Routing traffic from br-lan to Virgin Media Modem

Hello there.

I am a somewhat newbie to OpenWrt and networking. I've been running OpenWrt on BTHH5A router for a few months. My ISP is Virgin Media UK. I am using SuperHub3 as a modem.

My OpenWrt router address is 192.168.n.1 ( n ≠ 100 ). The modem address is 192.168.100.1. The modem is ping4 reachable from the router. But I can't access it from wireless client laptop ( br-lan address 192.168.n.m, n ≠ 100 ). No pings, no http to 192.168.100.1:80.

As a workaround I put an L tunnel from my laptop port 8080 to the router and forwarded the destination to the modem's port 80. This way I could access the modem via http. It's still not ping4 reachable from the laptop. But that's fine. I can live without it.

The question is, is there any elegant way to route the traffic to the modem? I have a WireGuard vpn client running on the router. I also have a OpenVPN client on the router, which is down. I suppose vpn-policy-routing should help. However, the problem is which interface the modem is connected to? And how do I make that interface available in the interface list on vpn-policy-routing page?

My firewall settings :

-------------------------------
Zones     Input Output Forward
-------------------------------
lan       A     A      A
wan       R     A      A
tun0fwz   R     A      R
-------------------------------

Wireguard interface ( wg0if ) is included in wan firewall zone. tun0fwz is OpenVPN firewall zone. But I shut down the openvpn interface tun0.

Please let me know your views about routing the traffic to the modem from br-lan's member laptop.

Thank you.

-Gamma

Hi, did you try this?

3 Likes

Fellow Virgin Media UK customer here.

The link that @xorbug linked is what I do to have to the modem across any client, so that should work for you.

1 Like

Hi xorbug,

Thank you for the guide. I followed the steps. My browser is redirected to the LuCI login page. Something obvious is missing.

Thank you.
-Gamma

@jamesmacwhite ,

Good to see a VM-UK customer. :slight_smile: If possible, could you please share your firewall settings?

Thanks,
-Gamma

This is what I have setup, to access the Hub3.

Network interface defined, using an alias to wan as per the docs linked by @xorbug.

config interface 'docsismodem'
        option proto 'static'
        option ifname '@wan'
        option ipaddr '192.168.100.2'
        option netmask '255.255.255.0'

Then in the firewall on the wan zone:

config zone 'wan'
        ...
        list network 'docsismodem'
        ...

The ellipsis dots are just to indicate whatever config you have set, you just basically need to add the name of the network interface created, which you can do via LuCI rather than modifying the /etc/config/firewall directly.

fwiw, I've amended the wiki page with clearer instructions on how to add the 'modem' interface to the 'wan' zone using LuCI.

https://openwrt.org/docs/guide-user/network/wan/access.modem.through.nat#web_interface_instructions

1 Like

@bill888 ,

Thank you for the updated instructions.

@jamesmacwhite ,

When I followed the CLI instructions to add list to firewall, I got an entry :

firewall.@zone[1].network='wan wan6 WG0IF' 'modem'

This line caused loss of internet. So I tried LuCI instructions. But http connection to address 192.168.100.1 is timing out. Here are my details :

---------------------------
~# uci show firewall | grep zone

firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].masq='1'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].network='wan wan6 WG0IF modem'
firewall.@zone[2]=zone
firewall.@zone[2].name='tun0fwz'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='tun0 tun0if'
firewall.@zone[2].forward='REJECT'
---------------------------
~# uci show network.wan

network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan.macaddr='96:11:22:33:44:55'
network.wan.dns='8.8.8.8' '8.8.4.4'
network.wan.peerdns='0'
---------------------------
~# uci show network.modem

network.modem=interface
network.modem.ifname='@wan'
network.modem.proto='static'
network.modem.ipaddr='192.168.100.2'
network.modem.netmask='255.255.255.0'
---------------------------

But the L tunnel to modem's 443 port is working well. I am sure I am missing something obvious here ...!

Could you spot it?

Thank you!
-Gamma

fwiw, I'm no expert and someone will correct me if I'm wrong, but as you have VPN client(s) set up and working, isn't all the LAN traffic going to go via the VPN tunnel, unless you implement policy based routing or vpn bypass etc?

Like @bill888 said, if you have a VPN client running that is redirecting your default gateway by default, all traffic is going through your VPN. This traffic will essentially be swallowed by your VPN client; you will need to implement a PBR rule to stop requests to 192.168.100.1 being routed via the VPN and instead use your WAN interface. This can be done via the vpnbypass package, which is handy for managing a few rules, or perhaps VPN Policy Routing for more control.

The loss of internet was likely a syntax issue with the firewall config. You'll notice that your interfaces were all under a single variable in quotes, but the additional interface was added outside of this, whereas my example uses the list format. Depending on what process modifies these firewall interfaces, it can produce different results.

Hi @jamesmacwhite and @bill888

Thank you for pointing out the vpn factor. I switched off all my vpns, made their interfaces not come up on boot, disabled the vpn-policy-routing service, and rebooted. The only interfaces are br-lan, wan and modem.

I get a "404 Not Found" error upon connection to https://192.168.100.1:443 . But the L tunnel works well. " tcpdump | grep 192.168.100.1 " shows data packets going forward and backward between my laptop on br-lan and modem over direct https as well as L tunnel.

I've changed to the most generous firewall choices, as follows:

-------------------
~# uci show firewall|grep forwarding

firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[1].src='wan'
-------------------
~# uci show firewall|grep zone

firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].masq='1'
firewall.@zone[1].network='wan wan6 WG0IF modem'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='tun0fwz'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].network='tun0 tun0if'
firewall.@zone[2].forward='REJECT'
-------------------

I intend to debug by comparing and contrasting the two cases. How can I do that? Any ideas?

Thank you.

-Gamma

:warning:You've basically exposed your entire network and your router to the internet.:warning:

The above is very very bad. Remove this forwarding rule immediately.

Again, bad situation here. input and forward should be REJECT.
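An added example, not from the thread, that performs the check @psherman made by eye: a POSIX sh/awk audit of `uci show firewall` output that flags every masquerading (WAN-facing) zone whose input or forward policy is ACCEPT, and prints the uci commands that restore REJECT. The sample dump is a constructed copy of the "most generous" config above, and the zone indices it prints are assumed to be the same ones uci set needs, as in the thread's own output.

```shell
# Added example: audit `uci show firewall` output for exposed WAN zones.
# Constructed sample, shaped like the thread's "most generous" dump.
SAMPLE=$(cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].masq='1'
firewall.@zone[1].network='wan wan6 WG0IF modem'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='tun0fwz'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].forward='REJECT'
EOF
)

# Print "<index> <name>" for each zone with masq='1' whose input or
# forward policy is ACCEPT; lan (no masq) and tun0fwz (REJECT) pass.
audit_zones() {
    printf '%s\n' "$1" | awk -F'[.=]' -v q="'" '
        /^firewall\.@zone\[[0-9]+\]\./ {
            match($2, /[0-9]+/)                       # $2 is e.g. @zone[1]
            i = substr($2, RSTART, RLENGTH) + 0
            if (i > max) max = i
            val = $0; sub(/^[^=]*=/, "", val); gsub(q, "", val)
            z[i, $3] = val                            # $3 is the option key
        }
        END {
            for (i = 0; i <= max; i++)
                if (z[i, "masq"] == "1" && (z[i, "input"] == "ACCEPT" || z[i, "forward"] == "ACCEPT"))
                    print i, z[i, "name"]
        }'
}

# Emit (do not run) the uci commands that close each flagged zone.
fix_commands() {
    audit_zones "$1" | while read -r idx name; do
        printf "uci set firewall.@zone[%s].input='REJECT'   # zone %s\n" "$idx" "$name"
        printf "uci set firewall.@zone[%s].forward='REJECT' # zone %s\n" "$idx" "$name"
    done
    echo "uci commit firewall && /etc/init.d/firewall restart"
}

fix_commands "$SAMPLE"
```

On a live router, pipe the real `uci show firewall` into the functions instead of the constructed sample and review the printed commands before running them.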

Done that straight away. Thanks @psherman ! :slightly_smiling_face:

-Gamma

A 404 Not Found response on https://192.168.100.1, that won't be the Hub3 responding, something else in the path is there.

To confirm you've got your modem interface configured with a static IP of 192.168.100.2? Can you ping that from a LAN client?

Without any VPN active I'm not seeing why you can't get to 192.168.100.1

Does traceroute provide any clues?

traceroute 192.168.100.1

Yes, something is in between. The http browser attaches "/cgi-bin/luci/" to make the url look "https://192.168.100.1/cgi-bin/luci/". Don't know how or why.

Anyways, the tracert from my laptop (192.168.0.11) shows :

C:\Windows\System32>tracert 192.168.100.1

Tracing route to 192.168.100.1 over a maximum of 30 hops

  1     5 ms     1 ms     1 ms  iStation.lan [192.168.0.1]
  2     7 ms     *        2 ms  192.168.100.1

Trace complete.

And yes, 192.168.100.2 is ping4 reachable from my laptop ( lan client ).

How do I proceed from here...? Thanks.

-Gamma

Usually cable modems (and possibly also DSL modems) are just plain http (port 80) as follows: http://192.168.100.1 (note that there is nothing appended to the end).

Try using a different browser, an incognito window, or clearing your browser history+cache and that should hopefully solve the issue.

I can confirm being a Virgin Media UK customer that the Hub 3 does listen on TCP 443, but a bit strange how LuCI is getting involved with the request.

As advised clearing cache and cookies is a good step, the fact your traceroute was able to get to 192.168.100.1, that suggests there is a route to it with the steps you've done, if there wasn't it would timeout.

@psherman and @jamesmacwhite ,

Aha yes, clearing the browser cache and using incognito mode worked. Should have realised that before. I will enable vpns one by one and keep testing at every step.

Thank you for your advice. :slight_smile:

-Gamma

Great! Glad it worked.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
