Accessing cable modem UI on 192.168.100.1 with policy based routing enabled

I have an ISP-provided router/modem combo unit which has been placed in "modem mode". The modem is performing no routing functions and simply providing the upstream connection that is then going to my Linksys WRT3200ACM running OpenWRT 18.06. The web UI in modem mode is 192.168.100.1. Under normal circumstances this can be accessed even when the router subnet is outside of this. However, with policy based routing and a VPN, the cable modem UI will not load. I'm aware this is due to the request going through the VPN and not the LAN. I have also confirmed it's related to routing, as a client not going through the VPN but on the same LAN can bring up the UI no problem.

I first thought a static route would fix this, something like:

Interface: LAN
IP: 192.168.100.1
Mask: 255.255.255.255
Gateway: 192.168.1.1

However, this causes "destination unreachable" responses.

Short of accessing on a client that is not going through the VPN, is there a way to make all requests to 192.168.100.1 go through the LAN and not the VPN? Is additional configuration required with iptables?

If you are already using PBR, you need to make an exception there first, so it goes to WAN and not VPN.
Then there is a guide for accessing the modem, which I suppose you followed since you are able to access the modem.

I looked at the information on that guide, I have a DOCSIS modem, but the SNAT iptables rule doesn't seem to work. I have made an exception for 192.168.100.1 in my VPN PBR setup.

In my case the WAN interface with my public IPv4 is: eth1.2

Create new virtual interface/alias:

ifconfig eth1.2:1 add 192.168.100.2 (Not eth0.2 like the example says as I don't have eth0.2)

Trying to apply the iptables rule for SNAT stated returns an error, about the syntax:

root@linksys-wrt3200acm:~# iptables -t nat -I POSTROUTING -o eth1.2:1 -i eth1.2 -s 192.168.1.0/24 -d 192.168.100.1 -j SNAT --to-source 192.168.100.2
iptables v1.6.2: Can't use -i with POSTROUTING

Dropping the -i eth1.2 part allows the rule to be added, but that doesn't allow access to the DOCSIS modem web UI at 192.168.100.1. I've tested with the VPN off, to remove that layer as well.

Information in the page is rather old from what I see.
Create an IP alias by creating a new interface in LuCI or uci and assigning it to the wan interface with option ifname eth1.2.
Then proceed with the SNAT rule.
I hope it works now, otherwise post here the following:

uci show network; uci show firewall; ip -4 addr; ip -4 ro; ip -4 ru;\
uci show vpn-policy-routing; /etc/init.d/vpn-policy-routing support

So interestingly, assigning the IP address of 192.168.100.2 to the virtual interface of eth1.2:1 and then restarting the firewall /etc/init.d/firewall, I can then ping and access the modem UI. The VPN doesn't seem to be the problem. It's enabled and I can still access the modem. Critically, it seems to be the restart of the firewall that allows access. This is without adding any further iptables rules.

I found a similar config approach from the DD-WRT forums as well:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1133845#1133845

I'm using the vpn-bypass package from Stangri https://github.com/stangri/openwrt_packages/blob/master/vpnbypass/files/README.md. It's basically routing all traffic through the VPN with ipset exceptions and adding local clients to the exception list if required.

Isn't the Cable Modem on WAN...?

Unless I'm lost, this is quite simple:

config route
	option interface 'wan'
	option target '192.168.100.1'
	option netmask '255.255.255.255'

You may need the gateway IP in the subnet of WAN; but I surmise a cable modem intercepts this anyways.

You are right! I originally tried adding a static route, I initially added it with the LAN interface, not realising it would need to be the WAN. This does indeed work with just a static route.
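An added illustration, not written by any poster in this thread: a small longest-prefix-match model showing why a /32 host route for 192.168.100.1 on the WAN device takes the modem UI traffic out of the tunnel while everything else stays on the VPN. The routing table is constructed; tun0, br-lan, the OpenVPN-style /1 routes and the 203.0.113.0/24 WAN subnet are assumptions, only eth1.2 and the 192.168.x addresses come from the thread. It models a single routing table and does not model fwmark or ipset based policy rules.

```python
import ipaddress

def lookup(table, dst):
    """Return the (prefix, device) entry a longest-prefix-match lookup
    selects for dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return (str(best[0]), best[1]) if best else None

def egress(table, destinations):
    """Map each destination to the device it would leave through."""
    result = {}
    for dst in destinations:
        hit = lookup(table, dst)
        result[dst] = hit[1] if hit else None
    return result

# Constructed routing table for a router with a full-tunnel VPN up.
VPN_TABLE = [
    ("0.0.0.0/0", "eth1.2"),       # original default route via WAN
    ("0.0.0.0/1", "tun0"),         # assumed VPN override, lower half
    ("128.0.0.0/1", "tun0"),       # assumed VPN override, upper half
    ("192.168.1.0/24", "br-lan"),  # LAN subnet (device name assumed)
    ("203.0.113.0/24", "eth1.2"),  # constructed WAN subnet
]

# The host route from the thread: target 192.168.100.1, netmask
# 255.255.255.255, interface wan (eth1.2 on this router).
MODEM_ROUTE = ("192.168.100.1/32", "eth1.2")
FIXED_TABLE = VPN_TABLE + [MODEM_ROUTE]

# Constructed destinations: modem UI, a LAN client, an internet host.
DESTINATIONS = ["192.168.100.1", "192.168.1.50", "198.51.100.7"]

if __name__ == "__main__":
    for label, table in (("before", VPN_TABLE), ("after", FIXED_TABLE)):
        for dst, dev in egress(table, DESTINATIONS).items():
            print(f"{label:6} {dst:15} -> {dev}")
```

Only the modem address changes device between the two tables, so the exception does not widen what bypasses the VPN.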