    Connect to Modem through Firewall (not using PPPoE)

    NAT
    scolby33:

      I have a cable modem with an internal web server on 192.168.2.1 that I would like to access from hosts inside the firewall. My internal subnets are all 10./ so there is no interference there. I found this guide, but my WAN interface is not connected with PPPoE, and instead gets its IP addresses via DHCP. I am not able to create an OPT interface on the same physical interface (in this case VLAN 4090 on mvneta0).

      Is this possible? What is the right approach here?

      viragomann (replying to @scolby33):

        @scolby33
        So in this case, you only have to add a virtual IP to the WAN within the modem's subnet, I guess 192.168.2.0/24.
        Then configure the NAT for this IP as described in the guide.

        scolby33:

          It's been a while, but I have an update on this. Like @viragomann suggested, I created the virtual IP and configured the NAT. I was then able to connect from the firewall to the modem, but not from within the LAN to the modem. I was confused by this and just decided to deal with it (using an SSH tunnel via the firewall when I needed to get to the modem page).

          Today I took another look and ran a packet capture comparing what happened when I performed a ping from the firewall to what happened when I pinged from a host on the LAN. I saw the packets from inside the LAN being translated to the virtual IP and being sent on to the modem's IP, but there were no replies. The packets from the firewall were being sent out with my public external IP and were receiving replies. If I specified the source address as the virtual IP, I saw the same behavior as from within the LAN: outgoing packets, but no replies.

          From this I surmise that the modem has some kind of smarts about how to route packets back down its ethernet interface when it receives them from the IP that it knows it has on the public internet. Simply removing the NAT rule has allowed me to access the modem from within the LAN at 192.168.2.1 with no issues.

          scolby33:

            I have encountered a flaw in my above configuration. When the modem is up and I have a public IP, I can access the modem at 192.168.2.1 from hosts inside the network. However, when my internet connection is down (I noticed this during a recent Comcast outage 😞), I cannot. It is still possible to access the address directly from the firewall, but not from a host going through the firewall.

            The current configuration is a "pass out quick to 192.168.2.1 on WAN" floating rule. (This is necessary because I have a "reject out quick to Private_Addresses on WAN" floating rule immediately following this one.)

            There is no virtual IP or special NATing for this at the moment.

            When the internet connection is up (and this configuration is working), I have a public IP address from my ISP. When the connection is down, the modem assigns the firewall an IP in 192.168.2.0/24 and then the configuration is not working.

            I tried some packet captures, and saw the packets from my internal host exiting the WAN interface, but no responses were returning. I'm not sure where this says they were being dropped.
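The two packet captures described in this thread (pinging the modem from the firewall versus from a LAN host, and the later capture during the outage) both come down to the same question: which source addresses get echo replies back from 192.168.2.1 and which do not. The script below is an added example, not code from the thread or from pfSense; it pairs ICMP echo requests with replies in tcpdump-style text by id/seq and reports the sources that never got an answer. The sample lines are constructed: 203.0.113.10 stands in for the public WAN address and 192.168.2.2 for an assumed virtual IP on the modem subnet.

```python
"""Pair ICMP echo requests with replies in a tcpdump-style capture and
report which source addresses the far end never answers."""
import re
from collections import defaultdict

# Constructed sample in tcpdump's default IPv4/ICMP line format (not the
# thread's real capture). 203.0.113.10 is a placeholder public WAN IP and
# 192.168.2.2 an assumed virtual IP on the modem's 192.168.2.0/24 subnet.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 203.0.113.10 > 192.168.2.1: ICMP echo request, id 100, seq 1, length 64
12:00:01.000900 IP 192.168.2.1 > 203.0.113.10: ICMP echo reply, id 100, seq 1, length 64
12:00:02.000100 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 200, seq 1, length 64
12:00:03.000100 IP 192.168.2.2 > 192.168.2.1: ICMP echo request, id 200, seq 2, length 64
12:00:04.000100 IP 192.168.2.2.51234 > 192.168.2.1.80: Flags [S], seq 1, win 65535, length 0
"""

# Matches only ICMP echo request/reply lines; everything else (the TCP SYN
# above, ARP, DHCP) is skipped.
ECHO_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_echoes(capture_text):
    """Yield (src, dst, kind, id, seq) for each ICMP echo line in the capture."""
    for line in capture_text.splitlines():
        m = ECHO_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"])


def summarize(capture_text):
    """Return {(src, dst): (requests_sent, requests_answered)}.

    A reply counts only if a request with the same id/seq was seen earlier
    in the opposite direction, so stray replies are not credited."""
    outstanding = set()            # (src, dst, id, seq) requests awaiting a reply
    sent = defaultdict(int)
    answered = defaultdict(int)
    for src, dst, kind, ident, seq in parse_echoes(capture_text):
        if kind == "request":
            sent[(src, dst)] += 1
            outstanding.add((src, dst, ident, seq))
        else:
            key = (dst, src, ident, seq)   # a reply travels the reverse direction
            if key in outstanding:
                outstanding.remove(key)
                answered[(dst, src)] += 1
    return {pair: (sent[pair], answered[pair]) for pair in sent}


def silent_sources(capture_text):
    """Source addresses whose echo requests were all left unanswered, i.e. the
    addresses the far end (here the modem) is not routing replies back to."""
    return sorted(
        src
        for (src, _dst), (n_sent, n_answered) in summarize(capture_text).items()
        if n_sent and n_answered == 0
    )


if __name__ == "__main__":
    for (src, dst), (n_sent, n_answered) in summarize(SAMPLE_CAPTURE).items():
        print(f"{src} -> {dst}: {n_answered}/{n_sent} echo requests answered")
    print("never answered:", silent_sources(SAMPLE_CAPTURE))
```

On the constructed sample the public address gets its reply and the virtual IP gets none, which is the pattern the second post describes; feeding it a real capture taken on the WAN interface (filtered to host 192.168.2.1) gives the same per-source breakdown without reading the lines by hand.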

            viragomann (replying to @scolby33):

              @scolby33
              I assume it's due to this:

              "When the connection is down, the modem assigns the firewall an IP in 192.168.2.0/24 and then the configuration is not working."

              If so, it might help to disable the modem's DHCP server, if that's possible at all.

              Otherwise you can block the server.
              To do so, find out the DHCP server's IP (is it 192.168.2.1?). You will find it in the DHCP log. Look for client entries.

              Then go to the WAN interface settings and enter its IP in "Reject leases from" box.

              tedly:

                Make sure you are allowing your WAN to talk to private IP space.

                Click on Interfaces, then on WAN, scroll down to the bottom for this:

                [screenshot: private_ip.png]

                If that's checked, you are going to have a hard time talking to the external non-routable IPs. This particular problem has tripped me up many times over the years when I forgot about it.
