Accessing a CPE/Modem from Inside the Firewall

Most end-user Customer Premise Equipment (CPE) devices like cable or DSL modems have a web interfaces on a private IP address. Since these sit outside the firewall and do not typically have a public IP address, accessing them isn’t as straight forward as it might seem. The firewall is typically assigned a public IP, and sends all outbound traffic upstream to the ISP. The ISP won’t route the private subnet back to the modem, leaving it unreachable. This page describes the work around needed to access the management interface on the modem from the inside of the network.


The CPE management IP address must be on a different IP subnet than the internal network. If it is not, attempts to connect to it will never go to the firewall to be routed out to the modem, as hosts on the internal network would try to connect to it on the local network and fail.

Configure a new Interface

A PPPoE WAN is actually assigned to a virtual PPPoE adapter, not the physical port.

  • Navigate to Interfaces > Assignments

  • Set Available network ports: to the physical network card for the PPPoE WAN

    For example, if the WAN is PPPOE0(ix3), choose ix3.

  • Click fa-plus Add to assign this port as a new OPT interface

  • Navigate to Interfaces > (new OPT interface)

  • Configure the settings as follows:




    ModemAccess or a similar useful name.

    IPv4 Configuration Type:


    IPv4 Address:

    Configure an IP address in the same subnet as the modem, such as

    IPv4 Upstream Gateway:


    Do not set a gateway.

  • Click Save

  • Click Apply Changes

Configure NAT

Now NAT needs to be configured to translate traffic destined to the modem to the new interface. This is necessary so the modem sees the traffic sourced from an IP on its local subnet. Without this NAT, it would be necessary to configure a route on the modem so it knows how to reach the internal subnet. With some modems this isn’t possible, and in most cases it’s easier to NAT the traffic so routing isn’t a concern.

To add the NAT:

  • Navigate to Firewall > NAT, Outbound tab.

  • Switch to Hybrid Outbound NAT and click Save

  • Click fa-plus to add a new Outbound NAT rule

  • Configure the settings as follows:




    Network, enter the LAN subnet


    The IP subnet of the modem


    Interface Address

  • Click Save

  • Click Apply changes

It should now be possible to access the modem from LAN.