2023-11-11 Initial tutorial published
~
This is similar to another tutorial on the subject, but it is going to use virtual IPs rather than an additional WAN interface to accomplish the task at hand. For the original tutorial and inspiration see here: https://forum.opnsense.org/index.php?topic=33497.0
Who is this for? OPNsense only accepts Ethernet as the physical connection for your WAN.
If your ISP is using older VDSL protocols to connect you to the internet, you will need another device (modem) which you'll need to configure. Usually this is a spare router you have lying around which you will dumb down and run in bridged mode. Physically you plug an RJ11 line from the wall to the modem for ADSL/VDSL, and then plug an Ethernet cable from the bridged modem to the router's WAN port. This way your router performs all the handshaking with your ISP, and the modem only worries about protocol translation between VDSL and Ethernet.
This arrangement works fine, but you lose access to the modem GUI, which is very annoying. The modem is behind the WAN port, and its management IP is not accessible, since the WAN port is busy connecting you to the internet. Should you wish to consult the modem GUI to have a look at your sync rate, well, you can't. You would need to pull the modem out of its position, reset it to defaults and then connect it to a PC sitting on your desk. What a pain.
Solution: OPNsense does have a solution, which is a little complex though it only uses a couple of configuration lines, hence this tutorial. Once you get your head around some of the key concepts it is very gratifying, as it teaches you quite a bit about networking... so worth giving it a go in my opinion.
The nature of the solution is to use your physical WAN link to run 2 x different networks. Network 1 is your normal WAN, and network 2 is a small subnet we create to talk directly to the modem. We use a virtual IP address as a means to create this second network. Piece of cake. Read on...
There are 4 x steps in this tutorial, as follows. We will show each step in some detail... so please stop stressing.
- Configure your modem's GUI IP address
- Create a virtual IP address
- Configure Outbound NAT to direct traffic to the modem over the wan link
- Firewall rule to allow flow between your LAN and the new subnet targeting your modem
IP addressing:
Before we start let me say I will be using a set of addresses that suit my personal situation. I don't like using standard addressing schemes as these are constantly being probed for security flaws. For this tutorial please adapt IP addressing schemes to suit your own installation.
LAN
192.168.92.1/24 mask 255.255.255.0 (254 usable ip addresses)
Modem network - A tiny subnet is created to connect opnsense to the modem via its own subnet.
192.168.5.1/30 mask 255.255.255.252
- 4 x addresses of which only 2 are usable
- 192.168.5.0 - network id
- 192.168.5.3 - Broadcast
- 192.168.5.1 - usable address pointing to the modem
- 192.168.5.2 - usable address pointing to the vip
Hardware:
I use a 4 x port Qotom box for my OPNsense platform.
I use a DrayTek Vigor 130 router/modem. Turn off DHCP and set it into bridged mode.
Step 1: Setup modem
I put the modem into bridge mode.
(https://i.postimg.cc/p92dFBmv/vigor1.png) (https://postimg.cc/p92dFBmv)
Assign it an IP address of 192.168.5.1/30 (note the subnet mask ending in 252).
(https://i.postimg.cc/Mn0THLKt/vigor2.png) (https://postimg.cc/Mn0THLKt)
Step 2: Create the VIP
In OPNsense navigate to: Interfaces -> Virtual IPs -> Settings, and add a new VIP like this. Make sure to tunnel it via the physical WAN interface.
I give the VIP an IP address of 192.168.5.2.
(https://i.postimg.cc/y3JxNYkS/opn1.png) (https://postimg.cc/y3JxNYkS)
Step 3: Outbound NAT
In OPNsense I need a way to shuffle all traffic bound for the modem subnet via the WAN physical interface. Outbound NAT is your friend here.
Navigate to Firewall -> NAT -> Outbound, and create a rule which looks like this:
(https://i.postimg.cc/YhrdqdB7/opn2.png) (https://postimg.cc/YhrdqdB7)
Step 4: Firewall
Since in OPNsense all subnets are configured to reject traffic by default, we need to specifically open up traffic from LAN to the modem subnet. I use a simple firewall rule to achieve this.
Navigate to Firewall -> Rules -> Floating, and add a rule like this:
(https://i.postimg.cc/LYy7Tj2G/opn3.png) (https://postimg.cc/LYy7Tj2G)
Time to test this config... fire up a web page, and enter the modem GUI address:
(https://i.postimg.cc/4YGfD1bc/opn4.png) (https://postimg.cc/4YGfD1bc)
Job done....
For extra credit you can try some of the following ideas....
If you run a reverse proxy, best to use it rather than trying to remember a pesky IP address. I added an entry to my reverse proxy, and can access the modem GUI with my domain... e.g. modem.mydomain.net. Nice one....
When starting out... you may wish to point your VIP at the existing subnet defined in your modem. Otherwise you cannot get to the modem without pulling it out and resetting it to defaults. Once you have the scheme working you can configure your modem in a more exact way.
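The addressing section of the post spells out why a /30 has only two usable addresses and why the modem IP and the VIP must both be inside it. The following script is an added example (not part of the original post or of OPNsense) that checks an addressing plan for exactly the mistakes this thread runs into: an endpoint landing on the network id or broadcast address, the modem subnet overlapping the LAN or another local network (a VPN tunnel network is included as an assumed extra entry), and the RFC 1918 status that matters for any "block private networks" rule on the modem-facing interface. The plan values are the tutorial's; the `other_local` entry is constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plan using the tutorial's values. The "other_local"
# entry (a VPN tunnel network) is an assumption added for this example.
PLAN = {
    "lan": "192.168.92.1/24",
    "modem_subnet": "192.168.5.0/30",
    "modem_ip": "192.168.5.1",
    "vip": "192.168.5.2",
    "other_local": {"wireguard": "10.10.10.0/24"},
}


def subnet_summary(cidr):
    """Network id, broadcast and usable hosts of a subnet (the /30 breakdown above)."""
    net = ip_network(cidr, strict=False)
    return {
        "network_id": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable": [str(h) for h in net.hosts()],
        "total": net.num_addresses,
    }


def check_plan(plan):
    """Return (problems, warnings); an empty problems list means the plan is consistent."""
    problems, warnings = [], []
    modem_net = ip_network(plan["modem_subnet"], strict=False)
    modem_ip = ip_address(plan["modem_ip"])
    vip = ip_address(plan["vip"])

    # Both endpoints must be usable host addresses inside the modem subnet.
    for label, addr in (("modem IP", modem_ip), ("VIP", vip)):
        if addr not in modem_net:
            problems.append(f"{label} {addr} is outside {modem_net}")
        elif addr == modem_net.network_address:
            problems.append(f"{label} {addr} is the network id")
        elif addr == modem_net.broadcast_address:
            problems.append(f"{label} {addr} is the broadcast address")
    if modem_ip == vip:
        problems.append("modem IP and VIP are identical")

    # The modem subnet must not overlap any other local network, otherwise
    # traffic for the modem is routed towards the overlapping network instead.
    local_nets = {"LAN": plan["lan"], **plan.get("other_local", {})}
    for name, cidr in local_nets.items():
        other = ip_network(cidr, strict=False)
        if modem_net.overlaps(other):
            problems.append(f"modem subnet {modem_net} overlaps {name} {other}")

    # Not an error, but a private modem subnet is exactly what a
    # "block private networks" rule on the modem-facing interface drops.
    if modem_net.is_private:
        warnings.append(f"{modem_net} is RFC 1918: a private-network block on "
                        "the modem-facing interface will drop this traffic")
    return problems, warnings


if __name__ == "__main__":
    print(subnet_summary(PLAN["modem_subnet"]))
    for line in check_plan(PLAN)[0] or ["plan OK"]:
        print(line)
```

Running it on the tutorial's plan reports no problems and one RFC 1918 warning; pointing the assumed WireGuard network at 192.168.5.0/24 reproduces the overlap reported later in the thread.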
Great guide, thanks!
Question: from the modem standpoint, my Vigor 166 port is configured with a subnet of /24, would this create any issues?
Tia.
no issues.
My vigor was originally 192.168.5.1/24 and worked fine in this scenario. This is actually desirable at first, since you can't really manage the modem until you have the scheme working. Best to use your existing /24 subnet, and then adapt later once you got things working.
I chose to narrow the size of the network with /30, so as to minimise the threat surface.
By the way, I have 2 x modems, since lightning strikes are famous for blowing modems out of the water. Can always keep your spare modem on your desk, configure it, and then when ready place it into your network.
So, I'm following your guide but with no success :(
This is my config:
1) Modem IP address = 192.168.2.1/24 (DHCP disabled)
2) OPNsense LAN = 192.168.0.1/24
3) VIP = 192.168.2.2/24 (on WAN interface)
4) Outbound NAT attached
5) Floating rule attached
And I've also attached what I see in Firewall -> Live View.
Any help would be much appreciated.
Thanks.
your setup looks clean to me.... Mystery however abounds....
A couple of things to try...
- On your WAN interface, uncheck "Block local networks" (at least temporarily)
- ping 2.1 and 2.2 (from 0.7), what do you get ?
- perhaps post modem setup, can be some wacky modem setup thing that interferes - try to dumb down as much as possible.
- might help to post vip setup too
- Are you getting an error or is there just lack of connectivity ?
Quote from: bucky2780 on November 17, 2023, 09:08:50 PM
- On your WAN interface, uncheck "Block local networks" (at least temporarily)
Will try when nobody is connected or they will 'kill' me ;D
Quote from: bucky2780 on November 17, 2023, 09:08:50 PM
- ping 2.1 and 2.2 (from 0.7), what do you get ?
request timed out
Quote from: bucky2780 on November 17, 2023, 09:08:50 PM
- might help to post vip setup too
attached - what about the gateway?
Quote from: bucky2780 on November 17, 2023, 09:08:50 PM
- Are you getting an error or is there just lack of connectivity ?
lack of connectivity
I strongly suspect the first item... since it generates a firewall rule by default disallowing the 192.x.x.x ip addresses from reaching the wan interface.
I have this ticked atm, and it still works. I suspect because the floating rule is being assessed first.
Go ahead... put it in temporarily... they will never know. :)
I really appreciate your patience/help, but I clearly don't know what I'm doing wrong; it just doesn't work for me :-\
I got it working by having an additional interface on top of the WAN interface and a NAT rule - so I'm wondering if that method is less 'secure' than the VIP one or it's basically the same, and if so I'll probably move on 8)
Many thanks!
The tutorial is fine, however, it should be noted that for some ONTs, it will just not work because they disable IP access when PON is activated. That is: You can only access the device without GPON attached. Thus, it may seem that this method does not work when in fact it would - somehow.
This is true for the whole range of Nokia/Alcatel G-010G-x series (https://hack-gpon.org/ont-nokia-g-010g-q/), for example.
And two more notes:
1. You can achieve the same effect as with a VIP by using the "Alias IPv4 address" if you use DHCP configuration for your WAN. The translation target for the outbound NAT rule must be specified manually in this case.
2. Be careful if you have a blocking rule to not leak RFC1918 "out" your WAN connection. I stumbled over this when all pings to the modem network failed with: "ping: sendto: Permission denied". You will have to explicitly allow outbound traffic to your modem.
Just to add something to this.
Many users have to set up a VLAN for PPPoE to their ISP. In my case it's VLAN 7 and it's my WAN interface. The hardware interface is usually not assigned and not up.
That means: if you follow this tutorial, it won't work, as it would bind the VIP to VLAN 7. Therefore the connection will obviously fail, as the modem does not have its management traffic encapsulated in VLAN 7.
To fix it:
1. Interface - Assignments: Add the physical device. For instance igc3. Give a name like "modem-mgmt" and hit save.
2. Under interfaces, choose the new interface "modem-mgmt" and enable the interface. You can select block private and bogon as well. No need to add an IP Address or anything else.
3. create the VIP as usual, pointing to that Interface.
4. create the NAT rule with the same interface.
5. Create the floating rule.
Notes: Due to security concerns, it makes absolute sense to allow really only what is needed (e.g. TCP, HTTPS), for both the rule and the NAT. And you might want to limit it to your workstation for later configuration. From my perspective there is no need to open the whole LAN subnet, or allow protocols and ports which are unnecessary.
Thanks @bucky2780 for your HowTo
Trying to get this running but I suspect I made a mistake.
My LAN client is in x.x.100.0
I'm pretty sure the IP of my modem is x.x.11.2
so I created a VIP x.x.11.1
but I can't get access to the modem...
The problem is I can't even verify the IP of the modem...
Is there any chance to check that easily?
I was pretty sure as well I set up the LAN2 on the DrayTek Vigor 167, but didn't write that down and now forgot...
Just thinking about it... as it should be in bridge mode, is there any bigger issue with just factory resetting it, setting the IP again and putting it in bridge mode again? Did I forget anything?
More often than not, those IPs tend to end in .1, not .2.
I know but I had an old interface named Modem which had the .1
Seems like I tried something in the past and then gave up :D
@meyerguru: I just connected the modem directly to a notebook which was manually set to x.x.11.5 --> immediate access to the modem
found out the IP definitely is x.x.11.2
Any idea why the connection from LAN still wouldn't work?
From a client I can ping the x.x.11.1 but not the .2
First try to ping the device from the OPNsense CLI itself.
If that works - without the possibility to add a back route from the modem - you need a working NAT rule. How that must be done depends largely on your WAN setup (i.e. DHCP / VLAN / PPPoE), but essentially has to be done via a manual NAT rule that is prioritized higher than automatic rules from the LAN network on the interface that the modem is connected to and with exactly the VIP address.
This rule potentially does not use the WAN link, but its underlying interface, e.g. in the case of PPPoE.
Quote from: meyergru on October 14, 2025, 05:44:27 PM
First try to ping the device from the OPNsense CLI itself.
Gotcha, of course it doesn't work :D no route to host
Quote
If that works - without the possibility to add a back route from the modem - you need a working NAT rule. How that must be done depends largely on your WAN setup (i.e. DHCP / VLAN / PPPoE), but essentially has to be done via a manual NAT rule that is prioritized higher than automatic rules from the LAN network on the interface that the modem is connected to and with exactly the VIP address.
I use PPPoE and the Vigor 167 modem is in bridge mode.
Does that mean I can't use the hybrid rules and instead have to set up the automatic rules manually but then order them under the new one for that modem access?
Anything that could be set up in the modem to make my life easier?
Quote
This rule potentially does not use the WAN link, but its underlying interface, e.g. in the case of PPPoE.
Is that an automatic thing or do I need to create a MODEM interface on igc1 and use that instead?
Quote from: cottec on October 14, 2025, 08:17:59 PM
Gotcha, of course it doesn't work :D no route to host
So, there is no route (as expected), but no correct NAT, either.
Quote from: cottec on October 14, 2025, 08:17:59 PM
I use PPPoE and the Vigor 167 modem is in bridge mode.
Does that mean I can't use the hybrid rules and instead have to set up the automatic rules manually but then order them under the new one for that modem access?
Anything that could be set up in the modem to make my life easier?
Is that an automatic thing or do I need to create a MODEM interface on igc1 and use that instead?
You need a MODEM interface. You can even give that an IP directly, because normally, it does not have one - no need for a VIP. In fact, remove it, wherever you have put that. Do not forget to disable "block RFC1918 IPs" on the MODEM interface.
After having created this, you should be able to ping the modem IP from the OPNsense CLI.
Afterward, you need a NAT rule from your LAN. Use hybrid rules, with "manual rules before automatic rules" and create one rule for the MODEM interface.
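The two replies above insist that the manual outbound NAT rule for the modem must be prioritized above the automatic rules, and that it must translate to exactly the VIP. The reason is that pf applies the first matching translation rule and ignores the rest, so when the modem rule shares an interface with the automatic LAN-to-anywhere rule (the tutorial's case of a VIP on the WAN interface), whichever comes first decides what source address the modem sees. The script below is an added example, not OPNsense code or anything meyergru posted: it models that first-match behaviour with a constructed rule set. The interface name, LAN subnet, VIP and the documentation-range WAN address are assumptions chosen to match the thread's values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class NatRule:
    interface: str      # interface the rule is bound to
    source: str         # CIDR the packet's source must fall in
    destination: str    # CIDR the packet's destination must fall in ("0.0.0.0/0" = any)
    translate_to: str   # source address after translation
    origin: str         # "manual" or "automatic"


def first_match(rules, interface, src, dst):
    """pf translation rules: the first rule that matches is applied, later ones are skipped."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if (rule.interface == interface
                and s in ip_network(rule.source)
                and d in ip_network(rule.destination)):
            return rule
    return None


# Constructed rule set (assumptions for this example, not exported from OPNsense).
IFACE = "igc3"                      # physical NIC the modem hangs off
LAN = "192.168.92.0/24"
WAN_IP = "203.0.113.10"             # documentation address standing in for the ISP-assigned IP
VIP = "192.168.5.2"
MODEM_NET = "192.168.5.0/30"
AUTOMATIC = NatRule(IFACE, LAN, "0.0.0.0/0", WAN_IP, "automatic")  # LAN -> anywhere, NAT to WAN IP
MANUAL = NatRule(IFACE, LAN, MODEM_NET, VIP, "manual")             # LAN -> modem, NAT to VIP


def source_seen_by_modem(rule_order, client="192.168.92.50", modem="192.168.5.1"):
    """Source address the modem sees when a LAN client opens its GUI, for a given rule order."""
    rule = first_match(rule_order, IFACE, client, modem)
    return rule.translate_to if rule else None


def manual_before_automatic():
    # Hybrid mode with "manual rules before automatic rules": the modem rule wins.
    return source_seen_by_modem([MANUAL, AUTOMATIC])


def automatic_before_manual():
    # Automatic rule first: it matches LAN -> any, so the modem rule is never reached.
    return source_seen_by_modem([AUTOMATIC, MANUAL])


if __name__ == "__main__":
    print("manual first   ->", manual_before_automatic())   # VIP, an on-link address the modem can answer
    print("automatic first ->", automatic_before_manual())  # WAN IP, which the modem has no way to reach
```

With the manual rule first the modem sees 192.168.5.2 and can reply on its own subnet; with the automatic rule first it sees the WAN address and the session dies silently, which matches the "no route to host, but no correct NAT either" diagnosis above. With PPPoE the automatic rules sit on the PPPoE interface instead of the physical one, so the collision does not occur there, which is why the separate MODEM interface works without reordering.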
argh sorry, made a really dumb mistake here...
My wireguard was configured to x.x.10.x as well ...
I now put the modem into another one and it just worked.... :)
Should I switch back to the VIP configuration or doesn't it matter at all?
You only need a VIP if the interface itself needs other IP ranges for WAN connectivity. With PPPoE, the underlying physical interface normally needs no IP, so you can just configure it directly on the interface. With a pure static or DHCP connection on WAN without any VLAN, you must use a VIP, because in that case, the WAN IP plus the modem access IP will be needed.
Understood, thanks!
Is it advisable to disable the Interface and only activate it if there's something to check on the modem?
No.