Security bug : Administration reachable over WAN

Yes, I understood, that you did this on purpose, but then, you cannot call it a bug.
IMHO what you observe is only to be expected, when doing that kind of config in your test.

Again, with firewall enabled and/or openVPN-Server-1 up (enabled TLS auth-mode, BTW) I do *not* see this behaviour..my WAN side is completely dark with my ASUS running in router-mode behind my ISP's modem/router-bridge.

Is your Asus's WAN IP your external IP ? otherwise, if the Asus is hidden behind your ISP's modem/router-bridge, you won't see anything...
 
Please don't shout. I'll agree your posts are hard to follow.

Incomplete, missing and assumed information makes them less than usable.

In addition, your tone doesn't make people want to help either. (It seems like you're not listening, either).
 
WAN is outside your network....from your modem to your isp...not modem to router.

are you saying you can access the routers admin page by going to (wan IP Address:80) from a outside (different) network?

U should only be able to remotely access(WAN access) the admin page via what port u set in admin page( i use port 9999).

I just tried from my cell phone, connected to 3G only : http://78.217.xx.xx/ (my IP) led to the router's admin page. The router's firewall is ENABLED, and OpenVPN server 1 is enabled too, which triggers the problem.
 
Please don't shout. I'll agree your posts are hard to follow.

Incomplete, missing and assumed information makes them less than usable.

In addition, your tone doesn't make people want to help either. (It seems like you're not listening, either).

Sorry to have lost my temper, I was concerned I was not getting the message across. I'm doing my best to try to solve what appears to be a serious issue.
 
We're all here to help each other, instead of misinterpreting a post; try to provide more specific information of the problem.

Again; I'm not the expert here, I'm here to learn too. But what I do know is that it seems like your test or your settings are wrong somewhere?
 
I just tried from my cell phone, connected to 3G only : http://78.217.xx.xx/ (my IP) led to the router's admin page. The router's firewall is ENABLED, and OpenVPN server 1 is enabled too, which triggers the problem.

Well.... I run a web server that has ports 80 and 443 forwarded in the router....so..yea..

I do have OpenVPN server on..I have stock firmware....so there is no "server 1" option...I think Asus uses a different OpenVPN setup page than in Merlin's firmware.

For the hell of it....I did disconnect my server...and turned off port forwarding....and I don't get anything trying to access my IP from my 4g phone. I only do when I go to my IP:9999, which is what i have WAN admin access set to.
 
I'm fairly sure this is a configuration or network topology issue, because port 80 is closed for everyone else. We just need to figure out where the issue lies.

Is NAT still enabled in addition to the firewall on your router?

Is the connection between the ISP router and the Asus router connected this way?

ISP router: LAN port
to
Asus router: WAN port

Make sure there is no loop in your network (for instance, a connection going from the ISP router LAN to the Asus router LAN - that would totally bypass the Asus's firewall by giving direct LAN access to the ISP router)

Do you have any special DMZ configuration (either in the ISP router or the Asus router)?

Is the Asus router still in Router mode (and not AP or Repeater mode)?

When you connect on port 80, is it actually the Asus's web page that comes up (to make sure it's not something else port forwarding itself on port 80, or the ISP router itself having a web interface on port 80).
 
But what I do know is that it seems like your test or your settings are wrong somewhere?

Here is my methodology : to make sure my settings were not the problem :

- I reset the router to factory default (on+WPS)
- set it to router mode using the wizard that is started after a NVRAM reset,
- enabled OpenVPN server 1

As set by default, the router's firewall is enabled, and access to the Admin page from the WAN is disabled.

A scan from the WAN side, using either a PC or grc.com, shows port 80 is open. Opening it with a browser leads to the Admin page.
 
Is your Asus's WAN IP your external IP ?

Yes, it is....and I can connect with my openVPN Client from outside.
Testing with my 3G-mobile router.

otherwise, if the Asus is hidden behind your ISP's modem/router-bridge, you won't see anything...
My Asus RT-AC66U is currently in router mode behind my ISP's router/modem while I configure it, its WAN being 192.168.0.x, and LAN side being in the 192.168.1.x. I scan it from a PC connected to the ISP router, so definitely on the WAN side of the Asus.

...I can do the same *and* expose the ASUS to the ISP side by enabling a complete IP-portforward in my ISP-Router.....same result...ASUS is dark, while openVPN clients can connect from external internet via 3G.
 
My Asus RT-AC66U is currently in router mode behind my ISP's router/modem while I configure it, its WAN being 192.168.0.x, and LAN side being in the 192.168.1.x. I scan it from a PC connected to the ISP router, so definitely on the WAN side of the Asus.

Not sure if I am interpreting this right.....but...

If your Asus is getting a 192.168.0.x as its WAN IP...then that is the ISP modem/router assigning the Asus as a DHCP client.

I suggest u put your ISP modem/router in bridge mode and let the Asus handle the authentication from ISP (That's what i do with my CenturyLink DSL (PPPoE)) How you do that depends on what ISP and modem u have.

And...yes...you are scanning it from the isp router...ur connected to the same network then...so it would go to the admin page.

This is all very confusing based on the information given.
 
Is NAT still enabled in addition to the firewall on your router?
- On my ISP's modem/router, NAT is disabled. It just hands my external IP to the WAN side of the ASUS.
- On the Asus, NAT is enabled, the PC I'm on is currently plugged on the LAN port of the Asus, with an IP of 192.168.x.X

Is the connection between the ISP router and the Asus router connected this way?

ISP router: LAN port
to
Asus router: WAN port

the setup is currently :
[ISP's Modem] Lan port -> WAN port (blue) [ASUS]


Make sure there is no loop in your network (for instance, a connection going from the ISP router LAN to the Asus router LAN - that would totally bypass the Asus's firewall by giving direct LAN access to the ISP router)

The only thing plugged in the Asus's LAN (yellow) ports is the PC I'm typing on, and every device's WIFI has been turned off to be sure.

Do you have any special DMZ configuration (either in the ISP router or the Asus router)?

The ISP's modem is set as a transparent modem, it just hands the external IP to the Asus's WAN side, as I can check in the Asus's network map.

The Asus's DMZ is disabled.

Is the Asus router still in Router mode (and not AP or Repeater mode)?

The network map page states : "Operation Mode:Wireless router"

When you connect on port 80, is it actually the Asus's web page that comes up (to make sure it's not something else port forwarding itself on port 80, or the ISP router itself having a web interface on port 80).

I am currently logged on it, from my phone connected to 3G : It is my router's admin page, I can access it and make changes to the settings.

I hope this will help :-)
 
Not sure if I am interpreting this right.....but...

If your Asus is getting a 192.168.0.x as its WAN IP...then that is the ISP modem/router assigning the Asus as a DHCP client.

...this would result in a double-NAT setup.
However, even then the ASUS got a WAN side and should be dark/inaccessible from that side.

The OP stated that both kinds of configs had been run/tested...fully bridged with ISP Internet-IP as WAN on ASUS, and double NAT set-up.
 
I have firewall enabled and OpenVPN server 1 enabled, and I cannot access the administration page via my WAN IP. But truth be told I'm pretty sure TWC blocks port 80, as does Cox and AT&T in my area, so I'm not a good test.
 
...this would result in a double-NAT setup.
However, even then the ASUS got a WAN side and should be dark/inaccessible from that side.

The OP stated that both kinds of configs had been run/tested...fully bridged with ISP Internet-IP as WAN on ASUS, and double NAT set-up.

Putting ISP router to bridge mode auto disables NAT on it....so that should be fine...

And no....the asus would be on the lan side if it was getting such an address....(192.168.0.x)

I'm lost at this point...other than to say don't enable Open vpn(if i recall, u said that fixes the issue?) Maybe someone else can figure it out....

And....i've read too many posts and threads in the last few hours....can't keep every detail straight....lol :p
 
Not sure if I am interpreting this right.....but...

If your Asus is getting a 192.168.0.x as its WAN IP...then that is the ISP modem/router assigning the Asus as a DHCP client.

I suggest u put your ISP modem/router in bridge mode and let the Asus handle the authentication from ISP (That's what i do with my CenturyLink DSL (PPPoE)) How you do that depends on what ISP and modem u have.

And...yes...you are scanning it from the isp router...ur connected to the same network then...so it would go to the admin page.

This is all very confusing based on the information given.

Sorry, I'll try to be more clear :

my initial configuration was :
[ISP's router] -> 192.168.0.x -> [ASUS] -> 192.168.1.x -> LAN
I did this for testing purposes, to be able to configure the Asus without exposing it to the Internet.

Then a few posts later, to be able to scan the Asus from grc.com, I switched the ISP's router as a simple modem, which was to be my setup, once I had validated the Asus :
[ISP's modem] -> 78.217.x.x -> [ASUS] ->192.168.x.x -> LAN


Hence, at the beginning of this thread, scanning while connected to the ISP's router allowed me to scan the WAN side of the Asus. Subsequently I made the changes mentioned to make the discussion simpler.
 
Hence, at the beginning of this thread, scanning while connected to the ISP's router allowed me to scan the WAN side of the Asus. Subsequently I made the changes mentioned to make the discussion simpler.

When i try to plug in a pc to my isp router switch ports....that is in bridge mode....It doesn't work....because DHCP is disabled and device does not get a valid ip assignment.
 
- On my ISP's modem/router, NAT is disabled. It just hands my external IP to the WAN side of the ASUS.
- On the Asus, NAT is enabled, the PC I'm on is currently plugged on the LAN port of the Asus, with an IP of 192.168.x.X
The ISP's modem is set as a transparent modem, it just hands the external IP to the Asus's WAN side, as I can check in the Asus's network map.

I'm confused by this part. If that were the case, then your Asus router shouldn't have a 192.168.0.x as its WAN IP, but the actual ISP WAN IP. Did you configure any particular routing rules on either device? All netmasks are left to 255.255.255.0?

I am currently logged on it, from my phone connected to 3G : It is my router's admin page, I can access it and make changes to the settings.

I hope this will help :-)

Make sure your phone isn't also connected to Wifi (I've seen a user previously mention having firewalling issues while testing with his phone, until he realized his phone was actually connected to his Wifi network and not 3G). Also make sure it didn't automatically connect to the OpenVPN server, as that would allow your phone to totally bypass the firewall. That might explain why the issue only appears when the OpenVPN server is started.

Can you post the current firewall rules on your Asus router while you are seeing port 80 being reachable? Go to the Tools -> Run Cmd page, and run the following command:

Code:
iptables -L -v

This would confirm whether your firewall is properly working, or if it failed to properly get applied (that can happen when there is an invalid rule, for instance).
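Reading that `iptables -L -v` listing by hand is error-prone, so here is an added example (not from this thread or from the firmware) that parses the INPUT chain and reports any ACCEPT rule letting TCP to the web admin port in from the WAN interface or from `any` interface, stopping where a catch-all DROP would stop WAN traffic. The sample listing is constructed, and the interface names (eth0 for WAN, br0 for LAN) are assumptions.

```python
"""Audit the INPUT chain of `iptables -L -v` output for rules that expose the
router's web admin port to the WAN side (added example; eth0/br0 are assumed names)."""
import re

# Constructed sample shaped like `iptables -L -v` output (service names, not port numbers).
SAMPLE = """\
Chain INPUT (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
  321 25680 ACCEPT     all  --  lo     any     anywhere             anywhere
 4012  380K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
   17  1364 ACCEPT     udp  --  eth0   any     anywhere             anywhere             udp dpt:openvpn
    9   540 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:www
  250 15000 ACCEPT     all  --  br0    any     anywhere             anywhere
    0     0 DROP       all  --  eth0   any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

ADMIN_PORTS = {"www", "80", "https", "443", "8080", "8443"}  # as iptables may print them

def parse_chain(output, chain="INPUT"):
    """Return (policy, rules) for one chain; each rule keeps the listed columns by name."""
    policy, rules, active = None, [], False
    for line in output.splitlines():
        header = re.match(r"Chain (\S+) \((?:policy (\S+))?", line)
        if header:
            active = header.group(1) == chain
            policy = header.group(2) if active else policy
            continue
        if not active or not line.strip() or line.split()[0] == "pkts":
            continue
        c = line.split(None, 9)  # pkts bytes target prot opt in out source destination [match]
        rules.append({"target": c[2], "prot": c[3], "in": c[5], "out": c[6],
                      "source": c[7], "destination": c[8], "match": c[9] if len(c) > 9 else ""})
    return policy, rules

def wan_exposed_admin_rules(output, wan_if="eth0"):
    """INPUT rules that ACCEPT TCP to an admin port from the WAN interface or from 'any'.
    Walks the chain in order and stops at a catch-all DROP/REJECT on WAN, as iptables would."""
    _, rules = parse_chain(output, "INPUT")
    exposed = []
    for r in rules:
        from_wan = r["in"] in (wan_if, "any", "*")
        if from_wan and r["prot"] == "all" and not r["match"] and r["target"] in ("DROP", "REJECT"):
            break  # later rules never see WAN packets
        port = re.search(r"dpt:(\S+)", r["match"])
        if from_wan and r["target"] == "ACCEPT" and r["prot"] == "tcp" and port and port.group(1) in ADMIN_PORTS:
            exposed.append(r)
    return exposed
```

In the constructed sample the rule `ACCEPT tcp -- any any ... tcp dpt:www` sits above the final `DROP all -- eth0`, so the script reports it; a rule bound to `br0` instead of `any` would not be reported.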
 
When i try to plug in a pc to my isp router switch ports....that is in bridge mode....It doesn't work....because DHCP is disabled and device does not get a valid ip assignment.

yep, here my ISP's router can be configured as a bridge (hands the external IP to one single device), or as a full NAT router. This way I can test both configurations :-)
 
Make sure your phone isn't also connected to Wifi (I've seen a user previously mention having firewalling issues while testing with his phone, until he realized his phone was actually connected to his Wifi network and not 3G).

Yea.....actually turn the wifi off completely in the phone's toggles/or settings...some apps will auto turn on wifi too....depends on the device.
 
yep, here my ISP's router can be configured as a bridge (hands the external IP to one single device), or as a full NAT router. This way I can test both configurations :-)

What is your ISP and what model ISP modem/router are u using?
 