Exposed WAN - http://IPAddress/webpages/login.html
Why is the default webpage /webpages/login.html accessible from the WAN IP?
Please add a way to disable access through the WAN IP, or am I missing a simple firewall rule? This should be off by default though, I shouldn't have to add a firewall rule, it should be common security knowledge to not have the WAN IP expose the router login page.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @ibphantom
Thanks for posting in our business forum.
A public IP address with an open port, can be accessible from the Internet. This is how the Internet works. 80 and 443 are enabled by default if you disable it, how do you log in to the router admin web?
You can access it from the Internet, then did you enable Remote Management in the settings? This is not enabled by default. By default, this is blank.
- Copy Link
- Report Inappropriate Content
Why is the default webpage /webpages/login.html accessible from the WAN IP?
Are you using the WAN IP from a machine on the LAN ?
If so then the NAT loopback function of the router will be detecting that and redirecting the address back. It will appear as though the router is accessible from the internet, but it isnt as the request never gets beyond the router.
Unless you've got Remote Management enabled as @Clive_A says, then the router is not actually accessible from the internet
- Copy Link
- Report Inappropriate Content
Hey Clive and MisterW! I understand that port 80 and 443 are enabled by default, that's why I made this post. It shouldn't be by default for an edge router.
If it is enabled, it should be set on a different port as the Omada controller is (:18043)
I'm using an Omada Controller, so I don't have that view, all of the settings are taken away because this ER8411 is linked to an Omada controller.
Within the Omada controller, there isn't a way to disable remote management as far as I cant tell.
I get this page through the local IP and through the WAN IP. I'd like to disable this page from being seen through the WAN IP address.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Hey @Clive_A
No, I'm hosting the Omada controller through a docker container.
- Copy Link
- Report Inappropriate Content
Hi @ibphantom
Thanks for posting in our business forum.
Did you test this access from your cellular phone without connecting to the LAN?
- Copy Link
- Report Inappropriate Content
Hey @Clive_A
Yes, I've tried from my Verizon LTE, my friends AT&T LTE, and friends Comcast ISP from a town away and all 3 are able to connect to the ER8411 /webpages/login.html from outside of my network - That's why I opened the discussion. There should be a fix for this to be off by default.
- Copy Link
- Report Inappropriate Content
Hi @ibphantom
Thanks for your valuable feedback and post here. This request has been forwarded to the developer team for further diagnostics and evaluation.
For now, I'd like to collect some information and give a workaround after consulting the senior engineers.
What's the controller version? Firmware of your ER8411, is it V1.1.0?
There is no port forwarding configuration on ER8411 map 192.168.0.1(Default GW IP) and forward 80 and 443, is there?
Temporarily, you can set up ACL to block access to the destination = Management Page.
- Copy Link
- Report Inappropriate Content
Hey @Clive_A !
Outstanding, I appreciate the efforts! Thank you.
The Omada Controller is version 5.9.31 ; ER8411 is v1.1.0.
The default Gateway has been changed to 172.16.0.254 and I do NOT have any NAT/Port Forwarding rules set for the default gateway at 172.16.0.254, nor do I to the Omada controller at 172.16.0.62, correct.
Although, I know this isn't a question you asked and am sure it doesn't affect this problem, With the modem(Nokia BGW320-505 v4.23.4) set to Passthrough to the ER8411, essentially the ER8411 is in DMZ because of the nature of Passthrough.
There are no port forwarding rules on the modem whatsoever.
I did setup a firewall rule on the modem to drop 80 and 443 to 172.16.0.254 from WAN, I'll also add an ACL rule on the ER8411 to drop 80 and 443 to the destination 172.16.0.254
Thank you, again!
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 846
Replies: 9
Voters 0
No one has voted for it yet.