Accessing modem via LAN device -> router -> modem

I've read through a variety of articles on this however I haven't been able to connect to my modem from my PC. My modem (Netgear CM1200, default IP 192.168.100.1) is on a different subnet than my openwrt router (192.168.1.1). I followed the guides (using LuCI) as follows:

  • Added an interface 'modem' (static address) at ipv4 address 192.168.100.10, netmask 255.255.255.0
  • Set firewall zone to wan

Some variants end here (e.g. https://ciphermenial.github.io/access-your-modem-through-openwrt-router/), others detail the necessity of

  • going into network->firewall, editing the WAN and under advanced settings, 'Restrict Masquerading to given destination subnets', add '!modem'.

I don't fully understand the necessity of this, but it's in multiple threads and the guide itself on https://openwrt.org/docs/guide-user/network/wan/access.modem.through.nat which is a little dated. After doing this, I still cannot access my modem via 192.168.100.1. Am I missing something?

If I go to diagnostics via my router, I can ping 192.168.100.1 and get returned packets. Does this mean the problem lies within some sort of firewall on my PC?

Please show the actual configuration you're running now:

  • at least the modem interface from /etc/config/network (everything you changed in order to get that working)
  • please also paste all stanzas containing 'modem' from /etc/config/network

Ideally both complete files, make sure to obfuscate sensitive information (login data, MAC addresses etc.), but at the very least the corresponding changes/snippets dealing with the modem interface.

--
I do access my VDSL modem's management interface as well, so it's very much possible.

1 Like

I'm able to log into my Arris SB6183 without changing anything, meaning comp on 192.168.1.*** and Arris on 192.168.100.1 (no new interface etc.), but it can take up to a minute sometimes and occasionally require power cycling the Arris, so you might try a power cycle of the CM1200 and then just give it a while if you haven't already (didn't see anything on the CM1200 guide to suggest any changes are necessary).

All of the changes I made were through LuCI, so my experience with sshing into the router and editing the files which the UI changes and all that is a bit poor. The only lines pertaining to modem are at the end of /etc/config/network, if you want me to grab from somewhere else let me know. (Also I don't think there is any text editor other than vi on my current build of openwrt and I'm not sure how to copy from within vi.) Like I said I also added that bit from the destination subnets as found in the openwrt docs, but I don't know what file that edit would have added onto.

config interface 'modem'
   option ifname 'eth0.2'
   option proto 'static'
   option ipaddr '192.168.100.10'
   option netmask '255.255.255.0'

Both complete files referring to which two files? I only see you mentioning the file named network.

I suppose the only other thing I have changed that has anything to do with the modem is the /etc/config/firewall file, which has the wan configuration. Also, I have some of the banIP lists and BCP38 enabled.

config zone
   option name 'wan'
   option input 'REJECT'
   option output 'ACCEPT'
   option forward 'REJECT'
   option masq '1'
   option mtu_fix '1'
   option network 'modem wan wan6'
   option masq_dest '!modem'

  • Disable BCP38 for testing.
  • Remove the masq_dest option from the wan zone.
  • Make sure your LAN and WAN subnets don't overlap with the modem subnet.

1 Like

I disabled BCP38, removed masq_dest, I'm not exactly sure how to make sure that my WAN subnet doesn't overlap with my modem subnet? To be honest, I'm a bit unclear on exactly how each subnet is differentiated; from reading other posts, I understand that 192.168.100.X is on a different subnet than 192.168.1.X. My WAN subnet is essentially my outward facing IP, correct? This is what I would read from my WAN ipv4 address under interface? If so, they are on separate subnets. When I try to connect to 192.168.100.1 through my browser (chrome), it sits there, then after a while I get ERR_CONNECTION_TIMED_OUT.

Like I said, I can successfully ping 192.168.100.1 using the network diagnostics within LuCI. But I can't ping from my PC, it tells me that the Destination port is unreachable. So is this for sure a router setting thing and not somehow a firewall on my PC?

Collect the diagnostics and post it to pastebin.com redacting the private parts:

ip address show; ip route show table all; ip rule show; iptables-save

https://openwrt.org/docs/guide-quick-start/sshadministration

1 Like

Sorry, do you mean for me to run these commands from a ssh into my router? I'm a complete noob when it comes to this stuff.

1 Like

Okay. So I think I've redacted anything private. Please alert me if otherwise.

By the way, is it supposed to look like such a mess?

1 Like

banIP is still working.

Right, you told me to turn off BCP38. I'll turn off banIP as well.

1 Like

BanIP off, it allows me to access the modem. So which of the BanIP lists is causing the issue? Or should I just leave it off? I don't really know how important it is, but when I have access to a security feature I figure for the most part I should make use of it.

1 Like

uci show banip

https://pastebin.com/0aeNgg3y

Sorry, cannot open the link:

Error, this is a private paste or is pending moderation

You can also paste to paste.centos.org.

Ah, sorry. I don't know what triggered that.

I have bogon, DoH, tor, threat, debl, myip, yoyo, sslbl, ransomware, feodo, dshield, drop, edrop, firehol1/2/3/4 enabled. Which of these would be blocking access?

https://paste.centos.org/view/3fe31ec2

1 Like
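As an added check that is not part of this thread: a POSIX sh script (usable on the router or on any machine holding a downloaded list) that reports which entries of a blocklist cover the modem's address, so you can tell which of the enabled lists is the one that matches. It assumes a plain text list with one IP or CIDR per line; the sample list inside it is constructed, not a real banIP download.

```shell
#!/bin/sh
# Added example (not from the thread): find which entries of a blocklist
# cover the modem address. Assumes a text list with one IP or CIDR per line;
# the sample list below is constructed, not a real banIP download.

ip2int() {
  # Dotted quad -> 32-bit integer.
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

in_cidr() {
  # in_cidr ADDR CIDR: succeed if ADDR lies inside CIDR (a bare IP means /32).
  addr=$(ip2int "$1")
  net=$(ip2int "${2%/*}")
  bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}

matching_entries() {
  # Print every entry of list file $2 that covers address $1;
  # blank lines and '#' comments are skipped.
  while read -r entry _; do
    case "$entry" in ''|\#*) continue ;; esac
    in_cidr "$1" "$entry" && echo "$entry"
  done < "$2"
  return 0
}

# Constructed sample list: one RFC1918 aggregate plus two unrelated
# documentation prefixes, to show that only the covering entry is reported.
SAMPLE_LIST=${TMPDIR:-/tmp}/sample-blocklist.$$
cat > "$SAMPLE_LIST" <<EOF
# constructed sample
198.51.100.0/24
192.168.0.0/16
203.0.113.7
EOF

MODEM=192.168.100.1
echo "Entries covering $MODEM:"
matching_entries "$MODEM" "$SAMPLE_LIST"
```

Point it at each enabled list in turn (replace SAMPLE_LIST with the list file); an entry that prints is the one that needs a whitelist exception.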
cat << EOF >> /etc/banip/banip.whitelist
192.168.100.0/24
EOF
uci set banip.global.ban_enabled="1"
uci set banip.whitelist.ban_src_on="1"
uci commit banip
/etc/init.d/banip restart
sleep 30
ipset list whitelist

2 Likes

So this adds my modem subnet to the whitelist for banIP, correct? Fixing the issue :)

Thanks for your help. I probably should have turned off banIP and BCP38 to test it retrospectively, but I don't quite understand why it would block the IP in the first place (allowing pings to the modem from within the router but not from my PC?)

1 Like

The firewall FORWARD chain is completely separate from the OUTPUT chain.
So, the rules for transit and outgoing traffic are different in the general case.

1 Like