Can no longer access modem from behind router - VLAN question

[CHaynes112]

ISP Modem - Arris NVG448BQ
Router - ASUS GT-AC5300

This setup is running in bridge mode. Previously, I had ADSL2+ and was able to access the Arris modem from behind the ASUS router by entering this command:

ifconfig eth0:0 192.168.254.253 netmask 255.255.255.0

It created a subinterface for eth0 (the WAN port) and assigned it an IP address on the modem subnet. Recently, I upgraded to VDSL2. It took a little while to get bridge mode working as I was unaware that Frontier VDSL2 required VLAN tagging. Once I set the WAN VID to 101, I was able to get bridge mode working again. However, now that the VLAN tag is in the mix, I can no longer access my modem. I assume the basic fuctionality is still there, but I probably need to slightly modify the command mentioned above. The ASUS routing table does show a VLAN101 now. I tried the following commands without any luck...

ifconfig eth0:1 192.168.254.253 netmask 255.255.255.0
ifconfig eth0:101 192.168.254.253 netmask 255.255.255.0
ifconfig vlan101 192.168.254.253 netmask 255.255.255.0
ifconfig vlan101:0 192.168.254.253 netmask 255.255.255.0

I just now noticed that the VLAN101 route shows the MAN interface (as opposed to the WAN interface).

I'm hoping that someone has some suggestions?

Thanks

 

[eibgrad]

Are you saying this is a different modem from the prior modem that worked?

Is in fact the modem's IP network still accessible while in bridge mode? Can you connect a desktop/laptop to its LAN side and still access the GUI?

I would assume so, since you had to reconfigure it, but let's be sure.

Perhaps what you could do instead is bind 192.168.254.253 to the LAN side (br0:1), then run a cable LAN to LAN between the modem and router. Not pretty, but might be the easier solution.

 

[eibgrad]

P.S. You may have to NAT that traffic as well.

iptables -t nat -I POSTROUTING -d 192.168.254.0/24 -j SNAT --to 192.168.254.253

 

[CHaynes112]

This is the exact same modem (Arris NVG448BQ).

With ADSL2+, I used "ifconfig eth0:0 192.168.254.253 netmask 255.255.255.0" and could access the modem from behind the router.

When I upgraded to VDSL2, I initially couldn't get PPPoE (bridge mode) working on the router. After some research, I figured out that ADSL2 requires VLAN tagging. As soon as I added Internet VID 101 to the ASUS router, PPPoE would connect and bridge mode would work. However, when I added the VLAN tag, I could no longer access the modem via 192.168.254.254.

 

[eibgrad]

This is the exact same modem (Arris NVG448BQ).

With ADSL2+, I used "ifconfig eth0:0 192.168.254.253 netmask 255.255.255.0" and could access the modem from behind the router.

When I upgraded to VDSL2, I initially couldn't get PPPoE (bridge mode) working on the router. After some research, I figured out that ADSL2 requires VLAN tagging. As soon as I added Internet VID 101 to the ASUS router, PPPoE would connect and bridge mode would work. However, when I added the VLAN tag, I could no longer access the modem via 192.168.254.254.

Ok, but presumably there's no tagging on the LAN side. Not if you can still reach it w/ a laptop/desktop connected directly to the modem. So try what I suggested.

 

[eibgrad]

When bridging the Arris to the router, does it require your router to connect to a specific LAN port on the Arris, or will *any* LAN port do the job?

I'm asking because I see a potential problem w/ my suggestion. With this arrangement, there are effectively two (2) DHCP servers available from br0; both the LAN and ISP. We'd have to block the latter. But I'm hoping NOT all the modem's LAN ports can reach the ISP.

P.S. Of course, if you're NOT using DHCP w/ your ISP (perhaps a static IP), then it's NOT an issue.

 

[CHaynes112]

I have connected a cable from Port 2 on the modem to Port 8 on the router. I ran the command "ifconfig bri0:0 192.168.254.253 netmask 255.255.255.0". The router can ping 192.168.254.253 and 192.168.254.254. However, a client behind the router can't ping/access 192.168.254.254. I also tried bri0:1 as well.

