Outbound NAT to access WebUI of DSL Modem

Started by techvic, March 22, 2025, 10:20:52 AM

I have an OPNsense with the following setup:

LAN Network: 192.168.71.0/24
WAN Side: Zyxel DSL modem, PPPoE connection handled by OPNsense
DSL Modem: IP address 192.168.100.1

I want to access the WebUI of the DSL modem (IP address 192.168.100.1) from my LAN. To achieve this, I created an additional interface on the OPNsense on the same physical Ethernet port and assigned it the IP address 192.168.100.2.

Steps Taken So Far:

Interface Configuration:

An interface named DSL-Modemconf with the IP address 192.168.100.2/24 was created.

Firewall Rules:

An any-to-any rule is configured on the LAN interface.
Outbound NAT Rule:

An outbound NAT rule was configured to translate traffic from 192.168.71.0/24 destined for 192.168.100.1 so that it leaves with the source address 192.168.100.2.
Routing Table:

The routing table shows the route 192.168.100.0/24 on the interface DSL-Modemconf.

Ping Tests:

Ping from the OPNsense with the source IP 192.168.100.2 works.
Ping from the OPNsense with the source IP 192.168.71.1 does not work.

Firewall Logs:

No blocked packets in the firewall logs.

ARP Table:

The ARP entry for 192.168.100.1 shows the correct MAC address of the modem.

NAT Reflection:

Reflection for port forwards, Reflection for 1:1, and Automatic outbound NAT for Reflection have been enabled.

Question: Why can't I access the WebUI of the DSL modem from my LAN, even though the NAT rule and firewall rules are correctly configured and no packets are being blocked?

I recently switched from pfSense to OPNsense and had this exact setup working with pfSense, and now I'm at a loss.


Quote from: techvic on March 22, 2025, 10:20:52 AM
An any-to-any rule is configured on the LAN interface.
No firewall rules and no blocked traffic on the DSL-Modemconf interface?


Maybe [Tutorial] Bridged Modem Access Guide is of help?
Deciso DEC740

The traffic is always initiated from the LAN side, so it shouldn't require a rule on the DSL-Modemconf interface; however, I already put an any rule there too for testing.

Quote:
An outbound NAT rule was configured to translate traffic from 192.168.71.0/24 to the IP address 192.168.100.1 to the IP address 192.168.100.2

You configured an outbound NAT rule on the DSL-Modemconf interface with source LAN subnet, destination 192.168.100.0/24 and Translation/target set to Interface address? And set the outbound NAT mode to 'Hybrid ...'? Then it really should work, yes.

A packet capture on the DSL-Modemconf interface could give some insight.
Deciso DEC740

Damn, I mistakenly had the outbound NAT rule on the LAN interface. I checked the rule a thousand times and never noticed that. Thanks for your hint!


May 03, 2025, 11:11:17 AM #6 Last Edit: May 03, 2025, 11:58:39 AM by dave79
I am trying to do the same thing and I have fallen at the first hurdle.

@techvic Could you explain how you added the new interface? Do you mean a virtual IP? I checked the assignments page, but I am not able to add another WAN assignment:



I would very much appreciate it if you could add some screenshots of the settings you changed so I can replicate :)

It should be noted that I am not using OPNsense hardware; I am not sure if this is the reason?

Thanks

Whether you need an interface or a VIP depends on how your WAN connection is set up.

  • If you have DHCP on WAN, you will need a VIP.
  • If you have PPPoE over VLAN, then your ISP modem will be accessible on the parent interface of your PPPoE WAN interface and you can configure it with an IP. This seems to be the case for @techvic.
  • If you have PPPoE directly on the ethernet interface without a VLAN, you should also need a VIP - but IDK if that really works.

In each case, you will need outbound NAT rules on the modem interface to use an address for the modem's IP range.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Thanks for the help. My WAN IP is assigned by DHCP in OPNsense.

So far I have done this:

Virtual IP:



Outbound NAT:



LAN Firewall Rule:



I am still unable to ping or reach the modem though, what am I doing wrong?

(apologies, the last image is a bit naff because I had to zoom right out in the browser to take a screenshot)

May 03, 2025, 03:08:17 PM #9 Last Edit: May 03, 2025, 03:57:45 PM by meyergru
Looks right apart from one thing: The "Translation / target" IP must not be the interface address (which would be your WAN IP), but the VIP, which is the only one your modem could successfully reply to.

Oh, and BTW: see this remark.

P.S.: Do not "Block private networks" on the WAN interface.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: dave79 on May 03, 2025, 02:36:13 PM
My WAN IP is assigned by DHCP in OPNsense.
Then you don't have to do anything for reaching your modem. Show all your WAN-rules, maybe you are blocking private IPs.

May 04, 2025, 09:14:10 AM #11 Last Edit: May 04, 2025, 11:00:04 AM by dave79
I have corrected the translation target:




Block private networks on WAN was indeed checked, but now unchecked.

Still no access so here are my WAN firewall rules:



Edit: Not sure why but firewall image seems to have been reduced in size, here's a direct link: https://ibb.co/YgM2rX5

In terms of the interface being available, I didn't think of that but I am fairly sure it's still active as the ISP says it's still possible to login to the web UI to put back in router mode as opposed to resetting it. They say the IP is 192.168.0.1 in router mode and 192.168.100.1 in modem mode.

Edit2: Just in case I'm trying to flog a dead horse here, I double checked that the interface is available by connecting a laptop, and I can get to the web UI on 192.168.100.1.

Also, it might be worth mentioning here for anyone else in my situation, I have the Virgin Media SuperHub 5, when in modem mode it must be the last thing turned on as it locks the MAC of the device on the 2.5G port 4 (the only working port). So if you change a device like plugging in a laptop you must connect it powered on and reboot the hub. You can't hot swap.

May 04, 2025, 11:54:16 AM #12 Last Edit: May 04, 2025, 11:58:59 AM by meyergru
IDK if that translation target is actually correct. It should be /32, but it is easier to select the line with your VIP definition - the entry will look different.

You should probably try first to ping the IP from OPNsense itself before trying to NAT from your LAN. I had a problem with that because of an outbound block rule for RFC1918 giving "ping: sendto: Permission denied".
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Ok, I changed the subnet to /32 in the VIP config, then selected the entry in the outbound NAT page = no ping on 100.1 or 100.2.

Then I disabled the outbound NAT rule and tried again = no ping on 100.1 or 100.2

Then I deleted the VIP (bearing in mind I have now unchecked blocked private networks in WAN) = no ping on 100.1.

Surely this should be accessible somehow if it's available when connecting just a laptop?

You misunderstood: Not /32 in the VIP config - in the NAT translation target. Outbound NAT is translating a full network (LAN) to one specific IP (/32), not to a network (/24). And that can be achieved by using the specific VIP entry in the dropdown for the NAT translation target, instead of specifying it directly.

However, just as I said: First get the VIP working locally on the WAN as described in the guide. It should result in a 192.168.100.2/24 address on your WAN. This would look as follows:

# ifconfig
...
igc3: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: WAN (wan)
        options=4802728<VLAN_MTU,JUMBO_MTU,TSO4,TSO6,LRO,WOL_MAGIC,HWSTATS,MEXTPG>
        ether 00:44:69:54:6d:88
        inet 100.66.90.157 netmask 0xffff0000 broadcast 100.66.255.255
        inet 192.168.100.2 netmask 0xffffff00 broadcast 192.168.100.255
...

Then try to ping 192.168.100.1. It should work without NAT from OPNsense, unless your firewall blocks it. Then add the NAT rules to make the modem accessible from your LAN.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
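As an added example (not code from this thread and not OPNsense's own code), here is a small Python checker that reads outbound NAT rules in the form `pfctl -sn` prints them on an OPNsense box and flags the three mistakes that came up above: the rule bound to LAN instead of the modem-side interface (techvic's post), a translation target of "Interface address", i.e. the WAN IP the modem cannot answer (meyergru's reply to dave79), and a translation target that is a network rather than one /32 address (the /32 remark). The interface names igc1 (LAN) and igc3 (WAN/modem side), the WAN address and the pfctl excerpts are constructed for the example; the LAN, modem and VIP addresses follow the thread.

```python
"""Check OPNsense outbound NAT rules that are meant to reach a bridged modem.

Added example; not code from this thread or from OPNsense. It parses the rule
text that `pfctl -sn` prints and flags the mistakes discussed in the thread.
Interface names (igc1 = LAN, igc3 = WAN/modem side), the WAN address and the
pfctl excerpts below are constructed for the example.
"""
import ipaddress
import re

# One outbound NAT rule as pfctl -sn prints it, e.g.
#   nat on igc3 inet from 192.168.71.0/24 to 192.168.100.0/24 -> 192.168.100.2 port 1024:65535
NAT_RE = re.compile(
    r"^nat on (?P<iface>\S+)\s+(?:inet6?\s+)?"
    r"from (?P<src>\S+)\s+to (?P<dst>\S+)\s+->\s+(?P<target>\S+)"
)


def parse_nat_rules(pfctl_output):
    """Return every 'nat on ...' rule found in pfctl -sn text as a dict."""
    rules = []
    for line in pfctl_output.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def _as_network(spec):
    """pf address spec -> ip_network; None for tables/aliases this check does not model."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    try:
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return None  # e.g. <table> or (lan:network)


def expected_rule(lan_net, modem_net, modem_iface, vip):
    """The rule the GUI should end up generating: LAN -> modem net, on the modem-side interface, source = VIP."""
    return f"nat on {modem_iface} inet from {lan_net} to {modem_net} -> {vip}"


def check_modem_nat(pfctl_output, lan_net, modem_net, modem_iface, vip, wan_ip):
    """Return a list of (code, message) findings; an empty list means the rule set looks right."""
    lan = ipaddress.ip_network(lan_net)
    modem = ipaddress.ip_network(modem_net)
    vip_addr = ipaddress.ip_address(vip)
    wan_addr = ipaddress.ip_address(wan_ip)
    findings = []
    matched = False
    for r in parse_nat_rules(pfctl_output):
        src, dst = _as_network(r["src"]), _as_network(r["dst"])
        if src is None or dst is None:
            continue
        if src.version != lan.version or dst.version != modem.version:
            continue
        # Only rules covering LAN -> modem network; the general "to any" uplink rule is left alone.
        if not (lan.subnet_of(src) and dst.subnet_of(modem)):
            continue
        matched = True
        if r["iface"] != modem_iface:
            findings.append(("wrong-interface",
                f"rule is bound to {r['iface']}; outbound NAT for the modem must be on {modem_iface}"))
        target = r["target"]
        if target.startswith("("):
            findings.append(("target-interface-address",
                f"target {target} is the interface address (the WAN IP); the modem can only reply to the VIP {vip}"))
        elif "/" in target and not target.endswith("/32"):
            findings.append(("target-network",
                f"target {target} is a network; outbound NAT needs one /32 address, select the VIP entry"))
        else:
            addr = ipaddress.ip_address(target.split("/")[0])
            if addr == wan_addr:
                findings.append(("target-wan-address", f"target {target} is the WAN address; use the VIP {vip}"))
            elif addr != vip_addr:
                findings.append(("target-other", f"target {target} is neither the VIP {vip} nor the WAN address; check the VIP definition"))
    if not matched:
        findings.append(("missing",
            f"no outbound NAT rule translates {lan_net} -> {modem_net}; expected: {expected_rule(lan_net, modem_net, modem_iface, vip)}"))
    return findings


# Constructed pfctl -sn excerpts reproducing the thread's mistakes (not real captures).
LAN, MODEM_NET, MODEM_IFACE, VIP, WAN_IP = "192.168.71.0/24", "192.168.100.0/24", "igc3", "192.168.100.2", "100.66.90.157"
UPLINK = "nat on pppoe0 inet from 192.168.71.0/24 to any -> (pppoe0:0) port 1024:65535\n"
SAMPLES = {
    # techvic: rule created on LAN (igc1) instead of the modem-side interface
    "rule_on_lan": UPLINK + "nat on igc1 inet from 192.168.71.0/24 to 192.168.100.1 -> 192.168.100.2 port 1024:65535\n",
    # dave79: translation target left at "Interface address", i.e. the DHCP WAN IP
    "target_iface_addr": "nat on igc3 inet from 192.168.71.0/24 to 192.168.100.0/24 -> (igc3:0) port 1024:65535\n",
    # translation target typed as a /24 instead of selecting the VIP (/32)
    "target_network": "nat on igc3 inet from 192.168.71.0/24 to 192.168.100.0/24 -> 192.168.100.0/24 port 1024:65535\n",
    # what the working configuration looks like
    "correct": UPLINK + "nat on igc3 inet from 192.168.71.0/24 to 192.168.100.0/24 -> 192.168.100.2 port 1024:65535\n",
}


def audit_samples():
    """Map sample name -> list of finding codes."""
    return {name: [code for code, _ in check_modem_nat(text, LAN, MODEM_NET, MODEM_IFACE, VIP, WAN_IP)]
            for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"== {name}")
        for code, msg in check_modem_nat(text, LAN, MODEM_NET, MODEM_IFACE, VIP, WAN_IP) or [("ok", "no findings")]:
            print(f"  [{code}] {msg}")
```

On a real box, paste the output of `pfctl -sn` from the OPNsense shell into `check_modem_nat` with your own LAN network, modem network, modem-side interface name and VIP. Before worrying about NAT at all, do what meyergru suggests and confirm the VIP itself works with `ping -S 192.168.100.2 192.168.100.1` from the OPNsense shell (FreeBSD's ping takes the source address with -S); if that fails, no outbound NAT rule will help.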