Unable to access a Draytek Vigor 130 modem from inside my Netgate SG-1100 firewall

I am trying to access my modem’s GUI. I have followed the setup instructions in the Netgate Docs and also the instructions on Linuxserver.io, both with no luck.

I think the problem lies in the configuration of the Interface / Switch / VLANs options, which is different for the SG-1100.

Any help would be greatly appreciated.

Cheers

Context:
Version: 23.05.1

The modem has a static IP address of 192.168.50.2.
My computer has an IP address of 192.168.15.20, and is on VLAN 15 (VLAN named ‘Main’).
I have set it up as follows:

In Interfaces/Interface Assignments:
Interfaces/ModemviaWAN (mvneta0.50)
IPv4 Configuration Type - Static IPv4
IPv4 addresses - 192.168.50.10
IPv4 Upstream gateway - None
Everything else as default.

In Interfaces/VLANs
VLAN Interfaces table:

Interface, VLAN tag, Description
mvneta0, 4090, WAN
mvneta0, 4091, LAN
mvneta0, 4090, LAN2
mvneta0, 15, Main
mvneta0, 50, Access modem GUI
(I have other VLANs set up for other purposes, and they all work fine)

In Interfaces / Switch / VLANs

VLAN(s) table:
VLAN group, VLAN tag, Members, Description
0, 1, 0, Default System VLAN
1, 4090, 0t,3, WAN
2, 4091, 0t2, LAN
3, 4092, 0t,1, OPT
4, 15, 0t,2t, Main

8, 50, 0t2t3t, Modem

Switching

In Firewall / NAT / Outbound

Interface – MODEMVIAWAN
Address Family – IPv4
Source – Network - 192.168.15.0/24
Destination – Network - 192.168.50.0/24
Everything else as default.

In Firewall / Rules / MAIN

Action – Pass
Interface – MAIN
Address Family - IPv4
Protocol – Any
Source – Main net
Destination – MODEMVIAWAN net

I was using the same modem in the past and was able to access the GUI over the network.

What I noticed was that the IP address of the modem didn’t like being on anything except 192.168.2.1; perhaps changing it back to this might have an effect.

Other than that I can’t see what could be done differently.

Maybe you have made a config error on the interface you are using for the modem or in the rules.

Hi @Dice6921

The following guide in the Netgate forums did the trick for me… Cable Modem Access - Behind pfSense | Netgate Forum

Do not forget to adjust the IP ranges / addresses accordingly!

Cable Modem Access - Behind pfSense

  1. Firewall → Virtual IPs
  • Type: IP Alias
  • Interface: WAN
  • Address Type: Single address
  • Address: 192.168.100.2 (assuming your modem’s GUI is on 192.168.100.1)
  • VHID Group: 1
  • Advertising frequency: Base - 1, Skew - 0
  2. Firewall → NAT → Outbound
  • Choose "Hybrid Outbound NAT rule generation"
  • Add a new rule:
    a) Interface: WAN
    b) Protocol: Any
    c) Source: Any
    d) Destination: Type - Network
    e) Destination network for the outbound NAT mapping: 192.168.100.1/32
    f) Translation: Address - 192.168.100.2
    g) Description: “Cable modem access”

Hope this helps.

Yes, I created a similar rule. I first created an alias that included all the devices that I want to access the cable modem from. Then I created a PASS rule under the interface where those devices reside (VLAN, etc) with a SOURCE which is the alias I created above and a DESTINATION which is the cable modem’s IP. Place that above other rules (depending on your situation and what other rules you have there) and save.

How this helps.

Yeah sorry, I left that part out.

In order to make it work you have to do both:

The things I posted in my previous post AND create allow rules on the respective interfaces to which the devices that need to access the modem are connected (which you already did).