Unable to access Arris TG3452A modem all of a sudden

For some reason, I am unable to access the ISP-provided Arris TG3452A. The IP that worked weeks ago was 192.168.0.1, accessible over plain HTTP. Now connections time out and I cannot ping the device. It is up and all internet services seem fine (connection is supplied at the plan's speed, I can ssh into devices behind my router/firewall, wireguard works, etc.).

Is there anything in my configs that would explain this? Note that I cannot ping it from the router itself.

/etc/config/network
# Loopback interface on the usual 127.0.0.1/8.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd74:9589:935a::/48'
	option packet_steering '1'

# switch0 has VLAN support enabled; the four switch_vlan stanzas below
# split it into lan / wan / iot / guest segments.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 (lan): ports 1-4 untagged, port 6 tagged ('t' suffix).
# presumably port 6 is the CPU port behind eth1 (eth1.1 is bridged into
# br-lan further down) - confirm against the board's switch layout.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option description 'lan'
	option ports '1 2 3 4 6t'

# VLAN 2 (wan): port 5 untagged, port 0 tagged.
# presumably port 0 is the CPU port behind eth0, since the wan interface
# uses eth0.2 - confirm. The modem would then be cabled to port 5.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5'
	option vid '2'
	option description 'wan'

# VLAN 3 (iot): only port 6 (tagged) is a member, so no physical switch
# port carries this VLAN untagged in the config shown.
# presumably clients join via a wireless config that is not on this page.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option description 'iot'
	option ports '6t'

# VLAN 4 (guest): same layout as iot - port 6 tagged only.
config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '4'
	option description 'guest'
	option ports '6t'

# Addressing summary for the static interfaces below:
#   lxc   10.0.4.1/24     (lxcbr0)
#   lan   192.168.1.1/24  (br-lan)
#   IOT   192.168.3.1/24  (br-iot)
#   guest 192.168.4.1/24  (br-guest)
# None of them sits in 192.168.0.0/24 or 192.168.100.0/24, so traffic to a
# modem management address in those ranges is not on-link for any static
# interface here; presumably it follows the default route out of wan
# (whose DHCP lease is not shown) - verify with the routing table.
config interface 'lxc'
	option device 'lxcbr0'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr '10.0.4.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'IOT'
	option device 'br-iot'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'guest'
	option device 'br-guest'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
	option delegate '0'

# WAN takes its address by DHCP on eth0.2. peerdns '0' ignores the
# DNS servers offered by the upstream DHCP server; the two resolvers
# listed here are used instead.
config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

# DHCPv6 client on the same device; auto '0' means it is not brought up
# automatically at boot.
config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'

# One bridge per internal segment, each with a single 802.1Q member
# (eth1.1 / eth1.3 / eth1.4) and IPv6 switched off on the device.
config device
	option type 'bridge'
	option name 'br-lan'
	list ports 'eth1.1'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'eth1.3'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'eth1.4'
	option ipv6 '0'

# Bridge for the lxc interface. It has no ports listed; bridge_empty '1'
# lets it be created anyway.
# presumably container interfaces are attached to it at runtime - confirm.
config device
	option type 'bridge'
	option name 'lxcbr0'
	option ipv6 '0'
	option bridge_empty '1'

# 802.1Q sub-interfaces of eth1; the vid values match the lan / iot /
# guest switch_vlan entries (1, 3, 4).
config device
	option name 'eth1.1'
	option type '8021q'
	option ifname 'eth1'
	option vid '1'
	option ipv6 '0'

config device
	option name 'eth1.3'
	option type '8021q'
	option ifname 'eth1'
	option vid '3'
	option ipv6 '0'

config device
	option name 'eth1.4'
	option type '8021q'
	option ifname 'eth1'
	option vid '4'
	option ipv6 '0'

<< omitted wireguard section >>
/etc/config/firewall
# Default chain policies, applied to traffic that no zone claims.
# NOTE(review): input 'ACCEPT' here means an interface that is up but not
# listed in any zone can reach the router's own services; REJECT is the
# stricter choice if every interface is meant to be zoned.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# lan zone: fully trusted (input/output/forward all ACCEPT).
# wg0 is listed here too, so WireGuard peers get the same access to the
# router and to other lan-zone hosts as wired LAN clients.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'lan'
	list network 'wg0'
	option forward 'ACCEPT'

