network.modem="interface
-</code> +uci set network.modem.proto="static" 
- +uci set network.modem.device="@wan" 
-==== WAN by PPPoE ===+uci set network.modem.ipaddr="192.168.100.2" 
- +uci set network.modem.netmask="255.255.255.0" 
-=== UCI command line version === +uci commit network 
- +service network restart
-//Follow these instructions if you are using a default install of Attitude Adjustment 12.09 and later// +
- +
-In this example the modem has ''192.168.254.254'' as default IP. Declare a new interface called "modem". An Alias is not needed anymore, as multiple interfaces can share the same ifname. Make sure you use a different network than your existing LANHead towards /etc/config/network and add these lines: +
- +
-<code>config interface 'modem+
-        option ifname 'eth1' +
-        option proto 'static' +
-        option ipaddr '192.168.254.1' +
-        option netmask '255.255.255.0'</code> +
- +
-Replace eth1 with whatever interface pppoe uses. eg eth0.2 +
- +
-Check if your interface is up with: +
- +
-<code>ifstatus modem</code> +
- +
-The modem should now be pingable from your Router. Because forwarding between lan and eth1 below pppoe-wan is not allowed, now just simply stick the new interface to the wan zone so it will be forwarded:+
  
-<code>uci set firewall.@zone[1].network='wan modem'+# Configure firewall 
 +uci del_list firewall.@zone[1].network="modem" 
 +uci add_list firewall.@zone[1].network="modem"
 uci commit firewall uci commit firewall
-fw reload+service firewall restart
 </code> </code>
  
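Review bot: ''firewall.@zone[1]'' in the firewall block selects the zone by position, so it only lands on ''wan'' when that zone is the second ''config zone'' entry; on a reordered or extended firewall config the ''modem'' network is attached to a different zone. State that assumption next to the command, or select the zone by name. Since the page says the modem is then "reachable from any host in the LAN", it would also help to keep a pointer to the separate ''modem'' zone alternative that the removed closing sentence mentioned, for setups that want to limit who can open the modem's admin interface.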
-And thats really all to be done. You could also create a new zone called "modem" and make interzone-forwardingbut thats more work to do.+Make sure the modem subnet doesn't overlap with your LANotherwise change the LAN subnet.
  
-==== DOCSIS ==== 
-With DOCSIS-Modem, we do not use the pppd and do not spawn any additional interfaces, so the SNAT-hook need to be before the MASQUERADING-hook. Also, you need to set an alias to the interface with which your Cable modem it connected. 
- 
-First give the interface (in this case it's even a virtual interface) facing the Internet a second IP address: 
 <code bash> <code bash>
-ifconfig eth0.2:1 add 192.168.100.2+# Configure network 
 +uci set network.lan.ipaddr="192.168.2.1" 
 +uci commit network 
 +service network restart
 </code> </code>
-With UCI you can accomplish this as well: [[doc:uci:network#aliases]]. 
  
-Then source nat packets to the IP address of the cable modem. Add the following line, before the MASQUERADE:+If the WAN L2 device doesn't match L3 device like in case of PPPoE, change the modem interface. 
 <code bash> <code bash>
-iptables -t nat -I POSTROUTING -o eth0.2:1 -i eth0.1 -s $NET_LAN -d 192.168.100.1 -j SNAT --to-source 192.168.100.2+# Fetch WAN L2 device 
 +/lib/functions/network.sh 
 +network_flush_cache 
 +network_find_wan NET_IF 
 +network_get_physdev NET_L2D "${NET_IF}" 
 + 
 +# Configure network 
 +uci set network.modem.device="${NET_L2D}" 
 +uci commit network 
 +service network restart
 </code> </code>
-**NOTE:** Depending on how restrictive your firewall and the policy is, you may need to execute the following as well to allow flow (the above rules only manage the SNAT): 
-<code bash> 
-iptables -I FORWARD -j ACCEPT -i $IF_LAN -o $IF_DSL 
-iptables -I FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED 
-</code> 
- 
-Now access you cable modem from your PC with a telnet program or with your browser: 
- 
-**Insert picture** 
- 
  
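Review bot: In the PPPoE block, ''/lib/functions/network.sh'' is written as a command, so the line tries to execute the file instead of loading it into the current shell, and ''network_flush_cache'', ''network_find_wan'' and ''network_get_physdev'' are not defined when the following lines call them. It should be sourced: ''. /lib/functions/network.sh''. The block also writes ''${NET_L2D}'' into ''network.modem.device'' without checking that it is non-empty; a guard before ''uci set'' would avoid committing an empty device when no WAN interface is found.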
  • Last modified: 2024/10/30 06:14
  • by lastedit