Cannot access my Draytek Vigor 120 DSL Modem

Exolon · Jan 27, 2012, 11:05 PM

I'm stuck and I need a little bit of help!

Now that I've updated to pfSense v2 (and now updated to v2.01), I now cannot access my Draytek Vigor 120 DSL Modem using the redir package.

The instructions that I used for pfSense v1.2.3 were nice and simple:


pkg_add -r redir
rehash
ifconfig re0 192.168.1.10/24
redir --lport 8989 --cport 80 --caddr 192.168.1.1 &

I could then access my modem by using the following: http://192.168.3.1:8989

(192.168.3.1 being my LAN network address)

Now, the documentation talks about creating an Outbound NAT rule and this is where I'm stuck (or too stupid to understand!).

From the documentation http://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall:

On 2.0, a PPPoE WAN is actually assigned to a virtual PPPoE adapter, not the physical port. So the tricks above are not needed and the NAT portion will not work at all.

If you already added the IP alias, remove it. If you added the IP alias via the shellcmd trick above, remove it also.

Instead, under Interfaces > (assign), create a new OPT interface, and assign it to the physical network card that is on WAN. For example, if your WAN on the assignment page is "PPPOE0(fxp0)", choose fxp0, and Save your changes.

So, here is a screen shot of my OPT1 interface that I assigned to the physical port:

{Interface_Assign.jpg}

Go to Interfaces > (your new OPT interface), and enable the interface. Give it an IP address in the same subnet as your modem, such as 192.168.1.5/24 (For example, the same IP address suggested in for the alias in the previous instructions). Do not set a gateway. If you like, you can rename the interface to something like ModemAccess.

Here is a screen shot of the OPT1 interface enabled:

{Interface_OPT1_Enabled.jpg}

Add an Outbound NAT rule as described above but do NOT choose the WAN interface, choose your new OPT interface.

You should then be able to access the modem from LAN.

And here is the NAT Outbound:Edit:

{Firewall_NAT_Outbound_Edit.jpg}

So, what have I done wrong?

wallabybob · Jan 28, 2012, 12:24 AM

The rules look OK to me EXCEPT the NAT rule doesn't exactly mimic what you appear to have configured with redir in that it won't map access to port 8989 to port 80.

Does the modem respond to a ping?

What URL are you using to access the modem web server? What is reported when you attempt that access?

Note that after playing with firewall rules it is often necessary to reset firewall states; see Diagnostics -> States, Reset states tab

stephenw10 · Jan 28, 2012, 1:29 AM

I'm using that modem and I went with a third option that works like a charm but is a bit of a nasty hack. ;)
I don't want to confuse things but ask if you'd like know.

Steve

Exolon · Jan 28, 2012, 1:21 PM

@wallabybob,

Thanks, I uploaded the wrong screen dump of the NAT Outbound Edit, I've attached the proper screen dump:

{Firewall_NAT_Outbound_Edit.jpg}

I can ping both IP addresses (192.168.3.1 and 192.168.1.1):


C:\Users\Exolon>ping 192.168.3.1

Pinging 192.168.3.1 with 32 bytes of data:
Reply from 192.168.3.1: bytes=32 time<1ms TTL=64
Reply from 192.168.3.1: bytes=32 time<1ms TTL=64
Reply from 192.168.3.1: bytes=32 time<1ms TTL=64
Reply from 192.168.3.1: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.3.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\Exolon>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

When I try to access 192.168.3.1:8989 (or pfsense.home:8989) I get a "Problem loading page. The connection has timed out".

I've reset the State Table (Diagnostics -> States, Reset states), cleared the browser cache, but I still cannot access my modem!

@stephenw10,

It obviously doesn't take much to confuse me!

Option one; The easiest solution is to use the "redir" command, but this is just a "hack".
Option two; The NAT Outbound should work and is I guess what you should be using, but I've probably done something really simple and mucked it up, I would like to get this to work as it would help others.
Option three; your "nasty hack" won't do any harm, might as well throw this into the pot, I resurrected my Soekris 5501/70 to play with.

