Log into R7800 web gui from different local subnet


revengineer

Occasional Visitor
I moved my R7800 with Voxel firmware, configured as an Access Point, to a different subnet (address now 192.168.3.2). The access point is configured with a static IP. Now I cannot connect to the admin web gui from another local subnet (192.168.1.x). I can ping the R7800 from the .1.x subnet and I can connect to the R7800 from the .1.x subnet via SSH. So the connectivity and routing seem fine; it just appears that the admin gui cannot be accessed from a subnet other than the one configured in the gui. I have tested that the gui is accessible from a machine connected to the .3.x subnet.

From my observations, I conclude that gui access from a different subnet may be prevented for security reasons. Since this device is on a home network behind a good firewall, I would like to relax the security to allow gui login from a different subnet.

Can anyone confirm this behavior and perhaps provide a configuration option to allow logins from other subnets?

Thank you in advance for your advice.
 
Looking at the iptables on my R7800 (configured as router):
Code:
Chain loc2net (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  15M   10G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  252 74494 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp flags:!0x3F/0x02
 3730  295K DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
1870K  130M TRIGGER    all  --  *      *       0.0.0.0/0            0.0.0.0/0           [16 bytes of unknown target data] 
 4612  599K ACCEPT     all  --  *      *       192.168.2.0/24       0.0.0.0/0           
    0     0 DROP       all  --  *      *      !192.168.1.0/24       0.0.0.0/0           
1865K  129M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

That second to last line would indeed drop all traffic that is not from the same subnet.
(and the third to last line is there because I have OpenVPN-server enabled)

If an R7800 in AP-mode has similar rules, you could try running this command: (to allow all traffic from 192.168.1.0/24)

iptables -w -I loc2net -s 192.168.1.0/24 -j ACCEPT

(And if that works, you could add this rule to /opt/scripts/firewall-start.sh)
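As an added example (not from this thread, the Voxel firmware or the R7800), the following Python walks a chain listing the way netfilter would for a new inbound TCP SYN, so you can see which rule decides a client's fate before changing anything. The constructed input is the loc2net listing quoted above, where that router's own LAN is 192.168.1.0/24, so a client from 192.168.3.x plays the role of the foreign subnet; `insert_accept` mirrors the suggested `iptables -I loc2net -s <subnet> -j ACCEPT`. The packet model, and treating TRIGGER as a target that falls through, are assumptions of mine.

```python
"""Added example: replay an `iptables -L -v -n` chain against a hypothetical packet."""
import ipaddress
import re

# Constructed input: the loc2net chain quoted in the post above (that router's LAN is 192.168.1.0/24).
LOC2NET_LISTING = """\
Chain loc2net (2 references)
 pkts bytes target     prot opt in     out     source               destination
  15M   10G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  252 74494 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp flags:!0x3F/0x02
 3730  295K DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
1870K  130M TRIGGER    all  --  *      *       0.0.0.0/0            0.0.0.0/0           [16 bytes of unknown target data]
 4612  599K ACCEPT     all  --  *      *       192.168.2.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *      !192.168.1.0/24       0.0.0.0/0
1865K  129M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}   # assumption: anything else (TRIGGER, LOG, ...) falls through
HEADER_RE = re.compile(r"Chain (\S+) \((?:policy (\S+)|\d+ references)")
FLAGS_RE = re.compile(r"flags:(!?)0x([0-9A-Fa-f]+)/0x([0-9A-Fa-f]+)")


def parse_chain(listing):
    """Parse one chain of `iptables -L -v -n` into {"name", "policy", "rules"}; policy is None for user chains."""
    lines = [line for line in listing.splitlines() if line.strip()]
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not a chain header: " + lines[0])
    rules = []
    for line in lines[1:]:
        parts = line.split(None, 9)        # pkts bytes target prot opt in out source destination [options]
        if parts[0] == "pkts":             # column header line
            continue
        rules.append({"pkts": parts[0], "target": parts[2], "prot": parts[3],
                      "source": parts[7], "extra": parts[9] if len(parts) > 9 else ""})
    return {"name": m.group(1), "policy": m.group(2), "rules": rules}


def rule_matches(rule, pkt):
    """Apply the protocol, (possibly negated) source network, conntrack state and TCP-flag matches."""
    if rule["prot"] != "all" and rule["prot"] != pkt["proto"]:
        return False
    negated = rule["source"].startswith("!")
    net = ipaddress.ip_network(rule["source"].lstrip("!"), strict=False)
    if (ipaddress.ip_address(pkt["src"]) in net) == negated:
        return False
    state = re.search(r"state (\S+)", rule["extra"])
    if state and pkt["state"] not in state.group(1).split(","):
        return False
    flags = FLAGS_RE.search(rule["extra"])
    if flags:
        neg, mask, comp = flags.group(1) == "!", int(flags.group(2), 16), int(flags.group(3), 16)
        if ((pkt.get("tcp_flags", 0) & mask) == comp) == neg:
            return False
    return True


def verdict(chain, pkt):
    """Walk the chain top to bottom; return (decision, index of the deciding rule or None)."""
    for i, rule in enumerate(chain["rules"]):
        if rule["target"] in TERMINAL_TARGETS and rule_matches(rule, pkt):
            return rule["target"], i
    return (chain["policy"] or "RETURN"), None   # a user chain hands back to its caller


def insert_accept(chain, network, position=1):
    """Mirror `iptables -I <chain> [position] -s <network> -j ACCEPT` on the parsed chain."""
    chain["rules"].insert(position - 1, {"pkts": "0", "target": "ACCEPT", "prot": "all",
                                         "source": network, "extra": ""})


def new_http_syn(src):
    """Constructed first packet of a browser's handshake to the GUI: conntrack NEW, flags SYN only."""
    return {"src": src, "proto": "tcp", "state": "NEW", "tcp_flags": 0x02}


def decide(listing, src, allow=None):
    """Parse `listing`, optionally insert an ACCEPT for `allow`, and decide a new HTTP SYN from `src`."""
    chain = parse_chain(listing)
    if allow:
        insert_accept(chain, allow)
    return verdict(chain, new_http_syn(src))


if __name__ == "__main__":
    for src in ("192.168.1.10", "192.168.2.7", "192.168.3.5"):
        print(src, "->", decide(LOC2NET_LISTING, src))
    print("after the suggested insert:", decide(LOC2NET_LISTING, "192.168.3.5", allow="192.168.3.0/24"))
```

The index it returns is the line you would check against the pkts/bytes counters in the real listing: if the `!192.168.1.0/24 DROP` rule is the one deciding, its counter should be climbing while you retry the GUI, and if it stays at 0 (as in the listing above) the drop is happening somewhere else.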
 
The chain loc2net does not seem to exist on my R7800 running Voxel firmware v1.0.2.97SF. When listing the rules, my system shows what is seen below. Essentially there seem to be no rules defined. I tried adding the suggested rule to the INPUT, OUTPUT, and FORWARD chains, but gui access still gives a "404 not found" error.

Code:
root@R7800:~$ iptables -L -v -n
Chain INPUT (policy ACCEPT 2203 packets, 117K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2180 packets, 99382 bytes)
 pkts bytes target     prot opt in     out     source               destination
root@R7800:~$
 

Now that I think of it, that kind of makes sense... An access point is only switching, so it only uses ebtables and not iptables.
You could check if ebtables is blocking something:
ebtables -L

Or check if the iptables on the main router is somehow dropping the tcp traffic.
 
I checked the ebtables yesterday and just again; they are empty too. So I am not sure what is blocking the http access but letting through ssh and telnet. Perhaps it's in the configuration of the uhttpd daemon; I looked at the config in /etc/config/uhttpd but there is nothing obvious.
 
something you could test: kill the telnet daemon and reconfigure the uhttpd daemon to run on port 23 (and restart it) -> if you can then access the GUI via port 23 then you know that it is not the uhttpd daemon.

(or alternatively, kill uhttpd, reconfigure telnet to run on port 80 and test if you can telnet to port 80)
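To tell "the packet is dropped" apart from "the web server answers but refuses the request" without stopping any daemon, here is an added Python probe (not from this thread, the Voxel firmware or the R7800): it connects, sends one GET with a Host header of your choosing, and classifies what comes back. A timeout points at filtering or routing, a refused connection at nothing listening, and a 404 or a redirect means the daemon was reached and the problem is in how it handles the request. The sample responses are constructed; the Host-header knob is there so you can compare the plain IP against the vendor hostname raised later in the thread (routerlogin.net), which is a hypothesis to test, not an explanation I am asserting.

```python
"""Added example: probe a router web GUI from another subnet and say what the answer means."""
import socket

# Constructed sample responses (not captured from an R7800), used to exercise the classifier offline.
SAMPLE_404 = b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"
SAMPLE_REDIRECT = (b"HTTP/1.1 302 Found\r\nLocation: http://routerlogin.net/\r\n"
                   b"Content-Length: 0\r\n\r\n")
SAMPLE_OK = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>login form</html>"
SAMPLE_NOT_HTTP = b"SSH-2.0-dropbear\r\n"   # what you see if the port is really an ssh/telnet daemon


def classify_response(raw):
    """Return (status_code, Location header or None), or None when the bytes are not an HTTP response."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    status = lines[0].split(b" ", 2)
    if len(status) < 2 or not status[0].startswith(b"HTTP/") or not status[1].isdigit():
        return None
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"location":
            location = value.strip().decode("latin-1")
    return int(status[1]), location


def interpret(code, location):
    """Map a status/Location pair to the troubleshooting conclusion it supports."""
    if 300 <= code < 400 and location:
        return f"server answered and redirected to {location}: the daemon is reachable, not a packet drop"
    if code == 404:
        return "server answered 404: the daemon is reachable; the request, not the packet, is refused"
    if 200 <= code < 300:
        return "GUI served normally"
    return f"server answered with HTTP {code}"


def probe(host, port=80, host_header=None, path="/", timeout=3.0):
    """TCP-connect, send one GET and classify. Live network I/O; the offline test covers the classifier only."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host_header or host}\r\n\r\n".encode()
    raw = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while len(raw) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except ConnectionRefusedError:
        return "connection refused: nothing listens on that port (daemon stopped or bound to another address)"
    except socket.timeout:
        if not raw:
            return "timeout: the SYN or its reply is dropped on the path (firewall or routing)"
    except OSError as exc:
        return f"socket error: {exc}"
    parsed = classify_response(raw)
    if parsed is None:
        return "something answered, but not in HTTP (is another daemon on this port?)"
    return interpret(*parsed)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.3.2"   # the AP address from the first post
    for hdr in (target, "routerlogin.net"):   # compare a plain-IP Host header with the vendor hostname
        print(f"Host: {hdr:16} -> {probe(target, host_header=hdr)}")
```

Run it once from the .1.x subnet and once from the .3.x subnet; if both runs reach the daemon and only the Host header changes the outcome, the firewall chains are the wrong place to keep looking.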
 
I tried a lot of things but do not seem to get it right. I see others complaining about this issue across the internet without a solution. I think I may just have to accept that this router is flawed and move on.
 

Thinking out of the box. Did you ever consider adding a static route to your access point from your primary router?

Some versions of Netgear firmware prevented access to the modem's GUI from the router. See attached.
 

Attachments

  • Static Route for Modem.pdf
    169.2 KB · Views: 93
 
Thank you for the pointer to static routes. My understanding is that static routes are for traffic originating from the access point, and not for incoming packets from other subnets. I am happy to be corrected if I misunderstood.

I reiterate that the routing generally seems to work because I can log into the access point from another subnet via SSH. Only port 80 seems to be blocked on this device. I have other brand/model access points on other subnets, and access to port 80 seems to be fine on those devices. This makes me think that the traffic to the web GUI is blocked internally to the R7800. Unfortunately, I do not know how to continue the troubleshooting within the Voxel firmware.
 

I do not think you can configure an access point with a static route. The intent was to put the static route in the router that provides DHCP services to your other subnet and point it toward your access point IP.

It should be easy enough to test and see as part of your troubleshooting efforts.
 
Understood! I have now tried this route on my pfsense firewall, which is my DHCP server and is the link between the two subnets. Unfortunately, without success. I think it's because the route into the subnet, where the access point resides, is generally working.
 
I have the same issue and have not found a fix either. I'm wondering if it's got something to do with the router wanting to redirect to routerlogin.net? There's an article on Netgear site that might be relevant: https://kb.netgear.com/61/How-to-di...ration-assistant-welcome-screen-hijack-screen

However, this web page does not exist on the R7800 AFAIK. Is there any way to kill that routerlogin.net feature from the command line through telnet or ssh?
 
I found a workaround in pfsense!

  1. Go to Firewall / NAT / Outbound:
  2. Change the Mode to Hybrid and click Save.
  3. Create a new mapping as shown. Click Save and Apply the changes.
(Screenshot attached: the Firewall / NAT / Outbound mapping on pfSense.home.arpa)

My VLAN is called UNTRUSTED. My main LAN subnet is 192.68.69.0/24 and the R7800 configured as an AP is on the VLAN (subnet 192.68.70.0/24) as 192.168.70.250. It has a static IP configured in the DHCP settings, so 192.168.70.250 will always be the R7800.

This mapping will give whatever IP is accessing the R7800 an IP from the UNTRUSTED subnet. All communication with the R7800 will appear as if it's coming from the UNTRUSTED subnet.
 
