Dd-wrt

From BE Usergroup Technotes


How to access your modem when in bridge mode via a device running DD-WRT, OpenWRT or Tomato

Introduction

If you run your router in bridge / modem only mode, with a device running DD-WRT, OpenWRT or Tomato acting as the network 'host', you will normally be unable to connect to the BeBox's web admin (nor ping it). Your DD-WRT device effectively becomes the public-facing Internet device, with the connection's public IP address assigned to it, as well as performing all NAT, port forwarding and DHCP responsibilities.

Since the BeBox is now technically outside the scope of your Local Area Network (as it is plugged into the WAN port on your router), a route has to be established to let LAN traffic pass to and from the BeBox. To re-establish connectivity and reach the modem's config page without binding your computer to an additional IP on the modem's range, or using another piece of cable, you will need to add a masquerading rule.

There are a few steps you need to go through to get this to work correctly (assuming you have the BeBox already configured as a bridge). They are:

  • Decide which IP address the BeBox will have
  • Ensure the BeBox can accept http and telnet from the internal LAN
  • Route the traffic out of the LAN to the BeBox

Deciding which IP address the BeBox will have

The BeBox bridging scripts all give the BeBox two IP addresses that it will listen on: 192.168.1.254 and 10.0.0.138. These address ranges (192.168.x.x and 10.x.x.x) are reserved addresses that never get used on the internet. They were reserved so that people can implement internal networks, and assigned to ensure no clashes ever occur between internally managed networks and "the internet". For more technical details, see here.

Which address you use to access the BeBox is determined by the IP addresses used by everything else on your network. What is clear though is that the BeBox and LAN have to be on different IP ranges for this to work.

  • If you have a LAN that has IP addresses in the range 192.168.1.x, the easiest thing to do is access the BeBox at 10.0.0.138.
  • If your LAN has any other IP address range (e.g. 192.168.0.x), then 192.168.1.254 is probably the easiest address to choose, as Be tech support use it in any links they post on the board and it is the address at which you would access the config pages if the BeBox were your router too.

The key message is that the BeBox and LAN have to be on different IP ranges for this to work. To repeat: your internal network needs to be on a different range from the IP your modem listens on.

In this guide I will assume you want to access the modem configuration page via 10.0.0.138.


Ensuring the BeBox can respond to telnet/http

The next thing to do before you put the router between the LAN and the bridged BeBox is to ensure that when you access the BeBox, it actually responds to you. This is needed because the BeBox as shipped will only accept telnet and http from the addresses on its access list. To check what yours accepts, first telnet into the BeBox with it directly connected to your network (i.e. no router in the way) and execute:

service system list name=TELNET expand=enabled

This gives:

 1 TELNET           tcp                       23                                
        <some stuff deleted>
        NAT Portmap Weight ........ 30
        Ip Access List............. 87.194.4.5 87.194.39.4 87.194.0.[1-254] 212.39.68.[249-254] 192.168.1.[1-254]
        Interface Access List...... any
        Interface Group Access List lan wan 
        Map List................... 23 
        Logging.................... disabled

The line Ip Access List means the box will only respond to the addresses explicitly stated. They are:

  • 87.194.4.5 87.194.39.4 87.194.0.[1-254] 212.39.68.[249-254] (all Be* office machines)
  • 192.168.1.[1-254] (the "default" LAN)

When you plug your router into the BeBox, it "sees" the router as effectively a machine on that address range (my BeBox, which is accessed at 10.0.0.138, sees my router as 10.0.0.1). You now need to add the IP address range that you will be using to the access lists of both the HTTP and TELNET services, so for my example 10.0.0.138, I'll add the address range 10.0.0.* by:


 service system ipadd name=TELNET ip=10.0.0.[1-254]
 service system ipadd name=HTTP ip=10.0.0.[1-254]
 saveall

Note that if you choose the 192.168.1.254 address to access the BeBox, it is likely that you already have this done, so you can probably skip this step.
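To see why the router's address is refused before the ipadd step and accepted after it, here is an added example (not part of the original guide) that evaluates an address against an Ip Access List line in the format shown above. The function names and the EXTENDED list are assumptions; EXTENDED is constructed by appending the range from the ipadd commands to the shipped list.

```sh
#!/bin/sh
# Added example: match an IPv4 address against a BeBox-style "Ip Access List".
# Each entry is a dotted quad whose octets are a number or a [lo-hi] range.

# octet_matches ENTRY_OCTET VALUE -> exit 0 if VALUE is covered by the octet
octet_matches() {
    case "$1" in
        \[*-*\])
            range=${1#?}; range=${range%?}      # strip the [ and ]
            lo=${range%-*}; hi=${range#*-}
            [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ]
            ;;
        *)  [ "$1" -eq "$2" ] 2>/dev/null ;;
    esac
}

# acl_allows "ENTRY ENTRY ..." ADDRESS -> exit 0 if any entry covers ADDRESS
acl_allows() {
    acl=$1 addr=$2 verdict=1
    set -f                      # entries contain [ ], so disable globbing
    for entry in $acl; do
        old_ifs=$IFS; IFS=.
        set -- $entry $addr     # $1-$4: entry octets, $5-$8: address octets
        IFS=$old_ifs
        [ $# -eq 8 ] || continue
        if octet_matches "$1" "$5" && octet_matches "$2" "$6" &&
           octet_matches "$3" "$7" && octet_matches "$4" "$8"; then
            verdict=0; break
        fi
    done
    set +f
    return $verdict
}

# List as shipped (copied from the output above) and after ipadd (constructed).
SHIPPED='87.194.4.5 87.194.39.4 87.194.0.[1-254] 212.39.68.[249-254] 192.168.1.[1-254]'
EXTENDED="$SHIPPED 10.0.0.[1-254]"

for list in "$SHIPPED" "$EXTENDED"; do
    if acl_allows "$list" 10.0.0.1; then
        echo "router 10.0.0.1: allowed"
    else
        echo "router 10.0.0.1: refused"
    fi
done
```

Once the masquerading rule described below is in place, every LAN host reaches the BeBox with the router's address as its source, so 10.0.0.1 is the address worth checking.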

Routing the traffic out of the LAN

Now you can connect up the router and BeBox. First connect the ADSL port of the router to the phone line filter and then the router's WAN port to one of the LAN ports on the BeBox.

Now you need to route the traffic destined for the BeBox out of the WAN port on the router. To do this, add this to your startup script (accessed on dd-wrt by clicking on the Administration tab, then clicking on Commands) on the router (again for 10.0.0.138, that would be):

ip addr add 10.0.0.1/24 dev vlan1 brd + 

Note: there is an alternative to this line at this link at dd-wrt.

What this is doing is giving the router the address 10.0.0.1 on the vlan1 interface, which also makes the 10.0.0.x address range routable out through that interface. On most routers, this is the WAN port, but it appears that on some others, you may have to use eth1 instead. For more information, see: here. Note that vlan1 does not mean it is using a VLAN (Virtual LAN); it's just the device name in use in these firmwares.

Also add this to your firewall script:

/usr/sbin/iptables -I POSTROUTING -t nat -o vlan1 -d 10.0.0.0/24 -j MASQUERADE


What this is doing is adding a rule to the POSTROUTING chain of the nat table (not the routing table) so that anything sent to the destination subnet (in the above case 10.0.0.[1-254]) out through the WAN port has its source address rewritten to the router's own address on that port. MASQUERADE looks that address up dynamically, so your IP address can change if you are on a dynamic IP (kinda obvious but...); this avoids you having to change this rule each time your Be* IP changes.

After you have committed both scripts to memory, reboot the router one more time (Administration->Management->Reboot Router button at the bottom of the page). Congratulations, you should now be able to both ping the BeBox and log in to its web interface just as before.
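The guide's key constraint (LAN and BeBox on different ranges) can be checked before the two script lines are written. The following is an added example, not part of the original guide: it refuses overlapping ranges and otherwise prints the startup and firewall lines for the chosen modem address. The function names are assumptions, as is giving the router the .1 address in the modem's /24 (the guide shows this only for 10.0.0.138).

```sh
#!/bin/sh
# Added example: refuse overlapping LAN/modem ranges, then print the two
# lines from the guide for the chosen modem address and WAN interface.

ip_to_int() {                   # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# nets_overlap IP1 LEN1 IP2 LEN2 -> exit 0 if the networks share addresses
nets_overlap() {
    len=$2
    if [ "$4" -lt "$len" ]; then len=$4; fi     # compare under shorter prefix
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$3") & mask )) ]
}

# bridge_rules LAN_CIDR MODEM_IP WAN_IF -> prints startup and firewall lines
bridge_rules() {
    lan_ip=${1%/*}; lan_len=${1#*/}; modem=$2; wan_if=$3
    if nets_overlap "$lan_ip" "$lan_len" "$modem" 24; then
        echo "error: LAN $1 overlaps the modem range of $modem" >&2
        return 1
    fi
    net=${modem%.*}             # modem's /24 prefix, e.g. 10.0.0
    # Assumption: the router takes .1 in the modem's range, as in the guide.
    echo "ip addr add $net.1/24 dev $wan_if brd +"
    echo "/usr/sbin/iptables -I POSTROUTING -t nat -o $wan_if -d $net.0/24 -j MASQUERADE"
}

# The guide's case: LAN on 192.168.1.x, modem reached at 10.0.0.138.
bridge_rules 192.168.1.1/24 10.0.0.138 vlan1
# LAN on 192.168.0.x, modem at 192.168.1.254, router whose WAN port is eth1.
bridge_rules 192.168.0.1/24 192.168.1.254 eth1
# Same range on both sides: rejected, so use the other modem address.
bridge_rules 192.168.1.1/24 192.168.1.254 vlan1 || echo "use 10.0.0.138 instead"
```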

Some information taken from the Tomato wiki: http://en.wikibooks.org/wiki/Tomato_Firmware
