[Solved] Access modem through router on a different subnet

After an (almost) full switch from DD-WRT to OpenWrt the only thing that I'm unable to replicate is to have access to my modem webui from my LAN.

Modem has IP 192.168.2.1
OpenWrt router 192.168.1.2

I followed this tutorial from the OpenWrt site: Accessing the modem through the router but it doesn't work so I'm asking for a little help. Thanks in advance

My configuration is:

# Extra static interface meant to give the router an address in the modem's
# subnet (the modem is 192.168.2.1, per the post).
config interface 'modem'
	option proto 'static'
	# '@wan' aliases the wan interface, which is PPPoE in the full config below.
	# Later replies in the thread point out that this sends the traffic over
	# the PPPoE link instead of eth0.2.
	option device '@wan'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'

Full:

root@R7800:~# cat /etc/config/network

# /etc/config/network as posted. The router's LAN address is 192.168.1.2/24 and
# the WAN side is a PPPoE session on eth0.2.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd09:48e4:ec4a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '192.168.1.2/24'
	list dns '192.168.1.4'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1: switch ports 1-4, tagged towards CPU port 6 (the LAN bridge uses eth1.1).
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

# VLAN 2: switch port 5, tagged towards CPU port 0 (the wan interface uses eth0.2).
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'wan'
	option proto 'pppoe'
	option device 'eth0.2'
	# NOTE(review): the PPPoE username/password are posted in clear text. They
	# appear to be generic ISP-wide values rather than per-subscriber secrets
	# (confirm); real credentials should be redacted before sharing a config.
	option username 'aliceadsl'
	option password 'aliceadsl'
	option ipv6 '0'
	option peerdns '0'
	list dns '192.168.1.4'

config interface 'wg0'
	option proto 'wireguard'
	# Empty in the post, presumably blanked by the poster before sharing; the
	# private key is the one value in this file that must never be published.
	option private_key ''
	option listen_port '51820'
	list addresses '10.4.0.1/32'

# WireGuard peers. Public keys are not secret; each peer is limited to a
# single /32 via allowed_ips.
config wireguard_wg0
	option public_key '3YUPx4IFIAEEksxo42Jww9QvDtPSVywnnSc9XwzI8yU='
	list allowed_ips '10.4.0.2/32'
	option description 'iPhone'
	option route_allowed_ips '1'

config wireguard_wg0
	option description 'iPad'
	option public_key 'w7nFXL4tC8Z7dXI30orh3jTNiN9aITy6Mbmc5hQGPWc='
	list allowed_ips '10.4.0.3/32'
	option route_allowed_ips '1'

config device
	option name 'pppoe-wan'
	option type 'tunnel'

# Interface intended to reach the modem's web UI at 192.168.2.1.
config interface 'modem'
	option proto 'static'
	# '@wan' aliases the PPPoE wan interface, so this address is not placed on
	# eth0.2, where the modem is reachable; the thread's working config uses
	# 'eth0.2' here.
	option device '@wan'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'

And firewall:

# wan firewall zone with the 'modem' interface added to it. Because the zone
# has masq '1', LAN traffic towards the modem subnet is source-NATed to the
# router's own address on that interface; input 'REJECT' still applies to
# connections arriving at the router from the modem side.
config zone
	option name 'wan'
	option output 'ACCEPT'
	option mtu_fix '1'
	option forward 'REJECT'
	option input 'REJECT'
	option masq '1'
	# NOTE(review): no interface named 'PPPoE' exists in the network config
	# shown on this page; possibly a leftover entry, verify.
	list network 'PPPoE'
	list network 'wan'
	list network 'modem'

Full:

root@R7800:~# cat /etc/config/firewall

# /etc/config/firewall as posted.
# defaults: policy for traffic that matches no zone.
# NOTE(review): forward 'ACCEPT' is more permissive than the stock OpenWrt
# default (forward 'REJECT'); confirm this was intentional.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

# lan zone. wg0 is a member, so WireGuard peers are trusted like LAN hosts and
# inherit the lan -> wan forwarding below (which also covers the modem subnet).
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

# wan zone. Inbound and forwarded traffic is rejected unless a rule below
# allows it; outbound traffic is masqueraded. 'modem' is listed here so the
# modem subnet is treated as untrusted WAN-side space.
config zone
	option name 'wan'
	option output 'ACCEPT'
	option mtu_fix '1'
	option forward 'REJECT'
	option input 'REJECT'
	option masq '1'
	# NOTE(review): no interface named 'PPPoE' exists in the network config
	# shown on this page; possibly a leftover entry, verify.
	list network 'PPPoE'
	list network 'wan'
	list network 'modem'

