DSL modem: PPPoE and access to webinterface at the same time?

I own a Turris Omnia and a brigde (V)DSL modem (ZYXEL VMG4005-B50A).
The DSL modem has a DHCP server and a nice webinterface e.g. showing DSL speed.

If I connect DSL modem to WAN port (eth2) and set Turris to DHCP, I can access DSL modem webinterface ( through devices connected in LAN. But obviously there’s no internet access.

Now I want to have internet access and switch WAN port to PPPoE, enter internet credentials and set VLAN ID to 7.
WAN is connected to pppoe-wan and eth2.7 is up.
Now internet access works, but webinterface access obviously doesn’t work anymore.

As far as I understand, pppoe-wan uses eth2.7 - so eth2 (without VLAN) should be free again.

Thus I create a new (IPv4 only, that’s enough) MODEM Zone, add eth2 to it:


config interface 'wan'
        option ipv6 '1'
        option proto 'pppoe'
        option username '[redacted]'
        option password '[redacted]'
        option device 'eth2.7'

config interface 'modem'
        option device 'eth2'
        option proto 'dhcp'
        option peerdns '0'
        option defaultroute '0'


And allow forwarding from LAN to MODEM:

Kernel adds a route as expected:

I can ping DSL modems webinterface from Turris:

But I can’t access/ping it from LAN Zone.
If I would enable this setting in MODEM interface:
My Internet connection would break and DSL modem webinterface still not be accessible.

Is the configuration I am trying to archive even possible?
What might I have overlooked?

Yes it is possible. You could add default route and add metric of lets say 150 and see if it works or simply add it to the WAN zone

Okay, I still don’t unterstand it in detail… but webinterface is accessible with the configuration I explained in first post:

It’s just that ping doesn’t work from LAN:

I always tried to ping it to see if my configuration was correct…

Okay, with this default route, internet still works:

It’s just that ping from LAN still doesn’t work.

What if modem is in WAN zone? There are firewall rules for WAN zone already allowing ping. Thats why I propose that

Nope, sadly ping doesn’t work that way:

I doubt that’s a firewall thing in that way, because in LuCi → Network → Firewall → Traffic Roules I can’t find rules for ICMP WANLAN. I only can find rules for ICMP WANTurris.
And I earlier set up an IoT Zone (not shown in screenshots above, but configured the same way, just that Turris is DHCP server there), and Ping from LANIoT works out of the box.

So maybe the modem has firewall allowing ping only from its own subnet

Indeed it has, thanks for remembering me.

I added my LAN subnet to the Trust Domain of the modem firewall, and enabled ping for this:

Now it works!

But this has to be a coincidence…
I wouldn’t get why HTTP (and SSH and FTP) work without this. And indeed, I now removed the Trust Domain config again … and Ping still works.

Found a bug in LuCI Dashboard:


It shows the route with higher metric value (but thus lower metric priority) as internet route - which is wrong.
Could set the WAN route to 200 metric, then the display would show my internet IP - but obviously internet for my local net wouldn’t work anymore.

Testing this setup more I found out that the reason why webinterface access works with WAN interface is: Masquerading
So I can disable default route again.
If I put it back to that modem zone and enable Masquerading for this:

webinterface access works.
Ping again is broken since my next tries… might figure it out another time, but seems as time plays a significant role too.