I've read through a variety of articles on this; however, I haven't been able to connect to my modem from my PC. My modem (Netgear CM1200, default IP 192.168.100.1) is on a different subnet than my OpenWrt router (192.168.1.1). I followed the guides (using LuCI) as follows:
Added an interface 'modem' (static address) at ipv4 address 192.168.100.10, netmask 255.255.255.0
Going into network->firewall, editing the WAN and under advanced settings, 'Restrict Masquerading to given destination subnets', add '!modem'.
I don't fully understand the necessity of this, but it's in multiple threads and the guide itself on https://openwrt.org/docs/guide-user/network/wan/access.modem.through.nat which is a little dated. After doing this, I still cannot access my modem via 192.168.100.1. Am I missing something?
If I go to diagnostics via my router, I can ping 192.168.100.1 and get returned packets. Does this mean the problem lies within some sort of firewall on my PC?
Please show the actual configuration you're running now:
at least the modem interface from /etc/config/network (everything you changed in order to get that working)
please also paste all stanzas containing modem from /etc/config/network
Ideally both complete files, make sure to obfuscate sensitive information (login data, MAC addresses etc.), but at the very least the corresponding changes/ snippets dealing with the modem interface.
--
I do access my VDSL modem's management interface as well, so it's very well possible.
I'm able to log into my Arris sb6183 without changing anything, meaning comp on 192.168.1.*** and Arris on 192.168.100.1 (no new interface etc), but it can take up to a minute sometimes and occasionally require power cycling the Arris, so you might try a power cycle of the cm1200 and then just give it a while if you haven't already (didn't see anything on the cm1200 guide to suggest any changes are necessary).
All of the changes I made were through LuCI, so my experience with sshing into the router and editing the files which the UI changes and all that is a bit poor. The only lines pertaining to modem are at the end of /etc/config/network, if you want me to grab from somewhere else let me know.. (also I don't think there is any text editor other than vi on my current build of openwrt and I'm not sure how to copy from within vi). Like I said I also added that bit from the destination subnets as found in the openwrt docs, but I don't know what file that edit would have added onto.
I suppose the only other thing I have changed that has anything to do with the modem is the /etc/config/firewall file, which has the wan configuration. Also, I have some of the banIP lists and BCP38 enabled.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'modem wan wan6'
	option masq_dest '!modem'
I disabled BCP38, removed masq_dest, I'm not exactly sure how to make sure that my WAN subnet doesn't overlap with my modem subnet? To be honest, I'm a bit unclear on exactly how each subnet is differentiated; from reading other posts, I understand that 192.168.100.X is on a different subnet than 192.168.1.X. My WAN subnet is essentially my outward facing IP, correct? This is what I would read from my WAN ipv4 address under interface? If so, they are on separate subnets. When I try to connect to 192.168.100.1 through my browser (chrome), it sits there, then after a while I get ERR_CONNECTION_TIMED_OUT.
Like I said, I can successfully ping 192.168.100.1 using the network diagnostics within LuCI. But I can't ping from my PC, it tells me that the Destination port is unreachable. So is this for sure a router setting thing and not somehow a firewall on my PC?
BanIP off, it allows me to access the modem. So which of the BanIP lists is causing the issue? Or should I just leave it off? I don't really know how important it is, but when I have access to a security feature I figure for the most part I should make use of it.
I have bogon, DoH, tor, threat, debl, myip, yoyo, sslbl, ransomware, feodo, dshield, drop, edrop, firehol1/2/3/4 enabled. Which of these would be blocking access?
So this adds my modem subnet to the whitelist for banIP, correct? Fixing the issue.
Thanks for your help. I probably should have turned off banIP and BCP38 to test it retrospectively, but I don't quite understand why it would block the IP in the first place (allowing pings to the modem from within the router but not from my PC?)
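
The question raised in the thread, which enabled banIP list covers the modem address, can be checked offline by testing the address against each list's entries. The script below is an added example and not part of the original thread or of banIP itself; the feed excerpts are constructed samples (the bogon entries are the RFC 1918 / RFC 6598 reserved ranges, the others are documentation ranges), and the function names are hypothetical.

```python
import ipaddress

# Constructed feed excerpts, NOT real banIP downloads. Replace the lists with
# the lines of the feed files actually downloaded on the router.
SAMPLE_FEEDS = {
    "bogon": ["# reserved space", "10.0.0.0/8", "100.64.0.0/10",
              "172.16.0.0/12", "192.168.0.0/16"],
    "drop": ["198.51.100.0/24 ; constructed entry"],
    "threat": ["203.0.113.7", "203.0.113.128/25", "not-an-address"],
}


def parse_feed(lines):
    """Parse feed lines into networks, skipping comments, blanks and junk."""
    nets = []
    for line in lines:
        # Strip trailing comments in either '#' or ';' style.
        entry = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # malformed line: ignore rather than abort
    return nets


def feeds_covering(address, feeds):
    """Return {feed name: [matching networks]} for feeds containing address."""
    ip = ipaddress.ip_address(address)
    hits = {}
    for name, lines in feeds.items():
        matches = [str(n) for n in parse_feed(lines)
                   if n.version == ip.version and ip in n]
        if matches:
            hits[name] = matches
    return hits


def whitelist_entry(address, prefix=24):
    """Subnet to whitelist so the whole modem network is exempt."""
    return str(ipaddress.ip_network(f"{address}/{prefix}", strict=False))


if __name__ == "__main__":
    modem = "192.168.100.1"  # modem management address from the thread
    print("feeds covering modem:", feeds_covering(modem, SAMPLE_FEEDS))
    print("whitelist entry:", whitelist_entry(modem))
```

With the constructed samples, only the bogon excerpt matches 192.168.100.1, and the whitelist entry for a 255.255.255.0 netmask is 192.168.100.0/24.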