accessing modem behind router.

Discussion in 'Tomato Firmware' started by petm, Oct 6, 2010.

  1. petm

    petm Networkin' Nut Member

    i have a wrt54gl v1.1 with tomato 1.28 speedmod. on its wan port for accessing the internet i have a modem which uses the ip

    to directly access the modem from my computer, i read (unfortunately without further explanation) that i should execute the following 3 lines on a linux router:

    ipconfig br0:0
    iptables -I POSTROUTING -t nat -o vlan1 -d -j MASQUERADE
    ip addr add dev vlan1 brd +

    i tried that, the first line doesn't work, the other two do. then i could actually access the modem. so i put these two lines as firewall script into the router. it (ie accessing the modem) worked for a while, but when i tried today, it didn't. so i tried to execute the lines manually again, the third line says something like "file already exists".

    now i think it's time for me to understand what these lines do.
    could anyone explain that to me, and also help me to figure out what's wrong and how i should do that in the future?

    thanks, peter
  2. Azuse

    Azuse LI Guru Member

    You only need two lines in the firewall script. For example, my modem is 192.168.1.x and my router 192.168.0.x, so I use the script below:

    ip addr add dev $(nvram get wan_ifname) brd +
    iptables -I POSTROUTING -t nat -o $(nvram get wan_ifname) -d -j MASQUERADE

    The first line uses an ip on the same subnet as the modem (but not the modem's ip) while the second an ip on the router's subnet (but not the router's ip). Assuming the ips you provided are correct this should work:

    ip addr add dev $(nvram get wan_ifname) brd +
    iptables -I POSTROUTING -t nat -o $(nvram get wan_ifname) -d -j MASQUERADE

    Just paste those two lines into the firewall script page, save, reboot, profit?
  3. petm

    petm Networkin' Nut Member

    thanks so far.

    my router's address is, so my lines should never have worked? but they did.

    so i should use

    ip addr add dev vlan1 brd +
    iptables -I POSTROUTING -t nat -o vlan1 -d -j MASQUERADE


    could you explain a little more what these lines do? why those "arbitrary" ips? what do those "/8" mean? is that a port number?

    and why the reboot? is that the only time the firewall scripts are called?

    ps: i entered that second line with the new ip, and now it works! great. thanks. but i'm still curious why, how does that work? what do these lines set up?
  4. RonWessels

    RonWessels Network Guru Member

    There is a huge difference between having your modem IP on a different network address than your LAN (eg. modem =, LAN = 192.168.1.X) and having your modem IP on an IP address that is within your LAN range (eg. modem = 102.168.1,8, LAN = 192.168.1.X).

    In the first case, you shouldn't have to do anything to communicate with your modem. Everything works just like it does for any other IP address on the WAN side of your router. This would be my recommended setup for anyone with an IP-addressable modem. If the modem's local IP address cannot be changed, simply change the LAN address of the router to make sure they are different.

    When you insist on having a device outside of your LAN being addressable as if it were part of your LAN, you have to jump through hoops. Firstly, you have to add special-case routing instructions on the router itself to know that the modem IP address is connected via the WAN port rather than the LAN port. Then you have to add routing instructions on every machine on your LAN (that you want to talk to the modem from) to say that the modem's IP address is not really on the LAN but is routed through the router.

    @Azuse, I really have no idea why the commands you specified are required in your case, since your modem is on a different network address than your LAN. What doesn't work when you don't have those there? [ I imagine there are things that don't work when you _do_ have those commands there ].

    Peter, your best option is to change your router's configuration so that your LAN address is 192.168.2.X. Then you can simply reference your modem's IP address of from any machine on your LAN and just have it work without any futzing around and possibly opening holes in your firewall that can be exploited by intelligent IP spoofing.
  5. petm

    petm Networkin' Nut Member

    my modem is at
    my router is at,
    so the modem is not in the router's subnet.

    if i don't have those lines in there, this program can't access the router:
    i don't know why, it probably somehow assumes that the modem is directly connected to the computer and should therefore be in the same ip range as the computer. maybe the picture at the bottom of the page gives a clue, it is described as an alternative solution to those lines.
  6. Azuse

    Azuse LI Guru Member

    You mean besides telling it what to do with that address and sending it out the wan port.

    ip addr add dev $(nvram get wan_ifname) brd +
    iptables -I POSTROUTING -t nat -o $(nvram get wan_ifname) -d -j MASQUERADE

    Would be what I would use, if i remember my ips correctly.

    The reason you should use $(nvram get wan_ifname) instead of vlan1 is because different routers (and firmwares) have different wan port names and telling it to get the name from the router means it will always work.

    Yes, firewall scripts need a reboot.
  7. mstombs

    mstombs Network Guru Member


    You need those commands when accessing a modem in PPPoE bridge mode, you want the router to use normal TCP/IP out the WAN port, not route the packets over the PPP tunnel using the ppp0 interface.
  8. RonWessels

    RonWessels Network Guru Member

    Ding! Well that finally sunk in. Thanks. Having Cable myself, I wasn't thinking about the PPP processing. I still stand by my previous comments, but you are correct that you will need to do something to bypass the PPP processing to actually talk to the modem. It's still way easier with the modem's IP on a different subnet than the LAN, but I see from other posts that's not an issue. I was wondering why such a short script was getting apparent success.
  9. petm

    petm Networkin' Nut Member

    damn, i'm back to not working again. since a modem reboot the program won't access it any more. rebooting the router doesn't help.
    executing our two lines manually doesn't help.
    i can ping from the router and from my computer, so it would seem as if the two lines did what they were supposed to do.

    how can i troubleshoot this set up? what exactly do these two ips and their /8 mean? how can i find out what kinds of requests the program launches? how come it's ok to just use any ip in these lines? how can i find out which ip address the program actually tries to access (besides asking the author, by now i am more interested in the technical stuff than in getting the program to work)?

    thanks for any help for me (who seems to be quite the networking noob).
  10. petm

    petm Networkin' Nut Member

    update: i now used the 3 original lines from the help page of that program as firewall script:

    ifconfig br0:0
    iptables -I POSTROUTING -t nat -o vlan1 -d -j MASQUERADE
    ip addr add dev vlan1 brd +

    it's working now. if i only understood any of this ...
  11. Toastman

    Toastman Super Moderator Staff Member Member

    What is doing what - my attempt to explain things:

    VLAN1 already exists as part of the router's internals, so luckily we don't need to create another vlan just to access the modem.


    (1) ip addr add dev vlan1 brd +

    VLAN1 already being the WAN interface, this command just assigns an IP address to it so that we may send normal IP packets out to the modem, in addition to being used for PPPOE encapsulated communications. Any IP in the subnet would do to define that subnet as long as it isn't the modem's IP. The /24 just defines a subnet 169.254.1.xx that will be reachable by this port. Google for help with that (IP netmask) if you don't understand it. /8 would be a much bigger subnet, which isn't necessary or desirable.

    (2) iptables -I POSTROUTING -t nat -o vlan1 -d -j MASQUERADE

    This routes any packets destined for the 169.254.1.xx subnet, to the vlan1 interface and hence to the modem.

    Note that the ip address has to be assigned to the interface first - before the routing will work. Because of that, most examples place line (1) in Tomato's init script box, which comes up first - and the routing line (2) in the firewall box. [This issue of timing is often why things don't work on occasions, so sometimes you will see a line such as "sleep 5" to introduce a delay before a script executes].

    Note also that the modem's address should be on a subnet assigned for private use. (We don't want stuff for the internet accidentally sent to the modem). Since subnet 169 is an APIPA address range, normally used by Windows if it can't obtain an address from a DHCP server, we mostly use or for the modem's IP since most routers default to for their own subnet. So most examples you see will not use 169. But the choice is up to you.

    Why the reboot? Well, we need to make sure the scripts are executed. The reboot ensures this. If they were only in the firewall box, then anything that restarted the firewall, such as a reconnect to the ISP, would also restart the firewall and execute the scripts.
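
Added example, not part of any post in this thread: the two commands discussed above, wrapped so they can be run repeatedly without the "File exists" error or duplicate NAT rules. The addresses are constructed placeholders, the function names are hypothetical, and the NAT rule is narrowed to the modem's single address instead of the subnet the posters match on.

```shell
#!/bin/sh
# Added example: repeatable modem-access setup for a Tomato firewall script.
# The addresses are constructed placeholders, not values from the thread.
MODEM_IP="192.168.100.1"       # modem's management address (assumed)
ALIAS_CIDR="192.168.100.2/24"  # spare address in the modem's subnet (assumed)
WAN_IF="${WAN_IF:-vlan1}"      # on Tomato: WAN_IF=$(nvram get wan_ifname)

# Assign the alias only when the interface does not carry it yet, so a second
# run does not fail with "File exists".
add_alias() {
    addr="${ALIAS_CIDR%/*}"
    if ip addr show dev "$WAN_IF" | grep -qF "inet $addr/"; then
        return 0
    fi
    ip addr add "$ALIAS_CIDR" dev "$WAN_IF" brd +
}

# Remove every earlier copy of the rule, then insert it exactly once, so
# re-running the script (by hand or on a firewall restart) never stacks
# duplicates. Matching only the modem's address keeps the rule as narrow as
# possible; a /8 would masquerade traffic to a far larger range.
add_nat_rule() {
    while iptables -t nat -D POSTROUTING -o "$WAN_IF" -d "$MODEM_IP" \
        -j MASQUERADE 2>/dev/null; do
        :
    done
    iptables -t nat -I POSTROUTING -o "$WAN_IF" -d "$MODEM_IP" -j MASQUERADE
}

# The address has to exist before the NAT rule is of any use.
modem_access_up() {
    add_alias && add_nat_rule
}

# Show both pieces of state when troubleshooting.
modem_access_status() {
    ip addr show dev "$WAN_IF" | grep -F "inet ${ALIAS_CIDR%/*}/"
    iptables -t nat -L POSTROUTING -n -v | grep -F "$MODEM_IP"
}

# On the router, end the firewall script with a call to: modem_access_up
```
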
  12. petm

    petm Networkin' Nut Member

    thanks, i think i understand that. so both lines need an ip from the modem's subnet, not the router's, right?

    especially putting the lines in different scripts makes sense to me. but i just tested it and it didn't work. seems like the first line doesn't work in the init script. i had put both lines in the firewall script since i read somewhere that only this ensures that the networking stuff is up. maybe put both in the firewall script and a sleep 5 in between?

    unfortunately i cannot change the ip address of the modem, at least i wouldn't know how. but i think it won't hurt the modem if it gets sent some stuff accidentally, right? also i will only ever be able to send anything to the modem AFTER i am successfully connected to the router already, so i will have a valid ip, not some 169.*.
  13. Toastman

    Toastman Super Moderator Staff Member Member

    Just do what works for you. If in the init section doesn't work, for example you might put a "sleep 10" above it. Whatever. Nothing is cast in stone :biggrin: The ultimate aim is to see a nice entry in the Advanced - Routing list showing that subnet sent to the WAN port via vlan1. If it's there, you've done the deed.

    see also
  14. petm

    petm Networkin' Nut Member

    do all the other processes wait for the init script? because if not i'd be afraid that a sleep 10 before the first line might cause the second line in the firewall script to be executed first.
    actually it's a shame that there is no "run now" button for these scripts, it's kinda annoying to always have to switch to putty to experiment.

    thanks for all the help.
  15. brugar

    brugar Network Guru Member

    I use the following init script to provide an additional WAN port address for access
    to my modem:

    sleep 5
    ifconfig vlan1:0 netmask

    My bridged Westell 6100 modem uses the address for
    configuration access on the net 192.168.0.x.

    My LAN is on the net 192.168.1.x with my router address at

    My router uses DHCP to get its internet address for the WAN port.

    The resulting router table:

    xxx.x.xx.x * 0 vlan1 (WAN)
    yyy.yy.yyy.yyy xxx.x.xx.x 0 vlan1 (WAN)
    yyy.yy.yyy.yyy xxx.x.xx.x 0 vlan1 (WAN) * 0 br0 (LAN) * 0 vlan1 (WAN)
    xxx.x.x0.0 * 0 vlan1 (WAN) * 0 lo
    default xxx.x.xx.x 0 vlan1 (WAN)

    where xxx.x.xx.x is the internet gateway and yyy.yy.yyy.yyy domain name server
    assigned by my internet provider.
  16. Toastman

    Toastman Super Moderator Staff Member Member

    petm, don't forget you can paste lines into the TOOLS-SYSTEM box to execute them
  17. petm

    petm Networkin' Nut Member

    yes toastman, i've heard about that but not using RAF yet, only speedmod. i heard that i have to manually restore the configuration after the switch, and i was too lazy so far.

    brugar, are you saying that you are doing what is discussed here with only one line?
  18. brugar

    brugar Network Guru Member

  19. Toastman

    Toastman Super Moderator Staff Member Member

    brugar/petm - remember both you and mstombs use a cable connection, not PPPOE, so it's quite a different problem. But anyway, that line is just another way to assign an IP address to the WAN port. It still needs routing. See post 7 ...
  20. petm

    petm Networkin' Nut Member

    now some years later and on windows 7 i have trouble with my internet connection speed and thought i'd have a look at the modem stats. everything is set up as discussed here, i.e.

    my modem is at
    my router is at

    and my tomato firewall script contains
    ip addr add dev vlan1 brd +
    sleep 5
    iptables -I POSTROUTING -t nat -o vlan1 -d -j MASQUERADE

    yet the modem cannot be reached any more.

    it says i need to execute

    route -p ADD MASK

    for it to work. i can execute this successfully, but still no connection.

    so my questions:

    1. why this extra step for windows 7?
    2. how can i troubleshoot this situation? how can i see where the flow of data goes wrong?

  21. gfunkdave

    gfunkdave LI Guru Member

    Why not just type your modem's address into the Route Modem IP on Basic -> Network?
  22. petm

    petm Networkin' Nut Member

    i do not see that option in tomato 1.28.
  23. Monk E. Boy

    Monk E. Boy Network Guru Member

    Yeah, that feature was added relatively recently to Tomato, so if you're still on JonZ's build of Tomato you won't have it.

    You could try putting Shibby on there but you really should erase NVRAM and set it up from scratch, which can be a bit of work if you're not the kind of person who documents every setting on every page. And even then I'm not sure if it'd be present.
  24. eibgrad

    eibgrad Network Guru Member

    I can't tell if that image is supposed to be an actual image of YOUR modem, or just a representation of a similar modem. But if it does represent your modem (at least wrt the modem IP and network), I can see the problem. It doesn't work because the modem is defined as a SINGLE HOST network!

    The address you're trying to use ( is actually the only other IP on that network, and it's the broadcast IP.

    Seems to me the modem is not configured properly. is called an APIPA address. That's the result of the modem trying to use DHCP to get its network assignment, and getting no response. So then it self-assigns an IP in the network. But in this case, it actually made itself more restrictive by reducing the number of additional hosts to ZERO (/31).

    Perhaps you need to go into the modem's web interface and assign a static IP and network, something you can work with (e.g.,
  25. petm

    petm Networkin' Nut Member

    the modem has no web interface and the ip cannot be changed. the whole thing worked before, i don't know why it's different with windows 7.