OPNsense – Accessing ONT / Modem Management Interfaces (Complete Guide)I know that there are existing guides to do this, like this (https://forum.opnsense.org/index.php?topic=36936.0), yet those threads have become quite cluttered.
This guide does not want to take away from these efforts, rather expand them for a complex edge case that warrants a new guide, so here goes:
Basic RequirementsFirst off, there are some basic requirements for this to work:
- You must not block RFC1918 IPs on the OPNsense interface connected to the ONT for obvious reasons.
- Your ONT's (or modem's) management IP must be outside of any of your local networks, including remote VPN sites. This is why you should never use some well-known network ranges that ONTs often use (also covered here (https://forum.opnsense.org/index.php?topic=47099)).
- Some ONTs shut off management access once they establish internet access (i.e., O5 state). Nokia ONTs only react to ARP, but neither ICMP nor IP access works once connected on the fiber side.
- You most probably need outbound NAT to access the ONT because it is statically configured and does not have a default gateway. By using NAT, the translated IP the ONT sees lies inside its own local network, so it can respond correctly. You could theoretically install a route via OPNsense instead, but that does not work for all ONTs. Outbound NAT is the more general solution.
- You need a firewall rule allowing access from your management client(s) to your ONT's management IP.
In what follows, I assume 192.168.100.1 is the ONT management IP and 192.168.100.2/24 is the OPNsense interface IP. Adjust as needed for your setup.Important warning: Some providers (e.g., Deutsche Glasfaser) block your internet access for a few minutes if they detect traffic to RFC1918 or BOGON IPs outside your networks.
- This can happen if devices (Fritzboxes, IoT devices) attempt to reach hardcoded RFC1918 IPs that are not local.
- Such traffic goes out via your ISP router and triggers provider protections.
You cannot simply block RFC1918 on the WAN interface because it violates requirement a).I like to have an "out" rule on the WAN interface to suppress traffic to RFC1918 destinations, but that is not so easy sometimes...
Two Main CasesYou have two separate cases if you want to enable ONT (or modem) access:
Easy Case: WAN interface ≠ ONT interface
You have the actual WAN interface on a separate interface than your ONT.
This applies if your WAN uses either a VLAN, PPPoE, or both.
In this case, you can assign the ONT interface to the management subnet, because the interface is not being used otherwise.
So, you simply configure the ONT interface like this:
2026-02-03 11_39_28-[ONT] _ [LOCAL_VLANS] _ Interfaces _ OPNsense.mgsoft — Mozilla Firefox.png
This is the outbound NAT rule (you can use it via manual or hybrid NAT):
outbound_nat.png
Now for the question on how to block WAN traffic for RFC1918 destinations - this is easy in this case, because the rule applies to WAN only (and not to ONT):
2026-02-03 13_32_39-WAN _ Rules _ Firewall _ OPNsense.mgsoft — Mozilla Firefox.png
And lastly, the firewall rule to allow management clients to access your ONT (in case your LAN does not have an "allow any" rule):
2026-02-03 11_34_33-LAN _ Rules _ Firewall _ OPNsense.mgsoft — Mozilla Firefox.png
Complex Case: WAN interface = ONT interface
This is when your WAN interface is the same as the management interface (often via DHCP).
You must assign a second IP in addition to the DHCP address, using a Virtual IP.
Now for the question on how to block WAN traffic for RFC1918 destinations.
Apparent solution: Use an "out" firewall rule to block all RFC1918 traffic, but create exceptions for your ONT network.
Allow "out" quick from any to 192.168.100.0/24
Block "out" quick from any to RFC1918
This will pass outbound packets, but replies may not return unless Disable reply-to is enabled, because the resulting rules in /tmp/rules.debug would show:Quotepass in quick on igc3 reply-to ( igc3 100.87.0.1 ) inet from {any} to {192.168.100.0/24} keep state # Allow ONT access
block out log quick on igc3 reply-to ( igc3 100.87.0.1 ) inet from {any} to $RFC1918 # Never expose internal IPs
Correct approach: Enable
Disable reply-to in the advanced rule options for both allow and block rules:
Allow "out" quick from any to 192.168.100.0/24 with disable reply-to
Block "out" quick from any to RFC1918 with disable reply-to
Another method: exclude the ONT network from the RFC1918 block.
Note: You cannot use an exception in the RFC1918 alias. You must manually list all subnets except the ONT subnet. On the other hand, you need no "disable-reply-to" in your (single) rule.
Example alias "RFC1918_WITHOUT_ONT":
10.0.0.0/8
172.16.0.0/12
192.168.0.0/18
192.168.64.0/19
192.168.96.0/22
192.168.101.0/24
192.168.102.0/23
192.168.104.0/21
192.168.112.0/20
192.168.128.0/17
Them use the new alias in your block rule:
Block "out" quick from any to RFC1918_WITHOUT_ONT
Actual steps with screendumpsSo, to configure for the complex case, first create the virtual IP:
2026-02-03 12_29_31-Settings _ Virtual IPs _ Interfaces _ OPNsense.jmg — Mozilla Firefox.png
Do not forget the outbound NAT rule (you cannot use "Interface address" for the NAT address because of the virtual IP):
outbound_nat2.png
Again, you can use either hybrid or manual mode for this.
Also, unlike in the easy case, you cannot use "ONT net" with a virtual IP in your client access rule:
2026-02-03 12_42_16-LAN _ Rules _ Firewall _ OPNsense.mgsoft — Mozilla Firefox.png
The first (pass) rule discussed above will look like this:
2026-02-03 12_53_01-WAN _ Rules _ Firewall _ OPNsense.jmg — Mozilla Firefox.png
The second (block) rule is this and it has to be placed after the pass rule:
2026-02-03 12_56_50-WAN _ Rules _ Firewall _ OPNsense.jmg — Mozilla Firefox.png
The alternative method uses just a single block rule with a modified alias instead of the two rules:
2026-02-03 13_05_10-Aliases _ Firewall _ OPNsense.jmg — Mozilla Firefox.png
and no advanced options (i.e. no explicit disable-reply-to):
2026-02-03 13_00_45-WAN _ Rules _ Firewall _ OPNsense.jmg — Mozilla Firefox.png
placeholder
placeholder
There's another and - in my opinion - better approach for preventing traffic with private destination addresses from being routed to the ISP:
Create null routes for all private address space. This will blackhole all private destination networks for which no higher priority routes exist. No firewall rules needed.
null routes.png
And if your ONT has 192.168.100.1, I would configure OPNsense with 192.168.100.2/30 (not /24).
Cheers
Maurice
Quote from: Maurice on Today at 05:21:48 PMCreate null routes for all private address space. This will blackhole all private destination networks for which no higher priority routes exist. No firewall rules needed.
W00t! Good old Cisco IOS memories ...
Definitely going to implement this. Thanks!
I thought that's how everyone does it everywhere anyway. Assumptions... 😅
Cisco IOS has a Null interface - the idea to do it on OPNsense with Loopback did not occur to me.