
No remote Web Admin access after switching to Router mode

Discussion in 'Tomato Firmware' started by free2share, Dec 26, 2012.

  1. free2share

    free2share Networkin' Nut Member

    Upgraded w/ "After flashing, erase all data in NVRAM memory" to
    tomato-K26USB-1.28.7501MIPSR2Toastman-RT-VPN-NOCAT.trx on RT-N16

    I was able to gain remote admin access up until I changed it from gateway to router mode. I'm not using NAT but a routed segment from the ISP (1 IP/30 on WAN and 6 IP/29 on the LAN).

    Advanced/Routing/Miscellaneous/Mode -- Router (was Gateway)
    Local Access: HTTP & HTTPS
    HTTP Port: 80
    HTTPS Port: 443
    Remote Access: HTTPS
    Port: 8080
     
  2. GhaladReam

    GhaladReam Network Guru Member

    If Tomato is not your main router, and is not operating in gateway mode, you need to disable remote access and change the local port to something other than 80, and forward that port on your gateway. Once you do this you should be able to access tomato remotely.
     
  3. free2share

    free2share Networkin' Nut Member

    These are all public routable IPs. I can ping www.www.www.22 and xxx.xxx.xxx.161 but I can only web admin from the LAN side to 161. When connected from the internet I can still ping 22 and 161 but I can't web admin either (80, 443, 8080). I do not know too much about the firewall rules, but I believe they might be the problem, since it's in router mode and doesn't have the proper rules created automatically.

    I have disabled the remote access and changed the port, but it still doesn't work from the WAN side. I do not have any gateway, only the one tomato in router mode. All ports are open and not blocked by the ISP (confirmed: when I put it into gateway mode I can access 8080 on the WAN from the internet).

    WAN:
    Mask: 255.255.255.252

    LAN: 161 acting as router/gw for 162-166
    IP: xxx.xxx.xxx.161
    Mask: 255.255.255.248
     
  4. free2share

    free2share Networkin' Nut Member

    Dec 27 14:47:38 TomatoUSB user.warn kernel: DROP IN=vlan2 OUT= MACSRC=00:00:00:00:00:42 MACDST=00:00:00:00:00:c5 MACPROTO=0800 SRC=iii.iii.iii.10 DST=www.www.www.22 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=15781 DF PROTO=TCP SPT=37291 DPT=8080 SEQ=1670573056 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40402080A4A25D4920000000001030307)

    From Internet: iii.iii.iii.10
    I enabled logging and noticed this being dropped as I'm trying to connect to router from the internet to the WAN. I assume this is being prevented by firewall or iptables? I do not know much about iptables.

    iptables -L

    Chain INPUT (policy DROP)
    target prot opt source destination
    DROP all -- anywhere anywhere state INVALID
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    logaccept icmp -- anywhere anywhere
    logaccept udp -- anywhere anywhere udp dpts:33434:33534
    logdrop all -- anywhere anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain logaccept (2 references)
    target prot opt source destination
    LOG all -- anywhere anywhere state NEW limit: avg 1/sec burst 5 LOG level warning tcp-sequence tcp-options ip-options macdecode prefix `ACCEPT '
    ACCEPT all -- anywhere anywhere

    Chain logdrop (1 references)
    target prot opt source destination
    LOG all -- anywhere anywhere state NEW limit: avg 1/sec burst 5 LOG level warning tcp-sequence tcp-options ip-options macdecode prefix `DROP '
    DROP all -- anywhere anywhere

    Chain logreject (0 references)
    target prot opt source destination
    LOG all -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning tcp-sequence tcp-options ip-options macdecode prefix `REJECT '
    REJECT tcp -- anywhere anywhere reject-with tcp-reset

     
  5. free2share

    free2share Networkin' Nut Member

    How do you forward the port?

    I was able to get 443 to work on the LAN IP (xxx.xxx.xxx.161) from the internet once I added this command. With this I'm able to remotely admin the router, but I would like to know how to access it from the WAN IP address. Any help from an iptables guru would be appreciated.

    Code:
    iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
    iptables -nvL

    Code:
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination         
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID 
      332 69364 ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED 
        1    64 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0           
      39  2028 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0           
        1    28 ACCEPT    icmp --  *      *      0.0.0.0/0            0.0.0.0/0           
        2  120 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:443 
     
    Chain FORWARD (policy ACCEPT 14 packets, 6408 bytes)
    pkts bytes target    prot opt in    out    source              destination         
    3398  165K TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
     
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination          
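    The rule posted above accepts the admin port from any source on any interface. The script below is an added example (not code from this thread or from Tomato itself) of a firewall script for Administration > Scripts > Firewall that opens the port only on the WAN interface, only from one trusted source, and inserts the rule ahead of the catch-all logdrop seen in the iptables -L listing; because it has no destination match, packets arriving on the WAN for either of the router's own addresses (the .22 WAN IP or the .161 LAN IP) hit it. The interface name vlan2 comes from the DROP log line; port 8080 and the source 203.0.113.10/32 are assumed values, not from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): a hook for Tomato's
# Administration > Scripts > Firewall that opens the web admin port on the WAN
# side in Router mode without accepting it from the whole Internet.
# Constructed values, not from the thread: WAN interface vlan2 (the interface
# in the DROP log line), admin port 8080, trusted source 203.0.113.10/32.
# IPT=echo turns the script into a dry run that prints the rule it would add.
IPT="${IPT:-iptables}"

# valid_port N: succeed only if N is an integer in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# allow_remote_admin WAN_IF PORT TRUSTED_SRC
# Inserts at the top of INPUT (-I, not -A) so the rule is evaluated before the
# catch-all "logdrop all" rule shown in the iptables -L listing above; a rule
# appended after logdrop would never match. The match is limited to the WAN
# interface, one trusted source and NEW connections, and new connections are
# rate-limited with the same limit module Tomato already uses for its LOG
# rules; SYNs over the limit fall through to logdrop and appear in the log.
allow_remote_admin() {
    wan_if=$1; port=$2; src=$3
    valid_port "$port" || { echo "bad port: $port" >&2; return 2; }
    # Idempotent: skip if INPUT already lists this source and port (the -n
    # listing prints "tcp dpt:PORT", and a /32 source without its prefix).
    if "$IPT" -nL INPUT 2>/dev/null | grep -qE "${src%/32} .*tcp dpt:$port"'( |$)'; then
        return 0
    fi
    "$IPT" -I INPUT 1 -i "$wan_if" -s "$src" -p tcp --dport "$port" \
        -m state --state NEW -m limit --limit 6/min --limit-burst 10 -j ACCEPT
}

# Apply only when explicitly asked (APPLY=1 sh firewall.sh); otherwise the file
# only defines the functions so it can be sourced or dry-run with IPT=echo.
if [ "${APPLY:-0}" = "1" ]; then
    allow_remote_admin vlan2 8080 203.0.113.10/32
fi
```

A dry run (IPT=echo sh firewall.sh) prints the single iptables command that APPLY=1 would execute, which is the easiest way to check the rule before pasting it into the firewall script box.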
     
