Modem access over WAN port
I have a VDSL Modem acting as a bridge so that my Firewalla Gold SE can dial up via PPPoE over its WAN port (#4). Everything works perfectly fine.
Now I want to access my modem's Web GUI at 192.168.100.1/24 through my Firewalla's LAN which is 172.20.0.0/24.
I had this setup with a MikroTik router easily before, by assigning an additional IP (192.168.100.2/24) to the WAN interface and masquerading this traffic, so that the return packets from the modem know where to go.
But with Firewalla it doesn't seem to be as intuitive - can somebody help me please?
-
I do this to access my cable modem. My modem is on 192.168.100.1, while my LANs are in the 10.x.x.x space. I made this work by adding a route for 192.168.100.0/24 through my WAN. All my networks already have source NAT enabled, so no additional configuration is required for the masquerading.
-
I just did a tcpdump on my Firewalla to capture the packets between my Firewalla and the modem. Because of the source NAT, the source address for these packets is my public IP address (which is assigned to the Firewalla). I did not have to create any route on the modem, but my modem is dumb and doesn't support routing at all anyway.
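The route-plus-source-NAT setup described in this reply, and the MikroTik secondary-address trick from the original post, expressed as Linux iproute2/iptables commands. This is an added example, not configuration from the thread or from Firewalla, and the interface names are assumptions: the PPPoE session is taken to be ppp0, riding on the physical Ethernet port eth3 that the modem is cabled to. Packets routed via ppp0 are wrapped in PPPoE frames addressed to the ISP's side of the session, while the modem's own management address answers only on the Ethernet port, so the route and the NAT rule have to name the port rather than the PPP interface. The second function classifies a constructed `ip route get` line to tell the two cases apart.

```shell
#!/bin/sh
# Added example (not from the thread or Firewalla): the MikroTik approach from the
# original post as iproute2/iptables commands for a Linux router with a PPPoE WAN.
# Assumed names: ppp0 is the PPPoE session, eth3 is the physical port behind it
# that the modem is plugged into.  Packets sent via ppp0 go to the ISP inside
# PPPoE frames; the modem's management address only answers on eth3.

WAN_ETH="${WAN_ETH:-eth3}"                    # assumed port the modem is cabled to
MODEM_NET="${MODEM_NET:-192.168.100.0/24}"    # modem subnet from the thread
ROUTER_IP="${ROUTER_IP:-192.168.100.2/24}"    # secondary address, as on the MikroTik
LAN_NET="${LAN_NET:-172.20.0.0/24}"           # the poster's LAN

# Emit the three commands that reproduce the MikroTik setup.  They are printed
# rather than executed so they can be reviewed first; apply as root with
#   modem_access_cmds | sudo sh -e
modem_access_cmds() {
  printf '%s\n' \
    "ip addr add $ROUTER_IP dev $WAN_ETH" \
    "ip route replace $MODEM_NET dev $WAN_ETH" \
    "iptables -t nat -A POSTROUTING -s $LAN_NET -d $MODEM_NET -o $WAN_ETH -j MASQUERADE"
}

# Classify one line of `ip route get 192.168.100.1` output.  A route that leaves
# via the PPP interface is the symptom reported in the thread: the ISP, not the
# modem, receives the packet and answers "network unreachable".
route_verdict() {
  case " $1 " in
    *" dev ppp"*)        echo "via-isp" ;;
    *" dev $WAN_ETH "*)  echo "via-modem-port" ;;
    *)                   echo "unknown" ;;
  esac
}

modem_access_cmds
# Constructed sample lines shaped like `ip route get` output before and after the route:
route_verdict '192.168.100.1 dev ppp0 src 203.0.113.5 uid 0'      # via-isp
route_verdict '192.168.100.1 dev eth3 src 192.168.100.2 uid 0'    # via-modem-port
```

Before applying anything, run `ip route get 192.168.100.1` on the router: if the answer names the PPP interface, every packet for the modem is being handed to the ISP, which matches the "network not reachable" replies described further down in the thread.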
-
My modem is a DrayTek Vigor 167 and is basically dumb as well.
If I do as you said - just set a route to 192.168.100.0/24 via WAN - I get a ping reply from my ISP saying "network not reachable".
What I basically noticed:
No matter which IP I ping from my LAN, say 10.10.10.10 which is totally unused in my setup, I get a reply from my ISP saying "network not reachable". So - everything that I ping which doesn't belong to my own LAN subnets seems to be stupidly forwarded to my ISP, and of course the answer is "We don't know your 192.168.100.1 or 10.10.10.10 network".
This stupid topic drives me crazy.
If everything that I ping is being forwarded through my WAN port to my ISP anyway - why the heck do I need a manual route 192.168.100.0/24 via WAN then?
I would understand adding this manual route if Firewalla blocked forwarding of RFC1918 private IPs to WAN, but mine doesn't! I don't have any complex setup, all super simple, and I didn't fiddle around under the hood with SSH or something.
Am I the only one for whom RFC1918 private IPs are blindly being forwarded to the ISP?
-
You're probably correct that you don't need the manual route. I need it because I have dual WAN, and I want to be able to access the cable modem's webpage even when the primary WAN is not cable.
I don't get any response when pinging unused RFC1918 addresses from my LAN. The packets are just dropped.
A tcpdump on the Firewalla shows that the pings for RFC1918 addresses are forwarded to my ISP, so it must be my ISPs that are deciding not to respond to them.
-
So, if all RFC1918's are being forwarded to ISP, how would I ever get to my modem then?
Netgate says:
"As a general rule, it is good practice to prevent network traffic intended for RFC 1918 subnets from leaving the firewall via the WAN interface. This avoids unnecessary traffic on the WAN link and also provides a small security benefit by keeping information about the LAN network behind the firewall."
[https://docs.netgate.com/pfsense/en/latest/recipes/rfc1918-egress.html]
This makes total sense to me, and I was wondering why Firewalla doesn't pay attention to it.
But anyway, even if Firewalla did (or I set a rule for this), it doesn't solve my problem with accessing the modem.
I can't believe I'm the only one who is running a default PPPoE setup and wants to access his modem.
Is it really that difficult?
-
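The Netgate practice quoted above (block traffic for RFC 1918 subnets from leaving via the WAN) as iptables FORWARD rules for a Linux router with a PPPoE WAN, together with a small pure-shell check of the same policy. This is an added example, not from the thread, Netgate or Firewalla; the interface names are assumptions (ppp0 for the ISP session, eth3 for the port the modem sits on). The block is attached to ppp0 only, which is why it does not get in the way of a modem subnet that is routed out the Ethernet port: the poster's stray 10.10.10.10 ping is dropped locally instead of reaching the ISP, while 192.168.100.1 via eth3 is untouched.

```shell
#!/bin/sh
# Added example (not from the thread, Netgate or Firewalla): pfSense-style
# "block RFC 1918 egress on WAN" as iptables FORWARD rules for a Linux router
# with a PPPoE WAN.  Assumed names: ppp0 is the ISP session, eth3 the port the
# modem is on.  Only ppp0 gets the block, so a modem route out eth3 still works.

PPP_IF="${PPP_IF:-ppp0}"

# Rules, printed for review; apply as root with   rfc1918_egress_rules | sudo sh -e
rfc1918_egress_rules() {
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    printf 'iptables -I FORWARD -o %s -d %s -j DROP\n' "$PPP_IF" "$net"
  done
}

# Pure-shell model of the same policy so it can be reasoned about offline:
# is <dst> in RFC 1918 space (10/8, 172.16/12, 192.168/16)?
is_rfc1918() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# $1 destination IP, $2 outgoing interface -> "drop" or "allow", mirroring the rules.
egress_verdict() {
  if [ "$2" = "$PPP_IF" ] && is_rfc1918 "$1"; then echo drop; else echo allow; fi
}

rfc1918_egress_rules
egress_verdict 10.10.10.10 ppp0        # drop  (the stray ping from the thread)
egress_verdict 192.168.100.1 eth3      # allow (modem, routed out the Ethernet port)
egress_verdict 203.0.113.9 ppp0        # allow (ordinary Internet traffic)
```

The rules use `-I` so they land ahead of any existing accept rule in FORWARD; a corresponding `-A` to the end of the chain would be silently shadowed by an earlier `ACCEPT`.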
So, if all RFC1918's are being forwarded to ISP, how would I ever get to my modem then?
Your modem is connected to the Firewalla's WAN port. I don't understand why your modem is not intercepting the packets with the destination address of 192.168.100.1. Perhaps it doesn't like that the source address is your public IP address and not an address in 192.168.100.0/24.
I suggest reaching out to Firewalla support by creating a ticket through the Firewalla app. They've been helpful for me, although they sometimes go around and around on the same questions. If you can't get any help from support, post here or on Reddit, and they may be able to escalate it for you.