Access to dsl modem interface with a nat rule not possible

[SiD67]

Hi, I have a dsl internet connection with a fritzbox modem in bridge mode, so that my opnsense handles the dsl login.
I want to have access to the "modem" gui from my lan interface and found the following manual:
https://www.netgate.com/docs/pfsense/interfaces/accessing-modem-from-inside-firewall.html

The fritzbox has an emergency ip 169.254.1.1/16. So i setup a new opt interface on the same physical interface as my pppoe connection with ip 169.254.1.2/16.
And also switches from automatic outbound nat to hybrid nat (I also tried manual nat, but it doesn´t work either) and created the rule as in the manuel.

I can ping the modem from opnsense, but any connection from my lan is not possible.

Anyone with a working configuration for this and can help me?

[SiD67]

Here are the other 2 attachments.

As source address i tried any and my local lan subnet, both didn´t work

[marjohn56]

Strange way of doing it, allowing access to the modem GUI from the WAN? Not too secure that.


I have used Frizbox's in Bridge mode, not using one currently though but the principle is the same. If set correctly then one of the other LAN ports on the Fritzbox should be accessible by the normal management address, i.e. 192.168.*.*


The easiest method is to set that management address to an address that is in your own LAN range and just patch it in to your LAN, then you can access it.


Mine is like this.

[SiD67]

Hi, thanks for you reply.

As for my understanding this isn´t insecure because it is not avaiable from public wan. Modem access interface just uses the same phsysical port as opnsense uses for the wan bridge, but the real wan connection is on a virtual ppoe interface.

I just followed the manual from pfsense and thought this would work.

At first I had the same configuration as you posted, fritzbox was connected also to the lan with a different lan port. But I don´t like this config because fritzbox is still scanning the whole lan for devices and I don´t trust fritzbox very much, so I think if the fritzbox is hacked, the hacker is simply able to attack devices on my lan.

So I tried to put this fritzbox "management port" into a vlan with my switch and created a new vlan interface on opnsense with rules to be able to access the fritzbox gui. This works fine from opnsense itself, I could ping access web etc., but I was not able to access the gui from my pc.

It seems that fritzbox is only allowing connections to the gui from the network itself configured on the fritzbox. Maybe it is also a problem that the fritzbox don´t know how to route back.
But it is not possible to configure routes for this manually on fbox and also I didn´t find an option to disable restrictions to access the fbox gui.

[marjohn56]

OK, well I have two Fritzbox units sitting on the shelf as that's what my ISP supplies, it's safe to say I don't like them either therefore I use a Billion as my modem. 

[schnipp]

The way you have chosen in your first post is almost right. But leave the NAT configuration in its default state, you don't need an additional NAT rule. Check the following:

1. Block private networks/Block bogon networks in the config of the physical interface.
2. Check whether the fritzbox has a default route to the physical interface
3. What is the client IP which accesses the fritzbox?


By the way, my well working setup is:

ISP <--> Fritzbox 7412 <--> Opnsense <--> Fritzbox 7490

Fritzbox 7412: guest WLAN and PPPoE forwarding
Fritzbox 7490: WLAN access point for Intranet

[schnipp]

Mine is like this.

Not a very good idea.

• A vulnerability in the modem can help an attacker to bypass your Opnsense
• How does the modem handle incoming malicious non pppoe packets?

[marjohn56]

There is no route from the ISP side to the LAN. When the WAN is bridged, the LAN specified LAN port is is removed from the LAN side bridge. May not work on a Fritzbox, but it works fine on a Billion.

[schnipp]

There is no route from the ISP side to the LAN. When the WAN is bridged, the LAN specified LAN port is is removed from the LAN side bridge. May not work on a Fritzbox, but it works fine on a Billion.

That's true in case there is no exposed endpoint at wan interface layers below the bridged protocol layer and no weaknesses in the firmware. Many DSL modems and routers are "cheap" boxes with often outdated firmware. I don't trust them.