Outbound NAT to access WebUI of DSL Modem

techvic · March 22, 2025, 10:20:52 AM

I have an OPNsense with the following setup:

LAN Network: 192.168.71.0/24
WAN Side: Zyxel DSL modem, PPPoE connection handled by OPNsense
DSL Modem: IP address 192.168.100.1

I want to access the WebUI of the DSL modem from my LAN, which has the IP address 192.168.100.1. To achieve this, I created an additional interface on the OPNsense on the same physical Ethernet port and assigned the IP address 192.168.100.2 to the OPNsense.

Steps Taken So Far:

Interface Configuration:

An interface named DSL-Modemconf with the IP address 192.168.100.2/24 was created.

Firewall Rules:

An any-to-any rule is configured on the LAN interface.
Outbound NAT Rule:

An outbound NAT rule was configured to translate traffic from 192.168.71.0/24 to the IP address 192.168.100.1 to the IP address 192.168.100.2.
Routing Table:

The routing table shows the route 192.168.100.0/24 on the interface DSL-Modemconf.

Ping Tests:

Ping from the OPNsense with the source IP 192.168.100.2 works.
Ping from the OPNsense with the source IP 192.168.71.1 does not work.

Firewall Logs:

No blocked packets in the firewall logs.

ARP Table:

The ARP entry for 192.168.100.1 shows the correct MAC address of the modem.

NAT Reflection:

Reflection for port forwards, Reflection for 1:1, and Automatic outbound NAT for Reflection have been enabled.

Question: Why can't I access the WebUI of the DSL modem from my LAN, even though the NAT rule and firewall rules are correctly configured and no packets are being blocked?

I recently switched from pfSense to OPNsense and had this exact setup working with pfSense, and now I'm at a loss.

patient0 · March 22, 2025, 10:39:21 AM

Quote from: techvic on March 22, 2025, 10:20:52 AMAn any-to-any rule is configured on the LAN interface.

No firewall rules and no blocked traffic on the DSL-Modemconf interface?

Maybe [Tutorial] Bridged Modem Access Guide is of help?

techvic · March 22, 2025, 11:01:05 AM

The traffic is always initiated from the LAN-side, so it shouldn't require a rule on the DSL-Modemconf-Interface, however, I already put an any-rule there too for testing

patient0 · March 22, 2025, 11:58:29 AM

QuoteAn outbound NAT rule was configured to translate traffic from 192.168.71.0/24 to the IP address 192.168.100.1 to the IP address 192.168.100.2

You configured an outbound NAT rule on the DSL-Modemconf-Interface interface with source LAN subnet, destination 192.168.100.0/24 and Translation/target set to Interface address? And set the oubound NAT mode to 'Hybrid ...'? Then it really should work, yes.

A package capture on the DSL-Modemconf-Interface could give some inside.

techvic · March 22, 2025, 12:03:42 PM

damn, I mistakenly had the NAT outbound rule on the LAN interface. I checked the rule a thousand times and never noticed that. Thanks for you hint!

patient0 · March 22, 2025, 12:13:18 PM

Glad it got sorted.

Outbound NAT to access WebUI of DSL Modem

techvic

March 22, 2025, 10:20:52 AM

patient0

March 22, 2025, 10:39:21 AM #1

techvic

March 22, 2025, 11:01:05 AM #2

patient0

March 22, 2025, 11:58:29 AM #3

techvic

March 22, 2025, 12:03:42 PM #4

patient0

March 22, 2025, 12:13:18 PM #5