[Solved] Access Bridge Modem

Identify the IP address needed to log into the modem — the one the modem itself listens on for HTTP/TCP connections, separate from the public IP and the PPPoE session. For cable modems it is usually 192.168.100.1; for DSL it can be others, typically 192.168.0.1.

If this IP overlaps and conflicts with your LAN you will need to change one of them.

Once that is sorted, create a dummy interface to reach the modem as described in the "WAN via PPPoE" section of the guide that @trendy linked. It needs a static IP and netmask that covers the modem's administration network but is not the same address (e.g. 192.168.0.2, netmask 255.255.255.0). As the guide describes, place this network in the wan firewall zone because you do not want to trust the modem; you will only make outgoing connections to it.

My modem's main IP is 192.168.1.1.
I put my modem into bridge mode and turned off its DHCP server option.
After that I connected the modem's LAN port to my router's WAN port.
When I installed OpenWrt on the router, it set the router's main access IP to 192.168.1.1 (the same main IP as my modem).
When I try to add interfaces and attach them to eth1, it breaks my internet connection.

You'll need to change the lan IP from the conflicting 192.168.1.1 into something else, say 10.0.0.1.

Okay, so first I change my router's IP to something like 10.0.0.1, then add the interfaces and firewall rules you wrote up, and after that I will be able to reach my modem at 192.168.1.1?

Yes, that's right.

Okay, I added the interfaces and firewall rules like this:

# /etc/config/network as first posted. The lan address was moved to 10.0.0.1
# so it no longer clashes with the modem's own 192.168.1.1.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdbc:b715:08bd::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.0.0.1'

# PPPoE session to the ISP over eth1, the port the modem is cabled to.
# The username/password values are empty in this paste (presumably stripped
# before posting).
config interface 'wan'
        option ifname 'eth1'
        option proto 'pppoe'
        option password 
        option ipv6 'auto'
        option username 

# Reviewer note: 169.254.1.1/24 is not in the modem's subnet (192.168.1.1/24),
# so this interface adds no route to 192.168.1.0/24 via eth1 and the modem UI
# stays unreachable; the reply further down says to use 192.168.1.2 instead.
# Values in this section are unquoted, unlike the rest of the file (UCI
# accepts both forms).
config interface modem
        option ifname eth1
        option proto static
        option ipaddr 169.254.1.1
        option netmask 255.255.255.0

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'



# /etc/config/firewall as first posted. Per the advice above, the modem
# interface belongs in the untrusted wan zone: the router only makes outgoing
# connections to the modem, and the zone's input/forward policy stays REJECT.
config defaults
        option syn_flood '1'
option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'

# Reviewer note: this is a second zone also named 'wan', duplicating the one
# above. The reply further down says to remove it and instead list the modem
# interface in the existing zone's network option ('wan modem'). masq_dest
# '!modem' is not needed either: traffic towards the modem must be
# masqueraded like any other destination behind the wan zone.
config zone
        option name             wan
        option network          'wan'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        # The firewall will resolve the expression "!modem" to
        # "! -s 169.254.1.1/255.255.255.0" or whatever range
        # was configured in the modem alias.
        option masq_dest        '!modem'
        option mtu_fix          1

Now I can reach the internet, but I can't reach the modem UI.

By the way, I also tried 192.168.1.1 for the modem interface, but when I did that I could not connect to LuCI (router IP 10.0.0.1).

I am not sure how you came up with this IP. Use 192.168.1.2


Modem network IP needs to be in the same subnet as the modem, such as 192.168.1.2. That will create a route to 192.168.1.0/24 via eth1.

Do not change anything in the firewall other than editing one line to add modem to the wan networks, i.e. option network 'wan' becomes option network 'wan modem'. You now have two definitions of the wan zone; remove the new one.


Okay, this is my new config:

# /etc/config/network, second version: the modem interface now uses an
# address inside the modem's own subnet.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdbc:b715:08bd::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.0.0.1'

# PPPoE session to the ISP over eth1 (credentials empty in this paste).
config interface 'wan'
        option ifname 'eth1'
        option proto 'pppoe'
        option password 
        option ipv6 'auto'
        option username 

# Static 192.168.1.2/24 on the same physical port as the PPPoE session. Being
# in the modem's subnet gives the router a connected route to 192.168.1.0/24
# via eth1 (visible in the route output later in the thread), so the router
# can reach the modem at 192.168.1.1 without that address ever being
# the router's own.
config interface 'modem'
        option ifname 'eth1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.2'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

firewall

# /etc/config/firewall, second version. The duplicate wan zone is gone and
# 'modem' is listed in the wan zone's networks, which is the intended shape.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        # Reviewer note: masq_dest '!modem' exempts modem-bound traffic from
        # masquerading. The reply further down says to drop this line: traffic
        # to the modem must be masqueraded like any other wan destination.
        option masq_dest '!modem'
        # Modem interface in the wan zone: untrusted, only outgoing connections.
        option network 'wan modem'

config forwarding
        option src 'lan'
        option dest 'wan'

# This rule appears cut off in the paste (only name and src are shown).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'


Still I can't reach it.

You don't need 'masq_dest'. That is not in the OpenWrt wiki that @trendy linked for you.

You actually need to masquerade to the modem like any other external destination, since the WAN — by design, for security — cannot directly forward back to the LAN.

So take that out then browse to 192.168.1.1 and you should get the modem. If you don't, check if you can ping 192.168.1.1 from the router CLI, then from your PC CLI.

