Remote Administration: Remote Admin Port Reassignment

hammmy
DD-WRT Novice


Joined: 12 Nov 2009
Posts: 8

Posted: Thu Nov 12, 2009 23:03    Post subject: Remote Administration: Remote Admin Port Reassignment
I have a five-device network running WDS with DD-WRT: two WAP54Gs and one each of WRT54G/S/L. The WRT54GS is the hub for the WDS network and is wired to a WRT54G3G-ST (sixth device, Linksys firmware, wireless disabled) that is the edge router.

I need remote administration access to the devices on this network as I'm an hour away from the site. I currently have access by forwarding a sequential block of ports to the WRT54GS (port *1), which then translates the *2-*5 ports to port 80 of the LAN address of the destination device2-5.

What I originally wanted to do, and thought I could, was to simply send port *1 to device1, port *2 of device2, etc., and (with the remote admin port set to *X in the web GUI) log into the web GUI from this port. However, I found that I could not as the remote admin port seems to be only listened for on the WAN side of the device and I disable the WAN connection in order to reassign the WAN port to the LAN switch. On the WAP54Gs, this is a necessity so that the host PCs can connect and it is a nice thing on the WRT54Gs and as the WLAN acts as the WAN as well, the WAN port is vestigial for any of my uses except changing the remote admin port, apparently.

My intention with this post is to ask if the remote admin interface can be made to listen over the switch. My apologies if this is a redundant thread: the search was returning thousands of threads that were not relevant.

Also, as an aside, is anyone using DD-WRT on a WRT54G3G-ST? I would like to flash it as it drops its 3G WAN connection for 20 minutes before reconnecting after making configuration changes and is generally unstable--plus there are only ten entries for port forwarding--but I cannot afford to take it offline for extended monkeyshine as the network users are handy with the pitchforks and torches.

Oh, and another thing: is there a micro build that enables HTTPS? I would like more secure remote logins to the WRT54G (v6) and the WAP54Gs (v3.1).

Finally, I'd like to give credit to the Wi-Fi Guru column at wi-fiplanet.com (http://www.wi-fiplanet.com/tutorials/article.php/3802491) for giving me the answer to why remote administration wasn't working for me and how to work around it.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

Posted: Thu Nov 12, 2009 23:29
Forward from port *X to [destination device IP] port 80 for http or port 443 for https.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
hammmy
DD-WRT Novice


Joined: 12 Nov 2009
Posts: 8

Posted: Thu Nov 12, 2009 23:44
phuzi0n wrote:
Forward from port *X to [destination device IP] port 80 for http or port 443 for https.


Yep, that's what I do now. I was wanting to make a suggestion that the remote admin interface listen over WLAN/LAN as well as WAN.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

Posted: Fri Nov 13, 2009 0:37
All the "remote admin" settings do is create a couple of iptables rules to NAT the WAN port to the LAN IP/port that the service is listening on, i.e. "remote admin" is a port forward to itself. Since it already listens on the LAN, there wouldn't be much purpose for such an option.
hammmy
DD-WRT Novice


Joined: 12 Nov 2009
Posts: 8

Posted: Fri Nov 13, 2009 0:55
phuzi0n wrote:
All the "remote admin" settings do is create a couple of iptables rules to NAT the WAN port to the LAN IP/port that the service is listening on, i.e. "remote admin" is a port forward to itself. Since it already listens on the LAN, there wouldn't be much purpose for such an option.


I don't think I'm following your logic here. You're saying that because the Remote Admin option on the web GUI merely NATs port X on the WAN to port Y on the LAN that there isn't a point in making the Remote Admin interface do something different.

Ok, thank you for explaining what the Remote Admin interface is and does. Now, I would like to suggest that the Remote Admin interface do something else: listen for X port on WAN/LAN/WLAN and avoid the need for NAT from WAN to LAN. If this means changing the underlying service to support that ability, then that's my suggestion.
soul1601
DD-WRT Novice


Joined: 18 Nov 2009
Posts: 38
Location: Austin MN

Posted: Wed Apr 14, 2010 18:29    Post subject: Similar problem
I think my problem falls along these lines as well, but I don't think I'm fully following the fix.

I use 3 DD-WRT formatted routers.

1 Linksys WRT54G
2x ASUS WL-520gc

1 ASUS is the primary AP - WAN disabled
1 ASUS is in client mode (WAN enabled, different IP scheme)
Linksys is a home made "game adapter" for my xbox360.
Client Bridge - WAN disabled

Each has its own port assigned (8081, 8082, 8083), and these are forwarded through my main gateway/firewall to their static assigned IPs.

The only router I can reach remotely is the 2nd ASUS that has its WAN still enabled, as I do not want PCs connected to this router to have access to the rest of my network.

I can access all three routers locally either via 192.*:808* or simply its 192.x IP
jmounts79
DD-WRT User


Joined: 20 Sep 2007
Posts: 218

Posted: Wed Apr 14, 2010 19:11
You can do this one of 2 ways.

How I do this for my routed network is enable remote management in the router on port 80, then in my NAT tables in my Internet-facing router I do the following port policy. Mind you, this is a routed network, where each router's WAN is different from its LAN but NAT is disabled and it's literally a router.

RouterA>IP:192.168.1.2>externalport:8082>Internalport:80


RouterA>IP:192.168.1.3>externalport:8083>Internalport:80


RouterA>IP:192.168.1.4>externalport:8084>Internalport:80

That will work if you tend to connect to the routers via their WAN port, so that if you are using its radio and not its LAN ports you can disable webUI via the wl0 interface and only hook up its WAN port.

If you wanted to use the router as a switch and still get access to its UI via the Internet, you just point to its private LAN-based IP instead of its routed WAN IP.
soul1601
DD-WRT Novice


Joined: 18 Nov 2009
Posts: 38
Location: Austin MN

Posted: Wed Apr 14, 2010 23:17
Redirecting traffic to port 80 isn't an option.
I also host an http/ftp/media server behind my firewall.

Port 80 is spoken for on the regular http traffic.

Why does disabling WAN on the router prevent outside access? The one with WAN still enabled is reachable with my configurations I put in the firewall.
jmounts79
DD-WRT User


Joined: 20 Sep 2007
Posts: 218

Posted: Wed Apr 14, 2010 23:23
Port 80 exists internally only; you are using a random port on the external side to talk to the internal port 80.

This is also known as port redirection.
soul1601
DD-WRT Novice


Joined: 18 Nov 2009
Posts: 38
Location: Austin MN

Posted: Thu Apr 15, 2010 0:02
Well, there must be some kind of HTTP request in the packet or something. The firewall knows somehow where to properly send requests from the WAN. Otherwise virtual domains wouldn't work. Anyway...


I have 3 separate ports assigned, only the one with its WAN works. But yet internally they all work the same. So there must be a connection between WAN being off that causes the router to not be reached from the outside. It seems that since the WAN is off, the router just ignores HTTP requests that don't come from the same local network.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

Posted: Thu Apr 15, 2010 1:29    Post subject: Re: Similar problem
soul1601 wrote:
I think my problem falls along these lines as well, but I don't think I'm fully following the fix.

I use 3 DD-WRT formatted routers.

1 Linksys WRT54G
2x ASUS WL-520gc

1 ASUS is the primary AP - WAN disabled
1 ASUS is in client mode (WAN enabled, different IP scheme)
Linksys is a home made "game adapter" for my xbox360.
Client Bridge - WAN disabled

Each has its own port assigned (8081, 8082, 8083), and these are forwarded through my main gateway/firewall to their static assigned IPs.

The only router I can reach remotely is the 2nd ASUS that has its WAN still enabled, as I do not want PCs connected to this router to have access to the rest of my network.

I can access all three routers locally either via 192.*:808* or simply its 192.x IP

For the AP and CB you need your gateway router to forward to port 80. Also be absolutely sure that you have assigned them their gateway address so that they have a default route out to the internet.

Remote admin settings are to open the port on the WAN side of the router when there is a WAN. When you disable the WAN there is no longer any need for remote admin, instead you just access the real port directly.

jmounts79
DD-WRT User


Joined: 20 Sep 2007
Posts: 218

Posted: Thu Apr 15, 2010 15:49
Here is a screenshot of my working NAT rules.

This is exactly what you are trying to do.

[Attached image: NAT-QoS.jpg]

soul1601
DD-WRT Novice


Joined: 18 Nov 2009
Posts: 38
Location: Austin MN

Posted: Fri Apr 16, 2010 17:21
That would be great, if I was running a DD-WRT router as my gateway but I am not. I have a LB2 Hotbrick.

I think I have found the correct setting in my Hotbrick to accomplish the same feat; however, I'm not able to add more than one entry for a different local IP using the same port. I change the local LAN IP to 1.3 and the WAN port range to 8083 and I get:

Quote:
The WAN IP/Port is already in use by 192.168.1.2 and enabled, unable to add this entry !


So I'm able to reach the main AP (1.2:8082) with its WAN disabled remotely, but still not the Client Bridge (1.3:8083) that has no WAN.


EDIT: Here is the part that everyone can chime in and call me networking retarded.

I just realized what I was doing wrong when it came to enabling the fwd through the firewall. The GUI isn't very organized, and I am able to specify a different inside port to route to on my firewall. Problem is solved, and all my routers are reached from a WAN address. I've looked at the page many times, I don't know how I didn't realize it sooner.

I thank you all for your feedback, and for helping me realize my mistakes.
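
The forwarding scheme this thread settles on (one external port per device on the gateway, each sent to that device's LAN IP on port 80), written out for a generic Linux gateway as an added example that is not from any poster or from DD-WRT. The interface name `eth0`, the admin source address `203.0.113.10` and the `-s` restriction are assumptions; the port/IP pairs are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: generate iptables rules that forward one external port per
# device to that device's web GUI, and refuse a table that reuses a WAN port.
WAN_IF="${WAN_IF:-eth0}"                 # assumed WAN interface name
ADMIN_SRC="${ADMIN_SRC:-203.0.113.10}"   # constructed admin address (TEST-NET-3)

# One mapping per line: external_port internal_ip internal_port
MAPPINGS="8082 192.168.1.2 80
8083 192.168.1.3 80
8084 192.168.1.4 80"

# Print external ports that appear more than once. A gateway can DNAT a given
# WAN port to only one destination, which is the conflict the Hotbrick reported.
duplicate_ports() {
    printf '%s\n' "$1" |
        awk 'NF { n[$1]++ } END { for (p in n) if (n[p] > 1) print p }' |
        sort -n
}

# Emit DNAT and FORWARD rules for a mapping table, or fail on a port conflict.
gen_rules() {
    dups=$(duplicate_ports "$1")
    if [ -n "$dups" ]; then
        echo "conflict: external port(s) used twice: $(echo $dups)" >&2
        return 1
    fi
    printf '%s\n' "$1" | while read -r ext ip int; do
        [ -n "$ext" ] || continue
        # Rewrite the destination only for traffic from the admin address.
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -s $ADMIN_SRC -p tcp --dport $ext -j DNAT --to-destination $ip:$int"
        # After DNAT, the FORWARD chain sees the internal IP and port.
        echo "iptables -A FORWARD -i $WAN_IF -s $ADMIN_SRC -p tcp -d $ip --dport $int -j ACCEPT"
    done
}

# Print the rules for review; nothing is applied to the running firewall.
gen_rules "$MAPPINGS"
```

Where a device's build serves the GUI over HTTPS, set the internal port to 443 instead of 80, as noted earlier in the thread, so the login does not cross the Internet in cleartext.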