Some DSL-/DOCSIS-Modems can be accessed by the end user. To do that, you have to find out which IP address the device has and on which port using which protocol you can access it. Sometimes you additionally need the correct username and the password to gain access or to apply changes.
Once you have the information, you connect the router directly to your PC, give your PC an IP address from the same net and access it with the appropriate program. Easy. To still be able to do that through NAT, follow the instructions:
The "config alias" approach is deprecated, according to a note on the network configuration page. And the relevant bits of GUI are not present in Barrier Breaker r38392. If I find out how else to do this, I'll add it here.
Follow these instructions if you are using a default install of backfire and manage the firewall through UCI
An IP in the same net as the modem must be assigned to the interface which is connected to the modem. To do this, we create an alias as shown below.
For this example we assume two things: that the modem's IP is 169.254.1.8, and that the interface "wan" we are adding an alias to is on eth1.
Head towards /etc/config/network and add these lines.
config interface modem
        option ifname eth1
        option proto static
        option ipaddr 169.254.1.1
        option netmask 255.255.255.0
To exempt the internal modem address range from masquerading, add a "masq_dest" expression to the wan zone in /etc/config/firewall:
config zone
        option name wan
        option network 'wan'
        option input REJECT
        option output ACCEPT
        option forward REJECT
        option masq 1
        # The firewall will resolve the expression "!modem" to
        # "! -s 169.254.1.1/255.255.255.0" or whatever range
        # was configured in the modem alias.
        option masq_dest '!modem'
        option mtu_fix 1
If the modem should have an IP address like, say, 192.168.1.8, you could not use the network 192.168.1.0/24 for your LAN and at the same time access your modem with this method. Use any other network in that case, like
1. Add alias
Navigate to Admin → Network → Interfaces → WAN, fill in a name in the "IP-Aliases" add field and click "Add".
Within the appearing alias section, fill out the IP address and netmask fields suitable for your modem, hit "Save & Apply".
In my case the modem is reachable via 192.168.100.1, so I've chosen 192.168.100.10 as alias address.
After a while you should see the alias prefix appear in the interface status display (underlined red).
Navigate to Admin → Network → Firewall and open the WAN zone properties (framed red).
Switch to the "Advanced Settings" tab and enter !modem into the destination restriction field. This tells the firewall not to NAT traffic directed at the modem address range.
Hit "Save & Apply" to make the change effective.
At this point the modem should be reachable from any host in the LAN.
Let's configure source NAT. This is done with iptables, see netfilter.
You can add these custom rules to /etc/firewall.user, or by using the LuCI interface (Network > Firewall > Custom rules).
iptables -t nat -I postrouting_rule -s 192.168.1.0/24 -d 169.254.1.8 -j SNAT --to 169.254.1.1
iptables -I zone_lan_forward -s 192.168.1.0/24 -d 169.254.1.8 -j ACCEPT
If you changed the lan network from the OpenWrt default of 192.168.1.1, you'll have to replace 192.168.1.0 with the net you've chosen.
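The check below is an added example, not part of the original wiki page: it validates an address plan (alias inside the modem's subnet, modem subnet not overlapping the LAN) and prints the two rules above for the chosen LAN network. The function names are this example's own; the chain names and sample addresses are the ones used on this page.

```shell
#!/bin/sh
# Added example: validate a modem-access address plan, then print the SNAT rules.
# ip2int, len2mask, same_net and modem_rules are names invented for this example.

# Convert a dotted-quad IPv4 address to an integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Netmask as an integer for a prefix length (0-32).
len2mask() {
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# same_net IP1 IP2 PREFIXLEN: succeeds if both addresses share the prefix.
same_net() {
    m=$(len2mask "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# modem_rules LAN_CIDR MODEM_IP ALIAS_IP MODEM_PREFIXLEN
# Prints the two iptables rules, or an error on stderr and a non-zero status.
modem_rules() {
    lan_ip=${1%/*}; lan_len=${1#*/}
    [ "$2" != "$3" ] || { echo "alias equals modem address" >&2; return 1; }
    same_net "$2" "$3" "$4" || { echo "alias not in modem subnet" >&2; return 1; }
    # Two networks overlap if they are equal under the shorter prefix.
    short=$lan_len; [ "$4" -lt "$short" ] && short=$4
    if same_net "$lan_ip" "$2" "$short"; then
        echo "modem subnet overlaps LAN $1" >&2; return 1
    fi
    # Rules are scoped to the single modem host, not the whole modem subnet.
    echo "iptables -t nat -I postrouting_rule -s $1 -d $2 -j SNAT --to $3"
    echo "iptables -I zone_lan_forward -s $1 -d $2 -j ACCEPT"
}

# The page's own example values: LAN 192.168.1.0/24, modem .8, alias .1, /24.
modem_rules 192.168.1.0/24 169.254.1.8 169.254.1.1 24
```

Review the printed rules before adding them to /etc/firewall.user; a non-zero exit status means the plan needs a different LAN or alias address.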
NOTE: Depending on how restrictive your firewall and the policy is, you may need to execute the following as well to allow flow (the above rules only manage the SNAT):
iptables -I FORWARD -j ACCEPT -i br-lan -o eth0.2
iptables -I FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
This works because pppd (needed for PPPoE) spawns pppoe-dsl, so eth0.2 remains freely usable. After testing the configuration changes, add all the necessary commands to /etc/firewall.user. Now, for example, you could use a GUI program to show some information about your DSL status:
NOTE: Not all modems offer access! The picture above was obtained through a (closed source) program written for the purpose of obtaining a graphic overview for distinct modems. It is very useful for tracking down connection problems and monitoring your DSL connection. Some modems even offer a WebUI, so you can access them with your web browser.
Follow these instructions if you don't use UCI to manage your firewall
Most of the Easy Version still applies. After assigning the modem interface an address, you will have to source NAT packets to the IP address of the DSL modem, by adding the following line, after the MASQUERADE:
IF_LAN="br-lan"
NET_LAN="192.168.1.0/24"
# POSTROUTING has no input interface to match (-i is rejected there), so LAN
# traffic is selected by source address; the destination is the modem's /24.
iptables -t nat -A POSTROUTING -o eth0.2 -s $NET_LAN -d 169.254.1.0/24 -j SNAT --to-source 169.254.1.1
Follow these instructions if you are using a default install of Attitude Adjustment 12.09 and later
In this example the modem has 192.168.254.254 as default IP. Declare a new interface called "modem". An alias is not needed anymore, as multiple interfaces can share the same ifname. Make sure you use a different network than your existing LAN. Head towards /etc/config/network and add these lines:
config interface 'modem'
        option ifname 'eth1'
        option proto 'static'
        option ipaddr '192.168.254.1'
        option netmask '255.255.255.0'
Check if your interface is up with:
The modem should now be pingable from your router. Because forwarding between lan and eth1 below pppoe-wan is not allowed, simply add the new interface to the wan zone so it will be forwarded:
# @zone[1] is the wan zone in the default firewall config (assumption);
# confirm the index with "uci show firewall" before running this.
uci set firewall.@zone[1].network='wan modem'
uci commit firewall
fw reload
And that's really all there is to do. You could also create a new zone called "modem" and set up inter-zone forwarding, but that's more work.
With a DOCSIS modem, we do not use pppd and do not spawn any additional interfaces, so the SNAT hook needs to come before the MASQUERADE hook. Also, you need to set an alias on the interface to which your cable modem is connected.
First give the interface (in this case it's even a virtual interface) facing the Internet a second IP address:
ifconfig eth0.2:1 add 192.168.100.2
With UCI you can accomplish this as well: aliases.
Then source NAT packets to the IP address of the cable modem. Add the following line, before the MASQUERADE:
# iptables matches on the real device name (eth0.2), not the alias label
# eth0.2:1, and POSTROUTING has no input interface to match (-i is rejected).
iptables -t nat -I POSTROUTING -o eth0.2 -s $NET_LAN -d 192.168.100.1 -j SNAT --to-source 192.168.100.2
NOTE: Depending on how restrictive your firewall and the policy is, you may need to execute the following as well to allow flow (the above rules only manage the SNAT):
iptables -I FORWARD -j ACCEPT -i $IF_LAN -o $IF_DSL
iptables -I FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
Now access your cable modem from your PC with a telnet program or with your browser:
doc/howto/access.modem.through.nat.txt · Last modified: 2013/12/23 21:08 by tgangemi