Also since the router used to be 192.168.1.1, there may be remnants of LuCI in the browser cache. If you get some sort of web page but not what is expected, clear the browser cache.

Your routing table should have a line for the modem like this:

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
...
192.168.1.0    *               255.255.255.0   U     0      0        0 eth1
...

My routing table is this:

root@NBG6617:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         xxx.xxx         0.0.0.0         UG    0      0        0 pppoe-wan
10.0.0.0        *               255.255.255.0   U     0      0        0 br-lan
xxx.xxx    *                    255.255.255.255 UH    0      0        0 pppoe-wan
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1

I can ping from the router CLI:

PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=1.114 ms
64 bytes from 192.168.1.1: seq=1 ttl=64 time=1.668 ms
64 bytes from 192.168.1.1: seq=2 ttl=64 time=2.386 ms
64 bytes from 192.168.1.1: seq=3 ttl=64 time=2.109 ms
64 bytes from 192.168.1.1: seq=4 ttl=64 time=1.651 ms

--- 192.168.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.114/1.785/2.386 ms

But I can't ping it from my PC.

It actually is, but the OP didn't understand the comments.

@Uruloki remove this from the wan firewall zone: option masq_dest '!modem'

Actually I did that before, but it didn't fix it.

# /etc/config/firewall as posted after removing masq_dest.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        # Reviewer note: only 'wan' is listed, so the modem interface (eth1 as
        # 192.168.1.2) is in no zone at all and neither the masquerade nor the
        # lan->wan forwarding applies to it. The reply further down points this
        # out: it has to read 'wan modem'.
        option network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'

 option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The two rules below (they look like the OpenWrt defaults) accept ESP and
# UDP/500 forwarded from any interface in the wan zone into lan. Once the
# modem interface joins the zone they also apply to traffic arriving from the
# modem side; worth keeping in mind when auditing what the untrusted side can
# reach, and removable if IPsec is not used.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
 option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

It doesn't work because you don't have the modem interface in the wan zone's network list.

option network 'wan modem'

Still the same.

Paste here the output of iptables-save -c

# Generated by iptables-save v1.8.3 on Wed May  6 12:43:40 2020
# nat table. Reviewer note: eth1 (the modem interface) now appears next to
# pppoe-wan in every zone_wan hook, i.e. 'modem' has been added to the wan
# zone's network list.
*nat
:PREROUTING ACCEPT [1209:276097]
:INPUT ACCEPT [196:13141]
:OUTPUT ACCEPT [232:15330]
:POSTROUTING ACCEPT [199:13294]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[1209:276097] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[721:96640] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[81:10847] -A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
# Packets entering on eth1 are classified into zone wan, same as pppoe-wan.
[407:168610] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
[574:82096] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[366:68334] -A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
# Packets leaving on eth1 (towards the modem) take the wan zone's postrouting
# chain, which ends in MASQUERADE below, so the modem only ever sees the
# router's 192.168.1.2 as source. The non-zero counter [9:468] shows
# modem-bound traffic being NATed.
[9:468] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[721:96640] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[375:68802] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[375:68802] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[488:179457] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Wed May  6 12:43:40 2020
# Generated by iptables-save v1.8.3 on Wed May  6 12:43:40 2020
# mangle table: only the mtu_fix '1' MSS clamping from the wan zone.
*mangle
:PREROUTING ACCEPT [57453:45866995]
:INPUT ACCEPT [2783:442118]
:FORWARD ACCEPT [54082:45240015]
:OUTPUT ACCEPT [3029:739907]
:POSTROUTING ACCEPT [57104:45979558]
[194:11128] -A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
# Clamping is applied to forwarded TCP leaving on eth1 as well, since the
# modem interface is part of the wan zone.
[37:1924] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed May  6 12:43:40 2020
# Generated by iptables-save v1.8.3 on Wed May  6 12:43:40 2020
# filter table. Reviewer note: the eth1 hooks below show what "modem in the
# wan zone" means in practice: the router can open connections towards the
# modem and forward LAN traffic to it, while anything the modem initiates
# towards the router or the LAN ends in a reject chain.
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[777:98682] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[2008:343516] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1510:304170] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[30:1560] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[398:27362] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[92:11287] -A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
# New connections arriving on eth1 (modem side) go through zone_wan_input;
# unless an Allow-* rule matches they end in zone_wan_src_REJECT.
[8:697] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[54082:45240015] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[53490:45145607] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[592:94408] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
# Forwarding initiated from eth1 takes the wan zone path, which ends in
# zone_wan_dest_REJECT (counter is zero: nothing has tried).
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[814:101642] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[2220:639457] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[2187:637421] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[33:2036] -A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[11:440] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[83:11328] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[30:1560] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[592:94408] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[592:94408] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[398:27362] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[398:27362] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[398:27362] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[7:364] -A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[430:83435] -A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
# lan->wan forwards leaving on eth1 are accepted here; the non-zero counter
# [188:12645] is LAN traffic reaching the modem.
[188:12645] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
# Allow-IPSec-ESP / Allow-ISAKMP from the posted config: they admit ESP and
# UDP/500 from any wan-zone interface (eth1 included) into lan. Worth a look
# when auditing exposure towards the modem side; droppable if IPsec is unused.
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[100:11984] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[6:216] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[94:11768] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[33:2036] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[33:2036] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[92:11287] -A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
# Unsolicited packets from the modem side are rejected here ([2:481] hits).
[2:481] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed May  6 12:43:40 2020

Dude, thanks a lot. I pasted this config and restarted the interfaces in LuCI, and now I can reach my modem UI.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

