Posted: Thu Nov 12, 2009 23:03 Post subject: Remote Administration: Remote Admin Port Reassignment
I have a five-device network running WDS with DD-WRT: two WAP54Gs and one each of WRT54G/S/L. The WRT54GS is the hub for the WDS network and is wired to a WRT54G3G-ST (sixth device, Linksys firmware, wireless disabled) that is the edge router.
I need remote administration access to the devices on this network as I'm an hour away from the site. I currently have access by forwarding a sequential block of ports to the WRT54GS (port *1), which then translates the *2-*5 ports to port 80 of the LAN address of the destination device2-5.
What I originally wanted to do, and thought I could, was to simply send port *1 to device1, port *2 of device2, etc., and (with the remote admin port set to *X in the web GUI) log into the web GUI from this port. However, I found that I could not as the remote admin port seems to be only listened for on the WAN side of the device and I disable the WAN connection in order to reassign the WAN port to the LAN switch. On the WAP54Gs, this is a necessity so that the host PCs can connect and it is a nice thing on the WRT54Gs and as the WLAN acts as the WAN as well, the WAN port is vestigial for any of my uses except changing the remote admin port, apparently.
My intention with this post is to ask if the remote admin interface can be made to listen over the switch. My apologies if this is a redundant thread: the search was returning thousands of threads that were not relevant.
Also, as an aside, is anyone using DD-WRT on a WRT54G3G-ST? I would like to flash it as it drops its 3G WAN connection for 20 minutes before reconnecting after making configuration changes and is generally unstable--plus there are only ten entries for port forwarding--but I cannot afford to take it offline for extended monkeyshine as the network users are handy with the pitchforks and torches.
Oh, and another thing: is there a micro build that enables HTTPS? I would like more secure remote logins to the WRT54G (v6) and the WAP54Gs (v3.1).
Finally, I'd like to give credit to the Wi-Fi Guru column at wi-fiplanet.com (http://www.wi-fiplanet.com/tutorials/article.php/3802491) for giving me the answer to why remote administration wasn't working for me and how to work around it.
Forward from port *X to [destination device IP] port 80 for http or port 443 for https.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
All the "remote admin" settings do is create a couple iptables rules to NAT the WAN port to the LAN IP/port that the service is listening on. ie. "remote admin" is a port forward to itself. Since it already listens on the LAN, there wouldn't be much purpose for such an option.
Quote:
All the "remote admin" settings do is create a couple iptables rules to NAT the WAN port to the LAN IP/port that the service is listening on. ie. "remote admin" is a port forward to itself. Since it already listens on the LAN, there wouldn't be much purpose for such an option.
I don't think I'm following your logic here. You're saying that because the Remote Admin option on the web GUI merely NATs port X on the WAN to port Y on the LAN that there isn't a point in making the Remote Admin interface do something different.
Ok, thank you for explaining what the Remote Admin interface is and does. Now, I would like to suggest that the Remote Admin interface do something else: listen for X port on WAN/LAN/WLAN and avoid the need for NAT from WAN to LAN. If this means changing the underlying service to support that ability, then that's my suggestion.
Posted: Wed Apr 14, 2010 18:29 Post subject: Similar problem
I think my problem falls along these lines as well, but I don't think I'm fully following the fix.
I use 3 DD-WRT formatted routers.
1 Linksys WRT54G
2x ASUS WL-520gc
1 ASUS is the primary AP - WAN disabled
1 ASUS is in client mode (WAN enabled, different IP scheme)
Linksys is a home made "game adapter" for my xbox360.
Client Bridge - WAN disabled
Each has its own 8081,8082,8083 port assigned, and they are forwarded through my main gateway/firewall to their static assigned IPs.
The only router I can reach remotely is the 2nd ASUS that has its WAN still enabled. As I do not want PCs connected to this router to have access to the rest of my network.
I can access all three routers locally either via 192.*:808* or simply its 192.x IP
How I do this for my routed network is to enable remote management in the router on port 80, then in the NAT tables in my internet-facing router I do the following port policy. Mind you, this is a routed network, where each router's WAN is different from its LAN but NAT is disabled and it's literally a router.
That will work if you tend to connect to the routers via their WAN port, so that if you are using its radio and not its LAN ports you can disable the web UI via the wl0 interface and only hook up its WAN port.
If you wanted to use the router as a switch and still get access to its UI via the internet, you just point to its private LAN-based IP instead of its routed WAN IP.
Well, there must be some kind of HTTP request in the packet or something. The firewall knows somehow where to properly send requests from the WAN. Otherwise virtual domains wouldn't work. Anyway...
I have 3 separate ports assigned, only the one with its WAN works. But yet internally they all work the same. So there must be a connection between WAN being off that causes the router to not be reached from the outside. It seems that since the WAN is off, the router just ignores HTTP requests that don't come from the same local network.
Posted: Thu Apr 15, 2010 1:29 Post subject: Re: Similar problem
soul1601 wrote:
I think my problem falls along these lines as well, but I don't think I'm fully following the fix.
I use 3 DD-WRT formatted routers.
1 Linksys WRT54G
2x ASUS WL-520gc
1 ASUS is the primary AP - WAN disabled
1 ASUS is in client mode (WAN enabled, different IP scheme)
Linksys is a home made "game adapter" for my xbox360.
Client Bridge - WAN disabled
Each has its own 8081,8082,8083 port assigned, and they are forwarded through my main gateway/firewall to their static assigned IPs.
The only router I can reach remotely is the 2nd ASUS that has its WAN still enabled. As I do not want PCs connected to this router to have access to the rest of my network.
I can access all three routers locally either via 192.*:808* or simply its 192.x IP
For the AP and CB you need your gateway router to forward to port 80. Also be absolutely sure that you have assigned them their gateway address so that they have a default route out to the internet.
Remote admin settings are to open the port on the WAN side of the router when there is a WAN. When you disable the WAN there is no longer any need for remote admin, instead you just access the real port directly.
That would be great, if I was running a DD-WRT router as my gateway but I am not. I have a LB2 Hotbrick.
I think I have found the correct setting in my Hotbrick to accomplish the same feat; however, I'm not able to add more than one entry for a different local IP using the same port. I change the local LAN IP to 1.3 and the WAN port range to 8083 and I get:
Quote:
The WAN IP/Port is already in use by 192.168.1.2 and enabled, unable to add this entry !
So I'm able to reach the main AP (1.2:8082) with its WAN disabled remotely, but still not the Client Bridge (1.3:8083) that has no WAN.
EDIT: Here is the part that everyone can chime in and call me networking retarded.
I just realized what I was doing wrong when it came to enabling the fwd through the firewall. The GUI isn't very organized, and I am able to specify a different inside port to route to on my firewall. Problem is solved, and all my routers are reached from a WAN address. I've looked at the page many times, I don't know how I didn't realize it sooner.
I thank you all for your feedback, and for helping me realize my mistakes.
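
The forwarding this thread arrives at (one WAN port per device, each translated to port 80 on that device's LAN address), written out as iptables rules for a Linux-based gateway. This is an added example, not code from any poster: the helper `gen_forward_rules`, the interface `eth0`, the admin source address `203.0.113.10` and the restriction to that source are assumptions, and the device addresses are constructed from the 192.168.1.x scheme mentioned above.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules that forward one WAN port
# per device to that device's web GUI, as discussed in the thread.
# eth0, 203.0.113.10 and the source restriction are assumptions.

# Usage: gen_forward_rules WAN_IF ADMIN_SRC "wan_port:lan_ip:lan_port" ...
gen_forward_rules() {
    wan_if=$1; admin_src=$2; shift 2
    seen=" "; out=""
    for map in "$@"; do
        case $map in
            *:*:*) ;;
            *) echo "expected wan_port:lan_ip:lan_port, got '$map'" >&2; return 1 ;;
        esac
        ext=${map%%:*}; rest=${map#*:}
        ip=${rest%%:*}; port=${rest#*:}
        # Ports must be plain decimal numbers in 1..65535.
        for p in "$ext" "$port"; do
            case $p in
                ''|*[!0-9]*) echo "bad port in '$map'" >&2; return 1 ;;
            esac
            if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
                echo "port out of range in '$map'" >&2; return 1
            fi
        done
        # A WAN port can point at only one inside host; the gateway error
        # quoted in the thread reports this same conflict.
        case $seen in
            *" $ext "*) echo "WAN port $ext already in use" >&2; return 2 ;;
        esac
        seen="$seen$ext "
        # DNAT rewrites the destination to the device's LAN address and port;
        # the FORWARD rule admits only the admin source to that destination.
        out="${out}iptables -t nat -A PREROUTING -i $wan_if -p tcp -s $admin_src --dport $ext -j DNAT --to-destination $ip:$port
iptables -A FORWARD -i $wan_if -p tcp -s $admin_src -d $ip --dport $port -j ACCEPT
"
    done
    printf '%s' "$out"
}

# Constructed sample: AP (192.168.1.2) and client bridge (192.168.1.3).
gen_forward_rules eth0 203.0.113.10 8082:192.168.1.2:80 8083:192.168.1.3:80
```

The function only prints the rules so they can be reviewed before being applied on the gateway; the IP fields are passed through without validation.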