Accessing Modem from LAN with Public IP Assigned

Hello,

I would like to access the administration interface of my modem from my WRT3200ACM running 19.07. I did not set up the modem previously, so I know nothing regarding its configuration.

Reading through the documentation here: https://openwrt.org/docs/guide-user/network/wan/access.modem.through.nat

and the linked blog post with modern GUI instructions: https://simplebeian.wordpress.com/2014/03/12/accessing-your-modem-from-openwrt-router/

In almost all cases the IPv4 upstream Address is a private IP. In my case, it is public (IP is 98.166.16.x and gateway is 98.166.16.1). I'm not familiar with this case of the modem seemingly assigning my router a public IP directly. Does this change the requisite configuration of a virtual interface?

@jorymorrison, welcome to the community!

???

So how does it usually work then?

I thought that's what a modem did. :confused:

So you're telling us that you enter the IP issued to the client...but it opens the router admin page???

I doubt that...but if you mean a second public IP is used to access it, then you simply use that IP as normal - same as if it's a private IP.

What modem?

I think you are confusing the public IP address that your 3200 router has on the wan interface (most likely with pppoe protocol) with the private IP that the ISP modem would normally allocate to its lan.
In any case do the following;
Use ssh to connect to the device.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

You do not need to do anything special in terms of accessing your modem's status/config page. In my case, I use an Arris cable modem, which has an address 192.168.100.1. My LAN is 10.0.1.0/24, and I have a public IP address on my WAN via DHCP.

All I need to do is enter the modem's address in my browser and I'm there. No special routes, networks, or any other configurations required.

root@OpenWrt:~# uci export network; uci export wireless; uci export dhcp; uci ex
port firewall; head -n -0 /etc/firewall.user; ip -4 addr ; ip -4 ro li tab all ;
 ip -4 ru;
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd24:f6da:165a::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '5t 3 2 1 0'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '6t 4'
	option vid '2'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'VHT80'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid '7777777-Client'
	option encryption 'psk2'


config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid '7777777'
	option encryption 'psk2'

config wifi-device 'radio2'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-iface 'wifinet3'
	option ssid '7777777-IOT'
	option encryption 'psk2'
	option device 'radio1'
	option mode 'ap'
	option network 'lan'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option src 'wan'
	option target 'DNAT'
	option dest_ip '192.168.1.152'
	option dest 'lan'
	list proto 'tcp'
	option name 'Warzone 1'
	option src_dport '27014-27050'

config redirect
	option src 'wan'
	option name 'Warzone 2'
	option src_dport '3074'
	option target 'DNAT'
	option dest_ip '192.168.1.152'
	option dest 'lan'
	list proto 'tcp'

config redirect
	option src 'wan'
	option name 'Warzone 3'
	option src_dport '27000-27031'
	option target 'DNAT'
	option dest_ip '192.168.1.152'
	option dest 'lan'
	list proto 'udp'

config redirect
	option src 'wan'
	option name 'Warzone 4'
	option src_dport '27036'
	option target 'DNAT'
	option dest_ip '192.168.1.152'
	option dest 'lan'
	list proto 'udp'

config redirect
	option src 'wan'
	option name 'Warzone 5'
	option src_dport '4379-4380'
	option target 'DNAT'
	option dest 'lan'
	list proto 'udp'
	option dest_ip '192.168.1.152'

config redirect
	option src 'wan'
	option name 'Warzone 6'
	option src_dport '3478'
	option target 'DNAT'
	option dest_ip '192.168.1.152'
	option dest 'lan'
	list proto 'udp'

config redirect
	option src 'wan'
	option name 'Warzone 7'
	option src_dport '3074'
	option target 'DNAT'
	option dest_ip '192.168.1.152'
	option dest 'lan'
	list proto 'udp'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
10: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 98.166.16.xxx/24 brd 98.166.16.255 scope global eth1.2
       valid_lft forever preferred_lft forever
default via 98.166.16.1 dev eth1.2  src 98.166.16.xxx
98.166.16.0/24 dev eth1.2 scope link  src 98.166.16.xxx 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
broadcast 98.166.16.0 dev eth1.2 table local scope link  src 98.166.16.xxx
local 98.166.16.xxx dev eth1.2 table local scope host  src 98.166.16.xxx 
broadcast 98.166.16.255 dev eth1.2 table local scope link  src 98.166.16.xxx 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1 
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 

How would I go about determining the local IP of my cable modem, in that case?

The cable modem manual may have the information in it, or do a google search for " <your cable modem brand (and/or model)> default IP"


Sorry, I meant IP instead of gateway for the first instance of gateway.

Admittedly, this is my first time using a home router that is standalone from a modem. My understanding was that in most instances my modem, which is a Surfboard SBG6700-AC, would be performing NAT for my router, which would have a private address. Perhaps, embarrassingly, my understanding of modem function is not adequate.

When I enter the public IP into my browser, when connected to my router LAN, I get a response from the router citing RFC 1918 (I think) protection as the request is coming from an internal address.

That device is a combination modem+router. I have not used that model, so I don't know if it is possible to switch between router and bridge modes. If it can be set to bridge mode, it will present a public IP address to the device connected via ethernet (i.e. your standalone router on the WAN port).

Do you know if you have the modem in bridge mode? What is the IP address reported by OpenWrt as the upstream IPv4 address (or that of the WAN)? What is your LAN address for your OpenWrt system?

According to a google search "Surfboard SBG6700-AC default IP" -- the default is 192.168.0.1 with username/password as admin/password. I don't know if that is the same when it is in bridge mode, but it is worth a try.

Correct, this is the OpenWrt. For security you are not allowed to use the WAN IP from LAN (a Private RFC1918 IP address) to access the web GUI.

I thought SurfBoard modems were accessed at http://192.168.200.1 or something like that???
:-1:

:+1:

Try: http://192.168.0.1

http://192.168.0.1 times out. I've tried that previously, and that was sort of the catalyst for this post.

This is what is reported to me through the GUI, which matches what I see from running the aforementioned uci commands.

I don't know if it's in bridge mode or not.

Protocol: DHCP client
Address: 98.166.16.XXX/21
Gateway: 98.166.16.1
DNS 1: 68.105.28.11
DNS 2: 68.105.29.11
DNS 3: 68.105.28.12
Expires: 3h 20m 51s
Connected: 10d 20h 39m 9s

Assuming that output is from the OpenWrt router, that would confirm that your modem must be in bridge mode.

As long as your LAN address on the OpenWrt modem is not 192.168.0.1 (the default for OpenWrt is 192.168.1.1), you should be able to simply type in 192.168.0.1 into your browser and it will hopefully access your modem's status/admin page. If that doesn't work, it might be some other address (my modem-only model is 192.168.100.1).
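
The condition in the reply above (the modem's management address must not fall inside the LAN subnet) comes down to a longest-prefix-match route lookup. The following is an added example, not code from the thread or from OpenWrt; the routes are the main-table entries from the output posted earlier with the redacted `src` fields trimmed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed input: main-table routes from the posted `ip -4 ro li tab all`
# output, with the redacted "src" fields trimmed.
ROUTES='default via 98.166.16.1 dev eth1.2
98.166.16.0/24 dev eth1.2 scope link
192.168.1.0/24 dev br-lan scope link'

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print the egress device chosen for destination $1 by longest prefix match.
# $2 (optional) is a route list in `ip -4 route` format; defaults to ROUTES.
egress_dev() {
    dst=$(ip2int "$1")
    best_len=-1; best_dev=none
    while read -r prefix rest; do
        [ -n "$prefix" ] || continue
        case $prefix in
            default) net=0.0.0.0; len=0 ;;
            */*)     net=${prefix%/*}; len=${prefix#*/} ;;
            *)       net=$prefix; len=32 ;;
        esac
        # The device name is the word that follows "dev".
        dev=${rest#*dev }; dev=${dev%% *}
        if [ "$len" -eq 0 ]; then
            mask=0
        else
            mask=$(( (4294967295 << (32 - $len)) & 4294967295 ))
        fi
        if [ $(( $dst & $mask )) -eq $(( $(ip2int "$net") & $mask )) ] &&
           [ "$len" -gt "$best_len" ]; then
            best_len=$len; best_dev=$dev
        fi
    done <<EOF
${2:-$ROUTES}
EOF
    echo "$best_dev"
}

# Candidate modem addresses from the thread, plus one LAN host for contrast.
for ip in 192.168.100.1 192.168.0.1 192.168.1.152; do
    echo "$ip -> $(egress_dev "$ip")"
done
```

On the router itself, `ip route get 192.168.100.1` gives the kernel's own answer to the same question.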

There is a guide for accessing the modem if the wan interface is dhcp.
However from a quick search it seems that your modem is DOCSIS, so you can use the guide at the bottom.


Thank you for the help. I am seeing the following error on the iptables command for DOCSIS:

root@OpenWrt:~# iptables -t nat -I POSTROUTING -o eth0.2:1 -i eth0.1 -s $NET_LAN
 -d 192.168.100.1 -j SNAT --to-source 192.168.100.2

iptables v1.8.3 (legacy): Can't use -i with POSTROUTING

My modem IP ended up being 192.168.100.1. I am able to access the web UI using this IP.


That's a valid point, I fixed it.
