How to Access Your Modem's Web Interface with OPNsense


Modems have a web-based interface which allows you to view information about the status of your modem including signal strength and quality as well as logs about the connectivity to your ISP. The information can be a useful diagnostic tool when troubleshooting various issues. You may also view the firmware version to see if you are using the latest version.

The IP address to access the modem’s web interface is often 192.168.100.1 by default since that is an address not typically used by consumer-grade routers. If you are using a consumer-grade router, you can simply visit 192.168.100.1 to access the webpage since such routers typically allow access to all internal networks by default. Consumer routers typically assume a flat network where every device is on the same network with no segregation.

If you are using OPNsense in its default configuration where the LAN interface has an “allow all” rule, you should be able to access your modem’s web interface the same as with a consumer router. However, if you have your network locked down tighter and segmented for increased security (which I highly recommend), you are likely not able to access your modem’s interface. There is also one gotcha which I will mention below.

Allow Access to Your Modem’s Web Interface

To allow access to your modem’s web interface when you are not using the default “allow all” rule on your LAN or another network with an “allow all” rule, you will need to add a firewall rule for each VLAN or specific device on your network where you want to allow access. Since the modem web interface contains important information, it may not be a bad idea to only allow access from your management LAN/VLAN. In this example, I am going to use the LAN interface.

| Option | Value |
| --- | --- |
| Action | Pass |
| Interface | LAN |
| TCP/IP Version | IPv4+IPv6 |
| Protocol | TCP |
| Source | LAN net |
| Destination | 192.168.100.1 (consult the modem’s user manual for the exact IP address) |
| Destination Port | HTTP (unless the modem uses a different port – consult the modem’s user manual) |
| Description | Allow LAN access to the modem’s web interface |

Make sure you only allow the port used by the web interface because some modems have a spectrum analyzer that is exposed on a different port which may be vulnerable to attack. The difficult part is that if your modem gets hacked, you will have very little to no visibility that it is occurring. Refer to my guide on how to prevent the Cable Haunt vulnerability for more information.

The Potential Gotcha

One word of caution: do not create any networks/VLANs in the same address range as your modem. For example, if your modem’s IP address is 192.168.100.1, do not create VLAN 100 with the address range of 192.168.100.1 - 192.168.100.254. You will not be able to access your modem’s web interface since your VLAN 100 interface shares the same IP. You will not see an IP address conflict either: VLAN 100 seems to operate normally like any other interface, and traffic to 192.168.100.1 will go to the VLAN 100 interface rather than your modem.
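One way to check for this gotcha before it bites is to scan the statically addressed interfaces for any subnet that covers the modem's address. The script below is an added example, not part of the original guide, and it generalises the VLAN 100 case to any overlapping subnet. It assumes the interface layout of an OPNsense config.xml backup; the sample configuration, interface names and the `find_modem_conflicts` helper are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the <interfaces> section of an OPNsense
# config.xml backup (layout assumed; names and addresses are made up).
SAMPLE_CONFIG = """<opnsense><interfaces>
  <wan><if>igb0</if><descr>WAN</descr><ipaddr>dhcp</ipaddr></wan>
  <lan><if>igb1</if><descr>LAN</descr><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
  <opt1><if>vlan0.20</if><descr>IOT</descr><ipaddr>192.168.20.1</ipaddr><subnet>24</subnet></opt1>
  <opt2><if>vlan0.100</if><descr>VLAN100</descr><ipaddr>192.168.100.1</ipaddr><subnet>24</subnet></opt2>
  <opt3><if>vlan0.30</if><descr>LAB</descr><ipaddr>192.168.96.1</ipaddr><subnet>21</subnet></opt3>
</interfaces></opnsense>"""


def find_modem_conflicts(config_xml, modem_ip="192.168.100.1"):
    """Return (name, network, reason) for each interface that shadows modem_ip."""
    modem = ipaddress.ip_address(modem_ip)
    conflicts = []
    for iface in ET.fromstring(config_xml).find("interfaces"):
        addr, prefix = iface.findtext("ipaddr"), iface.findtext("subnet")
        try:
            # ip_interface accepts a host address plus prefix length
            net = ipaddress.ip_interface(f"{addr}/{prefix}")
        except ValueError:
            continue  # dhcp, empty or otherwise non-static addressing
        if net.version != modem.version or modem not in net.network:
            continue
        # A directly connected subnet wins over the default route via WAN,
        # so either case keeps traffic for the modem off the WAN link.
        reason = ("interface holds the modem's address" if net.ip == modem
                  else "subnet contains the modem's address")
        conflicts.append((iface.findtext("descr") or iface.tag,
                          str(net.network), reason))
    return conflicts


if __name__ == "__main__":
    for name, network, reason in find_modem_conflicts(SAMPLE_CONFIG):
        print(f"{name}: {network} ({reason})")
```

Note that the /21 in the sample is flagged even though its interface address is not 192.168.100.1, which is the easier variant of this mistake to overlook.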
