Accessing Home Hub 5 bridged modem through a router

Hi

I've set up my BT Home Hub 5 as an ADSL bridge as laid out in the OpenWrt/LEDE Installation Guide for BT Home Hub 5A (section 9.8), then I've got an ASUS RT-AX53U also running OpenWrt as a router.

I would like to be able to access the modem bridge through the router. There is a section in the guide for setting up a static IP interface to access a modem (section 9.20).

The only problem is the Home Hub isn't set up to allow administration access on the bridged WAN port. I don't want to just let that through the firewall as it is bridged to the DSL and I'm unsure how much of a security risk that would be.

Does anyone have a suggestion of how to set this up in a fairly secure way so I can only access the modem from my LAN?

Thanks

Sam

Maybe: [SOLVED] How to access the modem (which is in bridge mode)? - #11 by angelos

Hi

I don't think that answers my question. I can put the interface on the router to pass packets to the modem, but I need help with getting the modem to accept the connection.

I've got my router on 192.168.41.1 and the modem on 192.168.100.1. I've got the WAN port of my Home Hub connected to the WAN port of my router.

The other LAN ports of the modem are bridged together and the firewall is set to allow packets to be accepted from them, so I can log on to LuCI by plugging into those ports.

My question is how can I securely allow a connection to LuCI from the router on the WAN port when it is bridged to the DSL line?

Sam

Sorry, then I don't understand what you're trying to do...

At this point, I really, really don't understand.
If the BT Home Hub is the modem, then you have to connect one of its LAN ports to the WAN port of the router (ASUS). From my point of view, the way you're trying to do it is not correct.

That's how things have to be connected, and that way you can follow the links I posted above. And everything will be secure.

If you followed the instructions in 9.8 to configure the unused red WAN socket to become a dedicated bridge-mode-only socket, have you tried bridging the two VLANs for the WAN socket, so both bridged and LAN (from web UI) packets appear on the same port like a 'regular' modem?

If your ISP uses DHCP, remember to disable the DHCP server etc. on the HH5A!

I did see a topic on the forum where there are issues when using PPPoE, but I can't remember the outcome.

Alternatively, consider the 'crude' solution described at end of section 9.8 of the guide.

What I did is I configured the modem to use the 192.168.100.0/8 network, then I configured two VLANs on the red WAN port, VLAN7 and VLAN2, let's call these red.7 and red.2. Then I bridged red.7 to dsl0.7 and added red.2 to br-lan.
On the PPPoE router I configured PPPoE to use eth2.7 (eth2 being that router's WAN interface) and added another interface eth2.2 with a static address (192.168.100.2) and added that to the WAN zone. And now I can access the HH5A's GUI from my internal network simply by browsing to:
http://192.168.100.1.

I think this set-up meets your "fairly secure way" criterion....

My solution is simple but maybe less secure.
All eth ports are LAN on the router, same on the VDSL modem. Then vlan9 is bridged to dsl0 in the modem, and the same vlan9 is set as the WAN device in the router. This extends my LAN network to where the modem is via a single 1Gbit link.

root@router:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.packet_steering='1'
network.globals.ula_prefix='fd6d:54ca:77bf::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan1' 'lan2' 'lan3' 'lan4'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ipaddr='192.168.1.2'
network.@device[1]=device
network.@device[1].name='lan4'
network.@device[1].mtu='1508'
network.@device[2]=device
network.@device[2].type='8021q'
network.@device[2].ifname='lan4'
network.@device[2].vid='9'
network.@device[2].name='lan4.9'
network.wan=interface
network.wan.proto='pppoe'
network.wan.username='name'
network.wan.password='password'
network.wan.mtu='1500'
network.wan.device='lan4.9'


root@modem:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd38:14e1:71f6::/48'
network.globals.packet_steering='1'
network.dsl=dsl
network.dsl.annex='b'
network.dsl.tone='av'
network.dsl.ds_snr_offset='-41'
network.dsl.firmware='/lib/firmware/vdsl.bin'
network.dsl.xfer_mode='ptm'
network.dsl.line_mode='vdsl'
network.@device[0]=device
network.@device[0].name='lan1'
network.@device[0].macaddr='08:96:D7:xx:xx:xx'
network.@device[0].mtu='1508'
network.@device[1]=device
network.@device[1].name='lan2'
network.@device[1].macaddr='08:96:D7:xx:xx:xx'
network.@device[2]=device
network.@device[2].name='lan3'
network.@device[2].macaddr='08:96:D7:xx:xx:xx'
network.@device[3]=device
network.@device[3].name='lan4'
network.@device[3].macaddr='08:96:D7:xx:xx:xx'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.5'
network.lan.netmask='255.255.255.0'
network.lan.ipv6='0'
network.lan.gateway='192.168.1.2'
network.lan.dns='192.168.1.2'
network.@device[4]=device
network.@device[4].name='dsl0'
network.@device[4].macaddr='08:96:D7:xx:xx:xx'
network.@device[4].mtu='1508'
network.@device[5]=device
network.@device[5].name='dsl0.35'
network.@device[5].type='8021q'
network.@device[5].ifname='dsl0'
network.@device[5].vid='35'
network.@device[6]=device
network.@device[6].name='br-lan'
network.@device[6].type='bridge'
network.@device[6].ipv6='0'
network.@device[6].ports='wlan0' 'lan1' 'lan2' 'lan3' 'lan4'
network.@device[7]=device
network.@device[7].name='br-wan'
network.@device[7].type='bridge'
network.@device[7].mtu='1508'
network.@device[7].ipv6='0'
network.@device[7].ports='dsl0.35' 'lan1.9'
network.@device[7].multicast='0'
network.@device[8]=device
network.@device[8].type='8021q'
network.@device[8].ifname='lan1'
network.@device[8].vid='9'
network.@device[8].name='lan1.9'
network.brwan=interface
network.brwan.proto='none'
network.brwan.device='br-wan'
network.brwan.mtu='1508'

If you connect from a router LAN port directly to a modem LAN port, this is indeed less secure. The described method will not expose the home network behind the router to any entity that managed to take over the modem (however, whoever took over the OpenWrt modem might also be able to repeat that feat for the OpenWrt router).

Hi

OK, so the consensus seems to be to use a VLAN tag to run two connections on the same physical port (WAN).

I'll try and explain in a little more detail what I had set up, sorry I confused people:

HH5A (bridged modem):

I had the DSL port bridged to the WAN port, unmanaged and not associated with any firewall zone. Then I had the 4 LAN ports bridged together running a static address protocol (192.168.1.1) along with a DHCP server and assigned to a LAN firewall zone.

I had the standard firewall settings of:
General: input accept, output accept, forward reject
LAN -> Reject: input accept, output accept, forward accept.

My hope is that should let any packets from the WAN port be passed directly to the DSL modem and I can plug in to the LAN ports to do administration with the HH5A having an IP of 192.168.1.1, which did all seem to work.
Although I am worried I've got my firewall set up wrong as I don't see why someone couldn't access the router from the WAN port.

ASUS RT-AX53U (router):

Has the LAN ports bridged together with standard firewall settings as the LAN zone. Then a PPPoE interface running on the WAN port as the WAN zone for the firewall, all settings normal.

I could then add a static interface on the WAN port to allow forwarding of packets for 192.168.1.1 to the HH5A, however its firewall settings wouldn't allow this to go further, assuming my understanding of the firewall settings on the HH5A is correct.

I think I understand that I can set the WAN port to keep the VLAN tags on the packets and then set up a new firewall zone on the HH5A to allow administration from the WAN port.

Sam


Yes that should work, and since the WAN and DSL ports are their own independent bridge there is no real security issue with this setup. I had misunderstood what you did with the WAN port.

However, you need to run a second cable, which can or cannot be a problem. (My modem sits around 12m away from my router so running a second cable was something I wanted to avoid since I did not have that long a cable sitting around.)

Hi

Well, I've set my switch on the HH5A and router to keep the VLAN tags on the WAN ports. I've then set up a new VLAN and added devices so that I can send the PPPoE data on one VLAN and use the other for administration. This all seems to be working just fine now.

My hope and understanding is that someone would still need physical access to the WAN port of the HH5A to log on with this set-up.

Thanks for everyone's help!!!

Sam
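The two-VLAN layout the thread settles on (one tagged VLAN on the red WAN socket bridged straight to the DSL VLAN with no address and no firewall zone, a second tagged VLAN carrying a management address in its own zone that only accepts the router's address) can be written down as UCI batch commands. The script below is an added example, not configuration from this thread or from the OpenWrt project, and it makes assumptions: the red WAN socket appears as the DSA port `wan` on both devices, the ISP VLAN is 7 and the management VLAN is 2 (the IDs angelos mentions), the modem's DSL device is `dsl0` as in the posted `uci show` output, the management addresses are 192.168.100.1 (modem) and 192.168.100.2 (router), and on the router the WAN zone is `firewall.@zone[1]`, which is only true for an unmodified default firewall config. It prints the commands by default and only pipes them into `uci batch` when run as `modem apply` or `router apply`. The helper `untagged_wan_ifaces` is a check to run against `uci show network` on the modem afterwards: it lists any interface that still sits on the untagged WAN socket, which is exactly the exposure Sam's original set-up worried about.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) the split-VLAN modem/router
# configuration described in the thread. All names below are assumptions.
set -eu

WAN_PORT="${WAN_PORT:-wan}"     # assumed DSA name of the red WAN socket
DSL_VID="${DSL_VID:-7}"         # ISP VLAN bridged to dsl0 (7 in the thread)
MGMT_VID="${MGMT_VID:-2}"       # management VLAN on the same socket (2 in the thread)
MODEM_IP="${MODEM_IP:-192.168.100.1}"
ROUTER_IP="${ROUTER_IP:-192.168.100.2}"

# Emit an 802.1q sub-device section in the form the thread's uci dump uses.
# $1 = section name, $2 = parent device, $3 = VLAN id
vlan_dev() {
  cat <<EOF
set network.$1=device
set network.$1.type='8021q'
set network.$1.ifname='$2'
set network.$1.vid='$3'
set network.$1.name='$2.$3'
EOF
}

# Modem side: ISP VLAN is a pure bridge (proto none, no zone);
# management VLAN gets an address and a zone that admits only the router.
modem_batch() {
  vlan_dev dsl_vlan dsl0 "$DSL_VID"
  vlan_dev wan_dsl "$WAN_PORT" "$DSL_VID"
  vlan_dev wan_mgmt "$WAN_PORT" "$MGMT_VID"
  cat <<EOF
set network.br_dsl=device
set network.br_dsl.name='br-dsl'
set network.br_dsl.type='bridge'
add_list network.br_dsl.ports='dsl0.$DSL_VID'
add_list network.br_dsl.ports='$WAN_PORT.$DSL_VID'
set network.dslbridge=interface
set network.dslbridge.device='br-dsl'
set network.dslbridge.proto='none'
set network.mgmt=interface
set network.mgmt.device='$WAN_PORT.$MGMT_VID'
set network.mgmt.proto='static'
set network.mgmt.ipaddr='$MODEM_IP'
set network.mgmt.netmask='255.255.255.0'
set firewall.mgmt=zone
set firewall.mgmt.name='mgmt'
add_list firewall.mgmt.network='mgmt'
set firewall.mgmt.input='REJECT'
set firewall.mgmt.output='ACCEPT'
set firewall.mgmt.forward='REJECT'
set firewall.mgmt_admin=rule
set firewall.mgmt_admin.name='LuCI and SSH from the router only'
set firewall.mgmt_admin.src='mgmt'
set firewall.mgmt_admin.src_ip='$ROUTER_IP'
set firewall.mgmt_admin.proto='tcp'
set firewall.mgmt_admin.dest_port='22 80 443'
set firewall.mgmt_admin.target='ACCEPT'
EOF
}

# Router side: PPPoE moves onto the tagged ISP VLAN; a second static
# interface on the management VLAN joins the WAN zone (assumed @zone[1]),
# so LAN->modem traffic is forwarded and masqueraded as ROUTER_IP.
router_batch() {
  vlan_dev wan_dsl "$WAN_PORT" "$DSL_VID"
  vlan_dev wan_mgmt "$WAN_PORT" "$MGMT_VID"
  cat <<EOF
set network.wan.device='$WAN_PORT.$DSL_VID'
set network.modem=interface
set network.modem.device='$WAN_PORT.$MGMT_VID'
set network.modem.proto='static'
set network.modem.ipaddr='$ROUTER_IP'
set network.modem.netmask='255.255.255.0'
add_list firewall.@zone[1].network='modem'
EOF
}

# Check: given 'uci show network' on stdin, print the section names of any
# interface bound to the untagged WAN socket (should print nothing).
untagged_wan_ifaces() {
  grep -E "^network\.[^.]+\.device='$WAN_PORT'$" | cut -d. -f2 || true
}

main() {
  role="${1:-}"; mode="${2:-show}"
  case "$role" in
    modem)  gen=modem_batch ;;
    router) gen=router_batch ;;
    *) echo "usage: $0 modem|router [show|apply]" >&2; return 1 ;;
  esac
  if [ "$mode" = apply ]; then
    "$gen" | uci batch && uci commit network && uci commit firewall
    echo "committed; run: /etc/init.d/network restart && /etc/init.d/firewall restart"
  else
    "$gen"
  fi
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Review the printed batch before applying it on either box (`./vlans.sh modem` then `./vlans.sh modem apply`, same for `router`), and afterwards run `uci show network | untagged_wan_ifaces` on the modem: an empty result means no addressed interface is reachable from the untagged side of the socket, so the only things listening on the red port are the addressless DSL bridge and the management VLAN behind its zone.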
