Cannot access web interface of AP outside my LAN but I can access my Gateway

Discussion in 'Tomato Firmware' started by darksky, Jul 13, 2013.

  1. darksky

    darksky Reformed Router Member

    I have a gateway box and an AP box in my LAN both running TomatoUSB. I am able to access via https the gateway box outside my LAN, but I cannot access the AP box outside my LAN via https.

    Both have similar configurations:
    GATEWAY (192.168.1.1)
    Administration>Admin Access
    Remote Access = HTTPS
    Port = 33331

    AP (192.168.1.2)
    Administration>Admin Access
    Remote Access = HTTPS
    Port = 33332

    I can connect to the gateway pointing my browser to --> https://external.ip.address:33331 but I cannot connect to the AP by pointing my browser to --> https://external.ip.address:33332

    I tried forwarding port 33332 to 192.168.1.2 but this made no difference.

    Diagram of my physical setup:
    Modem <---> [Gateway] <----------------- long cat5e run ---------------> [AP]
    On Gateway:
    Basic>Network
    WAN/Internet: Type = DHCP
    LAN: IP Address = 192.168.1.1

    Wireless (2.4 GHz):
    Wireless mode = Access Point
    Channel = 1
    Wireless Network Mode = N Only
    Security = WPA2 Personal
    Encryption = AES

    Advanced>Routing
    Miscellaneous: Mode = Gateway

    On AP:
    Basic>Network
    WAN/Internet: Type = Disabled
    IP Address = 192.168.1.2
    Subnet Mask = 255.255.255.0
    Default Gateway = 192.168.1.1
    Static DNS = 192.168.1.1

    LAN:
    Bridge=br0
    STP=Disabled
    IP Address = 192.168.1.2
    Netmask = 255.255.255.0
    DHCP = Disabled
    Static DNS=192.168.1.1

    Wireless (2.4 GHz):
    Wireless mode = Access Point
    Channel = 11

    Advanced>Routing
    Miscellaneous: Mode = Router

    EDIT: The solution is in post #12.
     
  2. darksky

    darksky Reformed Router Member

    Hate to bump my own post, but it would be very useful if I could access my AP without having to remote into a machine in the LAN and connect via an xsession.

    Any thoughts are deeply appreciated.
     
  3. rs232

    rs232 LI Guru Member

    I don't see why it shouldn't work, but I guess it could be related to the fact that AP doesn't really have a WAN interface and this might mess up things a bit... e.g. the port forwarded access might be seen as local and not remote.

    I would try:


    1) Leave the port mapping as you specified in the original post
    2) Set up AP to respond to the same port for both local & remote

    If this still doesn't work: try to set up SNAT on the gateway and see how it behaves:

    3) run this on the Gateway device:
    Code:
    iptables -t nat -A POSTROUTING -o br0 -d 192.168.1.2 -j SNAT --to-source 192.168.1.1
    If this last point works I would restrict the SNAT to the specific port adding to the end of the above command

    Code:
    -p tcp --dport 33332
    Cheers
    rs232
     
  4. Malitiacurt

    Malitiacurt Serious Server Member


    You need to try again with port forwarding. Without it, the external.ip:33332 is expecting to be an open port on the gateway.

    You could consider using ssh.

    I use ssh to manage multiple routers and create a dynamic port to use for proxy, both on putty under Windows and ssh command line on linux. Then I use another web browser (firefox settings saved to use the proxy port) and manage my routers through that.
     
  5. Monk E. Boy

    Monk E. Boy Addicted to LI Member

    Wait a minute. You have WAN/Internet disabled on the AP and are trying to enable Remote Access on the AP? Remote Access is WAN-related traffic. With the WAN port disabled, Remote Access on the AP doesn't actually do anything except set up some port forwarding rules on the AP that can't work because port forwarding redirects traffic from the WAN port.

    You need to enable port forwarding on the Gateway router, say port 33332, directed at port 80 on 192.168.1.2. Or port 443 if you want HTTPS. Remove all remote access settings from the AP.

    SSH is certainly a better option for remote access though, since you can create your own certificates and depend on those for authentication. The username always being admin or root coupled with password length limits makes username & password on Tomato a less than ideal security setup. If you really want to use username & password then you'll need iptables rules that will automatically block connection floods caused by people trying to connect and failing (basically brute forcing your password over and over). Of course those rules will prevent you from connecting while someone is flooding, so...
     
  6. koitsu

    koitsu Network Guru Member

    Also, just throwing this out there:

    The topology diagram given does not indicate what ports the CAT5 are plugged into on each device (AP and Gateway).

    It matters. Big time.
     
  7. darksky

    darksky Reformed Router Member

    @k - I have a cat5e cable connected on the LAN port of the Gateway which runs to the AP to a LAN port. I did not connect the cat5e to the WAN port on either box.
     
  8. Monk E. Boy

    Monk E. Boy Addicted to LI Member

    I'm going to assume you're using the WAN port on the gateway router since "WAN/Internet: Type = DHCP" wouldn't make any sense whatsoever without it being connected to your internet provider.
     
  9. mvsgeek

    mvsgeek Serious Server Member

    I have a similar setup, biggest difference being that my gateway ---> AP link is wireless due to geographical restrictions.

    This works for me :

    GATEWAY (192.168.1.1)
    Administration>Admin Access
    Remote Access = HTTPS
    Port = 8081
    Allow Wireless Access : Checked

    Port Forwarding :
    TCP 8084 forwards to 192.168.1.4:8084

    Advanced>Routing
    Miscellaneous: Mode = Gateway

    AP (192.168.1.4)
    Administration>Admin Access
    Local Access = HTTP & HTTPS
    HTTP Port = 80
    HTTPS Port = 8084

    Remote Access = Disabled
    Allow Wireless Access : Unchecked

    Advanced>Routing
    Miscellaneous: Mode = Router

    I can access both Gateway & AP from the WAN using https://external.ip.address:8081 and https://external.ip.address:8084 respectively.



    Edit : I suspect that the AP access is being treated as 'local' rather than 'remote' because you've cleared the gateway and are now on the LAN.
     
  10. darksky

    darksky Reformed Router Member

    Thanks for the reply. The question for me is how to connect (wire) the gateway to the AP? Should the cable go into the WAN or LAN port on the AP?

    Gateway--[LAN Port] <-------------> [LAN Port]--AP
    or
    Gateway--[LAN Port] <-------------> [WAN Port]--AP
     
  11. mvsgeek

    mvsgeek Serious Server Member

    Gateway--[LAN Port] <-------------> [LAN Port]--AP

    The AP is on your LAN, with the same subnet as the Gateway, so its WAN port should be disabled. The only active WAN port should be on the Gateway. Unless you want to set your AP up with a different subnet and its own DHCP server, you can cheerfully ignore all WAN ports except the one which connects to your ISP (i.e. the Gateway's WAN port).
     
  12. darksky

    darksky Reformed Router Member

    OK... it works now. My problem was not defining 443 as the int port as Monkeyboy suggested in post #5. For completeness:

    GATEWAY (192.168.1.1)
    Administration>Admin Access
    Local Access = HTTPS
    HTTPS Port = 443
    Remote Access = HTTPS
    Port = 33331

    Port forwarding>Basic
    Proto = TCP
    Ext Port = 33332
    Int Port = 443
    Int Addy = 192.168.1.2

    AP (192.168.1.2)
    Administration>Admin Access
    Local Access = HTTPS
    HTTPS Port = 443
    Remote Access = HTTPS
    Port = 33332
     
  13. Monk E. Boy

    Monk E. Boy Addicted to LI Member

    Yes, APs and gateways should be wired together using LAN ports (or via WLAN, which is typically bridged to LAN). The only router that can control what ports are or aren't available remotely is your gateway, because that's the only router connected to the internet.

    You don't need "Remote Access" anything on the AP. It won't hurt anything to have it there, but it may confuse you later since it does absolutely nothing. In your setup between the AP and the Gateway there is only a LAN.

    Port forwarding on the gateway works because it takes an arbitrary "remote" port on its WAN and forwards it to an IP address (the AP) on your LAN to whatever port you choose (443) at that address. Unless you had the AP in gateway mode (which would only be useful if you wanted a 2nd network) and were using the WAN port on the AP, there's no way for remote rules on the AP to have any effect (and in that case you'd need port forwarding set up on the gateway plus remote access set up on the AP).

    Just edited this to try and be a little clearer...
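
Added example, not part of the original thread or of Tomato itself: the gateway-side forward from post #12 written as plain iptables rules, together with a per-source limit on new connections of the kind post #5 recommends. Assumptions: the WAN interface name `vlan2`, the limit values, the list name `apadmin`, and that the firmware's iptables includes the `recent` match; the DNAT line duplicates a forward already defined in the GUI, so drop it in that case.

```shell
#!/bin/sh
# Gateway-side rules: forward WAN:EXT_PORT to the AP's HTTPS port and limit
# how fast one source can open new connections to it.
WAN_IF="${WAN_IF:-vlan2}"      # ASSUMED WAN interface name; confirm on your gateway
EXT_PORT="${EXT_PORT:-33332}"  # external port (post #12)
AP_IP="${AP_IP:-192.168.1.2}"  # AP LAN address (post #12)
AP_PORT="${AP_PORT:-443}"      # AP local HTTPS port (post #12)
WINDOW="${WINDOW:-60}"         # constructed value: window in seconds
HITS="${HITS:-15}"             # constructed value; must not exceed the recent
                               # module's ip_pkt_list_tot (default 20)

valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Refuse values that could smuggle shell syntax into the generated commands.
valid_inputs() {
  valid_port "$EXT_PORT" && valid_port "$AP_PORT" || return 1
  case "$AP_IP" in ''|*[!0-9.]*) return 1 ;; esac
  case "$WAN_IF" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
  case "$WINDOW$HITS" in ''|*[!0-9]*) return 1 ;; esac
}

gen_rules() {
  valid_inputs || { echo "invalid setting" >&2; return 1; }
  m="-i $WAN_IF -d $AP_IP -p tcp --dport $AP_PORT -m state --state NEW -m recent --name apadmin"
  # DNAT happens in PREROUTING, so FORWARD already sees AP_IP:AP_PORT.
  echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $EXT_PORT -j DNAT --to-destination $AP_IP:$AP_PORT"
  # Inserted at the top so they are evaluated before any existing accept rule.
  # Rule 1 drops a source that already has HITS recent new connections;
  # rule 2 records the source and lets the connection through.
  echo "iptables -I FORWARD 1 $m --update --seconds $WINDOW --hitcount $HITS -j DROP"
  echo "iptables -I FORWARD 2 $m --set -j ACCEPT"
}

# Default is a dry run that only prints the commands; APPLY=1 executes them.
if [ "${APPLY:-0}" = 1 ]; then gen_rules | sh -e; else gen_rules; fi
```

A browser opens several connections per page, so a very low `HITS` will lock out the legitimate admin as well; the rules only see traffic arriving on the WAN interface, so LAN access to the AP is unaffected.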
     