How to access my ONT (bridge mode) from router (via VPN Server)

amplatfus

Senior Member
Hi,

I was wondering: would it be technically possible to connect to the ONT (in bridged mode) while being connected to the LAN remotely via the built-in VPN Server (Asuswrt-Merlin)? (i.e. LAN, SSH are accessible).
I mention that LAN <> ONT connectivity can be configured as mentioned here > [Solved] How to access my ONT from router.

Or would it be a loop?

Thank you,
amplatfus
 

Kyo

New Around Here
Hello

It should be possible as long as the VPN LAN IP addressing, LAN IP addressing and ONT IP addressing don't overlap. I think the router VPN pushes the local routes to clients...
 

amplatfus

Senior Member
Hi,

Thank you for the help. I think this condition is met, there is no overlap:
VPN Server IP belongs to 10.*
ONT has 192.168.100.1
LAN has 172.*

Also, I mention that I can access the LTE USB stick used as Secondary WAN:
(192.168.3.1) ------- LTE ------[Secondary WAN] --> working from VPN Server
(192.168.100.1) -- ONT ---- [bridge mode] -------> failed connectivity using VPN Server (I have ping fired from VPNS to 192.168.100.2 but failing to 192.168.100.1)

Both are working from LAN.

I solved LTE USB for LAN by adding the rule below to nat-start:
iptables -t nat -I POSTROUTING -o eth8 -j MASQUERADE

I solved ONT for LAN by adding the rule below to nat-start:
ifconfig $(nvram get wan0_ifname):0 192.168.100.2 netmask 255.255.255.0

Please find below some outputs:

Code:
AX88>191716/tmp/home/root#:ip route
10.xx.xx.xx/24 dev tun21  proto kernel  scope link  src 10.xx.xx.x 
192.168.7.0/24 dev eth8  proto kernel  scope link  src 192.168.7.122 
192.168.100.0/24 dev eth0  proto kernel  scope link  src 192.168.100.2



System Log - Routing Table
IPv4 Routing table
Destination_______Gateway_______Genmask________Flags____Metric____Ref_____Use_____Iface
169.254.0.0__________*________255.255.0.0__________U_________0_______0_______0_______MAN
192.168.7.0__________*________255.255.255.0_______U__________0_______0_______0_______WAN
192.168.100.0________*________255.255.255.0______U__________0_______0_______0_______MAN
[...]   



AX88>191726/tmp/home/root#:ifconfig -a
eth0      Link encap:Ethernet 
          inet addr:169.254.x.xxx  Bcast:169.254.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:45091850 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24841698 errors:0 dropped:104 overruns:0 carrier:0

eth0:0    Link encap:Ethernet
          inet addr:192.168.100.2  Bcast:192.168.100.255  Mask:255.255.255.0
[...]
eth8      Link encap:Ethernet
          inet addr:192.168.7.122  Bcast:192.168.7.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15033 errors:0 dropped:0 overruns:0 frame:0
          TX packets:39437 errors:0 dropped:0 overruns:0 carrier:0



AX88>191736/tmp/home/root#:netstat -rn
Kernel IP routing table
Destination _____Gateway______Genmask _______Flags____MSS Window  irtt____Iface
192.168.7.0______0.0.0.0______255.255.255.0 _____U________0_____0______0____eth8
192.168.100.0____0.0.0.0______255.255.255.0_____U________0_____0_______0____eth0
[...]



AX88>033349/tmp/home/root#:iptables -t nat -L POSTROUTING -n -v --line-numbers
Chain POSTROUTING (policy ACCEPT 69 packets, 4227 bytes)
#num____pkts____bytes_____target_____________prot_______opt____in_____out_______source_________destination         
#5_______59______358______MASQUERADE_____all_________--_____*______eth8_____0.0.0.0/0__________0.0.0.0/0
#9________0________0_______MASQUERADE_____all_________--_____*______eth0_____!169.254.x.xxx____ 0.0.0.0/0

[Maybe #1]:
I have to add something like the rule below, because I cannot see a rule for eth0:0 in the output of the last command (033349). (I tested the rule below, but it is not working):
iptables -t nat -I POSTROUTING -o eth0:0 -j MASQUERADE

[Maybe #2]:
Because of #9 and this negation: !169.254.x.xxx?
#9 0 0 MASQUERADE all -- * eth0 !169.254.x.xxx 0.0.0.0/0

[Maybe #3]:
ifconfig $(nvram get wan0_ifname):0 192.168.100.2 netmask 255.255.255.0 --> [gui for www is 192.168.100.1 not x....2]
Please, if anybody has a clue, please share. I will search myself in the meantime in order to mark this thread as solved to help us all :)

BR,
amplatfus
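
One way to read the POSTROUTING listing in the post above, as an added example that is not part of the thread or of Asuswrt-Merlin: it walks a saved listing in first-match order and reports which MASQUERADE rule a packet leaving a given interface would hit. The listing, the addresses 10.8.0.2 and 169.254.10.20, and the function name first_masq are constructed for illustration; the elided rules and the FORWARD chain are not modelled.

```shell
#!/bin/sh
# Added example: first-match evaluation of a saved
# `iptables -t nat -L POSTROUTING -n -v --line-numbers` listing.

# Constructed listing: rules 5 and 9 follow the post (masked octets filled in),
# rule 1 stands for the attempted "-o eth0:0" rule.
LISTING='Chain POSTROUTING (policy ACCEPT 69 packets, 4227 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE  all  --  *      eth0:0  0.0.0.0/0            0.0.0.0/0
5       59   358 MASQUERADE  all  --  *      eth8    0.0.0.0/0            0.0.0.0/0
9        0     0 MASQUERADE  all  --  *      eth0    !169.254.10.20       0.0.0.0/0'

# first_masq OUT_DEV SRC_IP DST_IP
# Prints the number of the first matching MASQUERADE rule, or "none".
first_masq() {
    printf '%s\n' "$LISTING" | awk -v oif="$1" -v src="$2" -v dst="$3" '
    function ip2n(a,   p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
    # spec is ADDR or ADDR/LEN, optionally prefixed with "!" for negation
    function in_net(ip, spec,   neg, s, len, d, hit) {
        neg = (substr(spec, 1, 1) == "!")
        if (neg) spec = substr(spec, 2)
        len = 32
        if (split(spec, s, "/") == 2) len = s[2]
        d = 2 ^ (32 - len)
        hit = (int(ip2n(ip) / d) == int(ip2n(s[1]) / d))
        return neg ? !hit : hit
    }
    $1 ~ /^[0-9]+$/ && $4 == "MASQUERADE" {
        # Netfilter compares the out column with the device name (eth0);
        # an alias label such as eth0:0 is not a device, so it never matches.
        if (($8 == "*" || $8 == oif) && in_net(src, $9) && in_net(dst, $10)) {
            print $1; found = 1; exit
        }
    }
    END { if (!found) print "none" }'
}

# Constructed VPN client address towards the ONT, leaving through eth0
echo "VPN client -> ONT via eth0: rule $(first_masq eth0 10.8.0.2 192.168.100.1)"
```

On the router, the live `iptables` output can be assigned to `LISTING` instead of the constructed text; the `pkts` column of the reported rule then shows whether traffic has actually reached it.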
 
