Accessing a CPE/Modem from Inside the Firewall
Most end-user Customer Premise Equipment (CPE) devices like cable or DSL modems have a web interface on a private IP address. Since these sit outside the firewall and do not typically have a public IP address, accessing them isn't as straightforward as it might seem. The firewall is typically assigned a public IP, and sends all outbound traffic upstream to the ISP. The ISP won't route the private subnet back to the modem, leaving it unreachable. This page describes the workaround needed to access the management interface on the modem from the inside of the network.
Note
The CPE management IP address must be on a different IP subnet than the internal network. If it is not, attempts to connect to it will never go to the firewall to be routed out to the modem, as hosts on the internal network would try to connect to it on the local network and fail.
Configure a new Interface
A PPPoE WAN is actually assigned to a virtual PPPoE adapter, not the physical port.
Navigate to Interfaces > Assignments
Set Available network ports: to the physical network card for the PPPoE WAN
For example, if the WAN is PPPOE0(ix3), choose ix3.
Click Add to assign this port as a new OPT interface
Navigate to Interfaces > (new OPT interface)
Configure the settings as follows:
- Enable:
Checked
- Description:
ModemAccess or a similar useful name.
- IPv4 Configuration Type:
Static
- IPv4 Address:
Configure an IP address in the same subnet as the modem, such as 192.168.1.5/24.
- IPv4 Upstream Gateway:
None. Do not set a gateway.
Click Save
Click Apply Changes
Configure NAT
Now NAT needs to be configured to translate traffic destined to the modem to the new interface. This is necessary so the modem sees the traffic sourced from an IP on its local subnet. Without this NAT, it would be necessary to configure a route on the modem so it knows how to reach the internal subnet. With some modems this isn’t possible, and in most cases it’s easier to NAT the traffic so routing isn’t a concern.
To add the NAT:
Navigate to Firewall > NAT, Outbound tab.
Switch to Hybrid Outbound NAT and click Save
Click to add a new Outbound NAT rule
Configure the settings as follows:
- Interface:
ModemAccess
- Source:
Network, enter the LAN subnet
- Destination:
The IP subnet of the modem
- Translation:
Interface Address
Click Save
Click Apply Changes
It should now be possible to access the modem from LAN.
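The subnet requirement in the Note and the interface and NAT settings above can be checked before touching the firewall. The following is an added example, not part of the original page or of pfSense itself: the function names are hypothetical, and the LAN subnet and modem address in the sample call are constructed values (only 192.168.1.5/24 comes from the page).

```python
import ipaddress

def check_modem_access_plan(lan_subnet, modem_ip, opt_address):
    """Return a list of problems with the addressing plan (empty list = OK)."""
    lan = ipaddress.ip_network(lan_subnet)
    modem = ipaddress.ip_address(modem_ip)
    opt = ipaddress.ip_interface(opt_address)  # address/prefix of the new OPT interface
    problems = []

    # The Note: if the modem looks local to LAN hosts, they try to reach it
    # on the LAN directly and the traffic never goes to the firewall.
    if modem in lan:
        problems.append(f"modem {modem} is inside the LAN subnet {lan}")
    elif opt.network.overlaps(lan):
        problems.append(f"OPT subnet {opt.network} overlaps LAN {lan}")

    # The OPT interface has no gateway, so the modem must be on-link for it.
    if modem not in opt.network:
        problems.append(f"modem {modem} is not in the OPT subnet {opt.network}")
    if opt.ip == modem:
        problems.append(f"OPT address {opt.ip} collides with the modem address")
    net = opt.network
    if net.prefixlen < 31 and opt.ip in (net.network_address, net.broadcast_address):
        problems.append(f"OPT address {opt.ip} is the network or broadcast address")
    return problems

def outbound_nat_rule(lan_subnet, opt_address, interface="ModemAccess"):
    """Field values for the Outbound NAT rule, derived from the plan."""
    opt = ipaddress.ip_interface(opt_address)
    return {
        "Interface": interface,
        "Source": str(ipaddress.ip_network(lan_subnet)),
        "Destination": str(opt.network),       # the IP subnet of the modem
        "Translation": "Interface Address",    # resolves to opt.ip on the firewall
    }

if __name__ == "__main__":
    # Constructed sample plan: LAN 192.168.0.0/24, modem at 192.168.1.1
    plan = ("192.168.0.0/24", "192.168.1.1", "192.168.1.5/24")
    issues = check_modem_access_plan(*plan)
    print("OK" if not issues else "\n".join(issues))
    print(outbound_nat_rule(plan[0], plan[2]))
```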