# wan zone: unsolicited inbound and forwarded traffic is dropped;
# outbound is allowed and masqueraded (masq '1'). Router-originated
# traffic to the modem (e.g. a ping from the router) is output traffic,
# which this zone accepts.
config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'
	list network 'wan'
	list network 'wan6'

# lxc zone: containers may not reach the router (input REJECT) and are
# not forwarded anywhere except where a forwarding/rule below allows it.
config zone
	option name 'lxc'
	option output 'ACCEPT'
	list network 'lxc'
	option input 'REJECT'
	option forward 'REJECT'

# lan -> wan forwarding: LAN and WireGuard clients may reach anything
# behind wan, which includes a modem management address reached via wan.
config forwarding
	option src 'lan'
	option dest 'wan'

# Accept DHCP replies (UDP 68) arriving on wan so the WAN lease can renew.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Accept IGMP from wan (IPv4 only).
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept DHCPv6 client traffic (UDP 546) from wan, limited to the
# fc00::/6 source and destination ranges.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types (130-132, 143) from link-local sources
# on wan.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 addressed to the router itself (no dest), rate-limited to
# 1000/sec. This rule is IPv6-only, so IPv4 echo requests from wan still
# hit the wan zone's input DROP.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone (dest '*'), same rate limit.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The next two rules forward ESP and UDP 500 from wan to any lan host
# (no dest_ip is set).
# NOTE(review): if no IPsec endpoint runs behind this router they can be
# removed to shrink the WAN-facing rule set - confirm before deleting.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Pulls in custom rules from /etc/firewall.user. Its contents are not
# shown on this page, so the effective ruleset may differ from what is
# listed here.
config include
	option path '/etc/firewall.user'

# Internet-facing port forward: TCP 12243 on the WAN address is DNATed
# to 192.168.1.101 in the lan zone.
# NOTE(review): the name suggests SSH. No dest_port is set, so presumably
# the port is passed through unchanged and the host listens on 12243 -
# verify. A non-standard port only reduces scan noise; it is not access
# control. With the WireGuard tunnel already accepted from wan below, SSH
# can be reached over wg0 and this forward dropped; if it stays, use
# key-only authentication and/or restrict it with src_ip.
config redirect
	option target 'DNAT'
	option name 'ssh pi'
	list proto 'tcp'
	option src 'wan'
	option src_dport '12243'
	option dest 'lan'
	option dest_ip '192.168.1.101'

# Second Internet-facing forward: TCP 13232 -> 192.168.1.100.
# The same review note applies as for the 'ssh pi' redirect above.
config redirect
	option target 'DNAT'
	option name 'ssh reborn'
	list proto 'tcp'
	option src 'wan'
	option src_dport '13232'
	option dest 'lan'
	option dest_ip '192.168.1.100'

# Accept UDP 41117 from wan on the router itself; this matches the
# listen_port of the wg0 interface shown later on the page.
config rule 'wg'
	option name 'Allow-WireGuard'
	option proto 'udp'
	option target 'ACCEPT'
	option src 'wan'
	option dest_port '41117'

# lan may initiate connections into lxc; lxc may reach wan.
config forwarding
	option src 'lan'
	option dest 'lxc'

config forwarding
	option src 'lxc'
	option dest 'wan'

# IoT zone: no access to the router (input REJECT) and no forwarding by
# default. In the config shown there is no 'forwarding' from IoT to wan,
# so IoT devices have no Internet path unless /etc/firewall.user adds one.
config zone
	option name 'IoT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IOT'
	option input 'REJECT'

# Input rule (no dest): guests may reach the router on ports 53, 67, 68.
# No proto is set, so the firewall's default protocol match applies
# (tcp and udp in OpenWrt).
# NOTE(review): 67 is the DHCP server port; 68 is the client side and is
# probably not needed as a destination on the router - verify.
config rule
	option name 'guest dhcp and dns'
	option src 'guest'
	option target 'ACCEPT'
	option dest_port '53 67 68'

