Remote Web Access

An area specifically for port forwarding, firewalls and other (on-line) security related issues.
Post Reply
Dilbao
Novice
Novice
Posts: 26
Joined: Mon Aug 16, 2010 3:44 pm

Remote Web Access

Post by Dilbao » Tue Nov 22, 2011 12:14 am

Usually, I need to reach router from outside. But enabling "Remote Web Access" is not working. To do that, I had to disabled router's firewall but that doesn't feel right at all. I just want to reach web interface while firewall enabled. How can I do that?

I'm using this firmware: "routertech-ar7wrd-1350A-pspboot-firmware-4ports-20110502.zip"
User avatar
thechief
RouterTech Team
RouterTech Team
Posts: 12066
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa
Contact:

Re: Remote Web Access

Post by thechief » Tue Nov 22, 2011 9:14 am

Personally, I would use a VPN (try openvpn or pptpd).
The Chief: :afro: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
Dilbao
Novice
Novice
Posts: 26
Joined: Mon Aug 16, 2010 3:44 pm

Re: Remote Web Access

Post by Dilbao » Tue Nov 22, 2011 4:36 pm

This is another option, yes. But not a solution for what I asked. I mean, something is not working with firmware.

Also, I can't find vpn client all the time. For example, I can reach web with my mobile phone but it can't connect to vpn.
User avatar
thechief
RouterTech Team
RouterTech Team
Posts: 12066
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa
Contact:

Re: Remote Web Access

Post by thechief » Tue Nov 22, 2011 5:11 pm

It should work. If it is not working, then one option is to try the VPN solution (the only way that I would recommend for accessing your router from the WAN). If that is not possible, then you will need to work around the problem (e.g., some iptables commands to open up specific ports).
The Chief: :afro: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
mstombs
RouterTech Team
RouterTech Team
Posts: 3753
Joined: Wed Jan 10, 2007 11:54 pm

Re: Remote Web Access

Post by mstombs » Thu Nov 24, 2011 9:48 am

Remote web on 1350A certainly used to work - you have to specify an alternate port to 80, which the router swaps on receipt to keep the local web on port 80 via iptables rules. The web gui config for remote web will not therefore work if you have used the RouterTech env-var to move the local web gui port - but you should be able to get it to work via custom port forward rule.

BUT simple password security on the web gui is not very secure - so I have used this only for specific remote IP address (have static IP at work), I assume VPN with secure comms and certs etc wuld be much more secure.
Dilbao
Novice
Novice
Posts: 26
Joined: Mon Aug 16, 2010 3:44 pm

Re: Remote Web Access

Post by Dilbao » Fri Nov 25, 2011 12:10 am

Are those iptables rules generating at the boot? Because there isn't anything at the /etc/sysconfig.

It may not secure as other options but I don't really have any choice other then web gui, it has to work like this, people are used to it and it is almost impossible to change the way of their practice.
mstombs
RouterTech Team
RouterTech Team
Posts: 3753
Joined: Wed Jan 10, 2007 11:54 pm

Re: Remote Web Access

Post by mstombs » Fri Nov 25, 2011 9:09 am

The firewall rules will be generated on wan connect via the core-logic - not standard linux config.

From a lan telnet/ssh session check the output of

Code: Select all

iptables -nvL
iptables -nvL -t nat
Dilbao
Novice
Novice
Posts: 26
Joined: Mon Aug 16, 2010 3:44 pm

Re: Remote Web Access

Post by Dilbao » Sun Nov 27, 2011 4:16 pm

Without any port forwarding or anything, I'm geting this which looks normal to me:

Code: Select all

Chain INPUT (policy ACCEPT 162 packets, 25584 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   250 ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 3 code 4
    0     0 DROP       icmp -f  *      *       0.0.0.0/0            0.0.0.0/0
    2    96 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 151 packets, 14247 bytes)
 pkts bytes target     prot opt in     out     source               destination
  127 18803 ACCEPT     all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 3 code 4
   22  1132 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 DROP       all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 171 packets, 11141 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 3 code 4
    1   109 DROP       icmp --  *      ppp0    0.0.0.0/0            0.0.0.0/0          icmp type 3
    0     0 DROP       icmp --  *      ppp0    0.0.0.0/0            0.0.0.0/0          state INVALID
Those have added after I enabled "Remote Web Access" to port 8080:

Code: Select all

Chain INPUT (policy ACCEPT 539 packets, 111K bytes)
 pkts bytes target     prot opt in     out     source               destination
. . .
    0     0 DROP       tcp  --  ppp0   *       0.0.0.0              0.0.0.0/0          state NEW tcp dpt:8080
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0              0.0.0.0/0          state NEW tcp dpt:80
. . .
But this doesn't work, I can't reach to webgui from port 8080 or port 80. That drop rule should not be there I think. But if I choose port 80 instead, same rule for port 80 added without (drop 8080) so something with that port's rule must be changed.


I revert to state at the begining. Then I added another rule manually (iptables -I INPUT -p tcp --dport 80 -j ACCEPT) and this happened:

Code: Select all

Chain INPUT (policy ACCEPT 198 packets, 70323 bytes)
 pkts bytes target     prot opt in     out     source               destination
. . .
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:80
. . .
There are a few differences, I don't know which one is cousing problem. I found a partial solution;
(setenv RT_cmd_01 "iptables -I INPUT -p tcp --dport 80 -j ACCEPT")
which solves some of my problems.
But makes another problem actually. Whenever someone decides to forward something to port 80 or doesn't want to use webgui from outside anymore, they can't. Because of the modification I made, they have to know how to remove what I added.

Anyways, I hope one day, that option in webgui works as intended.
mstombs
RouterTech Team
RouterTech Team
Posts: 3753
Joined: Wed Jan 10, 2007 11:54 pm

Re: Remote Web Access

Post by mstombs » Sun Nov 27, 2011 7:17 pm

The toggle between 8080 and 80 should happen in "nat PREROUTING", are you running "nat translation"?
Post Reply