I have struggled over the years to access the Management/Configuration/Logging GUIs on various Cable/VDSL Modems, when they are in their normal operating mode (i.e. connected to the WAN port of a Draytek Vigor and thence to the ISP).

The Draytek models I have used of late (2820, 2830n & 2860n) all appear to direct traffic to the Default Gateway defined for the WAN port (by the ISP). Therefore attempting to browse to (say) http://192.168.1.1 simply does not work - the traffic is sent out to the Internet instead.

I have been using the method(s) outlined on this web site: http://www.dslreports.com/faq/14772 , which, in a nutshell, require using a second Router (an older Draytek, in my case), to achieve connectivity. Although it works, it seems completely 'over-the-top' and I've continued to search for a simpler method.

I've just hit upon a scheme for the 2860n, that does what I require - and requires no additional hardware (not even a LAN port).

I present it here (more as a "Magic Spell" than a reasoned solution, because I admit to not knowing exactly how it works) :?

Assume LAN1 is (say) 192.168.0.1, and Draytek is obtaining a Real-World IP address from VDSL 'Router' in "Bridge Mode", or Virgin Media Hub in "Modem Mode". Assume ISP's device has Management Interface on 192.168.1.1

2. Add WAN IP Alias of 192.168.1.254 [ ] Do NOT add to NAT Pool
   


4. Add a rule to Load-Balance/Route Policy", directing traffic from ANY address to 192.168.1.1->192.168.1.1 via WAN 2, with Specific Gateway of 192.168.1.254.
6. In Advanced Options, ENABLE "FORCE NAT". (No idea why that is required!)


8. Set Gateway to "Specific Gateway" - i.e. 192.168.1.254 in this example

This works for the 2860n, but (and my reason for posting!), it does not work on the 2830n

Can anyone see why not? - or suggest a simpler method?

(My 2830n is 300 miles away, at the other end of a VPN, which might have influenced my test results - but I don't think it has...)

The local router would need to know about the management route specified on the remote router. Assuming LAN to LAN VPN. Without this it will just route as per what is setup in LAN to LAN / TCP IP Network settings (see local/remote networks).
If the management subnet is different to local managament subnet then you can try adding it in the 'more' section

Thanks for your response - but I don't think this is the issue; perhaps a bit more detail is in order...

At my home address, I have a 2860n which connects to a Virgin Media Hub3. There is a permanent L2TP/IPsec VPN to another property. At that remote property, a 2830n connects to Zen Internet via a Zyxel VMG1312. The 'home' LAN is 192.168.100.0/24 and the remote one is 192.168.200.0/24. In order to manage the remote Zyxel (who's management IP is (default) 192.168.1.1, I currently have a second Vigor @ the remote site (a 2820). This has a LAN-side address of 192.168.200.251 and a WAN-side address of 192.168.1.254. The WAN-side is plugged into another of the Zyxel's ports. So it's sort of a parallel route, to that already provided by the 2830n. Firewall rules are in place to stop undesirable 'loops'.

Up until recently, I'd been doing as you suggest, to get to 192.168.1.1. A "More" entry in the VPN definition, sent 192.168.1.0/24 -> VPN (remote 2830n). A static route on the 2830n re-directed 192.168.1.0/24 to the 2820, which then presumably NAT'ed it via its WAN address (192.168.1.254).

This works - but seems bleedin' complicated!

I only recently discovered the "Route-Policy" feature, but found I could define my 192.168.1.0/24 route in there, rather than the "More" feature of the VPN definition. So far so good!

Now I want to get rid of the 2820. Having mapped out a (working) scheme at my home site (using the 2860n, as described above), I've tried to implement it at the remote site. I made the appropriate additions to the 2830n and took away the static 192.168.1.0 -> 192.168.200.251 route - but it doesn't work.

The reason I believe this a 2830n issue, rather than a VPN issue - are from the responses I get when I telnet to the 2830n and use its diagnostics (i.e. as though I am at the remote site). Things still don't work

UPDATE: I've just remembered that I have a spare 2830n, so I can experiment without a VPN being involved!

I would settle for a description of how everyone else accesses the Management interface of their ISP's modem - without requiring a second Router. I can't be the only person who wants to do this, can I ? :o

hornbyp wrote: I would settle for a description of how everyone else accesses the Management interface of their ISP's modem - without requiring a second Router. I can't be the only person who wants to do this, can I ? :o

Maybe I am

EDIT

I've deleted details of an earlier experiment - I think they just confuse the issue !

I'm not entirely sure what I was seeing in my earlier experiments (which is why I deleted them); but I repeated them using my spare 2830n, which had been reset to Factory Settings:-

I connected its WAN2 port to an old TalkTalk/Huawei HG635 (GUI on 192.168.1.1) - and plugged a laptop into the Huawei as well. The laptop was running Wireshark and OpenDHCP Server.

(Assuming a STATIC or DYNAMIC IP connection on WAN2)

• Change LAN1 to a network other than its default of 192.168.1.0/24
  
• Add an appropriate IP address as WAN IP Alias. For example, 192.168.1.2 to access 192.168.1.1 Modem GUI.


• Add Route Policy to send 192.168.1.1 traffic via WAN2, but using 192.168.1.2 interface, with specific gateway of 192.168.1.1

and that was all that was required. A second laptop plugged into a LAN1 port on the 2830n, could access 192.168.1.1 and the (pseudo) real-world internet using the IP address obtained from OpenDHCP Server on the other laptop.

I then added a second Draytek Vigor (a very old 2900g) and connected its WAN port to the Huawei (along with the 2830n and the OpenDHCP Server laptop). I established an L2TP/IPsec VPN between the two Routers, plugged a laptop into the 2900g and ... hey presto, I could access 192.168.1.1 over the VPN as well.

I will cut the story short at this point

After a long process of elimination, the reason it doesn't work on my live 2830n, seems to be related to the fact that it is using PPPoE to communicate with its ISP, rather than "Static or Dynamic IP".

In this scenario, the router starts ARP'ing for the WAN Alias IP (its own!), and then gives in and sends the request to the Default Gateway itself. I've not positively proved this - due to the difficulty of adding a PPPoE Server to my test rig - but I'm fairly sure that's the issue.

(I just need to report it to Draytek and get it fixed now :wink: )

Hi,

I'm trying to do similar with a Vigor 130 on Wan2 of my 2860Vac. I have a dual WAN setup and I'd really like to be able to get to http://192.168.2.1 (the web interface of the 130) from my LAN (192.168.16.0/22). Obviously the 130 is plugged into WAN2 on the 2860 and not a LAN socket.

I try and do the above, I have setup a WAN alias of 192.168.2.2 on the WAN2 but it will not allow me to set the route policy with a gateway of 192.168.2.1 - it says it must be external??? The 130 is set to 192.168.2.1/24 as per default. It's all working well in all honesty, I just can't get to the web interface at all.

Help please

Thanks!