Thanks.

stephenw10 · Jan 28, 2012, 2:50 PM

OK, here goes. ;)

Explanation.
I didn't want to disable automatic outbound NAT as I felt that could confuse matters and everything else was working fine as it was.
pfSense distinguishes between only two types of interface, those with a gateway and those without, WAN and LAN for example. Excluding virtual and bridges etc!
When you add the extra interface and assign it to the physical NIC connected to the modem you are adding a LAN type as you haven't given it a gateway. Normally if you have two LAN interfaces you can happily access machines on each segment from the other directly via their address and pfSense routes traffic in between. The only reason you can't access the modem directly is that the modem has no route to send data back to you. This is because, unlike other LAN connected machines, the modem has a static IP and no gateway set. Therefore to make the modem accessible you just need to give it a route back to your machine.
Unfortunately there is no easy way to do this from the modem's web interface (in fact you could do it via the telnet interface but that's another topic!). So in order to give the modem a route I have simply given the modem a subnet mask that includes all my pfSense LAN interfaces. This is a bit of nasty way to do it but works like a charm. :)

What to do.
Assuming you are starting from scratch.
Assign the physical interface connected to the modem as a new pfSense interface and enable it.
Give it a static IP in the same subnet as the modem. Make sure it's a different subnet to any of your other interfaces.
Go into the modem setup webGUI (I connected it directly to a laptop to do this) and change the sub net mask to include your LAN interfaces, probably 255.255.0.0.
Done!

There's no need for any firewall rules as you are only ever going out of the new interface. You can leave outbound NAT set to automatic as you aren't NATing on that interface.

Steve

wallabybob · Jan 28, 2012, 9:30 PM

@stephenw10:

You can leave outbound NAT set to automatic as you aren't NATing on that interface.

Then Exolon would need to access the modem's web GUI on port 80 rather than 8989?

stephenw10 · Jan 29, 2012, 1:20 PM

Yes, I should have said you can then access the modem directly on it's IP. E.g: 192.168.0.1 or whatever you set your modem to.
Using port 8989 was only necessary when using port redirect.

Steve

Exolon · Jan 29, 2012, 7:12 PM

@stephenw10,

I'll have a look a the Draytek Web GUI, but I would like to get the NAT sorted out, I thought it would have been simple but something doesn't appear to be correct with my setup. My "old" Soekris is proving to be a temperamental little b'stard.

Thanks.

Exolon · Jan 29, 2012, 7:13 PM

Double post!

stephenw10 · Jan 30, 2012, 12:30 PM

Ok, reading back through this I think you have confused matters by trying to use port 8989. That was only relevant when you were using the port redirection method with 1.2.3.
You should leave the source and destination ports blank (any) in your NAT rule. You should then be able to connect to the modem with any service on any port e.g. ping, telnet, web (port 80) etc.

Steve

Exolon · Jan 31, 2012, 11:55 AM

@stephenw10,

I can now access my Draytek Vigor 120!!

I finally got my little Soekris box up and running and did a clean install of pfSense v2 and started testing, I then added an OPT1 interface and gave it the static IP address of 192.168.1.10 (same as before), this is the IP address that the DHCP server on the Draytek gives out.

I then added a NAT Outbound rule same as before, but this time with your suggestion of removing port 8989 on the LAN subnet and removing port 80 on the Draytek subnet.

I then entered the IP address 192.168.1.1 and (as if by magic) I can now access my modem!

Thanks to both yourselft and Wallabybob!

stephenw10 · Jan 31, 2012, 12:07 PM

Excellent! ;D
What firmware version are you running?
I tried out many until I settled on this. Seems quite stable.

Steve

Exolon · Jan 31, 2012, 12:33 PM

I've just checked on the DrayTek website and we are both running on the most up-to-date firmware:

stephenw10 · Jan 31, 2012, 12:54 PM

You would think that but I had some problems with mine. It wasn't running that firmware when I got it so I started looking into it and there are many to choose from. They are apparently optimised for different markets but it's hard to find any useful information.

See:```
ftp://ftp.draytek.com/Vigor120/Firmware/V3.2.4.4/


Steve

Exolon · Jan 31, 2012, 7:11 PM

I've updated my modem about three times and I've always gone for the firmware with 332201, I can't remember where I read this, but I'm sure this specific to the UK region and as you can see from the dates, it was at the end of 2010 that I last updated my modem.

stephenw10 · Jan 31, 2012, 8:19 PM

Mine started dropping the connection and occasionally locking up which was why I started trying other versions. I think I remember that there was a firmware optimised for bad line quality.
If it aint broke don't fix it! You look to have a good uptime on your modem too.

Steve

RobinGill · Feb 1, 2012, 5:41 PM

I tried the extra interface method last night. Rather than messing with rules, I just added the vigor as the default gateway for that extra NIC and it worked fine.