Author Topic: Firebrick access to modems for inspecting stats  (Read 7615 times)

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Firebrick access to modems for inspecting stats
« on: January 06, 2016, 10:29:41 PM »

This is a fragment of some Firebrick FB2000 series router's config XML, which another user provided as an example for NATing the 192.168.1.* address for each modem's admin UI ideally to something accessible from the LAN and by remote admin.

<rule-set name="Modems" source-ip="2001:8b0::/47 90.155.42.0/24 81.187.81.0/24" target-ip="81.187.xx.yy" target-port="81-82" no-match-action="continue">
 <rule name="Modem_1" target-port="81" set-source-ip="192.168.1.33" set-nat="true" set-target-ip="192.168.1.1" set-target-port="80" set-table="1" action="accept" comment="Get to Modem 1"/>
 <rule name="Modem_2" target-port="82" set-source-ip="192.168.1.33" set-nat="true" set-target-ip="192.168.1.2" set-target-port="80" set-table="2" action="accept" comment="Get to Modem 2"/>
</rule-set>
« Last Edit: January 06, 2016, 10:42:41 PM by Weaver »
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Firebrick access to modems for inspecting stats
« Reply #1 on: January 06, 2016, 10:37:26 PM »

I have three modems, easy enough to change. I use 10.*.*.* /8 for admin duties internally, but I don't ever use NAT so I would want to allocate a fake IP in my real /26 of public IPv4 address space so that A & A could access the modems remotely as well as me.
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Firebrick access to modems for inspecting stats
« Reply #2 on: January 06, 2016, 10:44:51 PM »

I have zero idea about a lot of what is going on. I don't want the modems to be accessible to everyone on the LAN, so I can either password-protect them, or firewall them internally, or both. The modems are DLink DSL-320B-Z1 devices btw.
Logged

kitzuser87430

  • Reg Member
  • ***
  • Posts: 432
Re: Firebrick access to modems for inspecting stats
« Reply #3 on: January 08, 2016, 05:54:13 PM »

OK... let's break this down.

Quote
another user provided as an example

Your best bet is to ask them to walk you through it.

I presume the source IP ranges in the first line source-ip="2001:8b0::/47 90.155.42.0/24 81.187.81.0/24" are the IP addresses to accept connections from.


target-ip="81.187.xx.yy" this will be an external IP address

target-port="81-82" in this example the NAT translates these ports to port 80 on the modems.

"Modem_1" target-port="81" to access modem 1 from outside the LAN you connect to 81.187.xx.yy:81 (this will also work from inside your LAN if the Firebrick supports loopback, I would have thought)

set-source-ip="192.168.1.33" this is an IP address in the modems' IP range

set-target-ip="192.168.1.1" This is modem 1's IP address


So in your setup I would try

<rule-set name="Modems" source-ip="2001:8b0::/47 90.155.42.0/24 81.187.81.0/24" target-ip="ONE OF YOUR IP ADDRESSES" target-port="81-83" no-match-action="continue">
 <rule name="Modem_1" target-port="81" set-source-ip="192.168.1.33" set-nat="true" set-target-ip="192.168.1.1" set-target-port="80" set-table="1" action="accept" comment="Get to Modem 1"/>
 <rule name="Modem_2" target-port="82" set-source-ip="192.168.1.33" set-nat="true" set-target-ip="192.168.1.2" set-target-port="80" set-table="2" action="accept" comment="Get to Modem 2"/>
 <rule name="Modem_3" target-port="83" set-source-ip="192.168.1.33" set-nat="true" set-target-ip="192.168.1.3" set-target-port="80" set-table="3" action="accept" comment="Get to Modem 3"/>
</rule-set>

Set Modem 1 LAN IP to 192.168.1.1, modem 2 to 192.168.1.2, modem 3 to 192.168.1.3

and set strong passwords for them.

I am not 100% sure it will work with your /26 range of external IPs... it probably will not.

Ian
« Last Edit: January 08, 2016, 06:03:03 PM by kitzuser87430 »
Logged
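
Added example, not part of any post in this thread: a Python check over a rule-set of the shape in reply #3 that lists which external port reaches which modem and tests whether a client address is covered by source-ip. It reads source-ip as an allow-list, as the post presumes; the sample is constructed, trimmed to the attributes the check reads, and 203.0.113.10 is a documentation address standing in for the public target IP.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample shaped like the rule-set above; 203.0.113.10 is a
# documentation address standing in for "ONE OF YOUR IP ADDRESSES".
RULE_SET = """
<rule-set name="Modems" source-ip="2001:8b0::/47 90.155.42.0/24 81.187.81.0/24"
          target-ip="203.0.113.10" target-port="81-83" no-match-action="continue">
 <rule name="Modem_1" target-port="81" set-target-ip="192.168.1.1" set-target-port="80"/>
 <rule name="Modem_2" target-port="82" set-target-ip="192.168.1.2" set-target-port="80"/>
 <rule name="Modem_3" target-port="83" set-target-ip="192.168.1.3" set-target-port="80"/>
</rule-set>
"""

def source_networks(rule_set):
    """Networks in source-ip, read as an allow-list (an assumption taken from the post)."""
    return [ipaddress.ip_network(s, strict=False)
            for s in rule_set.get("source-ip", "").split()]

def may_connect(xml_text, client):
    """True if client is inside a listed source network (False if none are listed)."""
    addr = ipaddress.ip_address(client)
    return any(addr.version == net.version and addr in net
               for net in source_networks(ET.fromstring(xml_text)))

def audit(xml_text):
    """Return (forwards, findings): external port -> modem address, plus problems."""
    rs = ET.fromstring(xml_text)
    findings = []
    nets = source_networks(rs)
    if not nets or any(net.prefixlen == 0 for net in nets):
        findings.append("source-ip missing or matches every address")
    lo, _, hi = rs.get("target-port", "0").partition("-")
    allowed_ports = range(int(lo), int(hi or lo) + 1)
    forwards = {}
    for rule in rs.findall("rule"):
        name = rule.get("name")
        port, dest = int(rule.get("target-port")), rule.get("set-target-ip")
        if port not in allowed_ports:
            findings.append(f"{name}: port {port} is outside {rs.get('target-port')}")
        if port in forwards:
            findings.append(f"{name}: port {port} is already forwarded")
        if dest in forwards.values():
            findings.append(f"{name}: {dest} is reachable through two ports")
        forwards[port] = dest
    return forwards, findings

if __name__ == "__main__":
    print(audit(RULE_SET), may_connect(RULE_SET, "81.187.147.200"))
```

The address 81.187.147.200 lies in the 81.187.147.192/26 block mentioned in reply #4, which none of the three listed source networks covers.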

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Firebrick access to modems for inspecting stats
« Reply #4 on: January 08, 2016, 06:08:11 PM »

Thanks Ian, makes sense.

I would possibly need to allocate proper IP addresses to the map targets, so that they could be accessed by remote users at A & A.

The firebrick as it stands doesn't do NAT at all. All IP addresses are currently global public routable IPs in the range 81.187.147.192/26. (I do use the odd 10.0.0.0/8 address as an alias to give me easy-to-remember addresses. But apart from that no private addresses at all.)
Logged

kitzuser87430

  • Reg Member
  • ***
  • Posts: 432
Re: Firebrick access to modems for inspecting stats
« Reply #5 on: January 08, 2016, 06:59:37 PM »

Looking here https://support.aa.net.uk/FireBrick_2700_Configuration_run-through

towards the bottom of the page "Accessing the Modem"

<interface name="WAN" port="WAN1">
   <subnet ip="192.168.1.1/24" comment="IP subnet on WAN for router config"/>
</interface>

You need to triplicate this for your 3 WAN ports, setting the LAN IPs on the modems to 192.168.100.100, 192.168.101.100 and 192.168.102.100

Then add the config
<interface name="MDM1" port="WAN1">
   <subnet ip="192.168.100.1/24" comment="IP subnet on modem1 for router config"/>
</interface>
<interface name="MDM2" port="WAN2">
   <subnet ip="192.168.101.1/24" comment="IP subnet on modem2 for router config"/>
</interface>
<interface name="MDM3" port="WAN3">
   <subnet ip="192.168.102.1/24" comment="IP subnet on modem3 for router config"/>
</interface>

This will make the modems accessible from the LAN only; this would be a lot safer, as is there not a security problem with your modems in router mode? (i.e. accessible from WAN)
Logged
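
Added example, not part of any post in this thread: a Python check that each modem's management address sits inside the subnet declared on its interface, that the subnets are private address space, and that no two overlap (the clash that arises when every modem keeps the same default address). The config wrapper element, the MODEMS table and the mismatch on MDM3 are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed input: interface fragments in the style of the post, wrapped in a
# root element so they parse as one document. MDM3 is deliberately mismatched.
CONFIG = """
<config>
 <interface name="MDM1" port="WAN1"><subnet ip="192.168.100.1/24"/></interface>
 <interface name="MDM2" port="WAN2"><subnet ip="192.168.101.1/24"/></interface>
 <interface name="MDM3" port="WAN3"><subnet ip="192.168.103.1/24"/></interface>
</config>
"""
# Management address set on each modem, keyed by interface name (constructed).
MODEMS = {"MDM1": "192.168.100.100", "MDM2": "192.168.101.100",
          "MDM3": "192.168.102.100"}

def check_modem_subnets(xml_text, modems):
    """Return a list of addressing problems; an empty list means consistent."""
    problems, seen = [], []
    for iface in ET.fromstring(xml_text).findall("interface"):
        name = iface.get("name")
        for subnet in iface.findall("subnet"):
            own = ipaddress.ip_interface(subnet.get("ip"))  # router address + prefix
            net = own.network
            if not net.is_private:
                problems.append(f"{name}: {net} is not private address space")
            for other_name, other_net in seen:
                if net.overlaps(other_net):
                    problems.append(f"{name}: {net} overlaps {other_name} {other_net}")
            seen.append((name, net))
            modem = modems.get(name)
            if modem is None:
                continue
            addr = ipaddress.ip_address(modem)
            if addr not in net:
                problems.append(f"{name}: modem {addr} is not inside {net}")
            elif addr == own.ip:
                problems.append(f"{name}: modem and router both use {addr}")
    return problems

if __name__ == "__main__":
    for line in check_modem_subnets(CONFIG, MODEMS):
        print(line)
```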

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Firebrick access to modems for inspecting stats
« Reply #6 on: January 08, 2016, 07:09:58 PM »

@kitzuser87430 thank you, you've been very generous with your time.  ;D
Logged

tickmike

  • Kitizen
  • ****
  • Posts: 3641
  • Yes Another Penguin !. :)
Re: Firebrick access to modems for inspecting stats
« Reply #7 on: January 09, 2016, 01:28:47 AM »

Are all your modems 192.168.1.1 ?.

Do they use PPPoE and your firebrick has your isp un & pw details. ?

You said you do not use NAT  :o   your firebrick does it for you !.

Did you try to 'Telnet' in to them ?.

Have you tried http://192.168.1.1 in a web-browser ?.

I have no trouble accessing my modem through my hardware firewall, I use PPPoE and my set of fixed IPs from my ISP get fed straight through the modem.
Logged
I have a set of 6 fixed IP's From  Eclipse  isp.BT ADSL2(G992.3) line>HG612 as a Modem, Bridge, WAN Not Bound to LAN1 or 2 + Also have FTTP (G.984) No One isp Fixed IP >Dual WAN pfSense (Hardware Firewall and routing).> Two WAN's, Ethernet LAN, DMZ LAN, Zyxel GS1100-24 Switch.

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Firebrick access to modems for inspecting stats
« Reply #8 on: January 09, 2016, 04:09:58 AM »

> all your modems 192.168.1.1 ?.

Yes, their admin I/f is there, the default

> Do they use PPPoE and your firebrick has your isp un & pw details. ?

Yes

> You said you do not use NAT  :o   your firebrick does it for you !.
No the firebrick does not do NAT. The boxen on my LAN have routable public global IP addresses, not RFC1918 private addresses. The Firebrick does not need to do NAT and doesn't do NAT as our glorious eternal leader, RevK, has said that NAT is evil. :-)

I take it you haven't used a global public IP block yourself for your LAN boxes?

> Did you try to 'Telnet' in to them ?.
No

> Have you tried http://192.168.1.1 in a web-browser ?.
Yes. Lock up

How could this work even if a router for some reason routed a main LAN to modems? I have three modems all with the same admin I/f IPv4 address. Which one would I get, given a three-way IP address clash?

My modems are in separate spaces with no address space allocated to them by the Firebrick as far as I can see.

You have only one modem and it's in the same RFC1918 subnet 192.168.*.*/16 according to the RFC not merely /24, so the router has no problem mapping address space to include your one modem somewhere sensible.

Many thanks for your helpful sanity check and for taking an interest! Very good of you (all) to give your time.
« Last Edit: January 09, 2016, 04:12:20 AM by Weaver »
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Firebrick access to modems for inspecting stats
« Reply #9 on: January 09, 2016, 04:17:39 AM »

I have to be careful how I do this, as I could open up a security hole giving the LAN access to my modems' admin interfaces. If I can't be confident I've done this properly, then I will pester Andrews and Arnold, who are also Firebrick sales and support people. They've done this for other people, but I have multiple modems, am not on RFC1918 and have no existing NAT; that's why their new config snippet won't just slot into my XML Firebrick config.

Does that make sense?

I can talk to a modem by disconnecting it from the FB and putting its Ethernet cable straight into the LAN switch, then I can simply access the (one and only) 192.168.1.1 by reconfiguring a machine to be in that same /24 first.
« Last Edit: January 09, 2016, 04:21:54 AM by Weaver »
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Firebrick access to modems for inspecting stats
« Reply #10 on: January 09, 2016, 04:23:18 AM »

Please Santa, belatedly, there has to be an excuse for a Raspberry Pi somewhere here later on. Xmas wish list. Need two Ethernet I/fs though ?
Logged

aesmith

  • Kitizen
  • ****
  • Posts: 1216
Re: Firebrick access to modems for inspecting stats
« Reply #11 on: January 09, 2016, 08:25:34 AM »

I don't know the Firebrick but from what you've said yours routes only, no NAT. If that's the case could you use RFC1918 addressing for the Firebrick to modem links? For example three separate /30s. Let's say Modem 1 is 192.168.1.6, Firebrick i/f 192.168.1.5. Then you need to add routes, without NAT, between the chosen address range(s) and your internal LAN. The modems wouldn't be accessible from elsewhere since they're not on Internet routed addresses.

That's how I'd do it with Cisco, where you can apply an IP address to an interface completely independent of PPPoE over the same interface.
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Firebrick access to modems for inspecting stats
« Reply #12 on: January 09, 2016, 12:28:33 PM »

@aesmith I had debated whether or not to use RFC1918 addresses; since it's all going to the Firebrick anyway, which is the default gateway, there's no reason not to, and it saves on space in my public /26. The Firebrick seems to automatically sort out the routing table when you declare an address range, as I haven't seen the equivalent of a separate "route" command (Firebrick uses an XML config file, not individual commands, and doesn't have a CLI, only a friendly web UI, which I never use, and the XML config file.)

Many thanks for your help. Very much appreciated.
Logged

aesmith

  • Kitizen
  • ****
  • Posts: 1216
Re: Firebrick access to modems for inspecting stats
« Reply #13 on: January 09, 2016, 03:36:08 PM »

One thing that occurred to me is that you'd need to make sure the D-Links each have the other end of their /30 as their default gateway.  Looking at the D-Link manual I can't see how that would be done.  An alternative would be to NAT your internal source address onto the same subnet as the D-Link's management address, for example onto the IP used by the Firebrick interface.
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Firebrick access to modems for inspecting stats
« Reply #14 on: January 09, 2016, 03:43:18 PM »

The latter, I think. Did I show you the suggested config snippet? NATing the devices to map them somewhere into an accessible space was the suggested way, but I appreciate your point.
Logged