When I bridge, I have always used Port 1 on the modem. I'm not sure if that's a requirement or not, but I don't think it is.

This is a PPPoE setup, not pure DHCP from the ISP, but the IP is obtained automatically. Since PPPoE is only enabled on the router's WAN port and the modem doesn't have DHCP enabled, would your concern still be an issue?

I have not done the NAT stuff yet.

 

[eibgrad]

I'm only concerned about DHCP wrt the ISP if in fact the ISP is using it to initialize the WAN. But if PPPoE does NOT rely on DHCP, then it's a NON issue.

The ARRIS doesn't have very good online documentation, it's mostly a black box, so how it works is a bit of a mystery. From what I could find, others claim it's NOT even a true bridge mode, but closer to a U-verse device that simply maps its own WAN (and DMZ) over to the connected device.

Anyway, you'll just have to try it and see what happens. And I believe the NAT rule is required.

 

[CHaynes112]

I believe it does have a true bridge mode now (called Transparent Bridging). In the earlier firmwares, it didn't exist and you had to use DMZ Pass Through.

A PC behind the router can ping 192.168.254.253 (the subinterface on the router).

I will test NAT.

 

[CHaynes112]

I added the following command "iptables -t nat -I POSTROUTING -d 192.168.254.0/24 -j SNAT --to 192.168.254.253". It looks to have applied without any errors, but I still can't access the modem.

 

[eibgrad]

If you connect a laptop/desktop to the ARRIS directly, can you access it for administrative purposes while in bridge mode? I assume it has disabled its DHCP server, so it may require a static configuration on the client itself.

 

[CHaynes112]

Yes. If I static a device on the 192.168.254.0/24 network and connect directly to the modem, I can access it even when it's in bridge mode.

 

[eibgrad]

Try adding the following firewall rule as well.

iptables -I FORWARD -s 192.168.1.0/24 -d 192.168.254.0/24 -j ACCEPT

I'm assuming your local IP network is 192.168.1.0/24, if not, adjust accordingly.

 

[eibgrad]

If it still doesn't work, it might be worth dumping a few things to see exactly what's going on (keep the firewall rules I suggested in place).

ifconfig
ip route
iptables -t nat -vnL
iptables -vnL

Of course, you can obscure your public IP.

 

[CHaynes112]

It started pinging for a while before I made any other changes (like out of nowhere). I have three ping -t running. One to the router (less than 1ms). One to 8.8.8.8 (17-18ms). One to 192.168.254.254. Previously it was less than 1ms. Now it is replying around 24-26ms?! Then it will miss a packet, then be like 6ms, then be at 25ms again. Could this be some sort of routing issue? I did add the firewall command you advised (making the subnet change for my internal network), but that didn't seem to change anything.

 

[CHaynes112]

And while I can ping it, I still can't access it via a browser.

A tracert looks normal - first hop is the router and second hop is the modem.

 

[CHaynes112]

I did "ifconfig br0:0 down" and the pings stopped. Then I did "ifconfig bri0:1 192.168.254.253 netmask 255.255.255.0" and it started replying again, but at 25ms...?!

 

[CHaynes112]

So even when I ping 192.168.254.254 from the router I get 20ms responses.

 

[CHaynes112]

How can I remove the NAT and Firewall rules without rebooting? I am doing some more testing but my knowledge of Linux command/switches is atrocious.

 

[eibgrad]

The following will delete the rules.

iptables -t nat -D POSTROUTING -d 192.168.254.0/24 -j SNAT --to 192.168.254.253
iptables -D FORWARD -s 192.168.1.0/24 -d 192.168.254.0/24 -j ACCEPT

This approach may not be worth the trouble anyway. I can't be sure exactly what's happening within the modem itself. It would have been better to create a VLAN specifically for the 192.168.254.x network in order to isolate it. But that's NOT easy to due given the limits of the firmware. Instead, I tried to have 192.168.1.0/24 and 192.168.254.x share the same LAN, which may be problematic in this case.