Some DSL-/DOCSIS-Modems can be accessed by the end user. To do that, you have to find out which IP address the device has and on which port using which protocol you can access it. Sometimes you additionally need the correct username and the password to gain access or to apply changes.

Once you have the information, you connect the router directly to your PC, give your PC an IP address from the same net and access it with the appropriate program. Easy. To still be able to do that through NAT, follow the instructions:

Follow these instructions if you are using a default install of backfire and manage the firewall through UCI

Let's say the modem has 169.254.1.8 as a default IP. Assign an IP from the same net to the interface connected to the modem by utilising aliases: Head towards /etc/config/network and add these lines.

config alias modem
	option interface wan
	option proto static
	option ipaddr 169.254.1.1
	option netmask 255.255.255.0
	option layer 1

To exempt the internal modem address range from masquerading, add a "masq_dest" expression to the wan zone in /etc/config/firewall:

config zone
        option name             wan
        option network          'wan'
        option input            REJECT
        option output           ACCEPT 
        option forward          REJECT
        option masq             1
        # The firewall will resolve the expression "!modem" to 
        # "! -s 169.254.1.1/255.255.255.0" or whatever range 
        # was configured in the modem alias.
        option masq_dest        '!modem'
        option mtu_fix          1

If the modem should have an IP address like say 192.168.1.8, you could not use the network 192.168.1.0/24 for your LAN and at the same time access your modem with this method. Use any other network in that case, like 192.168.0.0/24 or 192.168.33.0/24.

1. Add alias

Navigate to Admin → Network → Interfaces → WAN, fill in a name in the "IP-Aliases" add field and click "Add".


Within the appearing alias section, fill out the IP address and netmask fields suitable for your modem, hit "Save & Apply".
In my case the modem is reachable via 192.168.100.1, so I've choosen 192.168.100.10 as alias address.
After a while you should see the alias prefix appear in the interface status display (underlined red).


Navigate to Admin → Network → Firewall and open the WAN zone properties (framed red).


Switch to the "Advanced Settings" tab and enter !modem into the destionation restriction field, this will tell the firewall to not NAT traffic directed at the modem address range.
Hit "Save & Apply" to make the change effective.


At this point the modem should be reachable from any host in the LAN.

Let's configure source NAT. This is done with iptables, see netfilter. You can add these custom rules to /etc/firewall.user , or by using the LuCI interface (Network > Firewall > Custom rules).

iptables -t nat -I postrouting_rule -s 192.168.1.0/24 -d 169.254.1.8 -j SNAT --to 169.254.1.1
iptables -I zone_lan_forward -s 192.168.1.0/24 -d 169.254.1.8 -j ACCEPT

If you changed the lan network from the OpenWrt default of 192.168.1.1, you'll have to replace 192.168.1.0 with the net you've chosen.

NOTE: Depending on how restrictive your firewall and the policy is, you may need to execute the following as well to allow flow (the above rules only manage the SNAT):

iptables -I FORWARD -j ACCEPT -i br-lan -o eth0.2
iptables -I FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED

This works because pppd (needed for PPPoE) spawns pppoe-dsl, so eth0.2 remains freely usable. After testing the configuration changes, add all the necessary commands to /etc/firewall.user. Now for example, you could use a GUI program to show some information about your DSL status:

NOTE: Not all modems offer access! Above picture is obtain through a (closed source) program written for the purpose of obtaining a graphic overview for distinct modems. It is very useful to track down connection problems and monitor your DSL-connection. But some modem even offer a WebUI so you can access them with your web browser.

Follow these instructions if you don't use UCI to manage your firewall

Most of the Easy Version still applies. After assigning the modem interface an address,

you will have to source nat packets to the IP address of the DSL modem, by adding the following line, after the MASQUERADE:

IF_LAN="br-lan"
NET_LAN="192.168.1.0/24"
iptables -t nat -A POSTROUTING -o eth0.2 -i $IF_LAN -s $NET_LAN -d 169.254.1.0/8 -j SNAT --to-source 169.254.1.1

Follow these instructions if you are using a default install of Attitude Adjustment 12.09 and later

In this example the modem has 192.168.254.254 as default IP. Declare a new interface called "modem". An Alias is not needed anymore, as multiple interfaces can share the same ifname. Make sure you use a different network than your existing LAN. Head towards /etc/config/network and add these lines:

config interface 'modem'
        option ifname 'eth1'
        option proto 'static'
        option ipaddr '192.168.254.1'
        option netmask '255.255.255.0'

Check if your interface is up with:

ifstatus modem

The modem should now be pingable from your Router. Because forwarding between lan and eth1 below pppoe-wan is not allowed, now just simply stick the new interface to the wan zone so it will be forwarded:

uci set firewall.@zone[1].network='wan modem'
uci commit firewall
fw reload

And thats really all to be done. You could also create a new zone called "modem" and make interzone-forwarding, but thats more work to do.

With DOCSIS-Modem, we do not use the pppd and do not spawn any additional interfaces, so the SNAT-hook need to be before the MASQUERADING-hook. Also, you need to set an alias to the interface with which your Cable modem it connected.

First give the interface (in this case it's even a virtual interface) facing the Internet a second IP address:

ifconfig eth0.2:1 add 192.168.100.2

With UCI you can accomplish this as well: aliases.

Then source nat packets to the IP address of the cable modem. Add the following line, before the MASQUERADE:

iptables -t nat -I POSTROUTING -o eth0.2:1 -i eth0.1 -s $NET_LAN -d 192.168.100.1 -j SNAT --to-source 192.168.100.2

NOTE: Depending on how restrictive your firewall and the policy is, you may need to execute the following as well to allow flow (the above rules only manage the SNAT):

iptables -I FORWARD -j ACCEPT -i $IF_LAN -o $IF_DSL
iptables -I FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED

Now access you cable modem from your PC with a telnet program or with your browser: