OPNsense Forum

English Forums => 24.7, 24.10 Legacy Series => Topic started by: meganie on August 18, 2024, 07:07:03 PM

Title: Access modem (Zyxel FWA710) behind firewall
Post by: meganie on August 18, 2024, 07:07:03 PM
Hello,
I have a Multi WAN setup with a DSL connection and a Zyxel FWA710 5G Router.
I would like to be able to reach the GUI of the 5G router from my LAN. The Router is in IP Passthrough mode (https://support.zyxel.eu/hc/en-us/articles/360021412820-NR7101-FWA710-How-to-set-bridge-mode-cellular-IP-passthrough) so I see the public IP in OPNsense.
I've read some other forum posts about this topic and added an outbound NAT rule + disabled the "Block private networks" option on WAN_5G without success.
Maybe you can point me in the right direction. I've included screenshots of the interfaces, my outbound NAT rules and the Zyxel router.
Title: Re: Access modem (Zyxel FWA710) behind firewall
Post by: doktornotor on August 18, 2024, 07:27:15 PM
Cannot see anything meaningful / useful on the outbound NAT screenshots. Maybe this forum sucks with picture attachments.
Title: Re: Access modem (Zyxel FWA710) behind firewall
Post by: Patrick M. Hausen on August 18, 2024, 07:30:24 PM
Quote from: doktornotor on August 18, 2024, 07:27:15 PM
Cannot see anything meaningful / useful on the outbound NAT screenshots. Maybe this forum sucks with picture attachments.
If you click on them they will zoom to full size.
Title: Re: Access modem (Zyxel FWA710) behind firewall
Post by: doktornotor on August 18, 2024, 07:33:39 PM
Quote from: Patrick M. Hausen on August 18, 2024, 07:30:24 PM
Quote from: doktornotor on August 18, 2024, 07:27:15 PM
Cannot see anything meaningful / useful on the outbound NAT screenshots. Maybe this forum sucks with picture attachments.
If you click on them they will zoom to full size.

The last one does. With some scrollbar ::). The outbound NAT does not. Anyway, downloaded it locally, that doesn't look correct. Destination should be the subnet where the router is, not *.
Title: Re: Access modem (Zyxel FWA710) behind firewall
Post by: Patrick M. Hausen on August 18, 2024, 07:35:25 PM
But * should not make a difference. Outbound NAT with an explicit interface set is limited to packets leaving via that interface. Which they supposedly do. I'd use tcpdump to debug this.
Title: Re: Access modem (Zyxel FWA710) behind firewall
Post by: meganie on August 18, 2024, 08:03:46 PM
Quote from: doktornotor on August 18, 2024, 07:33:39 PM
Anyway, downloaded it locally, that doesn't look correct. Destination should be the subnet where the router is, not *.

Got that from here: https://forum.opnsense.org/index.php?topic=12094.msg55483#msg55483
But changed it now without a difference.

Quote from: Patrick M. Hausen on August 18, 2024, 07:35:25 PM
But * should not make a difference. Outbound NAT with an explicit interface set is limited to packets leaving via that interface. Which they supposedly do. I'd use tcpdump to debug this.

I have a Packet Capture if that helps. I have no experience with tcpdump.

ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 12208, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.178.11.65529 > 192.168.1.1.443: Flags [S], cksum 0xf38d (correct), seq 3800393721, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

Title: Re: Access modem (Zyxel FWA710) behind firewall
Post by: meganie on August 22, 2024, 01:44:00 PM
I was able to get this working with a static route to 192.168.1.0/24 via the gateway.
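
Added example, not code from the thread or from OPNsense: a Python check that reads tcpdump text output and separates the cases discussed above (source not translated, translated but unanswered, answered, or nothing leaving on that interface, which points at routing rather than NAT). It assumes the capture was taken on the modem-facing interface, which the thread does not state for the posted packet, and that the LAN is 192.168.178.0/24; `diagnose` and the sample constants are hypothetical names.

```python
import ipaddress
import re

# Address/flags part of `tcpdump -n` output; matches both the one-line form
# and the indented second line of the verbose form posted in the thread.
PKT = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: Flags \[([^\]]+)\]"
)

# Defaults: modem subnet from the thread; the LAN /24 is an assumption
# inferred from the source address in the posted packet.
def diagnose(capture_text, modem_net="192.168.1.0/24", lan_net="192.168.178.0/24"):
    """Classify a capture ASSUMED to be taken on the modem-facing interface."""
    modem = ipaddress.ip_network(modem_net)
    lan = ipaddress.ip_network(lan_net)
    untranslated = translated = replies = 0
    for src, dst, flags in PKT.findall(capture_text):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if flags == "S" and dst in modem:
            if src in lan:
                untranslated += 1   # SYN left with its LAN source address
            else:
                translated += 1     # SYN left with a rewritten source
        elif flags == "S." and src in modem:
            replies += 1            # SYN-ACK coming back from the modem
    if replies:
        return "reply_seen"
    if untranslated:
        return "nat_not_applied"
    if translated:
        return "no_reply_from_modem"
    return "no_traffic_on_interface"    # packets leave elsewhere: check routing

# The packet posted in the thread (addresses and flags only).
THREAD_CAPTURE = "192.168.178.11.65529 > 192.168.1.1.443: Flags [S], seq 3800393721, length 0"
# Constructed samples; 203.0.113.10 stands in for the WAN_5G address.
TRANSLATED = "203.0.113.10.40001 > 192.168.1.1.443: Flags [S], seq 1, length 0"
ANSWERED = TRANSLATED + "\n192.168.1.1.443 > 203.0.113.10.40001: Flags [S.], seq 9, ack 2, length 0"

if __name__ == "__main__":
    for name, text in [("thread", THREAD_CAPTURE), ("translated", TRANSLATED),
                       ("answered", ANSWERED), ("empty", "")]:
        print(name, "->", diagnose(text))
```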