Access To Modem Configuration

From DD-WRT Wiki

Bridged modem

Introduction

In this case the router itself creates the PPPoE connection to the ISP server, but for this to work, the connection between the modem and the router must have an IP address. Usually the modem gives an address to the client, but this address is never used except to access the configuration interface of the modem.

My modem is a Speedtouch 510, its IP address is 10.0.0.138 and it gives the 10.0.0.1 address to the device connected to it. The easiest way to know these addresses is to connect the modem directly to your computer and take a look at your network card configuration. The default gateway is the modem address and the card address is the one provided by the modem.

Note: Many modems come configured to use the 192.168.1.x subnet. This is the same subnet that DD-WRT uses for the LAN by default. You need to either set the modem to use a different subnet or set the router's LAN to use an IP in a different subnet such as 192.168.2.1 so that they're not using the same subnet.

So it looks like this.

image:access.to.modem.png

By default, if you type the IP address of the modem into a browser, you get an "Impossible to contact the server" error.


Primary Method

In the commands below, replace 10.0.0.2 with an IP in the same range as the modem. If your modem is 10.0.0.1, you should use 10.0.0.2. If your modem is 192.168.0.1, use 192.168.0.2.

  • Go to Administration -> Commands
  • Enter
ifconfig `nvram get wan_ifname`:0 10.0.0.2 netmask 255.255.255.0

and click on Save Startup

  • Enter
iptables -t nat -I POSTROUTING -o `nvram get wan_ifname` -j MASQUERADE

and click on Save Firewall

Notes:

  1. `nvram get wan_ifname` returns the name of your router's WAN interface automatically. If you wish to enter it manually, run echo `nvram get wan_ifname` to get your WAN interface name.


Success Report

Environment

  • ADSL2+ service with static IP (no PPPoE or DHCP)
  • TP-LINK TD-8817 ADSL2+ Modem Router, configured as bridge, web page at 192.168.1.1
  • Linksys E1200v2 with DD-WRT 21676, LAN address 192.168.2.1, WAN admin port 8080

Objective

WAN access to modem on external IP port 8081 in addition to LAN access
(with WAN access to DD-WRT on external IP port 8080).

Administration > Commands

ifconfig `nvram get wan_ifname`:0 192.168.1.2 netmask 255.255.255.0

[Save Startup]

iptables -t nat -I POSTROUTING -o `nvram get wan_ifname` -j MASQUERADE

[Save Firewall]

NAT / QoS > Port Forwarding

 Application   Protocol   Source Net   Port from   IP Address    Port to   Enable
 DSL Modem     Both                    8081        192.168.1.1   80

[so modem web page can be accessed from WAN on port 8081 (as well as LAN on port 80)]

Important: With WAN access enabled, set strong passwords in both modem and DD-WRT.


Alternate Method

An alternate way to execute the above commands on startup if you have JFFS enabled is the following:

  • Log in via ssh/telnet
  • create a file with the following content:
#!/bin/sh 
ifconfig `nvram get wan_ifname`:0 10.0.0.2 netmask 255.255.255.0
  • save it as "/jffs/etc/config/modem.startup"
  • create another file with the following content:
#!/bin/sh 
iptables -t nat -I POSTROUTING -o `nvram get wan_ifname` -j MASQUERADE
  • save it as "/jffs/etc/config/modem.wanup"
  • make them executable:
chmod +x /jffs/etc/config/modem.*


SSH Method

A good, secure method for accessing the modem's configuration interface is SSH port forwarding, which can be accomplished with the following steps (with Apply Settings on each screen):

1. DD-WRT build with working SSH

SSH broken in 21061, fixed in 21676 (recommended build)

2. Enable SSH service

DD-WRT: Services > Services > Secure Shell > SSHd > Enable

  • No need to enable SSH TCP Forwarding for inbound connections.
  • If Password Login is enabled, set a strong administrative password (12-14 random characters), and log in over SSH to the "root" account with that password. (See Telnet/SSH and the command line)
  • Recommend changing Port to deter port scanners (e.g., 8022).

3. Enable SSH remote management

DD-WRT: Administration > Remote Access > SSH Management > Enable

  • Recommend changing SSH Remote Port to deter port scanners (e.g., 8022).

4. Set up route to modem

DD-WRT: Administration > Commands

Assumes LAN subnet 192.168.2.nnn and modem at 192.168.1.1 (change as appropriate):

ifconfig `nvram get wan_ifname`:0 192.168.1.2 netmask 255.255.255.0

[Save Startup]

5. Configure SSH port forward

See Example below.

6. Reboot DD-WRT and test

  • ConnectBot is a good SSH client for Android.
  • Mac OS X Terminal supports SSH.
  • PuTTY is a good SSH client for Windows.

Example

  • Assumes LAN subnet 192.168.2.nnn and modem at 192.168.1.1
  • DD-WRT forward in PuTTY: L1080 192.168.2.1:80 (access at http://localhost:1080)
  • Modem forward in PuTTY: L1081 192.168.1.1:80 (access at http://localhost:1081)


Notes

  • Modem and LAN should be different subnets as in the examples above. It's not good network topology to have router WAN port and LAN ports on the same subnet (even when 'it works').
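
The two addressing rules on this page (the alias IP must be in the modem's range, per the Primary Method, and the modem and LAN must be on different subnets, per the note above) can be checked before the startup command is saved. The script below is an added example, not part of the original wiki page or of DD-WRT; check_plan and its helpers are hypothetical names, and it assumes the same netmask on the modem side and the LAN side.

```shell
#!/bin/sh
# Added example; function names are hypothetical helpers, not DD-WRT commands.
# Assumes the same netmask on the modem side and the LAN side (the page uses /24).

# Convert a dotted-quad IPv4 address to an integer; return 1 if malformed.
ip_to_int() {
    case $1 in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split into octets (function-local "$@")
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0?*) return 1 ;; esac   # leading zero would be read as octal
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed when two addresses share a network under the given mask.
same_subnet() {
    a=$(ip_to_int "$1") && b=$(ip_to_int "$2") && m=$(ip_to_int "$3") || return 2
    [ $(( a & m )) -eq $(( b & m )) ]
}

# check_plan MODEM_IP ALIAS_IP LAN_IP NETMASK
# Returns 0 and prints the startup command, or:
#   1 alias collides with the modem, 2 alias outside the modem's subnet,
#   3 LAN overlaps the modem's subnet, 4 malformed address.
check_plan() {
    modem=$1 alias_ip=$2 lan=$3 mask=$4
    for ip in "$@"; do
        ip_to_int "$ip" >/dev/null || { echo "bad address: $ip" >&2; return 4; }
    done
    [ "$modem" != "$alias_ip" ] || { echo "alias equals modem IP" >&2; return 1; }
    same_subnet "$alias_ip" "$modem" "$mask" ||
        { echo "alias $alias_ip is not in the modem's subnet" >&2; return 2; }
    if same_subnet "$lan" "$modem" "$mask"; then
        echo "LAN $lan overlaps the modem's subnet; renumber one side" >&2
        return 3
    fi
    # Single quotes keep the backticks literal: this prints, it does not run.
    printf 'ifconfig `nvram get wan_ifname`:0 %s netmask %s\n' "$alias_ip" "$mask"
}

# Sample values taken from the page's SSH Method section.
check_plan 192.168.1.1 192.168.1.2 192.168.2.1 255.255.255.0
```

A non-zero return code identifies which rule the plan breaks, so the script can be run on a workstation before anything is saved on the router.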