24.01.2015
Accessing your modem [OpenWrt Wiki]
http://wiki.openwrt.org/doc/howto/access.modem.through.nat
1/5
Accessing your modem
Some DSL/DOCSISModems can be accessed by the end user. To do that, you have to find out which IP address the device has and on which port using which protocol
you can access it. Sometimes you additionally need the correct username and the password to gain access or to apply changes.
Once you have the information, you connect the router directly to your PC, give your PC an IP address from the same net and access it with the appropriate program.
Easy. To still be able to do that through NAT, follow the instructions:
The "config alias" approach is deprecated, according to a note on the
[http://wiki.openwrt.org/doc/uci/network]
. And the relevant
Possible resolution to configure from the GUI
[http://simplebeian.wordpress.com/2014/03/12/accessingyourmodemfromopenwrtrouter]
Through NAT
WAN by DHCP or static IP
UCI command line version
Follow these instructions if you are using a default install of backfire and manage the firewall through UCI
An IP in the same net as the modem must be assigned to the interface which is connected to the modem. To do this, we create an alias as shown below.
For this example we assume two things: that the modem's IP is
169.254.1.8
, and that the interface "wan" we are adding an alias to is on eth1.
Head towards /etc/config/network and add these lines.
config interface modem
option ifname eth1
option proto static
option ipaddr 169.254.1.1
option netmask 255.255.255.0
To exempt the internal modem address range from masquerading, add a "masq_dest" expression to the wan zone in /etc/config/firewall:
config zone
option name wan
option network 'wan'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
# The firewall will resolve the expression "!modem" to
# "! ‐s 169.254.1.1/255.255.255.0" or whatever range
# was configured in the modem alias.
option masq_dest '!modem'
option mtu_fix 1
If the modem should have an IP address like say
192.168.1.8
, you could not use the network
192.168.1.0/24
for your LAN and at the same time access your modem
with this method. Use any other network in that case, like
192.168.0.0/24
or
192.168.33.0/24
.
GUI version
1. Add alias
Navigate to Admin → Network → Interfaces → WAN, fill in a name in the "IPAliases" add field and click "Add".
24.01.2015
Accessing your modem [OpenWrt Wiki]
http://wiki.openwrt.org/doc/howto/access.modem.through.nat
2/5
Within the appearing alias section, fill out the IP address and netmask fields suitable for your modem, hit "Save & Apply".
In my case the modem is reachable via 192.168.100.1, so I've choosen 192.168.100.10 as alias address.
After a while you should see the alias prefix appear in the interface status display (underlined red).
Navigate to Admin → Network → Firewall and open the WAN zone properties (framed red).
24.01.2015
Accessing your modem [OpenWrt Wiki]
http://wiki.openwrt.org/doc/howto/access.modem.through.nat
3/5
Switch to the "Advanced Settings" tab and enter
!modem
into the destionation restriction field, this will tell the firewall to not NAT traffic directed at the modem address
range.
Hit "Save & Apply" to make the change effective.
At this point the modem should be reachable from any host in the LAN.
Raw iptables variant (required for pppoe setup)
Let's configure source NAT. This is done with
iptables
, see
. You can add these custom rules to /etc/firewall.user , or by using the LuCI interface (Network >
Firewall > Custom rules).
iptables ‐t nat ‐I postrouting_rule ‐s 192.168.1.0/24 ‐d 169.254.1.8 ‐j SNAT ‐‐to 169.254.1.1
iptables ‐I zone_lan_forward ‐s 192.168.1.0/24 ‐d 169.254.1.8 ‐j ACCEPT
If you changed the
lan
network from the OpenWrt default of
192.168.1.1
, you'll have to replace
192.168.1.0
with the net you've chosen.
NOTE: Depending on how restrictive your firewall and the policy is, you may need to execute the following as well to allow flow (the above rules only manage the
SNAT):
iptables ‐I FORWARD ‐j ACCEPT ‐i br‐lan ‐o eth0.2
24.01.2015
Accessing your modem [OpenWrt Wiki]
http://wiki.openwrt.org/doc/howto/access.modem.through.nat
4/5
iptables ‐I FORWARD ‐j ACCEPT ‐m state ‐‐state ESTABLISHED,RELATED
This works because
pppd
(needed for PPPoE) spawns
pppoe‐dsl
, so eth0.2 remains freely usable. After testing the configuration changes, add all the necessary commands
to
/etc/firewall.user
. Now for example, you could use a GUI program to show some information about your DSL status:
NOTE: Not all modems offer access! Above picture is obtain through a (closed source) program written for the purpose of obtaining a graphic overview for distinct
modems. It is very useful to track down connection problems and monitor your DSLconnection. But some modem even offer a WebUI so you can access them with your
web browser.
Advanced users
Follow these instructions if you don't use UCI to manage your firewall
Most of the Easy Version still applies. After assigning the modem interface an address,
you will have to source nat packets to the IP address of the DSL modem, by adding the following line, after the MASQUERADE:
IF_LAN="br‐lan"
NET_LAN="192.168.1.0/24"
iptables ‐t nat ‐A POSTROUTING ‐o eth0.2 ‐i $IF_LAN ‐s $NET_LAN ‐d 169.254.1.0/8 ‐j SNAT ‐‐to‐source 169.254.1.1
WAN by PPPoE
UCI command line version
Follow these instructions if you are using a default install of Attitude Adjustment 12.09 and later
In this example the modem has
192.168.254.254
as default IP. Declare a new interface called "modem". An Alias is not needed anymore, as multiple interfaces can share
the same ifname. Make sure you use a different network than your existing LAN. Head towards /etc/config/network and add these lines:
config interface 'modem'
option ifname 'eth1'
option proto 'static'
option ipaddr '192.168.254.1'
option netmask '255.255.255.0'
Check if your interface is up with:
ifstatus modem
The modem should now be pingable from your Router. Because forwarding between lan and eth1 below pppoewan is not allowed, now just simply stick the new
interface to the wan zone so it will be forwarded:
uci set firewall.@zone[1].network='wan modem'
uci commit firewall
fw reload
And thats really all to be done. You could also create a new zone called "modem" and make interzoneforwarding, but thats more work to do.
DOCSIS
With DOCSISModem, we do not use the pppd and do not spawn any additional interfaces, so the SNAThook need to be before the MASQUERADINGhook. Also, you
need to set an alias to the interface with which your Cable modem it connected.
First give the interface (in this case it's even a virtual interface) facing the Internet a second IP address:
24.01.2015
Accessing your modem [OpenWrt Wiki]
http://wiki.openwrt.org/doc/howto/access.modem.through.nat
5/5
ifconfig eth0.2:1 add 192.168.100.2
With UCI you can accomplish this as well:
Then source nat packets to the IP address of the cable modem. Add the following line, before the MASQUERADE:
iptables ‐t nat ‐I POSTROUTING ‐o eth0.2:1 ‐i eth0.1 ‐s $NET_LAN ‐d 192.168.100.1 ‐j SNAT ‐‐to‐source 192.168.100.2
NOTE: Depending on how restrictive your firewall and the policy is, you may need to execute the following as well to allow flow (the above rules only manage the
SNAT):
iptables ‐I FORWARD ‐j ACCEPT ‐i $IF_LAN ‐o $IF_DSL
iptables ‐I FORWARD ‐j ACCEPT ‐m state ‐‐state ESTABLISHED,RELATED
Now access you cable modem from your PC with a telnet program or with your browser:
doc/howto/access.modem.through.nat.txt · Last modified: 2014/03/19 04:36 by simplexion