# Lets every host in the lan zone initiate connections to anything in the wan
# zone, including the modem's management UI.
config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# The router answers IPv4 echo requests from the wan side.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Rate-limited ICMPv6 accepted on the router itself from the wan side.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Rate-limited ICMPv6 forwarded from wan to any zone (dest '*').
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The next two rules forward ESP and IKE (UDP 500) from wan into the lan zone
# with no dest_ip restriction.
# NOTE(review): they resemble OpenWrt's stock rules; if no IPsec endpoint sits
# behind the router they can be disabled to narrow wan -> lan exposure.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Accepts UDP 51820 on the router from the wan side; the port matches
# listen_port of the wg0 interface in the network config on this page.
config rule
	option name 'WireGuard'
	list proto 'udp'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'

Quick overview of how I did it...

My modem's IP address was 192.168.254.254.

Steps -

  1. Created a new WAN interface called MODEM. No DHCP turned on and selected static IP as the protocol.

  2. IPv4 address set to 192.168.254.253

  3. Netmask set to 255.255.255.0

  4. Gateway IP set to 192.168.254.254

  5. Added the MODEM WAN connection to the WAN firewall zone.

  6. Clicked on Stop for the WAN interface.

  7. Clicked on Restart for the MODEM interface.

  8. Entered 192.168.254.254

  9. Got the modem login prompt.

  10. Logged in, and was able to access all functions.


Thanks, yes, it's similar to what I've done and it should also work for me, but it doesn't.

I've modified it, adding the gateway and setting the IP to 192.168.2.0 instead of 192.168.2.2, but nothing...

# Second attempt from the thread. The replies that follow flag three problems:
# the .0 address, the '@wan' device and the gateway option.
config interface 'modem'
	option proto 'static'
	# With netmask 255.255.255.0 the .0 address is the network address of the
	# subnet, not a host address.
	option ipaddr '192.168.2.0'
	option netmask '255.255.255.0'
	# '@wan' resolves to the PPPoE link rather than eth0.2.
	option device '@wan'
	# The modem subnet is directly connected, so no gateway is needed here;
	# NOTE(review): a gateway on this interface may also add a default route
	# competing with the PPPoE one - confirm.
	option gateway '192.168.2.1'

This should be using the format "eth0.n"


With the @wan you are sending the packets over pppoe. You want to send them to eth0.2.


I guess I'm missing something but with my RT3200 connected to LTE router in bridge mode it just worked. I mean modem is connected via wan port and so I could just access the modem IP (192.168.8.1) from my router / lan (192.168.1.1).

The only special thing I had to do was to route traffic destined for 192.168.8.1 to wan rather than vpn.

@trendy what am I missing?

I don't follow. A static route shouldn't be necessary, as the modem subnet is directly connected. And you are adding more things in the equation, like VPN.

Thanks. Indeed, I was skeptical of this, but if I use eth0.2 I lose the connection; maybe @eth0.2?

No, straight eth0.2


Okay, done but I have still no access to my modem...

root@R7800:~# nano /etc/config/network

# Third attempt: the device is now the physical VLAN interface, but the address
# and gateway are still the ones the next reply tells the poster to change.
config interface 'modem'
	option proto 'static'
	# .0 is the network address of this /24, not a usable host address.
	option ipaddr '192.168.2.0'
	option netmask '255.255.255.0'
	option device 'eth0.2'
	# Not needed for a directly connected subnet; the next reply says to remove it.
	option gateway '192.168.2.1'

root@R7800:~# /etc/init.d/network restart
root@R7800:~# ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes


What am I doing wrong?!

Wrong IP: .0 is not a generally acceptable host address (with a 255.255.255.0 netmask it is the network address). Use .2 instead.
Also remove the gateway.

Damn, great, thank you. The addresses I entered were correct from the beginning; the trouble was the browser cache... I tried to ping it and that works, but when I open the web page it fails

switched to another browser

Thanks again!

PS: in the end the correct config is:

# Working configuration from the thread: a static address in the modem's
# subnet, bound to the physical WAN VLAN (eth0.2) rather than to the PPPoE
# link, with no gateway because the subnet is directly connected.
# With this interface in the wan firewall zone and lan -> wan forwarding
# enabled (as in the firewall config on this page), every host in the lan
# zone, including the WireGuard peers placed in that zone, can reach the
# modem's admin UI. NOTE(review): if that is wider than intended, restrict
# access to 192.168.2.1 with a firewall rule, and make sure the modem does
# not keep its default admin password.
config interface 'modem'
	option proto 'static'
	option netmask '255.255.255.0'
	option device 'eth0.2'
	option ipaddr '192.168.2.2'

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

