The ZyXel modem doesn’t have ‘rules’ or ‘forwarding’ in my case because it isn’t a router, it’s just a dumb pppoe copying modem. So the config determines which ports are used by pppoe frames. And
its config determines how/where it outputs admin Ip packets.
It’s not as if there are Ip packets coming from somewhere and getting redirected within the B10A. Make sense?
My Firebrick router redirects stuff from the main LAN to the B10As if the dest IPv4 address in 192.168.n.1 where n is the nth modem 1..4. All IPv4 going into the B10A’s admin i/f gets its headers rewritten by the Firebrick (not by the B10A, for the avoidance of doubt) so that the source address is 192.168.n.254, and the B10A thinks it is hearing something in the same /24 where it’s own admin if lives. It then replies to 192.168.1.254. The .n.254 address is set up by the Firebrick to be the address of the Firebrick’s modem-facing interface in the small (only two nodes) lan that is one bit of straight wire. This is crucial; the B10A does not know how to to talk to any address outside it’s own /24 (or whatever range is chosen by the netmask set in its config) because it doesn’t have a default gateway defined, so it would not know where in L2 to send the frames to, ie to which Ethernet address an outside-my-range ip packet needs to go to to be handled by the gateway off this lan. this step is only there in order to fix the problem caused by the networking in the B10A not being fully set up, since the default gateway setting is missing. Since we are talking to .n.254 in my case, that’s an in-lan-range address and so no default gateway address arp lookup is required, so all is well and the B10A can send to .n.254. The Firebrick then has to redirect the packet received on .n.254 to wherever the corresponding request in the other direction originally came from on the main lan. It can do this by using its normal Nat mapping tables which turn an IP address into a distinctive source tcp port value. When the response comes back from the B10A the Firebrick already has a nat table entry set up dynamically from the earlier request heading towards the B10A and remembers where the response has to go back to by consulting that mapping in the table and rewrites the header again putting it onto the main lan with a source IP address rewritten to look like the response is coming from .n.1, the B10A. So all pretty ugly.
The non-obvious bit for me was the whole extra step needed because the default gateway setting is lacking in my B10A config and I can’t see anywhere in the b10a’s xml to declare it. It’s all about making sure that the B10A will not see incoming addresses that it cannot handle, addresses that it simply cannot talk to, which means anything outside its own netmask range (/24 in my case), all because of the lack of this crucial setting.
That is going to be true for use with any router. If this doesn’t make sense then I’m not surprised, as it hurt my head, which is very fuzzy anyway at the best of times.
It doesn’t seem to want to let you set a netmask of 0.0.0.0 iirc, btw, ie to declare ‘the whole universe is my lan’ so the B10A can just send packets to any ip dest addresses regardless of what they are and no default gateway lookup is then ever needed. I don’t know exactly what it does, but I seem to recall that it grinds its teeth if you try and set it up like that - can’t remember the details. But that would be a very sensible fix. The authors just thought presumably that setting up a netmask like that was an obvious bug, isn’t it (no) and so checked for it.