How to access cable modem "in front of" firewall

on 20.07.2007 21:07:52 by junk

Hello.
I've got a cable modem with the standard 192.168.100.1 address for
its internal web server.
I'd like to be able to access this for diagnostics but it's outside my
firewall.

Firewall is IPCop.

Network looks like:

Internet -> cable modem (with 192.168.100.1 IP for web interface) ->
Red interface @ 68.x.x.x via DHCP -> IPCop @ 192.168.1.1 -> LAN pcs at
192.168.1.x

I can add a route to the cable modem through the Red interface

route add -host 192.168.100.1 eth1

I think this should get a PC on the Green interface to the cable modem
but I think I need to open a hole in the firewall to let the traffic
back through the firewall to my internal PC.

Any help is greatly appreciated.
Erik

Re: How to access cable modem "in front of" firewall

on 20.07.2007 22:33:27 by comphelp

junk@shanesreef.com writes:

> Hello.
> I've got a cable modem with the standard 192.168.100.1 address for
> its internal web server.
> I'd like to be able to access this for diagnostics but it's outside my
> firewall.
>
> Firewall is IPCop.
>
> Network looks like:
>
> Internet -> cable modem (with 192.168.100.1 IP for web interface) ->
> Red interface @ 68.x.x.x via DHCP -> IPCop @ 192.168.1.1 -> LAN pcs at
> 192.168.1.x

Your IP numbering choices have conspired against you. Since you've
numbered your LAN as you have (assuming that you're using a 24 bit
netmask of 255.255.255.0), the router won't get involved and send your
traffic to the cable modem since 192.168.100.1 is on your local
network as far as it's concerned.

If you put your lan on any other subnet than 192.168.100.0/24 it
should work just fine.

192.168.10.0 netmask 255.255.255.0 for instance, for the LAN.


I'm not sure if a static route added in the router device itself might
be able to override that, but really it's cleaner to get your LAN ip
range to be mutually exclusive to fix this issue.

Best Regards,
--
Todd H.
http://www.toddh.net/

Re: How to access cable modem "in front of" firewall

on 20.07.2007 22:34:24 by Erik

Thanks Todd.
My LAN is on a different subnet (192.168.1.1, 255.255.255.0) from the
cable modem (192.168.100.1)

I'm pretty sure adding the "route add ..." will get me out of the
firewall and to the modem (as opposed to "through" the modem to talk
to the modem it will have to be able to get back to me.

I'm not sure how to make that part work.



Todd H. wrote:
> junk@shanesreef.com writes:
>
> > Hello.
> > I've got a cable modem with the standard 192.168.100.1 address for
> > its internal web server.
> > I'd like to be able to access this for diagnostics but it's outside my
> > firewall.
> >
> > Firewall is IPCop.
> >
> > Network looks like:
> >
> > Internet -> cable modem (with 192.168.100.1 IP for web interface) ->
> > Red interface @ 68.x.x.x via DHCP -> IPCop @ 192.168.1.1 -> LAN pcs at
> > 192.168.1.x
>
> Your IP numbering choices have conspired against you. Since you've
> numbered your LAN as you have (assuming that you're using a 24 bit
> netmask of 255.255.255.0), the router won't get involved and send your
> traffic to the cable modem since 192.168.100.1 is on your local
> network as far as it's concerned.
>
> If you put your lan on any other subnet than 192.168.100.0/24 it
> should work just fine.
>
> 192.168.10.0 netmask 255.255.255.0 for instance, for the LAN.
>
>
> I'm not sure if a static route added in the router device itself might
> be able to override that, but really it's cleaner to get your LAN ip
> range to be mutually exclusive to fix this issue.
>
> Best Regards,
> --
> Todd H.
> http://www.toddh.net/

Re: How to access cable modem "in front of" firewall

on 20.07.2007 23:18:59 by comphelp

erik writes:

> Thanks Todd.
> My LAN is on a different subnet (192.168.1.1, 255.255.255.0) from the
> cable modem (192.168.100.1)
>
> I'm pretty sure adding the "route add ..." will get me out of the
> firewall and to the modem (as opposed to "through" the modem to talk
> to the modem it will have to be able to get back to me.
>
> I'm not sure how to make that part work.

Are we dealing with a software or hardware firewall?

Another issue possibly at play is that 192.168.100.1 being an RFC1918
"private" address that shouldn't hit the internet, may not get routed
by your router to the WAN interface. I imagine implementations of
that egress filtering vary.

Not being familiar with which firewall you're dealing with, I can't
say more but to guess at that maybe being at play.

There should be another IP by which you can talk to your cable modem.
Check out the broadbandreports.com forums and see if anyone talking
about your provider specifically might have it included in a post, or
a procedure on how to figure it out.

--
Todd H.
http://www.toddh.net/

Re: How to access cable modem "in front of" firewall

on 21.07.2007 02:01:48 by Erik

Got it. Pretty boring though.
I spent all this time thinking about how to do it without ever trying
it. Now that I'm home I gave it a try and without changing anything
after the default install of IPCop I can view the modem's status page.

I can reach 192.168.100.1 from 192.168.1.49 with a NM of
255.255.255.0.
Can't imagine how.

Now I almost wish it didn't work so I could figure how to make it
work.

Thanks for the dialog anyway, Todd.


Erik


On Jul 20, 4:18 pm, comph...@toddh.net (Todd H.) wrote:
> erik writes:
> > Thanks Todd.
> > My LAN is on a different subnet (192.168.1.1, 255.255.255.0) from the
> > cable modem (192.168.100.1)
>
> > I'm pretty sure adding the "route add ..." will get me out of the
> > firewall and to the modem (as opposed to "through" the modem to talk
> > to the modem it will have to be able to get back to me.
>
> > I'm not sure how to make that part work.
>
> Are we dealing with a software or hardware firewall?
>
> Another issue possibly at play is that 192.168.100.1 being an RFC1918
> "private" address that shouldn't hit the internet, may not get routed
> by your router to the WAN interface. I imagine implementations of
> that egress filtering vary.
>
> Not being familiar with which firewall you're dealing with, I can't
> say more but to guess at that maybe being at play.
>
> There should be another IP by which you can talk to your cable modem.
> Check out the broadbandreports.com forums and see if anyone talking
> about your provider specifically might have it included in a post, or
> a procedure on how to figure it out.
>
> --
> Todd H.
> http://www.toddh.net/
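
Added example, not part of the thread: a longest-prefix-match walk through constructed routing tables for a LAN PC and the firewall, showing which route a packet to 192.168.100.1 matches, what the `route add -host` entry changes, and which source address the modem replies to. The 203.0.113.x addresses stand in for the elided 68.x.x.x Red network, and masquerading of LAN traffic on Red is an assumption about the firewall's default behaviour.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed tables. 203.0.113.0/24 (a documentation range) stands in for the
# elided 68.x.x.x Red network; interface names follow the thread (eth1 = Red).
PC_ROUTES = [("192.168.1.0/24", None, "lan"), ("0.0.0.0/0", "192.168.1.1", "lan")]
FW_ROUTES = [
    ("192.168.1.0/24", None, "eth0"),          # Green, on-link
    ("203.0.113.0/24", None, "eth1"),          # Red, on-link
    ("0.0.0.0/0", "203.0.113.1", "eth1"),      # default via ISP gateway
]
HOST_ROUTE = ("192.168.100.1/32", None, "eth1")  # route add -host 192.168.100.1 eth1
RED_IP = "203.0.113.25"                          # assumed DHCP lease on Red


def lookup(routes, dst):
    """Longest-prefix match; returns (prefix, next_hop or None if on-link, interface)."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)


def trace(src, dst, host_route=False):
    """Describe how a packet from a LAN PC to dst is handled."""
    addr = ipaddress.ip_address(dst)
    _, pc_hop, _ = lookup(PC_ROUTES, dst)
    if pc_hop is None:                      # same subnet: the PC ARPs for dst itself
        return {"via_firewall": False}
    fw_routes = FW_ROUTES + ([HOST_ROUTE] if host_route else [])
    prefix, fw_hop, iface = lookup(fw_routes, dst)
    leaves_red = iface == "eth1"
    return {
        "via_firewall": True,
        "matched": prefix,
        "next_hop": fw_hop or "on-link (ARP for destination)",
        "egress": iface,
        # With masquerading on Red, the modem sees and replies to the Red address.
        "source_seen_by_dst": RED_IP if leaves_red else src,
        # Private destination leaving the WAN side: what an egress filter would test.
        "rfc1918_leaving_red": leaves_red and any(addr in n for n in RFC1918),
    }


if __name__ == "__main__":
    for hr in (False, True):
        print(trace("192.168.1.49", "192.168.100.1", host_route=hr))
    print(trace("192.168.1.49", "192.168.1.20"))
```

In both cases the packet leaves through Red with the Red address as its source, so the modem's reply returns to the firewall as ordinary return traffic for an outbound connection; the host route only changes the next hop from the ISP gateway to on-link.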