dsl4ever

[Other] Connect to a Non-Routable IP across a firewall? SOLVED

Hi guys,

Noob question

The setup:
PC -> (LAN)Firewall(pppoe WAN) -> (LAN)Bridged Modem(WAN) -> ISP

PC -> 192.168.1.X
FW-Lan -> 192.168.1.1
FW-Wan -> Public IP from ISP (PPPOE)
Modem (Lan) -> 192.168.2.1

What rule(s) do I have to put in the firewall to get the PC to establish a connection to the web interface of the modem (»192.168.2.1)
The packets need to find their way to the modem and return to the PC.

Thanks.
pb2k

Re: [Other] how to connect to a Non-Routable IP across a firewall?

This has bad idea written all over it, but without needing to fiddle around with static routes and firewalls you could try this:
If just one of the ports on the modem is bridged, see if you can change the modem IP to the same subnet as your internal lan, and just connect to one of the unbridged ports.
dsl4ever

I was thinking about doing it... I'm not technical enough to picture how an attacker could bypass the bridge to the firewall and land in the internal network.

I'm just scared of the unknown

If someone spoofs a private IP and hits the BRIDGED public IP, will the modem forward it straight on its lan (now also connected to the private side of the firewall)?

uh...
(I think I'll go plan B - Since the Modem also got WiFi, I'll reach its management interface via a WiFi connection.)

eibgrad to dsl4ever
I’m confused. Why is 192.168.2.x unroutable in this configuration? The 192.168.2.x network resides on the other side of the FW’s WAN. Unless you’re claiming that because it’s PPPoE, this WAN to LAN connection is really LAN to LAN (layer 2). Is that how it should be interpreted? If so, and if you only need access from the one PC, why not just add a second IP address to the PC on the same network as the modem (i.e., multi-homed)?
dsl4ever

said by eibgrad:

Why is 192.168.2.x unroutable in this configuration?

You tell me. And btw - no claims at all. I'm cluelessly noticing.

I just tried to multihome the single nic I have on the PC side. It doesn't cross the firewall gateway.

eibgrad to dsl4ever
Then it probably just has to do w/ the way bridging the modem works. Perhaps it’s taking the modem off the LAN (maybe it has an option to enable/disable this when configured as a bridge) and as a result it’s not even responding to ARP. And if that happens, even if the FW routes the request over its WAN, it can’t determine the MAC address of the modem, and thus it’s unreachable over ethernet. What you might try doing (provided your FW supports it) is define a static ARP entry for the modem’s LAN MAC address and its LAN ip. You might also have to bind the FW’s WAN to the modem’s network (multi-home it). I feel somewhere in this mix is the answer. But without knowing all that much about your hardware, it’s hard to say what’s possible or practical. Since you don’t typically fuss w/ a modem once configured, it might just be easier to plug a PC/laptop directly into the modem when you need it. And btw, if you plug a PC/laptop in directly and it doesn’t respond, that’s a bad sign.

davidg to dsl4ever
what firewall are you using?

I have a Ubiquiti ER-POE and all I had to do to reach my cable modem (192.168.100.1) was add a second IP to that WAN port of 192.168.100.2 and set a route. If your FW does not allow for multiple WAN IPs, I don't know if you can do it since the modem would be on a different subnet.

The easy way is if you have a switch laying around: put it to the modem, then to the FW. Run a second NIC in your machine (or simply plug over when needed) and set it to the subnet of the modem.
dsl4ever

Wassup with the dog pictures guys?

Eibgrad - You lost me at about 1/3 of your reply.
Davidg - My FW can't multihome a WAN port but has multiple WAN ports. So I just patched a cable from another FW WAN port to an available LAN port on the modem... I configured the new FW WAN to 192.168.2.x with a 192.168.2.1 gateway and BOOM. All my PCs can now access the management port of the MODEM.

Problem SOLVED. Thanks guys.

eibgrad to dsl4ever

Because our dogs are prettier than most of us.

NormanS to dsl4ever

said by dsl4ever:

What rule(s) do I have to put in the firewall to get the PC to establish a connection to the web interface of the modem (»192.168.2.1)
The packets needs to find their way to the modem and return to the PC.

Unless your NAT router (firewall+PPPoE) can handle two IP addresses on its WAN port, you can't do what you want. I think some third party firmware is capable, but I have not investigated.

With most DSL there is also the issue of ATM.

One way you could do it is put an inexpensive switch between the router ("(LAN)Firewall(pppoe WAN") and modem ("(LAN)Bridged Modem(WAN)"). Requires at least one computer with two network adapters.

If the modem is a bridged RG, you can gain access through an unused LAN port; though I haven't tried it with the modem configured in the LAN subnet.

Network with two connections.


Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : Natsumi
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : aosake.net
 
Wireless LAN adapter Wireless Network Connection:
 
   Connection-specific DNS Suffix  . : aosake.net
   Description . . . . . . . . . . . : Broadcom 802.11g Network Adapter
   Physical Address. . . . . . . . . : 00-1A-73-BA-80-33
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2602:24a:de40:7d90:ecb7:fb20:4c40:1239(Preferred)
   Temporary IPv6 Address. . . . . . : 2602:24a:de40:7d90:e8ae:3d14:e657:1d66(Preferred)
   Link-local IPv6 Address . . . . . : fe80::ecb7:fb20:4c40:1239%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.102.137(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, December 20, 2014 11:01:21 AM
   Lease Expires . . . . . . . . . . : Sunday, December 21, 2014 11:01:21 AM
   Default Gateway . . . . . . . . . : fe80::62a4:4cff:fedc:9198%10
                                       192.168.102.1
   DHCP Server . . . . . . . . . . . : 192.168.102.1
   DHCPv6 IAID . . . . . . . . . . . : 151001715
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0E-B0-79-1A-00-16-D3-F8-12-0A
 
   DNS Servers . . . . . . . . . . . : 2602:24a:de40:7d90::1
                                       192.168.102.1
   Primary WINS Server . . . . . . . : 192.168.102.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :
                                       aosake.net
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
   Physical Address. . . . . . . . . : 00-16-D3-F8-12-0A
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::7829:ed26:6429:52fc%9(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 167778003
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0E-B0-79-1A-00-16-D3-F8-12-0A
 
   DNS Servers . . . . . . . . . . . : 2001:470:20::2
                                       2001:470:0:45::2
                                       2001:418:3ff::53
                                       208.201.224.11
                                       208.201.224.33
   NetBIOS over Tcpip. . . . . . . . : Enabled
 

I believe that the wired connection is outside of the ATM tunnel endpoint, thus no Internet access; but I configure it as a "Public network" anyway. The modem is the only device on 192.168.1.0/24 which I am interested in seeing.

shdesigns
Premium Member

said by NormanS:

Unless your NAT router (firewall+PPPoE) can handle two IP addresses on it's WAN port, you can't do what you want.

It only needs one IP address as PPPoE is not TCP/IP.
dsl4ever
Member

Since the problem is now solved. It's just for sake of discussion.

I don't think the PPPOE on the FW WAN has anything to do with the inability to route.
But once the WAN gets a public IP and a public gateway it loses its ability to see the private IP on the modem. No?

NormanS to shdesigns
said by shdesigns:

It only needs one IP address as PPPoE is not TCP/IP.

It gets the Public IP address from the PPPoE session. It would also need a private IP address in the modem subnet; else how would it communicate with the modem?
NormanS to dsl4ever
said by dsl4ever:

I don't think the PPPOE on the FW WAN as anything to do with the inability to route.

I believe otherwise. If packets aren't local to the router, they get sent to the upstream PPPoE device. I suspect the router would need the intelligence to distinguish between the modem, as a destination, and the aggregation router. I am certain it could be done with a properly configured routing table; I am guessing the added complexity would result in a higher production cost, with little perceived value to the manufacturer.
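
The routing-table point NormanS makes here, and the second-WAN-IP fix davidg describes above, modelled as an added example (not code from the thread or from any of the posters): a minimal longest-prefix-match lookup over the firewall's routes shows why 192.168.2.1 falls through to the PPPoE default route, and why a connected route alone is not enough without source NAT because the bridged modem has no route back to the LAN. Interface names (eth0, eth1, ppp0) and the WAN-port address 192.168.2.2 are assumptions.

```python
import ipaddress

def lookup(routes, dst):
    """Return (iface, via) of the most specific route matching dst, else None.
    routes: list of (prefix, iface, via); via is None for a connected route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, via)
    return None if best is None else (best[1], best[2])

# Firewall as the OP first had it: LAN on eth0, PPPoE session ppp0 carried over
# eth1. eth1 itself has no IP address (shdesigns' point), so there is no
# connected route to 192.168.2.0/24 and anything non-local is handed to the ISP.
FW_ORIGINAL = [
    ("192.168.1.0/24", "eth0", None),      # LAN, directly connected
    ("0.0.0.0/0",      "ppp0", "pppoe"),   # default route up the PPPoE link
]
# davidg's fix: a second address (assumed 192.168.2.2/24) on the WAN ethernet
# port adds a connected route that beats the default route by prefix length.
FW_FIXED = FW_ORIGINAL + [("192.168.2.0/24", "eth1", None)]

# The bridged modem only knows its own segment: no route to the firewall's LAN
# and no default gateway, so a reply addressed to 192.168.1.x is dropped.
MODEM = [("192.168.2.0/24", "lan", None)]

def round_trip(fw_routes, pc, modem_ip="192.168.2.1", snat_to=None):
    """Follow a request PC -> modem and the modem's reply back.
    Returns (firewall egress interface, reply deliverable?).
    snat_to: address the firewall rewrites the source to (its WAN-port IP)."""
    egress = lookup(fw_routes, modem_ip)
    if egress is None or egress[0] == "ppp0":
        # Sent upstream to the ISP (or nowhere): the modem never sees it.
        return (None if egress is None else egress[0]), False
    reply_dst = snat_to or pc
    return egress[0], lookup(MODEM, reply_dst) is not None
```

Without NAT the request reaches the modem over eth1 but the reply to 192.168.1.100 has nowhere to go; with the source rewritten to 192.168.2.2 the exchange completes.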

shdesigns to NormanS
said by NormanS:

It gets the Public IP address from the PPPoE session. It would also need a private IP address in the modem subnet; else how would it communicate with the modem?

It needs the IP to talk to the modem, so that needs to be added to the interface. The public IP is not assigned to the interface, it is assigned to the PPPoE link.

As is, the interface has no IP address assigned; PPPoE does not use IP addresses to communicate between the modem and router.

davidg to dsl4ever
said by dsl4ever:

Wassup with the dog pictures guys?

that is Hooch, my best bud for seven years until he went roaming and got hit by a car.

Glad you got it going, it is always nice to be able to see the modem stats without having to do a bunch of plugging/unplugging.

tschmidt to dsl4ever

So how did you solve the problem?

/tom
dsl4ever
Member

said by tschmidt:

So how did you solve the problem?

Like I wrote: "I just patched a cable from another FW WAN port to an available LAN port on the modem... I configured the new FW WAN to 192.168.2.x with a 192.168.2.1 gateway and BOOM. All my PCs can now access the management port of the MODEM."

NormanS

said by dsl4ever:

Like I wrote: "I just patched a cable from another FW WAN port to an available LAN port on the modem... I configured the new FW WAN to 192.168.2.x with a 192.168.2.1 gateway and BOOM. All my PCs can now access the management port of the MODEM."

Just so I understand:

"Modem" is something like a Pace 4111N "Residential Gateway". One RJ-11 telephone port, four RJ-45 LAN ports.

Pace 4111N.


"Firewall" is something like a Cisco RV042. Two RJ-45 WAN ports, four RJ-45 LAN ports.

Cisco RV042.


"Modem" is bridged; patch cord from one of the LAN ports to one of the "Firewall" WAN ports.

Second "Firewall" WAN port has patch cord to another "Modem" LAN port.

Second port configured to LAN segment IP address.

Fascinating. Might try to see if I can configure the ASUS RT-AC66U in "dual WAN" mode.
dsl4ever
Member

You got it right, NormanS.

Two of the firewall WAN ports connected to two of the Modem LAN ports.

MODEM set in bridge mode
One FW WAN port setup with PPPOE
The other FW WAN port setup with Static IP in the same subnet as the Modem private IP

I even iced the cake by sending the modem SYSLOGs to the firewall with port forwarding to a monitoring application behind the firewall.

Works great... I'm happy.
HELLFIRE to dsl4ever
said by dsl4ever:

said by NormanS:

said by dsl4ever:

The setup:
PC -> (LAN)Firewall(pppoe WAN) -> (LAN)Bridged Modem(WAN) -> ISP

PC -> 192.168.1.X
FW-Lan -> 192.168.1.1
FW-Wan -> Public IP from ISP (PPPOE)
Modem (Lan) -> 192.168.2.1

What rule(s) do I have to put in the firewall to get the PC to establish a connection to the web interface of the modem (»192.168.2.1)

"Modem" is something like a Pace 4111N "Residential Gateway". One RJ-11 telephone port, four RJ-45 LAN ports.

"Firewall" is something like a Cisco RV042. Two RJ-45 WAN ports, four RJ-45 LAN ports.

Two of the firewall WAN ports connected to two of the Modem LAN ports.
MODEM set in bridge mode
One FW WAN port setup with PPPOE
The other FW WAN port setup with Static IP in the same subnet as the Modem private IP

Think a (similar) issue was discussed in this thread before... and yeah, it was not a pretty picture. As others have said, The Right Way(TM) would be for the "firewall" to know and share a route to the 192.168.2.x network from its WAN interface to its LAN interface.

...if it works and you're happy with it, OP...
said by dsl4ever:

I was thinking about doing it... I'm not technical enough to picture how an attacker could bypass the bridge to the firewall and land in the internal network.

...source-routing the packets would be one way... or spoofing the source address of the packets.

My 00000010bits

Regards
dsl4ever
Member

said by HELLFIRE:

...source-routing the packets would be one way... or spoofing the source address of the packets.

But in bridge mode, I thought the modem was not doing any TCPIP processing. Just plain forwarding to the next device, which is in this case the PUBLIC wan interface of the firewall. Not dumb enough to move spoofed IPs in the PRIVATE zone. I know that as a fact because I was curious and set a rule in the firewall to log incoming non-routable IP attempts. It does show some occurrences.

If the WAN interface of the modem in bridge mode can be compromised to give access to its LAN side, then I agree it's game over.

I feel much more confident of the current setup.
FW WAN1(PPPOE)/WAN2(Static IP) to MODEM LAN1/LAN2

There is also a positive side effect of this setup. I can seamlessly flip the modem to router mode and bridge mode without annoying the family. Because either way, this configuration provides Internet services to the LAN side of the firewall.

Which brings another thing to my attention. It seems that not all router modes are born equal. I couldn't mount a VPN behind the Firewall with my previous modem in Router mode. I had no issues when it was in bridge mode. With this new modem, Bridged or Routered doesn't seem to make any difference. I can mount the VPN in both modes.