Remote Web Access
Usually, I need to reach the router from outside. But enabling "Remote Web Access" is not working. To do that, I had to disable the router's firewall, but that doesn't feel right at all. I just want to reach the web interface while the firewall is enabled. How can I do that?
I'm using this firmware: "routertech-ar7wrd-1350A-pspboot-firmware-4ports-20110502.zip"
- thechief
- RouterTech Team
- Posts: 12067
- Joined: Wed Feb 01, 2006 10:22 pm
- Location: England, the Centre of Africa
Re: Remote Web Access
Personally, I would use a VPN (try openvpn or pptpd).
The Chief: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
Re: Remote Web Access
This is another option, yes. But not a solution for what I asked. I mean, something is not working with firmware.
Also, I can't find vpn client all the time. For example, I can reach web with my mobile phone but it can't connect to vpn.
- thechief
- RouterTech Team
Re: Remote Web Access
It should work. If it is not working, then one option is to try the VPN solution (the only way that I would recommend for accessing your router from the WAN). If that is not possible, then you will need to work around the problem (e.g., some iptables commands to open up specific ports).
Re: Remote Web Access
Remote web on 1350A certainly used to work - you have to specify an alternate port to 80, which the router swaps on receipt to keep the local web on port 80 via iptables rules. The web gui config for remote web will not therefore work if you have used the RouterTech env-var to move the local web gui port - but you should be able to get it to work via custom port forward rule.
BUT simple password security on the web gui is not very secure - so I have used this only for a specific remote IP address (have static IP at work). I assume VPN with secure comms and certs etc. would be much more secure.
Re: Remote Web Access
Are those iptables rules generated at boot? Because there isn't anything in /etc/sysconfig.
It may not be as secure as other options, but I don't really have any choice other than the web gui; it has to work like this, people are used to it and it is almost impossible to change the way of their practice.
Re: Remote Web Access
The firewall rules will be generated on wan connect via the core-logic - not standard linux config.
From a lan telnet/ssh session check the output of
Code:
iptables -nvL
iptables -nvL -t nat
Re: Remote Web Access
Without any port forwarding or anything, I'm getting this, which looks normal to me:
Code:
Chain INPUT (policy ACCEPT 162 packets, 25584 bytes)
pkts bytes target prot opt in out source destination
3 250 ACCEPT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
0 0 DROP icmp -f * * 0.0.0.0/0 0.0.0.0/0
2 96 DROP all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 151 packets, 14247 bytes)
pkts bytes target prot opt in out source destination
127 18803 ACCEPT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
22 1132 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 DROP all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 171 packets, 11141 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
1 109 DROP icmp -- * ppp0 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 DROP icmp -- * ppp0 0.0.0.0/0 0.0.0.0/0 state INVALID
Those were added after I enabled "Remote Web Access" to port 8080:
Code:
Chain INPUT (policy ACCEPT 539 packets, 111K bytes)
pkts bytes target prot opt in out source destination
. . .
0 0 DROP tcp -- ppp0 * 0.0.0.0 0.0.0.0/0 state NEW tcp dpt:8080
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0 0.0.0.0/0 state NEW tcp dpt:80
. . .
But this doesn't work, I can't reach the webgui on port 8080 or port 80. That drop rule should not be there, I think. But if I choose port 80 instead, the same rule for port 80 is added without (drop 8080), so something with that port's rule must be changed.
I reverted to the state at the beginning. Then I added another rule manually (iptables -I INPUT -p tcp --dport 80 -j ACCEPT) and this happened:
Code:
Chain INPUT (policy ACCEPT 198 packets, 70323 bytes)
pkts bytes target prot opt in out source destination
. . .
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
. . .
There are a few differences, I don't know which one is causing the problem. I found a partial solution;
(setenv RT_cmd_01 "iptables -I INPUT -p tcp --dport 80 -j ACCEPT")
which solves some of my problems.
But it makes another problem actually. Whenever someone decides to forward something to port 80 or doesn't want to use the webgui from outside anymore, they can't. Because of the modification I made, they have to know how to remove what I added.
Anyways, I hope one day that option in the webgui works as intended.
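Added example, not part of the original thread or the RouterTech firmware: a small POSIX shell check that reads `iptables -nvL INPUT` output and reports, for one TCP port, whether each ACCEPT rule is limited to an interface and source address or open to everything, which is the difference between the manual rule above and the "specific remote IP" approach mentioned earlier in the thread. The function name `audit_port`, the sample listing and the address 203.0.113.10 (a documentation address) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify ACCEPT rules for one TCP port in the output of
# `iptables -nvL INPUT` (read from stdin). audit_port is a hypothetical
# helper name, not a firmware command.
audit_port() {
    port="$1"
    # Columns: pkts bytes target prot opt in out source destination [matches]
    while read -r pkts bytes target prot opt iface out src dst rest; do
        [ "$target" = "ACCEPT" ] || continue
        [ "$prot" = "tcp" ] || continue
        case " $rest " in
            *" dpt:$port "*) ;;   # exact match, so port 80 does not hit 8080
            *) continue ;;
        esac
        flags=""
        # "*" in the in-column: the rule matches on every interface.
        if [ "$iface" = "*" ]; then
            flags="any-iface"
        fi
        # 0.0.0.0/0 in the source column: the rule matches every sender.
        if [ "$src" = "0.0.0.0/0" ]; then
            flags="${flags:+$flags,}any-source"
        fi
        printf '%s port=%s iface=%s src=%s\n' \
            "${flags:-scoped}" "$port" "$iface" "$src"
    done
    return 0
}

# Constructed sample in `iptables -nvL INPUT` format: the manual rule from
# the post, then a rule limited to ppp0 and one source address.
SAMPLE='Chain INPUT (policy ACCEPT 198 packets, 70323 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- ppp0 * 203.0.113.10 0.0.0.0/0 state NEW tcp dpt:80
2 96 DROP all -- ppp0 * 0.0.0.0/0 0.0.0.0/0'

printf '%s\n' "$SAMPLE" | audit_port 80
# On the router, from a LAN telnet/ssh session:
#   iptables -nvL INPUT | audit_port 80
```

A line starting with `any-iface,any-source` is a rule that accepts the web GUI port from any sender, so the GUI password is the only control left in front of it.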
Re: Remote Web Access
The toggle between 8080 and 80 should happen in "nat PREROUTING", are you running "nat translation"?