Posted: Sat Mar 11, 2023 3:51 Post subject: [SOLVED] Remote management IP range restriction no effect.
Router/Version: Netgear R6300v2
File/Kernel: v3.0-r51976 std (03/08/23)
Previous/Reset: upgraded from a 2019 build, already 30-30-30 as well as web gui reset
Mode/Status: Gateway mode, WAN is tied to 5G wifi Client mode DHCP, LAN + 2.4G wifi AP mode static address different from WAN
Issues/Errors: remote management - allow any IP doesn't seem to work correctly when set to disable
When allow-any-ip is set to disable, it reveals the option to enter which IP range is allowed.
It doesn't seem to impose any restriction based on the IP entered.
Once remote management is enabled, it's enabled for all.
If I disable remote management but turn off the SPI firewall, then anyone can reach it remotely too (this one is understandable since the firewall is off; but I thought they could be two separate functions).
The WAN is 192.168.2.105/24
the LAN is 10.0.0.1/24
The admin computer is in another net 192.168.1.0/24
If I disable allow-any-ip, and enter allow only 192.168.1.170-180,
save, apply, wait for the 5G client link to re-connect,
then try to connect to the web gui from 192.168.2.0/24 network, it goes through.
The WAN is technically on the same net as any other 192.168.2.x/24 host, so I'm guessing this isn't really remote; unsure if this is the expected behavior. Perhaps the remote host has to be in a different net for the firewall to consider it remote?
Then I tried to connect from 192.168.1.160 (still not within the allowed 170~180 range), but it goes through too.
So I'm a little lost now...
Looks like the IP range restriction just has no effect.
With your intended remote management configuration, presuming it is ssh or http(s), what is the output of iptables -vnL? Remote management should add firewall rules. The only possible bug would be if the wireless interface used as WAN is somehow not correctly tied to the proper interface for the firewall to work properly. _________________ "The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
It doesn't show any entry with the address range 192.168.1.175-178 that I entered.
I run that command after save and apply, no change,
then re-run after a reboot, still the same.
firewall disabled, but entered an address for remote management:
Code:
Chain INPUT (policy ACCEPT 58 packets, 9626 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 DROP tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP tcp -- * eth2 !192.168.2.105 0.0.0.0/0 state INVALID
0 0 upnp all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 lan2wan all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- eth2 * 0.0.0.0/0 224.0.0.0/4
0 0 TRIGGER all -- eth2 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 TRIGGER all -- eth2 eth0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- eth2 eth1 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- eth2 vlan1 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- vlan1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- vlan1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
eth2 seems to be the 5G wifi WAN, accepting tcp 443 for https.
Actually, I now realized that with the firewall enabled,
I can't even reach it via the WAN address.
For now with firewall enabled (but all the boxes unchecked),
I can only reach the web gui via the 10.0.0.1 address, either while connected to the 10.0.0.0/24 LAN, or from another net with policy routing and set gateway to the WAN of the client router (the 5G wifi WAN IP 192.168.2.105).
Connecting from 192.168.0.58, so outside this range, is blocked.
So it works for me, allowing traffic in the range and not outside it.
Note: if you disable the firewall you do not need remote management; just set a static route on the main router and you can connect to the router itself.
:trigger_out - [0:0]
:upnp - [0:0]
:lan2wan - [0:0]
:grp_1 - [0:0]
:advgrp_1 - [0:0]
:grp_2 - [0:0]
:advgrp_2 - [0:0]
:grp_3 - [0:0]
:advgrp_3 - [0:0]
:grp_4 - [0:0]
:advgrp_4 - [0:0]
:grp_5 - [0:0]
:advgrp_5 - [0:0]
:grp_6 - [0:0]
:advgrp_6 - [0:0]
:grp_7 - [0:0]
:advgrp_7 - [0:0]
:grp_8 - [0:0]
:advgrp_8 - [0:0]
:grp_9 - [0:0]
:advgrp_9 - [0:0]
:grp_10 - [0:0]
:advgrp_10 - [0:0]
:grp_11 - [0:0]
:advgrp_11 - [0:0]
:grp_12 - [0:0]
:advgrp_12 - [0:0]
:grp_13 - [0:0]
:advgrp_13 - [0:0]
:grp_14 - [0:0]
:advgrp_14 - [0:0]
:grp_15 - [0:0]
:advgrp_15 - [0:0]
:grp_16 - [0:0]
:advgrp_16 - [0:0]
:grp_17 - [0:0]
:advgrp_17 - [0:0]
:grp_18 - [0:0]
:advgrp_18 - [0:0]
:grp_19 - [0:0]
:advgrp_19 - [0:0]
:grp_20 - [0:0]
:advgrp_20 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i eth2 -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i eth2 -p tcp -d 10.0.0.1 --dport 443 -j ACCEPT
-A INPUT -i eth2 -p icmp -j ACCEPT
-A INPUT -i eth2 -p igmp -j ACCEPT
-A INPUT -i eth2 -p tcp --dport 113 -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -s 192.168.2.105 -o eth2 -p tcp -m state --state INVALID -j DROP
-A FORWARD -j upnp
-A FORWARD -j lan2wan
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -o eth2 -s 10.0.0.1/24 -p tcp --dport 1723 -j ACCEPT
-A FORWARD -o eth2 -s 10.0.0.1/24 -p gre -j ACCEPT
-A FORWARD -i eth2 -p udp --destination 224.0.0.0/4 -j ACCEPT
-A FORWARD -i eth2 -o br0 -j TRIGGER --trigger-type in
-A FORWARD -i br0 -j trigger_out
-A FORWARD -i eth2 -o eth0 -j TRIGGER --trigger-type in
-A FORWARD -i eth0 -j trigger_out
-A FORWARD -i eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth2 -o eth1 -j TRIGGER --trigger-type in
-A FORWARD -i eth1 -j trigger_out
-A FORWARD -i eth1 -m state --state NEW -j ACCEPT
-A FORWARD -i eth2 -o vlan1 -j TRIGGER --trigger-type in
-A FORWARD -i vlan1 -j trigger_out
-A FORWARD -i vlan1 -m state --state NEW -j ACCEPT
-A FORWARD -i br0 -m state --state NEW -j ACCEPT
-A FORWARD -j DROP
COMMIT
Okay, guessing my brain hadn't woken up...
Just realized I forgot the :8080 when trying to connect via the WAN address, as the internal and external https use different port numbers. Don't know why I was blind to that 8080 just above the IP setting. (I was on the LAN side during initial setup, then moved to the WAN side and simply changed the address, forgot to add the :8080 or change the default 8080 port to 443.) Duh..
egc wrote:
It should be in the DNAT rule
Yup, you got it; I've also changed the default remote management port 8080 to 443 too just in case
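Added example, not posted by anyone in this thread: two things were asked for above, the iptables dump that remote management should change, and egc's point that the source range lives in the DNAT rule rather than in filter/INPUT. The script below parses an iptables-save dump and traces a fresh TCP connection from a given client through nat/PREROUTING (DNAT) and then filter/INPUT, so you can answer "would this client on this port get in?" without probing from outside. The embedded dump is constructed for the example (the thread's own dump does not show the nat table), and the use of `-m iprange --src-range` for the allowed range is an assumption about how the rule is written, not something taken from the posts. The third case it traces is the mistake the thread ended on: connecting to the WAN address on 443 instead of the remote port 8080.

```python
import ipaddress
import shlex

# Constructed iptables-save excerpt (NOT the dump posted in the thread): WAN is eth2 at
# 192.168.2.105, remote web management on external port 8080 is DNATed to the LAN
# address 10.0.0.1:443 and limited to one source range. The iprange match is an assumption.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth2 -p tcp -m iprange --src-range 192.168.1.170-192.168.1.180 -d 192.168.2.105 --dport 8080 -j DNAT --to-destination 10.0.0.1:443
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i eth2 -p tcp -d 10.0.0.1 --dport 443 -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
COMMIT
"""

# iptables options this tracer understands, mapped to rule-dict keys; others are skipped.
_OPTS = {"-i": "in", "-p": "proto", "-s": "src", "-d": "dst", "-j": "target",
         "--dport": "dport", "--src-range": "src_range", "--state": "states",
         "--to-destination": "to"}


def parse_rules(save_text):
    """Return (rules, policies) from iptables-save text, preserving rule order."""
    rules, policies, table = [], {}, None
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule, i, negate = {"table": table, "chain": toks[1]}, 2, False
            while i < len(toks):
                if toks[i] == "!":
                    negate, i = True, i + 1
                    continue
                key = _OPTS.get(toks[i])
                if key:
                    val = toks[i + 1]
                    # -s/-d keep their '!' flag; the other options are not negated here.
                    rule[key] = (negate, val) if key in ("src", "dst") else val
                    negate, i = False, i + 2
                else:
                    i += 1
            rules.append(rule)
    return rules, policies


def _net_match(spec, ip):
    negate, net = spec
    return (ip in ipaddress.ip_network(net, strict=False)) != negate


def rule_matches(rule, pkt):
    """Does `rule` match a fresh (conntrack NEW) TCP packet described by `pkt`?"""
    if rule.get("in", pkt["in"]) != pkt["in"] or rule.get("proto", pkt["proto"]) != pkt["proto"]:
        return False
    if "src" in rule and not _net_match(rule["src"], pkt["src"]):
        return False
    if "dst" in rule and not _net_match(rule["dst"], pkt["dst"]):
        return False
    if "dport" in rule and int(rule["dport"]) != pkt["dport"]:
        return False
    if "src_range" in rule:
        lo, hi = (ipaddress.ip_address(a) for a in rule["src_range"].split("-"))
        if not lo <= pkt["src"] <= hi:
            return False
    # A --state rule applies to a new connection only if it lists NEW.
    return "states" not in rule or "NEW" in rule["states"].split(",")


def remote_mgmt_verdict(rules, policies, src, wan_if, wan_ip, port):
    """Trace a new TCP SYN from src to wan_ip:port through nat/PREROUTING, then filter/INPUT.

    Returns (admitted, trace). Only DNAT and terminating ACCEPT/DROP/REJECT targets are
    modelled; jumps to user chains are ignored, which suffices for the INPUT chain above.
    """
    pkt = {"in": wan_if, "proto": "tcp", "src": ipaddress.ip_address(src),
           "dst": ipaddress.ip_address(wan_ip), "dport": port}
    trace = []
    for r in rules:
        if (r["table"], r["chain"], r.get("target")) == ("nat", "PREROUTING", "DNAT") and rule_matches(r, pkt):
            host, _, p = r["to"].rpartition(":")
            pkt["dst"] = ipaddress.ip_address(host or p)  # --to-destination may omit the port
            pkt["dport"] = int(p) if host else pkt["dport"]
            trace.append(f"DNAT -> {pkt['dst']}:{pkt['dport']}")
            break
    else:
        trace.append("no DNAT match")
    for r in rules:
        if (r["table"], r["chain"]) == ("filter", "INPUT") and r.get("target") in ("ACCEPT", "DROP", "REJECT") \
                and rule_matches(r, pkt):
            trace.append(f"INPUT {r['target']}")
            return r["target"] == "ACCEPT", "; ".join(trace)
    policy = policies.get(("filter", "INPUT"), "ACCEPT")
    trace.append(f"INPUT policy {policy}")
    return policy == "ACCEPT", "; ".join(trace)


if __name__ == "__main__":
    rules, policies = parse_rules(SAMPLE_IPTABLES_SAVE)
    for src, port in (("192.168.1.175", 8080), ("192.168.1.160", 8080), ("192.168.1.175", 443)):
        ok, trace = remote_mgmt_verdict(rules, policies, src, "eth2", "192.168.2.105", port)
        print(f"{src}:{port} -> {'allowed' if ok else 'blocked'} ({trace})")
```

On a real box, feed it `iptables-save` output instead of the constructed string. The trace makes the two failure modes in this thread distinguishable: a client outside the range never hits the DNAT rule and falls through to the final INPUT DROP, and so does an in-range client that connects to the WAN address on the LAN https port instead of the remote management port, because the only INPUT ACCEPT on the WAN interface is for the post-DNAT destination 10.0.0.1:443.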