Differences
This shows you the differences between two versions of the page.
| docs:guide-user:network:wan:access.modem.through.nat [2021/03/04 11:44] – formatting vgaetera | docs:guide-user:network:wan:access.modem.through.nat [2024/10/30 00:44] – [Web interface instructions] Easier to assign the "modem" interface to the "wan" zone. lastedit | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Accessing | + | ====== Accessing |
| - | Some DSL-/ | + | {{section> |
| - | To do that, you have to find out which IP address the device has and on which port using which protocol you can access it. | + | |
| - | Sometimes you additionally need the correct username and the password to gain access or to apply changes. | + | |
| - | Once you have the information, | + | ===== Introduction ===== |
| - | To still be able to do that through NAT, follow | + | * This how-to describes |
| + | * It helps to reach the administrative interface of a DSL/DOCSIS modem operating in the bridge mode. | ||
| + | * The prerequisite is to know the modem' | ||
| - | ===== Through NAT ===== | + | ===== Goals ===== |
| - | ==== WAN by DHCP or static IP ==== | + | * Access |
| - | === Command-line interface === | + | |
| - | //Follow these instructions if you are using a default install of backfire and manage | + | |
| - | An IP in the same net as the modem must be assigned to the // | + | ===== Web interface instructions ===== |
| - | To do this, we create an alias as shown below. | + | Assuming your modem' |
| - | For this example we assume two things: that the modem' | + | - Navigate |
| - | + | - Click **Add new interface...** and specify: | |
| - | Head towards / | + | * Name: '' |
| - | + | * Protocol: Static address | |
| - | <code bash> | + | * Interface: '' |
| - | config | + | - Click **Create interface**. |
| - | option ifname eth1 | + | - On the **General Settings** tab specify: |
| - | option proto static | + | * IPv4 address: |
| - | option ipaddr 169.254.1.1 | + | * IPv4 netmask: |
| - | option netmask 255.255.255.0 | + | - On the **Firewall Settings** tab assign the '' |
| - | </ | + | * Create / Assign firewall-zone: '' |
| - | + | - Click **Save**, then **Save & Apply**. | |
| - | To exempt the internal modem address range from masquerading, | + | |
| - | + | ||
| - | <code bash> | + | |
| - | config zone | + | |
| - | option name wan | + | |
| - | option network | + | |
| - | option input REJECT | + | |
| - | option output | + | |
| - | option forward | + | |
| - | option masq 1 | + | |
| - | # The firewall will resolve the expression "!modem" to | + | |
| - | # "! -s 169.254.1.1/ | + | |
| - | # was configured in the modem alias. | + | |
| - | option masq_dest | + | |
| - | | + | |
| - | </ | + | |
| - | + | ||
| - | :!: If the modem should have an IP address like say '' | + | |
| - | Use any other network in that case, like '' | + | |
| - | + | ||
| - | === Web interface | + | |
| - | Add alias: Navigate | + | |
| - | {{: | + | |
| - | + | ||
| - | Within the appearing alias section, fill out the IP address and netmask fields suitable for your modem, hit "Save & Apply" | + | |
| - | In my case the modem is reachable via 192.168.100.1, | + | |
| - | After a while you should see the alias prefix appear in the interface status display (underlined red). | + | |
| - | {{:doc: | + | |
| - | + | ||
| - | Navigate to Admin -> Network -> Firewall and open the WAN zone properties (framed red). | + | |
| - | {{:doc: | + | |
| - | + | ||
| - | Switch to the " | + | |
| - | this will tell the firewall to //not// NAT traffic directed at the modem address range. | + | |
| - | Hit "Save & Apply" to make the change effective. | + | |
| - | {{: | + | |
| At this point the modem should be reachable from any host in the LAN. | At this point the modem should be reachable from any host in the LAN. | ||
| - | === Raw iptables variant (required for pppoe setup) === | ||
| - | Let's configure source NAT. This is done with '' | ||
| - | You can add these custom rules to / | ||
| - | <code bash> | + | === NOTE === |
| - | iptables -t nat -I postrouting_rule -s 192.168.1.0/ | + | |
| - | iptables -I zone_lan_forward -s 192.168.1.0/ | + | |
| - | </ | + | |
| - | If you changed | + | If you are using the BanIP package, make sure to add the IP to the allowlist. Ex. '' |
| - | **NOTE:** Depending on how restrictive your firewall and the policy is, you may need to execute the following as well to allow flow (the above rules only manage the SNAT): | ||
| - | <code bash> | + | ===== Command-line instructions ===== |
| - | iptables -I FORWARD -j ACCEPT -i br-lan -o eth0.2 | + | Assuming your modem' |
| - | iptables -I FORWARD -j ACCEPT -m state --state ESTABLISHED, | + | |
| - | </ | + | |
| - | This works because '' | + | Set up a static WAN [[docs: |
| - | + | ||
| - | {{doc:howto: | + | |
| - | + | ||
| - | **NOTE:** Not all modems offer access! Above picture is obtain through a (closed source) program written for the purpose of obtaining a graphic overview for distinct modems. It is very useful to track down connection problems | + | |
| - | + | ||
| - | === Advanced users === | + | |
| - | // Follow these instructions if you don't use UCI to manage your firewall // | + | |
| - | + | ||
| - | Most of the **Easy Version** still applies. After assigning the modem interface an address, | + | |
| - | + | ||
| - | you will have to source nat packets to the IP address of the DSL modem, by adding the following line, after the MASQUERADE: | + | |
| <code bash> | <code bash> | ||
| - | IF_LAN="br-lan" | + | # Configure network |
| - | NET_LAN=" | + | uci -q del network.modem |
| - | iptables -t nat -A POSTROUTING -o eth0.2 -i $IF_LAN -s $NET_LAN -d 169.254.1.0/8 -j SNAT --to-source 169.254.1.1 | + | uci set network.modem="interface" |
| - | </ | + | uci set network.modem.proto=" |
| + | uci set network.modem.device=" | ||
| + | uci set network.modem.ipaddr=" | ||
| + | uci set network.modem.netmask=" | ||
| + | uci commit network | ||
| + | service network restart | ||
| - | ==== WAN by PPPoE ==== | + | # Configure firewall |
| - | === Command-line interface === | + | uci del_list firewall.@zone[1].network=" |
| - | //Follow these instructions if you are using a default install of Attitude Adjustment 12.09 and later// | + | uci add_list |
| - | + | ||
| - | In this example the modem has '' | + | |
| - | + | ||
| - | <code bash> | + | |
| - | config interface ' | + | |
| - | option ifname ' | + | |
| - | option proto ' | + | |
| - | option ipaddr ' | + | |
| - | option netmask ' | + | |
| - | </ | + | |
| - | + | ||
| - | Replace eth1 with whatever interface pppoe uses. eg eth0.2 | + | |
| - | + | ||
| - | Check if your interface is up with: | + | |
| - | + | ||
| - | <code bash> | + | |
| - | ifstatus modem | + | |
| - | </ | + | |
| - | + | ||
| - | The modem should now be pingable from your Router. Because forwarding between lan and eth1 below pppoe-wan is not allowed, now just simply stick the new interface to the wan zone so it will be forwarded: | + | |
| - | + | ||
| - | <code bash> | + | |
| - | uci set firewall.@zone[1].network=' | + | |
| uci commit firewall | uci commit firewall | ||
| - | fw reload | + | service firewall restart |
| </ | </ | ||
| - | And that's really all to be done. | + | Make sure the modem subnet doesn't overlap with your LAN, otherwise change the LAN subnet. |
| - | You could also create a new zone called " | + | |
| - | ==== DOCSIS ==== | ||
| - | With DOCSIS-Modem, | ||
| - | Also, you need to set an alias to the interface with which your Cable modem it connected. | ||
| - | |||
| - | First give the interface (in this case it's even a virtual interface) facing the Internet a second IP address: | ||
| <code bash> | <code bash> | ||
| - | ifconfig eth0.2:1 add 192.168.100.2 | + | # Configure network |
| + | uci set network.lan.ipaddr=" | ||
| + | uci commit network | ||
| + | service network restart | ||
| </ | </ | ||
| - | With UCI you can accomplish this as well: [[docs: | ||
| - | <code bash> | ||
| - | uci set network.CM_ACCESS=interface | ||
| - | uci set network.CM_ACCESS.proto=' | ||
| - | uci set network.CM_ACCESS.ifname=' | ||
| - | uci set network.CM_ACCESS.ipaddr=' | ||
| - | uci set network.CM_ACCESS.netmask=' | ||
| - | </ | ||
| - | |||
| - | Replace '' | ||
| - | Then source nat packets to the IP address | + | If the WAN L2 device doesn' |
| - | Add the following line, before the MASQUERADE: | + | |
| <code bash> | <code bash> | ||
| - | iptables -t nat -I POSTROUTING -o eth0.2:1 -s $NET_LAN -d 192.168.100.1 -j SNAT --to-source 192.168.100.2 | + | # Fetch WAN L2 device |
| - | </ | + | . / |
| + | network_flush_cache | ||
| + | network_find_wan NET_IF | ||
| + | network_get_physdev NET_L2D " | ||
| - | **NOTE:** Depending on how restrictive your firewall and the policy is, you may need to execute the following as well to allow flow (the above rules only manage the SNAT): | + | # Configure network |
| - | + | uci set network.modem.device=" | |
| - | <code bash> | + | uci commit network |
| - | iptables -I FORWARD -j ACCEPT -i $IF_LAN -o $IF_DSL | + | service network restart |
| - | iptables -I FORWARD -j ACCEPT -m state --state ESTABLISHED, | + | |
| </ | </ | ||
| - | |||
| - | Now access you cable modem from your PC with a telnet program or with your browser. | ||
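Review bot: The firewall step in the new command-line block (`uci del_list firewall.@zone[1].network=` followed by `uci add_list`) selects the zone by position, so it only reaches the wan zone when that zone is the second `config zone` section in the router's firewall configuration. Where zones have been added or reordered, the modem interface is attached to a different zone and takes on that zone's input and forward policy, whereas the web interface steps in the same revision pick the zone by name. Suggest stating the assumption in the `# Configure firewall` comment and having the reader confirm it with `uci get firewall.@zone[1].name` before running the two list commands, or resolving the zone by its name instead of its index.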