# Guests may query DNS in the lxc zone over UDP 53 only.
# presumably the Pi-hole named in the rule runs in a container there;
# DNS over TCP is not forwarded by this rule.
config rule
	option name 'pi-hole-dns guest to lxc'
	list proto 'udp'
	option src 'guest'
	option dest 'lxc'
	option dest_port '53'
	option target 'ACCEPT'

# Input rule (no dest): IoT devices may reach the router on ports 67, 68.
# No proto is set, so the default protocol match applies here as well.
config rule
	option src 'IoT'
	option target 'ACCEPT'
	option name 'iot dhcp'
	option dest_port '67 68'

# IoT devices may query DNS in the lxc zone over UDP 53 only.
config rule
	option name 'iot dns'
	list proto 'udp'
	option src 'IoT'
	option dest 'lxc'
	option dest_port '53'
	option target 'ACCEPT'

# lan (and therefore wg0 peers) may initiate connections to IoT devices;
# there is no forwarding in the other direction.
config forwarding
	option src 'lan'
	option dest 'IoT'

# guest zone: isolated from the router and from other zones except for
# the explicit rules above and the forwardings below.
config zone
	option name 'guest'
	option output 'ACCEPT'
	list network 'guest'
	option input 'REJECT'
	option forward 'REJECT'

# Guests get Internet access; lan may initiate connections to guests.
config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'guest'

What is the subnet you are using for wireguard? And is the wireguard interface inbound (ie a road warrior type config), or are you setting up a tunnel for your traffic to egress?

Also, have you tried 192.168.100.1 for the modem interface?

I did try 192.168.100.1 but nothing. Wireguard is running on 10.200.200.200/24 and it is configured for road warrior. Just for connecting to the network from remote locations.

Is your Arris device operating as a bridge (i.e. providing the public IP directly to the WAN of your OpenWrt device)? Or is it running in router mode? If in doubt, what are the first two octets of your OpenWrt's reported WAN IP? (in bold: **aaa.bbb**.ccc.ddd)

Yes, it is indeed in bridge mode. The first two numbers match the external IP, 67.149 in this case (Network>Interfaces in luci).

Let's see the wireguard section of your config. Redact the keys, of course.

It's pretty standard:

# WireGuard interface for inbound ("road warrior") peers.
# Key values in this listing are the poster's redaction placeholders.
# The firewall config on this page puts wg0 in the lan zone and accepts
# UDP 41117 from wan, which matches listen_port here.
config interface 'wg0'
        option proto 'wireguard'
        list addresses '10.200.200.200/24'
        option private_key 'x'
        option delegate '0'
        option listen_port '41117'

# One stanza per peer. Each allowed_ips entry is a single /32, so a peer
# is only accepted when sourcing from its own tunnel address, and
# route_allowed_ips '1' installs a route for that address.
# A preshared_key is set per peer in addition to the public key.
config wireguard_wg0
        option description 'me phone'
        option route_allowed_ips '1'
        option public_key 'P'
        option preshared_key 'x'
        list allowed_ips '10.200.200.202/32'

config wireguard_wg0
        option description 'me workstation'
        list allowed_ips '10.200.200.203/32'
        option route_allowed_ips '1'
        option public_key 'L'
        option preshared_key 'h'

config wireguard_wg0
        option description 'wife'
        list allowed_ips '10.200.200.204/32'
        option route_allowed_ips '1'
        option public_key 'A'
        option preshared_key 'e'

ok... nothing that would conflict here.

What happens when you ping 192.168.0.1?

Try removing this line (`option delegate '0'`) from your lan (and probably from your other networks, too)

# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
64 bytes from 192.168.0.1: seq=32 ttl=64 time=1.969 ms
64 bytes from 192.168.0.1: seq=33 ttl=64 time=0.977 ms
^C
--- 192.168.0.1 ping statistics ---
75 packets transmitted, 2 packets received, 97% packet loss
round-trip min/avg/max = 0.977/1.473/1.969 ms

That was about 20 seconds with tons of packet loss.

I removed the delegate option from all networks but I get the same result.

So for no apparent reason, it just started accepting pings and I can log into the http interface. So random.

Thanks for your help @psherman ... seems to be unrelated to my OW router/firewall.
