Can anyone reach their cable modem through OpnSense?

[jds]

I recently replaced my DOCSIS 3.0 cable model with DOCSIS 3.1 (Arris) modem, and the performance
actually got worse.  I wanted to look at the GUI for the modem and search for errors.  The only way to
do this was by plugging an ethernet cable from my laptop into the second port on the modem, and then
I could reach the modem at 192.168.100.1.  However, it would be better if I could just reach the cable
modem from my LAN.  I found a couple of posts on this for pfsense:

https://docs.netgate.com/pfsense/en/latest/interfaces/accessing-modem-from-inside-firewall.html
https://superuser.com/questions/1243134/how-do-i-reach-the-modem-settings-page-from-inside-firewall

but nothing on the forum, or online for OPNsense.

There are just a few steps, but I get hung up on the earliest one, assuming that something analogous would work for OPNsense. Namely, how to "create a new OPT interface, and assign it to the physical network card that is on WAN" ?  If I go to Interface -> Assignments, I could add a new interface, but it has to be attached to a NIC
different from the WAN.  I can do that, and go edit to try to assign it to the same NIC, but OPNsense complains.
I am guessing that it needs a bridge ?  But I am lost.

Can anyone point me in the right direction? Thanks.
 

[chemlud]

Interesting question! I never tried, but have the setup running with a DSL modem. Problem is: there is a PPPoE interface configured with DSL, but not with cabel modem (DHCP), where the physical interface is directly assiged to the WAN interface...   

Have you tried to simply NAT outbound the modems IP to WAN?

[jds]

Yes, I did try that in fact. I just checked again, but I may be making a mistake:
I added a NAT outbound rule with WAN interface.  For protocol, source address,
source port, and destination port, I left as "any".  For Destination Address, I added
192.168.100.0/24 (also tried 192.168.100.1). For translation target, I tried both
"interface address" and the specific web gui address.  I also moved this rule to the
top of the list, to make sure that my VPN rules did not get in the way.

[chemlud]

... but there is no other 192.168.100.0/xy in your local/remote (VPN) LAN's?

[jds]

No, the rest of the LAN is on 192.168.1.0

[cguilford]

Yeah I've noticed this as well.  Not sure why but can't seem to access the modem through opnsense.. I've done some tinkering and never made any headway.  It would be nice to have this, but never could figure out without disconnecting opn and connecting a laptop directly to the modem to access the cable modem these days.  I have the an e31u2v1 from Spectrum.

[chemlud]

"Block private networks" on WAN? The modems IP is allowed on LAN firewall rules? Might be that in the setup of the modem the concurrent use of the private address has to be configured?

[cguilford]

I think the problem is the Modem is set to ONLY allow connections from a 192.168.100.x ip (as you have to hardcode a 192.168.100.x IP to the Laptop/device connecting to the modem) and since opnsense at least not that I can see allows us to create another "virtual" interface and assign it to the wan with a 192.168.100.x ip for routing it doesn't allow us to connect.

[jds]

Neither can I see a way to create a virtual interface in OPNsense.
However, I don't believe that the first part is correct.  I recall being
able to connect to the cable modem when there was only my
router between it and the LAN, which is on 192.168.1.0. Also, the
instructions online for this modem say that should be the case.

There is an interesting comment on the pfsense page that would seem
to apply here too:

Some DSL or cable modems have web interfaces on private IP addresses. Since these sit outside the firewall and don’t have a public IP, accessing them isn’t as straight forward as it might seem. The firewall is typically assigned a public IP, and sends all outbound traffic upstream to the ISP. The ISP won’t route the private subnet back to the modem, leaving it unreachable. This page describes the work around needed to access the management interface on the modem from the inside of the network.

Note: The modem’s management IP must be on a different IP subnet than the internal network. If it is not, attempts to connect to it will never go to the firewall to be routed out to the modem, as hosts on the internal network would try to connect to it on the local network and fail.

[bartjsmit]

What about running Squid on OPNsense? That would set the source IP for the traffic to the firewall 192.168.100.x address.

Bart...

[jds]

Don't know much about squid.  Do you mean under Services->Web Proxy ?
I have used that only for blacklists.  How would you set that up? 

[RickNY]

Ive always been able to access my modem's 192.168.100.1 address from the LAN through my OPNSense box.. These have included Arris TM802, Arris TM1602, Motorola SB6183, and now Netgear CM600.. The "block private networks" thing I believe only blocks incoming connections from source addresses that are RFC1918 on the WAN interface.

I do have a default IPv4 LAN outgoing rule that allows anything from "LAN Net" to go to ANY..  Have you tried adding in a LAN rule that allows anything from "LAN Net" to go to 192.168.100.1 if you dont already have an allow all outgoing rule?

[jds]

I do have a LAN interface rule that allows anything from LAN Net to go to ANY, but do not have any similar
NAT outbound rules.  Probably more relevant, I send everything out through a VPN. So, I added a rule to
the OpenVPNClient interface that allows any source to go to 192.168.100.1 on any port, and moved this rule
to the top.  But it still gave no access to the modem.

[Charles2019]

Yes I'm able to reach my cable modem through OPNSense.

[chemlud]

Yes I'm able to reach my cable modem through OPNSense.

How? :-D

PS: OK, I added an outbound NAT rule for the network my cable modem is running its web interface on, inserted the IP in the browser and was there. As I suggested in the beginning. ;-)