Accessing a DSL or cable modem IP from inside the firewall
Some DSL or cable modems have web interfaces on private IP addresses. Since these sit outside your firewall and don't have a public IP, accessing them isn't as straightforward as it might seem.
Static outside IP address
When trying to access any network m0n0wall doesn't know about, it will go through its default gateway - your ISP's router. Your ISP isn't going to route traffic for private IPs back to your modem, so this doesn't work.
For this example, the DSL modem has IP 10.10.10.1. Note - the modem cannot have an IP address that lies within any of your LAN or DMZ subnets.
First we'll add IP alias 10.10.10.2/24 to m0n0wall's WAN interface. Go to /exec.php on your m0n0wall and run the following, replacing sis0 with the interface name of your WAN interface (to determine the name of your WAN interface, run 'ifconfig' in exec.php and see which interface has your public IP under it):
ifconfig sis0 inet 10.10.10.2/24 alias
Now go to the Firewall -> NAT screen on m0n0wall. Click the Outbound tab and click the plus at the bottom of the screen.
First add a rule to replace m0n0wall's default NAT rule. Since we'll have to enable advanced Outbound NAT, we'll need to manually replace this rule. Source is your LAN subnet, destination is not the IP of the modem, target is blank (so it uses the WAN IP), and fill in the description as you desire, then click Save.
Note - If you have more than one subnet on your network, for example if you have a second LAN interface, a routed network behind m0n0wall, or a DMZ interface with private IPs, you'll need to add another NAT rule to accommodate those subnets.
Click the plus button again, and now we'll add a NAT entry for accessing the modem.
Now your Outbound NAT screen will look something like this.
Check the "enable advanced outbound NAT" box and click Save.
Now you should be able to access your modem from your LAN.
To keep the ifconfig alias across reboots, use the backup feature to download your config.xml, and open it in a text editor.
In between the </webgui> and </system> lines, add a line like the following.
<shellcmd>ifconfig sis0 inet 10.10.10.2/24 alias</shellcmd>
Then save the changes to the config.xml file, and use m0n0wall's restore function to restore this modified configuration.
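As an added example (not part of the original page and not m0n0wall's own code), this Python script performs the two checks a practitioner wants before the alias goes into config.xml: the modem must sit inside the alias subnet, and that transfer net must not overlap any LAN or OPT subnet already configured. It then inserts the <shellcmd> line after <webgui> inside <system>, exactly where the text above says it belongs. The config.xml it operates on is a constructed minimal sample; the WAN NIC "sis0" and the 10.10.10.0/24 addresses are the ones used in this section.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed minimal config.xml (not a real m0n0wall backup); the WAN NIC
# is sis0 as in the ifconfig line above, and the LAN sits on 192.168.1.0/24.
SAMPLE_CONFIG = """<m0n0wall>
  <system>
    <hostname>m0n0wall</hostname>
    <webgui><protocol>http</protocol></webgui>
  </system>
  <interfaces>
    <lan><if>sis1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <wan><if>sis0</if><ipaddr>dhcp</ipaddr></wan>
  </interfaces>
</m0n0wall>
"""


def internal_subnets(root):
    """LAN/OPT networks from <interfaces>; WAN is skipped because its
    address is not a fixed subnet and the alias will live there anyway."""
    nets = []
    for iface in root.find("interfaces"):
        ip, bits = iface.findtext("ipaddr"), iface.findtext("subnet")
        if iface.tag != "wan" and ip and bits:
            nets.append(ipaddress.ip_network(f"{ip}/{bits}", strict=False))
    return nets


def add_alias_shellcmd(config_xml, wan_if, alias_cidr, modem_ip):
    """Validate the transfer net, then return config.xml text with the
    persistent <shellcmd> inserted right after <webgui> inside <system>."""
    root = ET.fromstring(config_xml)
    transfer = ipaddress.ip_interface(alias_cidr).network
    if ipaddress.ip_address(modem_ip) not in transfer:
        raise ValueError(f"modem {modem_ip} is not inside alias net {transfer}")
    for net in internal_subnets(root):
        if net.overlaps(transfer):
            raise ValueError(f"transfer net {transfer} overlaps internal {net}")
    system = root.find("system")
    webgui = system.find("webgui")
    cmd = ET.Element("shellcmd")
    cmd.text = f"ifconfig {wan_if} inet {alias_cidr} alias"
    cmd.tail = webgui.tail                      # keep the file's indentation
    system.insert(list(system).index(webgui) + 1, cmd)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(add_alias_shellcmd(SAMPLE_CONFIG, "sis0", "10.10.10.2/24", "10.10.10.1"))
```

Run it against your own downloaded config.xml instead of SAMPLE_CONFIG and restore the printed result with m0n0wall's restore function.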
Using PPPoE or PPTP for outside IP address
The problem with DSL or cable modems being used together with PPPoE or PPTP: m0n0wall - or rather the MPD that m0n0wall uses for PPPoE and PPTP connections - assigns a new interface called "ng0" as the WAN interface. When trying to access any network m0n0wall doesn't know about, it will go through its default gateway, tunneling the traffic via PPPoE or PPTP to your ISP's router. Your ISP isn't going to route traffic for private IPs back to your modem, so this doesn't work. What you have to do is route the traffic for the DSL or cable modem via your physical outside interface, and all other traffic via PPPoE or PPTP to your ISP's router.
The solution is based on configuring two outside interfaces: one for PPPoE or PPTP (called "ng0") and the other one (called "sis1") for the transfer net to the DSL or cable modem. Compared to a solution without PPPoE or PPTP, we have to assign IP addresses to two real interfaces and can't just add an alias to an existing one (see above). Because m0n0wall can't assign a physical interface more than once, you'll have to do this step manually.
For this example, the DSL modem has IP 10.10.10.1/24 and your m0n0wall will get an IP address out of subnet 10.10.10.0/24, too. Note - the modem cannot have an IP address that lies within any of your LAN or DMZ subnets. Our internal net will be 192.168.0.0/24.
Assume the WAN interface "sis1" is already correctly configured for PPPoE or PPTP.
Use the backup feature to download your config.xml, and open it in a text editor.
In between the <interfaces> and </interfaces> lines, look for the following:
<interfaces>
<lan>
<if>sis0</if>
<ipaddr>192.168.0.1</ipaddr>
<subnet>24</subnet>
</lan>
<wan>
<if>sis1</if>
<mtu>1492</mtu>
<spoofmac/>
<ipaddr>pppoe</ipaddr>
<blockpriv/>
</wan>
</interfaces>
Copy the LAN section and insert it at the end (before </interfaces>). Rename the new section to "opt1" (this depends on the number n of optional interfaces you already have; call it "opt(n+1)") and give it a good description, e.g. "OUT" would be fine. Replace the interface definition <if>sis0</if> with the name of the physical outside interface, "sis1". Add an IP address out of subnet 10.10.10.0/24 to the newly created OUT interface. In this example we use IP address 10.10.10.2, but it can be any IP address in the range from 10.10.10.2 to 10.10.10.254 (what a waste of IP addresses ;-)). Activate the new interface by adding <enable/>. The result should look like this:
<interfaces>
<lan>
<if>sis0</if>
<ipaddr>192.168.0.1</ipaddr>
<subnet>24</subnet>
</lan>
<wan>
<if>sis1</if>
<mtu>1492</mtu>
<spoofmac/>
<ipaddr>pppoe</ipaddr>
<blockpriv/>
</wan>
<opt1>
<descr>OUT</descr>
<if>sis1</if>
<ipaddr>10.10.10.2</ipaddr>
<subnet>24</subnet>
<enable/>
</opt1>
</interfaces>
Save the changes to the config.xml file, and use m0n0wall's restore function to restore this modified configuration. After the reboot, you'll have a new interface called "OUT".
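The copy, rename and edit step above, scripted as an added example (not m0n0wall's own tooling and not from the original page): it refuses to run unless the WAN section is PPPoE or PPTP (otherwise the alias method is the right one), clones <lan>, names the copy opt(n+1) from the number of opt sections already present, binds it to the WAN NIC, sets the transfer-net address and appends <enable/>. The config.xml fragment is a constructed sample matching the listing above.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed config.xml fragment (not a real backup) with the same layout
# as the listing above: LAN on sis0, WAN on sis1 running PPPoE.
SAMPLE_CONFIG = """<m0n0wall>
<interfaces>
<lan><if>sis0</if><ipaddr>192.168.0.1</ipaddr><subnet>24</subnet></lan>
<wan><if>sis1</if><mtu>1492</mtu><spoofmac/><ipaddr>pppoe</ipaddr><blockpriv/></wan>
</interfaces>
</m0n0wall>
"""


def next_opt_tag(interfaces):
    """Return opt1 if there are no optional interfaces yet, else opt(n+1)."""
    n = sum(1 for child in interfaces if child.tag.startswith("opt"))
    return f"opt{n + 1}"


def add_transfer_interface(config_xml, ip, subnet=24, descr="OUT"):
    """Clone <lan> into a new opt(n+1) section bound to the physical WAN NIC
    and return (new_tag, modified_xml)."""
    root = ET.fromstring(config_xml)
    interfaces = root.find("interfaces")
    wan = interfaces.find("wan")
    if wan.findtext("ipaddr") not in ("pppoe", "pptp"):
        raise ValueError("WAN is not PPPoE/PPTP; an ifconfig alias suffices")
    new = copy.deepcopy(interfaces.find("lan"))
    new.tag = next_opt_tag(interfaces)
    new.find("if").text = wan.findtext("if")   # e.g. sis1, the real outside NIC
    new.find("ipaddr").text = ip
    new.find("subnet").text = str(subnet)
    descr_el = ET.Element("descr")
    descr_el.text = descr
    new.insert(0, descr_el)                    # <descr> first, as in the listing
    if new.find("enable") is None:
        new.append(ET.Element("enable"))       # <enable/> activates the interface
    interfaces.append(new)                     # lands just before </interfaces>
    return new.tag, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    tag, xml_text = add_transfer_interface(SAMPLE_CONFIG, "10.10.10.2")
    print(tag)
    print(xml_text)
```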
If you take a look at the generated ruleset (ipfstat -no) you should see an entry like this one (it may not be rule number "@6" on your system; note the interface "sis1", or whatever your WAN interface is):
@6 pass out quick on sis1 from any to any keep state
Fine. All you now have to do is enable advanced outbound NAT and configure the NAT rules by hand. It isn't necessary to exclude the transfer net from NAT on the PPPoE interface, because it will never be routed to "ng0", so just create one rule for your LAN and another one for OUT.
So go to the Firewall -> NAT screen on m0n0wall. Click the Outbound tab and click the plus at the bottom of the screen.
First add a rule to replace m0n0wall's default NAT rule. Since we'll have to enable advanced Outbound NAT, we'll need to manually replace this rule. Source is your LAN subnet, destination is any, target is blank (so it uses the WAN IP), and fill in the description as you desire, then click Save.
Note - If you have more than one subnet on your network, for example if you have a second LAN interface, a routed network behind m0n0wall, or a DMZ interface with private IPs, you'll need to add another NAT rule to accommodate those subnets.
Click the plus button again, and now we'll add a NAT entry for accessing the modem.
Now your Outbound NAT screen will look something like this.
Check the "enable advanced outbound NAT" box and click Save.
You should now be able to access your modem from your LAN.