Cannot access ADSL modem setup with additional address via specific devices

Hi guys!

I am facing a strange issue...

I have an ASDL modem/router in bridge mode with IP 192.168.2.1 and have setup an additional address (192.168.2.2) on my UTM in order to access the modem.

The WAN interface connected to the ADSL modem/router is using PPPoE and my LAN is on the 192.168.1.x range

This has been working great until recently. I could enter http://192.168.2.1 on my smartphone's browser and could normally access the modem's webui (I want to regularly check the speed my adsl router syncs, because I have isp issues)

About a month ago, I replaced both my smartphones (company and personal)

From those 2 devices I cannot connect to the http://192.168.2.1 address.

From my computer, the page loads normally. I tried from my tablet - loads normally, too.

BUT, I can access the http://192.168.2.1 address normally from either phone when I am connected to my house using VPN...

The only difference between the other devices and my phones is that I have put them in Skip Transparent Mode Source Hosts/Nets & Skip Transparent Mode Destination Hosts/Nets in filtering options. I thought that maybe that was the case and went ahead and removed them, but still the same.

The only other thing that has changed since I could access the address via the old phone's browser, is that - due to the fact that I was migrating stuff and a need for more addresses arose, I changed my DHCP internal range and added 10 more IPs (was until .20, now it is until 30). I think this is irrelevant, though, just thought I should mention it...

Any ideas on where to look? I am really lost, don't know what to check and this thing is puzzling me.

I mean I can always connect using VPN (even when I am at the house), but why on earth does it not connect normally?

  • Hi,

    Did I understand you right that the only difference between the working and the non-working devices is that the devices that can access the DSL modem's web frontend are handled by the transparent proxy, and the non-working devices are handled by firewall rules?

    If yes, then I think the problem can be explained easily. For the working devices (using the transparent web proxy), the UTM automatically masquerades the request behind the address 192.168.2.2 (Proxy Service).

    For the non-working devices, without the SNAT configuration the clients will not be able to reach the DSL modem, even when firewall rules are in place. Or did you configure a route for your internal network 192.168.1.0 on the DSL modem?

    Did you configure the SNAT rule mentioned by Bob? If not, do it. I believe your setup will then work again!

    Let me know ;)

    BR

    Sebastian

  • I want to add something informational. I realized that access to the DSL modem is only possible as long as the PPPoE link is up. As soon as the link goes down, the secondary IP address also stops working... Just FYI..... ;)

  • Hi Sebastian, and thanks for offering your help.

    Yes, that's what I thought at the beginning, but as mentioned in my first post, even after removing the devices from the skip transparent mode, I still could not access the modem.

    I also tried the SNAT but to no avail, although to be honest I am not really sure that I configured the rule correctly...

    I described my attempt here --> https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/85030/cannot-access-adsl-modem-setup-with-additional-address-via-specific-devices/319766#319766

    Can you verify what to enter in the boxes, please?

    Unknown said:

    I want to add something informational. I realized that access to the DSL modem is only possible as long as the PPPoE link is up. As soon as the link goes down, the secondary IP address also stops working... Just FYI..... ;)

    Don't think this is true.. The ethernet connection and the PPPoE connection are on different ports. Even if I unplug the phone line from the modem, the ethernet links talk to each other.
    But of course in this case I cannot use the workaround that I have for my two problematic devices (which is connecting via VPN).

  • BAlfson said:

    This is strange.  What do you see if you test while running tcpdump on the Internal NIC with src the IP of the modem and dst the IP of your phone - does the UTM see responses sent to your phone?

    Cheers - Bob

    Hi again, Bob!

    I neglected this.. So this is what I get:

    utm:/root # tcpdump src 192.168.2.1 && dst 192.168.1.25
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    20:17:51.523242 ARP, Reply 192.168.2.1 is-at 00:1e:e5:99:63:66 (oui Unknown), length 46

    EDIT: Sorry, you said internal NIC, not modem address...

    Here:
    utm:/root # tcpdump src 192.168.1.1 && dst 192.168.1.25
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

    (I get nothing...)

  • Really strange.  What app are you using to ping from your phone?  Is there anything in the Intrusion Prevention or Firewall log related to this?

    Cheers - Bob

  • Hi,

    Maybe you understood me a little wrong.... You are writing: "even after removing the devices from the skip transparent mode, I still could not access the modem"

    But especially after adding these two devices to the skip list, it is necessary to create an SNAT rule and also a firewall rule. Is this your SNAT rule? I can't look into the objects, but from the object names' perspective, this rule seems to be configured correctly. In my last statement, I asked whether you configured a static route on the DSL modem... I assume that you didn't do that. So SNAT is necessary.

    Regarding your second statement: "Don't think this is true.. The ethernet connection and the pppoe connection are on different ports. Even if I unplug the phone line from the modem the ethernet links talk to each other."

    I think you didn't mention that you have two cables connected to your modem (I was talking about the situation where you have only one connection, the PPPoE link; if the PPPoE link is down, and thus the whole interface, the secondary IP address on it won't work anymore either). Of course, if you have 2 cables / 2 interfaces, the one interface has nothing to do with the second and keeps on working.

    To bring this "case" to the next "level" ;) I would kindly ask you to draw a picture of your physical connections (and interface names), including the clients. Please also write down the IP address configuration of your interfaces.

    Regards

    Sebastian

  • Hello again!

    Yes there are two cables physically connected to the modem.

    One is an RJ-11 cable (the telephone cable) which connects to the ADSL interface of the modem.

    The other is an RJ-45 cable which connects the modem itself to the WAN of the Sophos UTM.

    I will draw a sketch and will post the address details promptly

    OK, I am attaching a jpg with the diagram

    Explaining the diagram:

    I have an ADSL modem.

    This is actually an ADSL wireless modem/router with 4 ethernet ports. It is in bridge mode and from the telephone wall plug there is a telephone cable (RJ11) connected to its dedicated ADSL port (RJ11 port). 

    This router has wireless and DHCP disabled and has an IP address of 192.168.2.1/24. An ethernet cable (RJ45) connects its LAN to the UTM's WAN port

    Sophos UTM:

    It has two NICs, the WAN and the LAN. The WAN is setup as PPPoE (from the initial configuration wizard of Sophos) and is physically connected to the ADSL modem using the ethernet cable mentioned above. 

    I also have setup an additional address to the WAN interface in order to have access to the ADSL modem:

    The LAN interface of the sophos UTM has an address of 192.168.1.1/24. There is a DHCP server active on the UTM giving IP addresses to the network (192.168.1.3 - 192.168.1.30)

    There is an RJ45 ethernet cable connecting the UTM's LAN port to the next device (Switch & wireless).

    Switch & wireless:

    This is another wireless ADSL modem/router with 4 Gbit ethernet ports. It is set to bridge mode, too, with a static address of 192.168.1.2 and DHCP is disabled. The wireless interface is used to give wireless access to all phones/tablets/laptops in my home network.

    As mentioned above, its LAN1 is connected to the UTM. There is another cable which connects its LAN4 port to a homeplug. The homeplug is used to connect to another homeplug and then a switch which is located in my home office and gives network access to a windows PC and 2 servers. LAN 2&3 of this device are also used to give network access to a Network media player and my TV (Just for the record)

    The name of the modem is InsomniaModem. As mentioned, its IP is 192.168.2.1. Ping from the UTM works normally.

    My Windows PC is wired via the homeplug. I can access InsomniaModem's WEBUI without any issues

    My tablet is connected using wireless. I can access InsomniaModem's WEBUI without any issues

    My wife's smartphone is connected using wireless. It can access InsomniaModem's WEBUI without any issues

    My iPhone and my Nexus (my two phones) are connected using wireless. None of those can access InsomniaModem's WEBUI.

    My iPhone and my Nexus are in "Skip Transparent Mode Hosts/Nets" for both source and destination. They can normally access InsomniaModem's WEBUI if I connect to my home using OpenVPN.

    As you mentioned, since, they are in "Skip Transparent Mode Hosts/Nets" they correctly can't access InsomniaModem's WEBUI. If I delete them from the "Skip Transparent Mode Hosts/Nets" list, they still cannot access InsomniaModem's WEBUI.

    Adding the SNAT rule (yes, the one you linked to) does not change things. Still can't access InsomniaModem's WEBUI from my two phones.

    (What I told the UTM in this rule - please correct me if there is any mistake): For traffic from my internal network (192.168.1.0/24) using any service, going to InsomniaModem (192.168.2.1/24), change the source to Additional Address (192.168.2.2/24)

    Thanks a lot for all your time, guys!!!!!
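As an added illustration (not posted by anyone in this thread), a small Python model of the reply path behind Sebastian's transparent-proxy explanation and the SNAT rule described above: a bridged modem can only answer hosts it has a route to, so a request that still carries a 192.168.1.x source gets no reply, while one sourced from the UTM's additional address does. It assumes the modem's only route is its on-link 192.168.2.0/24 with no route back to the LAN, which the thread never shows; it models the expected behaviour, not the poster's still-unexplained case.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the thread: UTM LAN, bridged ADSL modem, and the
# additional address configured on the UTM's PPPoE WAN interface.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
MODEM_ADDR = ipaddress.ip_address("192.168.2.1")
UTM_ADDITIONAL = ipaddress.ip_address("192.168.2.2")

# Assumption (not shown in the thread): a modem in bridge mode knows only
# its own on-link subnet and has no route or gateway back to 192.168.1.0/24.
MODEM_ROUTES = [ipaddress.ip_network("192.168.2.0/24")]


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def utm_forward(pkt: Packet, snat: bool, via_proxy: bool) -> Packet:
    """Model the UTM's handling of a LAN client's request to the modem.

    via_proxy: the transparent web proxy terminates the client's TCP session
               and opens its own, sourced from the UTM's egress address.
    snat:      the NAT rule from the thread (LAN -> 192.168.2.1, new source
               192.168.2.2) applied to directly routed (skip-list) clients.
    """
    if via_proxy:
        return Packet(UTM_ADDITIONAL, pkt.dst)
    if snat and pkt.src in LAN_NET and pkt.dst == MODEM_ADDR:
        return Packet(UTM_ADDITIONAL, pkt.dst)
    return pkt  # routed unchanged: the modem sees a 192.168.1.x source


def modem_can_reply(pkt: Packet) -> bool:
    """The modem answers only if one of its routes covers the request's source."""
    return any(pkt.src in net for net in MODEM_ROUTES)


def webui_reachable(client: str, snat: bool = False, via_proxy: bool = False) -> bool:
    """End-to-end check for one client under one UTM configuration."""
    request = Packet(ipaddress.ip_address(client), MODEM_ADDR)
    return modem_can_reply(utm_forward(request, snat, via_proxy))


if __name__ == "__main__":
    phone = "192.168.1.25"  # the phone address used in the tcpdump filter above
    print("transparent proxy:", webui_reachable(phone, via_proxy=True))  # True
    print("skip list, no SNAT:", webui_reachable(phone))                 # False
    print("skip list + SNAT:", webui_reachable(phone, snat=True))        # True
```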

  • Hi,

    that's pretty much like a game, it's a lot of fun ;) And you created a pretty interesting game here ....

    And thanks for the big picture ;) But we still had some misunderstandings... I thought you had two RJ45 ethernet links to your modem, but now I see you meant your RJ11 cable to the provider's wall phone plug... And here my statement applies: as the PPPoE link on the UTM goes down (link is shown as down in WebAdmin), you will not be able to access the modem, because your WAN interface on the Sophos will be down. Anyhow, this is the behaviour I saw on different UTMs.

    But now I can also state that I have no idea at the moment what the difference is between your two wireless devices and the other ones??? Do you have static DHCP reservations that could, in combination with certain firewall rules, result in different behaviours?

    Without transparent skip list entries for your wireless devices (so all devices use the web proxy), do you see the requests coming from one of YOUR phones in the web filter log? If yes, what does the log file entry look like? What site/message does the browser display?

    Can you run a tcpdump at the same moment? What's the output? Is eth1 your WAN interface? Otherwise please change eth1 to the appropriate interface.

    tcpdump -nvi eth1 host 192.168.2.1

    Another question, do you have Proxy ARP configured on your interfaces?

    Regards

    Sebastian

  • Unknown said:

    Hi,

    that's pretty much like a game, it's a lot of fun ;) And you created a pretty interesting game here ....

    And thanks for the big picture ;) But we still had some misunderstandings... I thought you had two RJ45 ethernet links to your modem, but now I see you meant your RJ11 cable to the provider's wall phone plug... And here my statement applies: as the PPPoE link on the UTM goes down (link is shown as down in WebAdmin), you will not be able to access the modem, because your WAN interface on the Sophos will be down. Anyhow, this is the behaviour I saw on different UTMs.

    I am pretty sure that in the past, when I had ISP issues, I could normally connect to the modem's webui and see the line status, even when the WAN link was down. But you seem pretty confident about this, so I started doubting myself about it - might have to double check by pulling the RJ11 cable.

    (I have a backup 3G connection, though, although I doubt it is relevant. It is a different interface and the additional address is on the WAN interface, not the Uplink Interfaces - I don't have this option anyway.)


    Unknown said:

    But now I can also state that I have no idea at the moment what the difference is between your two wireless devices and the other ones??? Do you have static DHCP reservations that could, in combination with certain firewall rules, result in different behaviours?

     

    I do have static dhcp reservations for those two "problematic" devices, but the same applies to e.g. my tablet and/or my windows PC (both of them can access the modem's webui)

     

    Unknown said:

    Without transparent skip list entries for your wireless devices (so all devices use the web proxy), do you see the requests coming from one of YOUR phones in the web filter log? If yes, what does the log file entry look like? What site/message does the browser display?

    Can you run a tcpdump at the same moment? What's the output? Is eth1 your WAN interface? Otherwise please change eth1 to the appropriate interface.

    tcpdump -nvi eth1 host 192.168.2.1

    I will have to check this.

    Unknown said:

    Another question, do you have Proxy ARP configured on your interfaces?

    No, I have not checked Proxy ARP on the internal interface (the other interfaces don't have that option anyway).

    Thanks a lot!