Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[biohead]

Hi all, finally back up and running after the Sky G-Fast farce!

I'm looking for a bit of help to get my line stats running from the Zyxel 8924 in modem mode using just a single cable.
For info, my ISP is Talktalk Business which comes with the HG635 router. This seems to differ from Talktalk retail in that you must use PPPoE rather than just being able to use DHCP/IPoE.
I plan to move over to my full pfsense setup, but I want to get the stats working on this simple setup first to confirm it works.

So far, I've followed Chrysalis' excellent write up (copied in below), but I'm still unable to access the modem from my network.
Current setup is: Zyxel 8924 (Bridge mode, 192.168.100.1 on the bridge) > HG635 via WAN port (192.168.0.254)
Is there any sort of VLAN tagging I need to perform on the router?

banger

1 - login to UI of zyxel
2 - select networks -> vlan groups
3 - add group called bridge set vland id to 2, tick the include box on the lan port you want to use. (one used for wan)
4 - select networks -> interface grouping and assign bridge vdsl port to same lan port.
Note you may have already done steps 3 and 4 when setting up the bridge.
5 - now select networks -> home networking
6 - in group name box default is preselected, change this to bridge
7 - make a note of the ip address shown, change if you want to. (192.168.100.1)

You can now access the zyxel using that ip address on the wan cable, I didnt have to adjust my config on my router compared to my billion it just worked.

[machare]

Have you tried connecting to the Zyxel's wifi?  The Wifi should use a different SSID to the HG635.

[biohead]

WiFi is turned off on the Zyxel.

I can still connect to one of the other LAN ports on the Zyxel for now (I've got a tiny Windows box hooked up to it with two lan ports - one to the router and one to the modem) but my goal is to run it via one cable. I only have 4 drop cables in the room it's in - and to lose two to the modem is less than ideal.

[Weaver]

Hi Biohead.

I got this working with my modems (I have four modems, using PPPoEoA on ADSL2 lines connected to my Firebrick router using PPPoEoE), and I’m ashamed to say it took me many many years to work out how to get the router to pass commands and responses through, seeing as the modems were just on either non-existent LANs or LANs that we’re separate, independent compared to the main LAN on the user side of the Firebrick router. I had to create independent LANs for the modems with defined addressing schemes and then explicitly tell the router to copy stuff to and from the modems’ admin interfaces; those modems’ admin interfaces had to be given defined IP addresses (IPv4 addresses in fact were chosen). It was a nightmare and is very messy still. How easy it is or is not depends in the default behaviour of the modem in this respect - what does it do with traffic on alien LANs connected to other ports?

My solution is complicated and ugly and expressed in language that is very Firebrick router specific. I had additional difficulties because I have multiple modems. I went through my solution in numerous earlier posts, which are pretty long-winded. I would have to dig to find them and I doubt you would thank me. :-) But they’re there if they might conceivably help. In one incredibly long sentence: I assigned static IPv4 RFC1918 addresses to the modems’ LANs being 192.168.n.*, each modem itself being 192.168.n.1 and each router’s modem-facing i/f itself on that two-node LAN being 192.168.n.254, and within the router I then explicitly ordered forced routing in both directions, routing which also involved NAT and IP header rewriting, so as to get source addresses from the main LAN rewritten to be as source=192.168.n.254 as seen by the modems because there was no default gateway set up in each modem and the modem did not know what to do with addresses outside its tiny 2-node world. There could well I suppose be a rather less forced, simpler method of doing what I needed.

[Alex Atkin UK]

Surely this is only half the job, the issue is the modems won't listen for LAN traffic on the bridge port as its on its own VLAN.

Theoretically you can VLAN tag so both go out the same port, but then there is the issue of getting THAT to work which I utterly failed at.

The NAT once its working is by far the easiest part IMO.

[Weaver]

@Alex worked for me. The Firebrick is what it is.

[Alex Atkin UK]

@Alex worked for me. The Firebrick is what it is.

Sounds like you merged the WAN and the LAN interface groups which I'm really not sure about the security of doing that.

[Weaver]

Not at all. The hardware architecture of the Firebrick isn’t like that, or isn’t set up like that at any rate; I’m not sure whether or not it could be set up to have a h/w configuration more like what you could possibly be thinking about, if I’m even understanding you, that is. My apologies if not. The FB2900 manual is downloadable on the firebrick website at https://www.firebrick.co.uk/support/manuals/  if you’re interested.

I simply forced the routing by having explicit, exceptional-‘firewall’ rules telling it to take traffic that hit rfc1918 addresses and redirect it to the modem in the appropriate interface, which would be a 2-node ‘LAN’ with RFC1918 src and dest addresses by NATing. If I had made the ports into a big switch then I would have confused everything as I need a ‘physical’ port+VLAN tag num pair to act as the target to map the PPPoEoE to WAN object to. The WAN is in any event inside a PPPoEoE object and on the far side of a VLAN mux/demux because there are not enough free ports for four modems, so they are MUXed using VLAN tags by a small 8-port VLAN-speaking switch.

