Modem access over WAN port

Comments

11 comments

  • David Rothenberger

    I do this to access my cable modem. My modem is on 192.168.100.1, while my LANs are in the 10.x.x.x space. I made this work by adding a route for 192.168.100.0/24 through my WAN. All my networks already have source NAT enabled, so no additional configuration is required for the masquerading.

  • TeWe

    Okay, so NO extra (and manual) Source Network and JUST a manual route to 192.168.100.0/24 through WAN?

  • David Rothenberger

    Right. My source NAT configuration already lists all my 10.x.x.x LANs, so no need to add anything there.

  • TeWe

    I did as you said - but no ping and no Web GUI from 172.20.0.107.
    Yes, my source NAT configuration lists all my LANs.

    Anything else required?
    Possibly a static route on the modem back to Firewalla?

  • David Rothenberger

    I just did a tcpdump on my Firewalla to capture the packets between my Firewalla and the modem. Because of the source NAT, the source address for these packets is my public IP address (which is assigned to the Firewalla). I did not have to create any route on the modem, but my modem is dumb and doesn't support routing at all anyway.

  • TeWe

    My modem is a DrayTek Vigor 167 and is basically dumb as well.

    If I do as you said - just set a route to 192.168.100.0/24 via WAN - I get a ping reply from my ISP saying "network not reachable".

    What I basically noticed:
    No matter which IP I ping from my LAN, say 10.10.10.10 which is totally unused in my setup, I get a reply from my ISP saying "network not reachable".

    So - everything that I ping that doesn't belong to my own LAN subnets seems to be stupidly forwarded to my ISP, and of course the answer is "We don't know your 192.168.100.1 or 10.10.10.10 network".

    This stupid topic drives me crazy.
    If everything that I ping is being forwarded through my WAN port to my ISP anyway - why the heck do I need a manual route 192.168.100.0/24 via WAN then?

  • TeWe

    I understand adding this manual route if Firewalla did block RFC1918 private IPs from WAN forwarding, but mine doesn't! I don't have any complex setup, all super simple, and I didn't fiddle around under the hood with SSH or something.

    Am I the only one where RFC1918 private IPs are blindly being forwarded to the ISP?

  • David Rothenberger

    You're probably correct that you don't need the manual route. I need it because I have dual WAN, and I want to be able to access the cable modem's webpage even when the primary WAN is not cable.

    I don't get any response when pinging unused RFC1918 addresses from my LAN. The packets are just dropped.

    A tcpdump on the Firewalla shows that the pings for RFC1918 addresses are forwarded to my ISP, so it must be my ISPs that are deciding not to respond to them.

  • TeWe

    So, if all RFC1918 addresses are being forwarded to the ISP, how would I ever get to my modem then?

    Netgate says:
    "As a general rule, it is good practice to prevent network traffic intended for RFC 1918 subnets from leaving the firewall via the WAN interface. This avoids unnecessary traffic on the WAN link and also provides a small security benefit by keeping information about the LAN network behind the firewall."
    [https://docs.netgate.com/pfsense/en/latest/recipes/rfc1918-egress.html]

    Makes total sense to me, and I was wondering why Firewalla doesn't pay attention to this.

    But anyway, even if Firewalla did (or I set a rule for this), it doesn't solve my problem with accessing the modem.

    I can't believe I'm the only one who is running in a default PPPoE setup and wants to access his modem?
    Is it really that difficult?

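    The thread above turns on three separate decisions a router makes for a packet from the LAN to 192.168.100.1: which interface the routing table picks (a default route sends it to whichever WAN is primary, which is why David's dual-WAN setup needs the explicit /24 toward the cable modem), whether an RFC 1918 egress policy like the Netgate recommendation drops it on the way out, and what source address masquerading puts on it (the WAN's public address, as David saw in his tcpdump). The following is an added example, not Firewalla's code or anything from the posts: a small Python model of those three steps with a constructed topology. The interface names, the LAN range 10.0.0.0/24, and the "public" addresses 203.0.113.5 and 198.51.100.7 (TEST-NET documentation ranges) are placeholders; the modem-subnet exception in the egress check is a design choice of the example, not something the thread states.

```python
"""Constructed model of routing, RFC 1918 egress filtering and masquerading.
Not Firewalla code; interface names and addresses are placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Iface:
    name: str
    addr: ipaddress.IPv4Address  # interface address; on a WAN it is the masqueraded source
    is_wan: bool


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str


# Constructed topology (placeholder names and TEST-NET addresses):
IFACES: Dict[str, Iface] = {
    "br0":  Iface("br0",  ipaddress.ip_address("10.0.0.1"),     is_wan=False),  # LAN
    "eth0": Iface("eth0", ipaddress.ip_address("203.0.113.5"),  is_wan=True),   # cable WAN; modem at 192.168.100.1
    "eth1": Iface("eth1", ipaddress.ip_address("198.51.100.7"), is_wan=True),   # primary (non-cable) WAN
}
MODEM_NET = ipaddress.ip_network("192.168.100.0/24")


def base_routes() -> List[Route]:
    """Routing table before any manual route: default via the primary WAN, LAN directly attached."""
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), "eth1"),
        Route(ipaddress.ip_network("10.0.0.0/24"), "br0"),
    ]


def lookup(routes: Iterable[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def forward(routes: Iterable[Route], src: str, dst: str,
            block_rfc1918_egress: bool = False,
            egress_allow: Tuple[ipaddress.IPv4Network, ...] = ()) -> Tuple[str, str]:
    """Return (egress interface, source address after NAT) or ("drop", reason)."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    route = lookup(routes, dst_ip)
    if route is None:
        return ("drop", "no route")
    out = IFACES[route.dev]
    # Optional egress policy in the spirit of the Netgate recipe: private destinations
    # do not leave via a WAN unless explicitly allowed (here: the modem's subnet).
    if out.is_wan and block_rfc1918_egress:
        private = any(dst_ip in n for n in RFC1918)
        allowed = any(dst_ip in n for n in egress_allow)
        if private and not allowed:
            return ("drop", "rfc1918 egress blocked")
    # Source NAT (masquerade) on WAN interfaces rewrites the source to the WAN address,
    # which is why the modem sees the public IP rather than a 10.x.x.x address.
    new_src = out.addr if out.is_wan else src_ip
    return (out.name, str(new_src))


def modem_ping(with_modem_route: bool, block_rfc1918_egress: bool) -> Tuple[str, str]:
    """A LAN host pinging the cable modem, with or without the manual /24 route."""
    routes = base_routes()
    if with_modem_route:
        routes.append(Route(MODEM_NET, "eth0"))
    return forward(routes, "10.0.0.50", "192.168.100.1",
                   block_rfc1918_egress=block_rfc1918_egress,
                   egress_allow=(MODEM_NET,))


if __name__ == "__main__":
    print("no manual route:  ", modem_ping(False, False))   # leaves via the primary WAN, not the cable modem
    print("with manual route:", modem_ping(True, False))    # leaves via eth0 as 203.0.113.5
    print("unused 10.10.10.10:", forward(base_routes(), "10.0.0.50", "10.10.10.10"))
    print("same, egress filtered:", forward(base_routes(), "10.0.0.50", "10.10.10.10", True))
```

Run stand-alone, it shows that without the manual route the modem's address simply follows the default route to the primary WAN, that the masqueraded source on a WAN is always that WAN's own address, and that an egress filter for private destinations only helps if the modem subnet is carved out as an exception; otherwise it would drop the very traffic the thread is trying to make work.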
  • David Rothenberger

    So, if all RFC1918 addresses are being forwarded to the ISP, how would I ever get to my modem then?

    Your modem is connected to the Firewalla's WAN port. I don't understand why your modem is not intercepting the packets with the destination address of 192.168.100.1. Perhaps it doesn't like that the source address is your public IP address and not an address in 192.168.100.0/24.

    I suggest reaching out to Firewalla support by creating a ticket through the Firewalla app. They've been helpful for me, although they sometimes go around and around on the same questions. If you can't get any help from support, post here or on Reddit, and they may be able to escalate it for you.

  • TeWe

    Will do David.

    You've been super helpful so far and I thank you for all the time you've invested for me.
