Tutorial 2023-11 Bridge Modem access - using VIPs

Started by bucky2780, November 11, 2023, 11:14:57 AM

Quote from: meyergru on October 14, 2025, 05:44:27 PM
First try to ping the device from OPNsense CLI itself.
Gotcha, of course it doesn't work :D no route to host

Quote
If that works - without the possibility to add a back route from the modem - you need a working NAT rule. How that must be done depends largely on your WAN setup (i.e. DHCP / VLAN / PPPoE), but essentially has to be done via a manual NAT rule that is prioritized higher than automatic rules from the LAN network on the interface that the modem is connected to and with exactly the VIP address.
I use PPPoE and the Vigor 167 modem is in bridge mode.
Does that mean I can't use the hybrid rules and instead have to set up the automatic rules manually but then order them under the new one for that modem access?
Anything that could be set up in the modem to make my life easier?

Quote
This rule potentially does not use the WAN link, but its underlying interface, e.g. in the case of PPPoE.
Is that an automatic thing or do I need to create like MODEM Interface on igc1 and use that instead?

October 14, 2025, 09:26:36 PM #16 Last Edit: October 14, 2025, 09:33:35 PM by meyergru
Quote from: cottec on October 14, 2025, 08:17:59 PM
Gotcha, of course it doesn't work :D no route to host

So, there is no route (as expected), but no correct NAT, either.

Quote from: cottec on October 14, 2025, 08:17:59 PM
I use PPPoE and the Vigor 167 modem is in bridge mode.
Does that mean I can't use the hybrid rules and instead have to set up the automatic rules manually but then order them under the new one for that modem access?
Anything that could be set up in the modem to make my life easier?

Is that an automatic thing or do I need to create like MODEM Interface on igc1 and use that instead?

You need a MODEM interface. You can even give that an IP directly, because normally, it does not have one - no need for a VIP. In fact, remove it, wherever you have put that. Do not forget to disable "block RFC1918 IPs" on the MODEM interface.

After having created this, you should be able to ping the modem IP from OPNsense CLI.

Afterward, you need a NAT rule from your LAN. Use hybrid rules, with "manual rules before automatic rules" and create one rule for the MODEM interface.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Argh, sorry, made a really dumb mistake here...
My WireGuard was configured to x.x.10.x as well...


I now put the modem into another one and it just worked.... :)

Should I switch back to VIP configuration or doesn't it matter at all?

You only need a VIP if the interface itself needs other IP ranges for WAN connectivity. With PPPoE, the underlying physical interface normally needs no IP, so you can just configure it directly on the interface. With a pure static or DHCP connection on WAN without any VLAN, you must use a VIP, because in that case, the WAN IP plus the modem access IP will be needed.

Understood, thanks!
Is it advisable to disable the Interface and only activate it if there's something to check on the modem?

No.