It’s discussed more fully in an older thread somewhere. If it helps I can post up the config that I used.

Another reason why it’s secure is that there are special ACLs allowing only whitelisted machines to access the modems’ admin i/fs through the firebrick; These ACLs are set up by whitelisted MAC addresses of sysadmins’ machines only. The machines in the main LAN have IPv4 addresses which are global/routable, not RFC1918, and each modem’s admin i/f is 192.168.n.1, is not in the same LAN according to addressing and is not in the same LAN by definition ie. not in the same broadcast domain; traffic from the main LAN to a modem admin i/f is routed through the firebrick, as default gateway, to the modem as its address is outside the LAN address range. Anyway, random users on the main LAN have a firewall rule blocking their attempts to ping a modem’s admin i/f.

[Typo corrected as requested - roseway]

[Chunkers]

I have two zyxel modems on the wan side of my pfsense router.  The only way I could get them to be accessible on my LAN as modems was to set each modem up on a completely separate network range e.g. 10.X.X.X and 172.X.X.X

Once I did that and configured separate interfaces for each in pfsense then I was able to access them on my LAN, its messy though

Good luck!

C

[biohead]

So, I've been trying a bit more and still not getting anywhere - and it's getting quite frustrating!
I'm by no means an expert on networking so I could be doing something really stupid!
Would someone mind sanity checking my screenshots to see if I'm missing the obvious?

On pfsense (at 10.11.10.1) I have setup my WAN to use PPPoE.igb2 - which works fine (IGB2 is the physical port connected to the Zyxel). I've setup a new "MODEM" interface, for VLAN20 on igb2, and a static IP of 192.168.2.5. I've setup a NAT rule to route all traffic to 192.168.2.0/24 from the LAN via the MODEM interface.

On the Zyxel, I have created an interface group with PTM0.1 on LAN1. I have created a bridge, with the IP set to 192.168.2.1, and a VLAN Group called Bridge on VLAN20 on LAN1 (untagged). If I tag it, I lose all WAN connectivity and still can't ping the modem from the LAN.

[burakkucat]

I don't see a VLAN, with a tag of 101, on the WAN (xDSL) interface.   

(Normally the modem would be your endpoint of that VLAN.)

[biohead]

That's all setup under the xDSL settings and working OK.

This is specifically about trying to get into the management of the modem when only using a single LAN cable between the modem and router.

[mrk26]

For me working without vlan tags but I use asus router.
Not sure if I can post link to other forum but I use this setup based on instructions for draytek and also working with zyxel:

Firstly, ensure the Draytek 130 Modem is on a different subnet to that of the ASUS router.
E.g
Draytek Vigor 130 – 192.168.2.1 (default)
ASUS Router – 192.168.1.1 (default)

(you can use whatever subnets you wish, just substitute your IP values to suit)

Then on the ASUS Router, go to Advance Settings > LAN > LAN IP and ensure IP address is 192.168.1.1
Then go to Advanced Settings > WAN >  Internet Settings and Select – Get the Wan IP Address Automatically, and select the No radial button, and manually enter ……

IP Address – 192.168.2.2 (Draytek Modems Spare IP Address)
Subnet – 255.255.255.0 (Draytek Modems Subnet Address)
Default Gateway 192.168.2.1 (Draytek Modem actual IP Address)

Note, WAN DNS may need to be added, I used Google’s
8.8.8.8 and 8.8.4.4

Now you should be able to telnet to the Draytek Modem via 192.168.2.1 and via browser, Draytek Modem UI via http://192.168.2.1

Plus settings on zyxel from first post, and I can access with one cable to stats whether I use zyxel or draytek (just changing ip in asus as they got assigned different ip)

[Moderator edited to wrap the quoted text with [quote][/quote] tags.]

[hushcoden]

That's all setup under the xDSL settings and working OK.

This is specifically about trying to get into the management of the modem when only using a single LAN cable between the modem and router.

Not sure if it will help you, but I used to have an Asus router (with Merlin firmware) connected to my VMG1312-B10A in bridge mode.

The ZyXEL was configured as showed in your pictures, but I didn't have/need any VLAN (I never used a pfsense router) and in order for me to access the ZyXEL web GUI (WAN side) from the WAN of the router, I only needed the following two lines:

Code: [Select]

ifconfig $(nvram get wan0_ifname):0 192.168.2.2 netmask 255.255.255.0

iptables -t nat -I POSTROUTING -o $(nvram get wan0_ifname) -j MASQUERADE


[Alex Atkin UK]

I tried to do this on the Zyxel and struggled too.  I tried it on the Home Hub 5A running OpenWRT and was stunned how easy it was.

All I had to change from the default configuration (using two different cables) was the WAN port VLAN1 from off to tagged, then create the interface on pfSense and add it to the LAN bridge.