Remote Web Access Not Working


TrickyT
Posts: 9
Joined: Sat May 16, 2015 12:55 am
Location: Houston, TX

Remote Web Access Not Working

Post by TrickyT »

OK, I'm out of ideas, and hoping someone can point out what simple little bit I've missed. I'm running gargoyle_1.8.1-ar71xx-nand-wndr4300-squashfs-sysupgrade on my Netgear WNDR4300v1. It's a secondary router, that I'm setting up for my son and his friends so they are isolated from the adult network. General concept:
Internet connection from Xfinity connected directly to the first router, called "GrownUps", running DD-WRT. The GrownUps network gateway is 10.1.1.1, and the computers and wireless devices that connect to that router start at 10.1.1.10. The second router, named "Teenagers", connects to the "GrownUps" router, with an IP of 10.1.1.2. On the "Teenagers" network, the gateway is 10.1.2.1, and the devices start at 10.1.2.10.

Web admin access is enabled for HTTP and HTTPS, and remote web admin access is enabled for HTTP and HTTPS. When connected to the "Teenagers" network, I can access the web administration just fine....Point the browser to "10.1.2.1" and boom, I'm in. Problem is, when I'm connected to the "GrownUps" network and point yon browser to 10.1.1.2, I get "Unable to Connect." Similarly, I have SSH and Remote SSH enabled, and the same issue...I can connect from the Teenagers side, but not the GrownUps. I did an nmap of the router from the GrownUps network, and the only open port it shows is port 65000, which I opened for the VNC connection to my son's laptop, but not 22, 23, or 443.

Any ideas?
Noob. Please be gentle!
TP-Link WR1043ND running DD-WRT
Netgear WNDR4300v1 running Gargoyle 1.9.0

nworbnhoj
Posts: 916
Joined: Mon Jul 21, 2014 10:08 am
Location: Australia

Re: Remote Web Access Not Working

Post by nworbnhoj »

TrickyT wrote: Web admin access is enabled for HTTP and HTTPS, and remote web admin access is enabled for HTTP and HTTPS.
Funny you should mention that! Just 2 days ago I was poking around in the code and noticed (with some bemusement) that the "Remote Web Admin Access" select is not actually connected to anything! Pretty much like those "Close Doors" buttons in an elevator. To my knowledge you are only the second person to ever have noticed.
TrickyT wrote: Similarly, I have SSH and Remote SSH enabled
I did not check this one - might be the same.

However, back to your issue. The way you have set things up is a little weird. Probably you would be better served by placing Gargoyle as the primary router and connecting both "Grown-up" and "youth" to it. There are adequate tools in Gargoyle to restrict "youth"s access to LAN and Internet resources.

The "remote admin access" is intended to provide access to Gargoyle from the Internet. While this may have some value, and should be able to be achieved securely, it is a chink in the firewall that I personally do not care to open. I probably should however fix the code for the benefit of more adventurous souls.
Can you help someone else get Gargoyle up and running?
TL-WDR3600 : Gargoyle 1.9.0 : NBN FixedWireless
TL-WR1043ND-V2 : Gargoyle 1.8.0 : 3G Huawei E160E

TrickyT
Posts: 9
Joined: Sat May 16, 2015 12:55 am
Location: Houston, TX

Re: Remote Web Access Not Working

Post by TrickyT »

One of my main reasons for doing things this way is specific to our circumstances...Namely, I travel a lot, and when the wife needs to "ground" the kids while I'm not home, she can just unplug the router. Also, Gargoyle has a better interface for logging web usage, and I try to keep an eye on what my son and his friends (one of which is a little thug who likes to try to download some nasty stuff that the DNS filters don't like) are using the network for.

I use the DD-WRT based router as the main one, since the OpenVPN setup is already done from a previous use, and all our traffic goes through the VPN now, to get away from Comcast's love of throttling videos. It's been pretty reliable for that, and I'm loath to change things around.

As for the remote access, I can see it being a chink in the armor for most uses, but since the Gargoyle isn't the primary router, it's a convenience thing for me to not have to go change the plugs around every time I need to make some changes, so if I can get a workaround, I'd appreciate it. Is there a command I can use to open up those ports via SSH or Telnet interfaces?

Thanks for the help!
Noob. Please be gentle!
TP-Link WR1043ND running DD-WRT
Netgear WNDR4300v1 running Gargoyle 1.9.0

nworbnhoj
Posts: 916
Joined: Mon Jul 21, 2014 10:08 am
Location: Australia

Re: Remote Web Access Not Working

Post by nworbnhoj »

Thanks - understand your setup much better now (still think Gargoyle would be better in the primary role - can do all the openvpn etc). You are correct that opening "remote admin access" is no risk at all in your proposed setup. All good.

I just had another glance at the code and suspect I know where the problem is for remote admin access. However, I need to completely "get it" before I am comfortable to propose a fix to the code - or a manual fix for you (likely to cause more damage than I fix). I will put it on my list and spend a little time on it before too long.
Can you help someone else get Gargoyle up and running?
TL-WDR3600 : Gargoyle 1.9.0 : NBN FixedWireless
TL-WR1043ND-V2 : Gargoyle 1.8.0 : 3G Huawei E160E

TrickyT
Posts: 9
Joined: Sat May 16, 2015 12:55 am
Location: Houston, TX

Re: Remote Web Access Not Working

Post by TrickyT »

Thanks for the thought on this, it really is appreciated. The good news I guess is it shouldn't be too hard, I had another router with Gargoyle 1.3 (or so) running on it, and remote access worked way back when, so unless things have greatly changed, I can't see it being too hard to put back in.

Seems kinda mean to put a page in with options that don't really do anything...Then again, check YouTube for "Useless Box" videos and you can see the definition of mean!
Noob. Please be gentle!
TP-Link WR1043ND running DD-WRT
Netgear WNDR4300v1 running Gargoyle 1.9.0

nworbnhoj
Posts: 916
Joined: Mon Jul 21, 2014 10:08 am
Location: Australia

Re: Remote Web Access Not Working

Post by nworbnhoj »

TrickyT wrote: Seems kinda mean to put a page in with options that don't really do anything
I did not mean to imply that it was on purpose
(I think the elevator buttons are on purpose).

And ... I just had a proper look at the code and it looks like it should work - just not in a way that I had ever imagined. Learn something every day.

I will have to look deeper.
Can you help someone else get Gargoyle up and running?
TL-WDR3600 : Gargoyle 1.9.0 : NBN FixedWireless
TL-WR1043ND-V2 : Gargoyle 1.8.0 : 3G Huawei E160E

TrickyT
Posts: 9
Joined: Sat May 16, 2015 12:55 am
Location: Houston, TX

Re: Remote Web Access Not Working

Post by TrickyT »

nworbnhoj wrote: I did not mean to imply that it was on purpose
Not an accusation, I see the humor in it more than anything else.
nworbnhoj wrote: (I think the elevator buttons are on purpose).
Not gonna disagree with ya there, either...

As for the code, like I said before, it worked way back when, on a D-Link DIR-600 A1 running 1.3.8 I was using for a while in a similar setup....I wonder if the functionality is still there, and they just got rid of the link between the functionality and the page setting it?

Regardless, thanks for your time on this.
Noob. Please be gentle!
TP-Link WR1043ND running DD-WRT
Netgear WNDR4300v1 running Gargoyle 1.9.0

nworbnhoj
Posts: 916
Joined: Mon Jul 21, 2014 10:08 am
Location: Australia

Re: Remote Web Access Not Working

Post by nworbnhoj »

With the remote access turned on ..... can you ssh into the router and confirm that you have something like:

Code:

# uci show firewall
.......etc...etc.....etc...................
firewall.ra_443_443=remote_accept
firewall.ra_443_443.local_port='443'
firewall.ra_443_443.remote_port='443'
firewall.ra_443_443.proto='tcp'
firewall.ra_443_443.zone='wan'
firewall.ra_80_80=remote_accept
firewall.ra_80_80.local_port='80'
firewall.ra_80_80.remote_port='80'
firewall.ra_80_80.proto='tcp'
firewall.ra_80_80.zone='wan'

Also, can you confirm that you can access the Gargoyle admin from the LAN side when the WAN is refusing?
Can you help someone else get Gargoyle up and running?
TL-WDR3600 : Gargoyle 1.9.0 : NBN FixedWireless
TL-WR1043ND-V2 : Gargoyle 1.8.0 : 3G Huawei E160E

TrickyT
Posts: 9
Joined: Sat May 16, 2015 12:55 am
Location: Houston, TX

Re: Remote Web Access Not Working

Post by TrickyT »

Remote access and remote web access both enabled for http and https, ports 80 and 443. Remote and local SSH both enabled. uci output:

Code:

firewall.ra_443_443=remote_accept
firewall.ra_443_443.local_port=443
firewall.ra_443_443.remote_port=443
firewall.ra_443_443.proto=tcp
firewall.ra_443_443.zone=wan
firewall.ra_80_80=remote_accept
firewall.ra_80_80.local_port=80
firewall.ra_80_80.remote_port=80
firewall.ra_80_80.proto=tcp
firewall.ra_80_80.zone=wan
firewall.ra_22_22=remote_accept
firewall.ra_22_22.local_port=22
firewall.ra_22_22.remote_port=22
firewall.ra_22_22.proto=tcp
firewall.ra_22_22.zone=wan

And yes, when plugged into the "Teenager" router with IP 10.1.2.10 I can access, but when plugged into the "GrownUp" router with IP 10.1.1.30 I can't, and PuTTY shows "Connection Refused."
Noob. Please be gentle!
TP-Link WR1043ND running DD-WRT
Netgear WNDR4300v1 running Gargoyle 1.9.0
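
Added example, not part of the posts above and not Gargoyle's own code: a shell function that reads `uci show firewall` output and lists the ports its `remote_accept` sections open on a zone, accepting both the quoted and the bare value forms shown in the thread. The function names and the `defaults` line in the sample are constructed; it reports the stored configuration only, not the rules actually loaded in the firewall.

```shell
#!/bin/sh
# Added example: list ports that remote_accept sections expose on a zone.
# Reads `uci show firewall` text on stdin; values may be quoted or bare.

remote_accept_ports() {
    # $1 = zone to report on (default: wan)
    awk -F= -v zone="${1:-wan}" -v q="'" '
        { val = $2; gsub(q, "", val); split($1, p, ".") }
        val == "remote_accept" && p[3] == "" {      # section header line
            sect[p[2]] = 1; order[++n] = p[2]; next
        }
        (p[2] in sect) { opt[p[2], p[3]] = val }    # option of a known section
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (opt[s, "zone"] != zone) continue
                printf "%s/%s -> local %s\n",
                    opt[s, "remote_port"], opt[s, "proto"], opt[s, "local_port"]
            }
        }'
}

exposes_port() {
    # $1 = port, $2 = zone; exit status 0 when a remote_accept section opens it
    remote_accept_ports "$2" | grep -q "^$1/"
}

sample_uci() {
    # Sample input: the 443 and 22 sections as posted in the thread (one quoted,
    # one bare) plus a constructed defaults line that must be ignored.
    cat <<'EOF'
firewall.@defaults[0]=defaults
firewall.ra_443_443=remote_accept
firewall.ra_443_443.local_port='443'
firewall.ra_443_443.remote_port='443'
firewall.ra_443_443.proto='tcp'
firewall.ra_443_443.zone='wan'
firewall.ra_22_22=remote_accept
firewall.ra_22_22.local_port=22
firewall.ra_22_22.remote_port=22
firewall.ra_22_22.proto=tcp
firewall.ra_22_22.zone=wan
EOF
}

sample_uci | remote_accept_ports wan
```

On the router the same function takes live input: `uci show firewall | remote_accept_ports wan`.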

ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Remote Web Access Not Working

Post by ispyisail »

I haven't read this whole post but..................

If you don't use OpenVPN your router will be attempted to be hacked almost straight away.

Anecdotal evidence suggests there are people that scan for open SSH ports then proceed to hack the password. Unlike Ubuntu, the username is easy to find so that just leaves cracking the password.

If you do open that port make sure the password is really really long and random etc.

You can tell by checking your SSH log.
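
Added example, not part of the post above: one way to do the log check it mentions, counting failed SSH logins per source address and marking sources that also logged in successfully. It assumes the SSH server is Dropbear with its usual message wording and that the log is read with `logread`; the function names and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: count failed SSH logins per source address in a router log.
# Assumes Dropbear message wording; the log lines below are constructed samples.

failed_ssh_by_source() {
    # $1 = minimum number of failures before a source is reported (default 3)
    awk -v min="${1:-3}" '
        /dropbear\[[0-9]+\]: (Bad password attempt for|Login attempt for nonexistent user)/ {
            src = $NF; sub(/:[0-9]+$/, "", src)    # drop the client port
            fails[src]++
        }
        /dropbear\[[0-9]+\]: Password auth succeeded/ {
            src = $NF; sub(/:[0-9]+$/, "", src)
            ok[src] = 1                            # success anywhere in the log
        }
        END {
            for (s in fails)
                if (fails[s] >= min)
                    printf "%s %d %s\n", s, fails[s],
                        ((s in ok) ? "LOGIN-SUCCEEDED" : "no-login")
        }' | LC_ALL=C sort
}

sample_log() {
    cat <<'EOF'
Sat May 16 01:02:03 2015 authpriv.info dropbear[2101]: Child connection from 203.0.113.5:40022
Sat May 16 01:02:05 2015 authpriv.warn dropbear[2101]: Bad password attempt for 'root' from 203.0.113.5:40022
Sat May 16 01:02:07 2015 authpriv.warn dropbear[2101]: Bad password attempt for 'root' from 203.0.113.5:40022
Sat May 16 01:02:09 2015 authpriv.warn dropbear[2102]: Login attempt for nonexistent user from 203.0.113.5:40031
Sat May 16 01:02:11 2015 authpriv.warn dropbear[2102]: Bad password attempt for 'root' from 203.0.113.5:40031
Sat May 16 02:10:00 2015 authpriv.warn dropbear[2150]: Bad password attempt for 'root' from 198.51.100.7:51000
Sat May 16 02:10:02 2015 authpriv.warn dropbear[2150]: Bad password attempt for 'root' from 198.51.100.7:51000
Sat May 16 02:10:04 2015 authpriv.warn dropbear[2151]: Bad password attempt for 'root' from 198.51.100.7:51002
Sat May 16 02:10:06 2015 authpriv.notice dropbear[2151]: Password auth succeeded for 'root' from 198.51.100.7:51002
Sat May 16 03:00:00 2015 authpriv.warn dropbear[2200]: Bad password attempt for 'root' from 10.1.2.10:60001
Sat May 16 03:00:05 2015 authpriv.notice dropbear[2200]: Password auth succeeded for 'root' from 10.1.2.10:60001
EOF
}

sample_log | failed_ssh_by_source 3
```

On the router: `logread | failed_ssh_by_source 3`. A source marked `LOGIN-SUCCEEDED` after repeated failures is the one to investigate first.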
