dd-wrt access admin page from outside network?


Hi, I just noticed that I can access/log in to my router's web admin interface by visiting my external IP address from outside my network. I thought I shouldn't be able to do this?

Is this normal, or have I probably misconfigured something?

Here are my current settings:

web access: http

info-site: enabled

info-site password protection: disabled

info-site MAC masking: enabled

wireless GUI access: enabled

web GUI management: disabled

SSH management: enabled

telnet management: disabled

allow any ip: enabled

I'm also using the multiple-bssid setup here, if it's relevant: http://www.pennock.nl/dd-wrt/Multiple_BSSIDs.html

Thanks!

Edit: misread.

Just disable HTTP web access if you don't want to be able to log in from outside the network.

Edit 2: Actually, after looking at my router, I don't think that's the case. I don't know.

But that would also stop me from accessing it inside the network ><

Disabling remote HTTP access shouldn't stop internal IP addresses. It should only stop access from the WAN port.

"Web GUI Management" under "Remote Access" is already disabled. The "Web Access" thing is (supposedly) for selecting the protocol of internal web access.

I've tried a bunch of different things and nothing seemed to work. I'm going to try a couple of other builds in case it's a bug with the one I'm using right now.

Are you sure you're accessing it externally? Like, you're not on a VPN, or still connected to the wireless, or something along those lines. I know it's a stupid question, but I have made some silly mistakes before too.

I would also try a reflash in case something screwed up.

Yeah, I've been trying from a web proxy and also my neighbour's open wifi; I can access it in both. I don't have a VPN.

I think the best bet right now is to reflash and see what happens. I'll update this post when I've done that :)

Hi, I just noticed that I can access/log in to my router's web admin interface by visiting my external IP address from outside my network. I thought I shouldn't be able to do this?

Is this normal, or have I probably misconfigured something?

No, it's the default behavior. The web GUI will by default listen on wan:80 with a password that everyone knows! And even if I can change the password, I want to disable listening on wan:80 completely.

The only way I'm able to disable access to wan:80 is to forward wan:80 (i.e. the WAN IP, port 80, for example 92.151.5.90:80) to nowhere in the NAT server from NAT / QoS > Port Forward. And I can't seem to be able to disable listening on wan:80 in Administration > Management, even though I have disabled Remote Access for Web GUI Management like the attached image shows. I would like disabling Remote Access for Web GUI Management to mean that it's not listening on wan:80, only on local:80 (i.e. for example 192.168.0.1:80), without having to forward port 80 to nowhere.

OK, turns out the firewall rules were all messed up somehow. It's good now.

You mean you hadn't forwarded port 80? I have to forward port 80 to nowhere (a non-existent IP) in NAT / QoS > Port Forward to disable remote access to the web GUI.

So you're worried about web GUI access from remote -- but you think it's OK to allow telnet? Also 192.168.0.1 to 254 is not a REMOTE IP -- that's a private address -- so nobody is going to be able to access telnet that way. Why not just disable it?

I don't use my dd-wrt as my external router, so I would have to fire it up --- but it's easy enough to test when I get home. I'll just plug a box into the external side of the router and set up IPs.

My guess with the OP's problem was that he stated he was running multiple BSSIDs, which calls for making direct rules with iptables. Example from what he linked to:

# Make sure br1 has access to the internet:
iptables -I INPUT -i br1 -m state --state NEW -j logaccept
iptables -I FORWARD -i br1 -o $wanif -m state --state NEW -j ACCEPT

So it's quite possible he jacked up something in those rules -- or maybe they are jacked up as written. I have not really looked that deep at them yet. But the second rule there, where he is doing $wanif ACCEPT, could be the problem.

But to your problem: if you have not manually made any manipulations of the rules with iptables like he did in the example, it does not matter whether httpd is listening on 0.0.0.0 (all IPs). Just look at your specific rules with iptables. So with remote web GUI disabled, you see these rules:

root@wrt54g:~# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:69
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23

So now, if I enable remote web GUI access, notice the rules change:

root@wrt54g:~# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23

Now I don't have my router actually connected to anything on the WAN side, so it's difficult to verify anything from here. But as you can see, with web GUI remote access disabled there is a specific DROP rule in your INPUT chain; when you enable remote GUI access, those rules go away. If you have the DROP rule in there for those ports, I don't see how it would be possible for anything to access your router's web GUI from the remote side.

So why don't you post your iptables -nL and we can take a look at your rules.

You can learn more about setting up rules with iptables on dd-wrt here: http://www.dd-wrt.com/wiki/index.php/Iptables_command#Listing_the_rules_in_a_chain

BTW -- notice when I disable the remote web GUI, shazam, those rules are back:

root@wrt54g:~# iptables -nL INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:69
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23
root@wrt54g:~#

Edit: BTW, in the screenshot you posted you exposed your public IP. You might want to edit your screenshot to block that out.

Edited by BudMan
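A quick check for the DROP rules BudMan describes above (and that the later "After some testing" post relies on), as an added example that is not part of the thread: it scans the text of iptables -nL INPUT for the catch-all DROP rules on the management ports and names any port that is missing one. The port list and the sample rule text are taken from the output posted above, with the port 80 rule deliberately left out of the sample.

```shell
#!/bin/sh
# Added example, not from the thread: check the text of `iptables -nL INPUT`
# (as pasted from a dd-wrt shell) for the catch-all DROP rules BudMan shows
# and report which management ports have none, i.e. which ones the WAN side
# could still reach. The port list is taken from the rules in the thread.
MGMT_PORTS="8080 80 443 69 22 23"

# Sample input, constructed from the rules posted above, with the dpt:80 rule
# removed so it shows what a "messed up" rule set looks like.
SAMPLE_INPUT='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:69
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23'

# Returns 0 (true) if the rule text contains a DROP rule for tcp from any
# source (0.0.0.0/0) to the given destination port.
port_is_dropped() {
    printf '%s\n' "$1" | grep -E '^DROP +tcp +-- +0\.0\.0\.0/0 ' | grep -qE "dpt:$2\$"
}

# Prints the management ports that lack such a rule, space separated on one
# line; exit status 0 when every port is covered, 1 otherwise.
unprotected_ports() {
    missing=""
    for port in $MGMT_PORTS; do
        port_is_dropped "$1" "$port" || missing="$missing $port"
    done
    missing=${missing# }
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# On the router itself feed the live output instead:
#   unprotected_ports "$(iptables -nL INPUT)"
unprotected_ports "$SAMPLE_INPUT" || echo "the ports above still have no DROP rule in INPUT"
```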

But you think it's OK to allow telnet? Also 192.168.0.1 to 254 is not a REMOTE IP -- that's a private address -- so nobody is going to be able to access telnet that way. Why not just disable it?

No, I don't think it's OK. I didn't understand that Telnet access was always enabled for local IPs. I disabled the Telnet Management option now. And I can still access telnet from a local IP.

If you have the DROP rule in there for those ports, I don't see how it would be possible for anything to access your router's web GUI from the remote side.

OK. I understand. The confusing thing is that httpd listens on *:80, so that I can connect to wan:80 from a local IP. But the DROP rules disallow any connections to wan:80 from a WAN address, so the purpose of disallowing external access is fulfilled.

Edit: BTW, in the screenshot you posted you exposed your public IP. You might want to edit your screenshot to block that out.

Thanks. I fixed that by removing the attachment.

After some testing I think this is how it works:

Web Access

HTTP/HTTPS: Enable or disable httpd; it will automatically listen on *:80, i.e. on both wan:80 and lan:80.

Remote Access

Web GUI Management: This controls whether external IPs can access httpd on wan:80 (given that the Web GUI Port is 80). If disabled, local IPs can still access wan:80, but external IPs cannot. If enabled and set to port 8080, httpd will listen on wan:8080 and lan:80 (but access to wan:8080 may be blocked by the Allow Any Remote IP setting).

Allow Any Remote IP: This applies to both Telnet and Web GUI. This setting is only in addition to the local IP range, so even if you don't include the local IP range here (for example 192.168.0.1-254) and set the Allowed Remote IP Range to, for example, 1.0.0.1-1, local IPs such as 192.168.0.100 will still be allowed access.

So the confusing thing is that it listens on wan:80 even when Web GUI Management is disabled. It's only external access to wan:80 that's disallowed. It would be less confusing, in my opinion, if Web GUI Management disabled meant that httpd stopped listening on wan:80 and listened only on local:80.

"It would be less confusing, in my opinion, if Web GUI Management disabled meant that httpd stopped listening on wan:80 and listened only on local:80."

To me a firewall rule that states DROP!! is pretty straightforward and crystal clear ;)

To change what ports a service is listening on would normally mean a restart of that service -- so if you're on the GUI when you make the change, having to restart the service you're connected to in order to change whether it listens on a specific IP could cause you issues with your connection to the service.

Also -- I'm not exactly sure how they have the httpd configured, but for example in Apache you don't call out the interface you want to listen on; you put in IP(s) or use 0.0.0.0 to state ALL IPs. So if you were going to call out a specific WAN IP, what happens when your dynamic WAN IP changes? Do you have to restart the service again?? When that service starts it's not really binding to the interface, but to the IP. So I could see issues if the IP on the WAN changes. Your LAN IP is static, so that's not a big deal. It's easier to manage if I turn firewall rules on or off vs dicking with settings in an httpd service, if you ask me.

That's my take on it anyway.

Also -- I'm not exactly sure how they have the httpd configured, but for example in Apache you don't call out the interface you want to listen on; you put in IP(s) or use 0.0.0.0 to state ALL IPs. So if you were going to call out a specific WAN IP, what happens when your dynamic WAN IP changes? Do you have to restart the service again?? When that service starts it's not really binding to the interface, but to the IP. So I could see issues if the IP on the WAN changes. Your LAN IP is static, so that's not a big deal. It's easier to manage if I turn firewall rules on or off vs dicking with settings in an httpd service, if you ask me.

Good point. It's just that I haven't used any router web GUI before this one that listens on wan:80 for internal IPs. So at first I thought it was listening on wan:80 for external IPs too, until I tested it from a proxy and was denied access. But now that I understand exactly how it works and the reason for it, I'm of course fine with that.

Can somebody help me?

I removed the HTTP option from the web access.

I'm not able to access my router page. Is there an alternate way to get access to my router page?

Any help would be appreciated.

My router details:

Router: Netgear 834B v2

Firmware: DD-WRT V24 SP2 mini (12548M)

Well, use HTTPS, or telnet or SSH access to it. dd-wrt has many ways to access its interface.

Can you please tell me how to use HTTPS?

I tried https://192.168.1.1 and it does not work.

Telnet & SSH are not possible, I think, as I disabled them.

The allow any remote connections option is enabled.

Thanks

Well, if you disabled all the methods of accessing it -- it's going to be kind of hard to access, huh ;)

Reset it to default -- and this time don't turn off **** you need ;)

Hi, I just noticed that I can access/log in to my router's web admin interface by visiting my external IP address from outside my network. I thought I shouldn't be able to do this?

Is this normal, or have I probably misconfigured something?

Here are my current settings:

web access: http

info-site: enabled

info-site password protection: disabled

info-site MAC masking: enabled

wireless GUI access: enabled

web GUI management: disabled

SSH management: enabled

telnet management: disabled

allow any ip: enabled

I'm also using the multiple-bssid setup here, if it's relevant: http://www.pennock.nl/dd-wrt/Multiple_BSSIDs.html

Thanks!

It's normal, but disabled by default due to it also being a security hole.

That is an *advantage* of most third-party firmware (including DD-WRT) - more features than the proprietary firmware it was designed to replace. (Standard firmware doesn't even offer the option of wireless access from *inside* the LAN; it is typically required that you access/administer the router from a wired PC.)
