cannot access modem's config interface from LAN - Networking


  1. cannot access modem's config interface from LAN


    Hello,

    I have an adsl modem connected to a linux box which acts as a router.
    The router machine has three interfaces:
    eth1: 192.168.1.2, connected to the modem
    eth0: 192.168.0.1, the wired LAN (192.168.0.0/24) using a switch
    ath0: 192.168.5.1, the wireless lan (192.168.5.0/24)

    The modem's LAN ip address is 198.168.2.1. The modem is working in
    bridge mode and when a connection is established, ppp0 is formed on the
    router machine.

    The iptables script that I have on the router machine does the
    forwarding and nat. All works okay between the wired and wireless LAN
    and the internet and also within the wired and wireless LAN.

    The problem is that I can access the modem's web interface (on
    192.168.2.1) only from the router machine and not from any other LAN
    machine. Could somebody tell me what are the iptables rules needed to
    make this happen?

    Thanks,
    ->HS
    PS: It doesn't really matter much I guess, but this is on Debian
    Testing, running 2.6.18.


  2. Re: cannot access modem's config interface from LAN

    > I have an adsl modem connected to a linux box which acts as a router.
    > The router machine has three interfaces:
    > eth1: 192.168.1.2, connected to the modem
    > eth0: 192.168.0.1, the wired LAN (192.168.0.0/24) using a switch
    > ath0: 192.168.5.1, the wireless lan (192.168.5.0/24)


    > The modem's LAN ip address is 198.168.2.1. The modem is working in
    > bridge mode and when a connection is established, ppp0 is formed on the
    > router machine.


    > The iptables script that I have on the router machine does the
    > forwarding and nat. All works okay between the wired and wireless LAN
    > and the internet and also within the wired and wireless LAN.


    > The problem is that I can access the modem's web interface (on
    > 192.168.2.1) only from the router machine and not from any other LAN
    > machine. Could somebody tell me what are the iptables rules needed to
    > make this happen?


    I recently encountered the same situation.
    See http://forum.openwrt.org/viewtopic.php?id=13307 for the
    corresponding thread (my router is Linksys box running OpenWRT but
    that shouldn't make much difference).

    Basically, the problem is most likely that when a LAN machine wants to send
    a packet to the modem, it correctly sends it to the router, which
    correctly sends it to the modem but the modem then doesn't know how to
    send it back because it doesn't know that it can reach 192.168.[05].NN
    via your router. So you need to add a route on your modem.
    If you can't or don't want to do that, you can instead use NAT
    translation so your modem is tricked into thinking that all connections
    come from your router.

    A rule like

    iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.2

    on your router may do the trick. In my case it wasn't sufficient
    because OpenWRT's default iptable config disallows packets going from
    (the equivalent of) eth0->eth1 (it only allows them to go from
    eth0->ppp0), so I needed to add

    iptables -A FORWARD -i eth0 -j ACCEPT

    to get things to work.


    Stefan

  3. Re: cannot access modem's config interface from LAN

    Hello,

    H.S. wrote:
    >
    > I have an adsl modem connected to a linux box which acts as a router.
    > The router machine has three interfaces:
    > eth1: 192.168.1.2, connected to the modem
    > eth0: 192.168.0.1, the wired LAN (192.168.0.0/24) using a switch
    > ath0: 192.168.5.1, the wireless lan (192.168.5.0/24)
    >
    > The modem's LAN ip address is 198.168.2.1.
    > [...]
    > The problem is that I can access the modem's web interface (on
    > 192.168.2.1) only from the router machine


    This should not work, because the modem address 192.168.2.1 and the
    router's eth1 address 192.168.1.2 are not in the same IP subnet. The
    subnet mask would need to be at most /22 (192.168.0.0 to 192.168.3.255)
    but then it would overlap with the wired LAN 192.168.0.0/24 subnet on
    eth0 (192.168.0.0 to 192.168.0.255), which is bad.

  4. Re: cannot access modem's config interface from LAN

    Pascal Hambourg wrote:
    > Hello,
    >
    > H.S. wrote:
    >>
    >> I have an adsl modem connected to a linux box which acts as a router.
    >> The router machine has three interfaces:
    >> eth1: 192.168.1.2, connected to the modem
    >> eth0: 192.168.0.1, the wired LAN (192.168.0.0/24) using a switch
    >> ath0: 192.168.5.1, the wireless lan (192.168.5.0/24)
    >>
    >> The modem's LAN ip address is 198.168.2.1.
    >> [...]
    >> The problem is that I can access the modem's web interface (on
    >> 192.168.2.1) only from the router machine

    >
    > This should not work, because the modem address 192.168.2.1 and the
    > router's eth1 address 192.168.1.2 are not in the same IP subnet. The
    > subnet mask would need to be at most /22 (192.168.0.0 to 192.168.3.255)
    > but then it would overlap with the wired LAN 192.168.0.0/24 subnet on
    > eth0 (192.168.0.0 to 192.168.0.255), which is bad.


    Sorry, that was a typo. The modem's LAN address is 192.168.1.1. That is
    why my eth1 is given 192.168.1.x IP address.


    ->HS


  5. Re: cannot access modem's config interface from LAN

    H.S. wrote:

    > Hello,


    > I have an adsl modem connected to a linux box which acts as a router.
    > The router machine has three interfaces:
    > eth1: 192.168.1.2, connected to the modem
    > eth0: 192.168.0.1, the wired LAN (192.168.0.0/24) using a switch
    > ath0: 192.168.5.1, the wireless lan (192.168.5.0/24)


    > The modem's LAN ip address is 198.168.2.1. The modem is working in
    > bridge mode and when a connection is established, ppp0 is formed on the
    > router machine.


    > The iptables script that I have on the router machine does the
    > forwarding and nat. All works okay between the wired and wireless LAN
    > and the internet and also within the wired and wireless LAN.


    > The problem is that I can access the modem's web interface (on
    > 192.168.2.1) only from the router machine and not from any other LAN
    > machine. Could somebody tell me what are the iptables rules needed to
    > make this happen?


    That probably would depend on the firewall and the port for web
    access used by the firewall. Here to allow packets from any source
    to the usual web port it is basically

    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    ....
    $IPTABLES -N allowed
    ....
    $IPTABLES -A allowed -p TCP --syn -j ACCEPT
    $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A allowed -p TCP -j DROP
    ....
    $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed

    but you might want to restrict the packets' source to the LAN networks
    by using two rules with "-s 192.168.0.0/24" and "-s 192.168.5.0/24"
    in place of the last rule.

    --
    Clifford Kite
    /* Domain names are for water/carbon units that don't think in binary.
    --Allen Kistler */
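
An added example, not from any poster in this thread: a dry-run script that scopes the SNAT and FORWARD rules from post 2 to the modem's web interface only, with the LAN source restriction suggested in post 5. It assumes the modem address 192.168.1.1 given in post 4 and the web interface on TCP port 80; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example: scoped rules for reaching the modem's web UI from the LAN.
# Addresses are the ones given in the thread; the port is an assumption.
MODEM_IP="192.168.1.1"        # modem LAN address as corrected in post 4
ROUTER_WAN_IP="192.168.1.2"   # router's eth1 address
MODEM_IF="eth1"               # router interface facing the modem
MGMT_PORT="80"                # assumption: modem UI on the usual web port
# LAN interface:subnet pairs from the original post
LAN_NETS="eth0:192.168.0.0/24 ath0:192.168.5.0/24"

# Print the rule set, one iptables command per line.
modem_rules() {
    for pair in $LAN_NETS; do
        lan_if=${pair%%:*}
        lan_net=${pair#*:}
        # Forward only LAN -> modem web UI, not everything arriving from the LAN.
        echo "iptables -A FORWARD -i $lan_if -o $MODEM_IF -s $lan_net -d $MODEM_IP -p tcp --dport $MGMT_PORT -m state --state NEW,ESTABLISHED -j ACCEPT"
        # Rewrite the source so the modem can reply without a route to the LAN.
        echo "iptables -t nat -A POSTROUTING -o $MODEM_IF -s $lan_net -d $MODEM_IP -p tcp --dport $MGMT_PORT -j SNAT --to-source $ROUTER_WAN_IP"
    done
    # Replies from the modem's web UI back towards the LAN clients.
    echo "iptables -A FORWARD -i $MODEM_IF -s $MODEM_IP -p tcp --sport $MGMT_PORT -m state --state ESTABLISHED -j ACCEPT"
}

# Dry run by default; APPLY=1 executes the commands (requires root) and
# stops at the first rule that fails to load.
apply_modem_rules() {
    if [ "${APPLY:-0}" = "1" ]; then
        modem_rules | sh -e
    else
        modem_rules
    fi
}

apply_modem_rules
```

Review the printed rules first, then rerun with APPLY=1 as root; they must be placed ahead of any broader DROP rules in the FORWARD chain to take effect.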


  6. Re: cannot access modem's config interface from LAN

    Stefan Monnier wrote:
    >> I have an adsl modem connected to a linux box which acts as a router.
    >> The router machine has three interfaces:
    >> eth1: 192.168.1.2, connected to the modem
    >> eth0: 192.168.0.1, the wired LAN (192.168.0.0/24) using a switch
    >> ath0: 192.168.5.1, the wireless lan (192.168.5.0/24)

    >
    >> The modem's LAN ip address is 198.168.2.1. The modem is working in
    >> bridge mode and when a connection is established, ppp0 is formed on the
    >> router machine.

    >
    >> The iptables script that I have on the router machine does the
    >> forwarding and nat. All works okay between the wired and wireless LAN
    >> and the internet and also within the wired and wireless LAN.

    >
    >> The problem is that I can access the modem's web interface (on
    >> 192.168.2.1) only from the router machine and not from any other LAN
    >> machine. Could somebody tell me what are the iptables rules needed to
    >> make this happen?

    >
    > I recently encountered the same situation.
    > See http://forum.openwrt.org/viewtopic.php?id=13307 for the
    > corresponding thread (my router is Linksys box running OpenWRT but
    > that shouldn't make much difference).
    >
    > Basically, the problem is most likely that when a LAN machine wants to send
    > a packet to the modem, it correctly sends it to the router, which
    > correctly sends it to the modem but the modem then doesn't know how to
    > send it back because it doesn't know that it can reach 192.168.[05].NN
    > via your router. So you need to add a route on your modem.


    I just tried this and it worked. In that modem, there are two networks,
    192.168.1.0 and 192.168.2.0, for the wired and for the USB networks
    respectively. I added the route:
    Dest.        Netmask        NextHop      IF Name  RouteType  RouteOrigin
    192.168.0.0  255.255.255.0  192.168.1.2  eth-0    Indirect   Local

    And now it works.

    > If you can't or don't want to do that, you can instead use NAT
    > translation so your modem is tricked into thinking that all connections
    > come from your router.
    >
    > A rule like
    >
    > iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.2


    I tried this first actually but it didn't work. I probably will look
    into this further, since this appears to be my preferred method.

    thanks a ton,
    ->HS



    > on your router may do the trick. In my case it wasn't sufficient
    > because OpenWRT's default iptable config disallows packets going from
    > (the equivalent of) eth0->eth1 (it only allows them to go from
    > eth0->ppp0), so I needed to add
    >
    > iptables -A FORWARD -i eth0 -j ACCEPT
    >
    > to get things to work.
    >
    >
    > Stefan


  7. Re: cannot access modem's config interface from LAN

    Stefan Monnier wrote:
    >> I have an adsl modem connected to a linux box which acts as a router.
    >> The router machine has three interfaces:
    >> eth1: 192.168.1.2, connected to the modem
    >> eth0: 192.168.0.1, the wired LAN (192.168.0.0/24) using a switch
    >> ath0: 192.168.5.1, the wireless lan (192.168.5.0/24)

    >
    >> The modem's LAN ip address is 198.168.2.1. The modem is working in
    >> bridge mode and when a connection is established, ppp0 is formed on the
    >> router machine.

    >
    >> The iptables script that I have on the router machine does the
    >> forwarding and nat. All works okay between the wired and wireless LAN
    >> and the internet and also within the wired and wireless LAN.

    >
    >> The problem is that I can access the modem's web interface (on
    >> 192.168.2.1) only from the router machine and not from any other LAN
    >> machine. Could somebody tell me what are the iptables rules needed to
    >> make this happen?

    >
    > I recently encountered the same situation.
    > See http://forum.openwrt.org/viewtopic.php?id=13307 for the
    > corresponding thread (my router is Linksys box running OpenWRT but
    > that shouldn't make much difference).
    >
    > Basically, the problem is most likely that when a LAN machine wants to send
    > a packet to the modem, it correctly sends it to the router, which
    > correctly sends it to the modem but the modem then doesn't know how to
    > send it back because it doesn't know that it can reach 192.168.[05].NN
    > via your router. So you need to add a route on your modem.


    I replied earlier that the approach you gave below worked. But I was
    playing around with telnet on the modem and realized that the packets
    originating on the modem and destined for 192.168.[05].n will not be
    sent by the modem since it doesn't know what to do with that traffic (it
    knows only about 192.168.1.0 and 192.168.2.0 networks which are its LAN
    and USB networks). Am I correct? For this to work, the above method will
    have to be used, right?

    thanks,
    ->HS


    > If you can't or don't want to do that, you can instead use NAT
    > translation so your modem is tricked into thinking that all connections
    > come from your router.
    >
    > A rule like
    >
    > iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.2
    >
    > on your router may do the trick. In my case it wasn't sufficient
    > because OpenWRT's default iptable config disallows packets going from
    > (the equivalent of) eth0->eth1 (it only allows them to go from
    > eth0->ppp0), so I needed to add
    >
    > iptables -A FORWARD -i eth0 -j ACCEPT
    >
    > to get things to work.
    >
    > Stefan

