Last Updated on December 16, 2022 by Thiago Crepaldi
Most Internet Service Providers (ISPs) install devices in our houses, such as a cable/DSL modem or an ONT/ONU for optical, which have a web interface on a private IP address of their own. Since the device is not connected to any port of your local network switch, and therefore sits outside your network, accessing it isn't possible, at least by default.
In this post we are going to discuss how you can fix that by using NAT to reach the modem's management IP on the WAN side from your LAN.
Assumptions
For this workaround to succeed, you need to make sure that the Internet modem/equipment is not on the same network as your LAN. This means that if your LAN is 192.168.1.0/24, the equipment must be on 192.168.0.0/24 or something like that. If that is not the case, go to your modem's Web UI and change its network first.
Configuring the WAN interface
This step might vary a little depending on the type of modem/equipment that you have. For ISPs that require the PPPoE protocol for authentication, you have a virtual WAN interface on top of the actual physical WAN. For services that use plain DHCP to get the public IP, the actual physical WAN is used.
For our mission, we are interested in the physical WAN interface. Go to Interfaces >> Assignments >> Interface assignments to view the list of interfaces. Look for an interface called WAN with a Network port named, say, igb0. If there is such an interface, skip to the next step. If you don't have a WAN interface yet, let's add one. At the bottom of the page there is a drop-down menu, Available network ports: select the appropriate physical interface and click on Add.
After that, an entry is added to the interface list with a name starting with OPTxxx, such as OPT0. Click on this interface to configure it:
- General Configuration
  - Enable: checked
  - Description: WAN or WAN_MGMT
  - IPv4 Configuration Type: DHCP or whatever your ISP uses
  - IPv6 Configuration Type: leave as None unless your ISP uses it (I doubt it)
  - MAC Address: leave empty
  - MTU: leave empty
  - MSS: leave empty
  - Speed and Duplex: Default (no preference, typically autoselect)
- DHCP Client Configuration (if your configuration type is DHCP)
  - leave everything empty, as is
- Reserved Networks
  - Block private networks and loopback addresses: leave unchecked
  - Block bogon networks: leave unchecked
Click Save and Apply changes to complete this step.
Configuring NAT
Now that you have an interface, the next step is creating an outbound NAT rule to drive traffic from the LAN to your modem's management network. That NAT entry rewrites the source IP to be one from the WAN's management network instead of one from your LAN. An alternative would be creating a static route, but this doesn't work for all ISP equipment.
Go to Firewall >> NAT >> Outbound and switch Outbound NAT Mode to Hybrid Outbound NAT rule generation. (Automatic Outbound NAT + rules below) and click on the usual Save and Apply changes. At the Mappings table, click on Add to create a new Outbound rule:
- Edit Advanced Outbound NAT Entry
  - Disabled: leave unchecked
  - Do not NAT: leave unchecked
  - Interface: WAN (or WAN_MGMT or whatever you named it)
  - Address family: IPv4+IPv6
  - Protocol: Any
  - Source:
    - Network
    - 10.0.0.0/24 (or whatever your LAN network is)
  - Destination:
    - Network
    - 192.168.1.0/24 (or whatever your WAN network is)
    - Not: leave unchecked
- Translation
  - Address: Interface Address
  - Port or Range:
    - leave empty
  - Static port: leave unchecked
- Misc
  - No XMLRPC Sync: leave unchecked
  - Description: My ISP device network
Click on Save and Apply changes to complete the configuration.
To test your configuration, just type the modem's IP in your browser, say, 192.168.1.1, and verify that you can access the modem's management interface.
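If the page does not load, the addressing is the first thing to rule out. The following sanity check for the Assumptions section and the outbound NAT rule's Source and Destination is an added example, not part of the original post or of pfSense. The function name `check_modem_nat_plan` and the firewall WAN address 192.168.1.2 are assumptions made for illustration.

```python
import ipaddress


def check_modem_nat_plan(lan_cidr, modem_cidr, modem_ip, fw_wan_ip=None):
    """Return a list of problems; an empty list means the plan is consistent."""
    lan = ipaddress.ip_network(lan_cidr)
    modem_net = ipaddress.ip_network(modem_cidr)
    modem = ipaddress.ip_address(modem_ip)
    problems = []

    # Assumption from the post: the modem must not share (or overlap) the LAN
    # range, otherwise LAN hosts treat it as on-link and never use the firewall.
    if lan.overlaps(modem_net):
        problems.append(f"LAN {lan} overlaps modem network {modem_net}")

    # The rule's Destination network has to contain the modem's management IP.
    if modem not in modem_net:
        problems.append(f"modem {modem} is not inside destination {modem_net}")
    elif modem in (modem_net.network_address, modem_net.broadcast_address):
        problems.append(f"modem {modem} is the network or broadcast address")

    # Keep the rule narrow: it should only match a private management range.
    if not modem_net.is_private:
        problems.append(f"destination {modem_net} is not a private range")

    # Translation is "Interface Address", so the physical WAN interface needs
    # its own address inside the modem's network for replies to come back.
    if fw_wan_ip is not None:
        fw = ipaddress.ip_address(fw_wan_ip)
        if fw not in modem_net:
            problems.append(f"WAN address {fw} is outside {modem_net}")
        elif fw == modem:
            problems.append(f"WAN address {fw} collides with the modem")
    return problems


if __name__ == "__main__":
    plans = [
        # Values from the NAT rule above; 192.168.1.2 is a constructed WAN address.
        ("10.0.0.0/24", "192.168.1.0/24", "192.168.1.1", "192.168.1.2"),
        # Constructed failure case: LAN and modem on the same network.
        ("192.168.1.0/24", "192.168.1.0/24", "192.168.1.1", None),
    ]
    for plan in plans:
        print(plan, check_modem_nat_plan(*plan) or "OK")
```
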