Remote access in router mode (vs gateway)

Discussion in 'Tomato Firmware' started by Mike, Jan 24, 2008.

  1. Mike

    Mike Network Guru Member

    I can only use Remote Access (i.e. get http access on the WAN port) in Gateway mode. If I switch to Router mode (under Advanced/Routing) access thru the WAN port is disabled.

    I have Remote Access enabled (tried both HTTP and HTTPS, ports 80 and 8080). This has not worked for quite a while - probably since Tomato 1.06 or earlier.

    It would be great if this worked - it makes it hard to access the routers on my internal LAN.

  2. supaJ

    supaJ LI Guru Member

    I have the same issue on tomato version v1.09.

    I can't access http or SSH remotely.

    I have verified my IP address and ports.

    As a matter of fact I can access my IP remotely simply by forwarding the 3389 (RDP protocol) port. Would I be able to access my router remotely by forwarding the http port and the SSH port to the internal address of the gateway?

    I would appreciate any help on this problem.

    Thank you.

  3. SlickNetAaron

    SlickNetAaron LI Guru Member

    I am unable to access remotely as well.

    Running in router mode with wireless as the LAN (Wireless client).

  4. mstombs

    mstombs Network Guru Member

    Pteron has already posted that the firewall is completely non-effective in Router mode and has sent proposed mods to Jon the Tomato author (architect/magician?).

    You should be able to manually add iptables filtering rules through the firewall or wan-up script to do what you want though.

  5. SlickNetAaron

    SlickNetAaron LI Guru Member


    Thanks for the note on it being a known issue.

    Anybody know what iptables filter would get us up and running? I have no clue.

  6. mstombs

    mstombs Network Guru Member

    I don't run router mode, but suspect all access from the WAN port (the wired WAN port is usually vlan1) is blocked by a default INPUT drop rule, so you just need to try inserting a new rule like

    iptables -I INPUT -s a.b.c.d -j ACCEPT

    to tell the internal router to accept all requests from the machine with local source ip address a.b.c.d. If that works and you have a service running and listening on that port it should communicate with that machine.

    You may then like to add further restrictions to which interface, ports, or allow any internal IP address range...

    Experiment from a telnet/ssh session from the local side of the router, then a simple reboot will clear any temporary rules! If you accidentally block access with built-in scripts, it's a hard reset job and full reconfiguration... Do consider security - do you trust all your local machines?

    I assume nat is off in router mode so nothing in

    iptables -L -vn -t nat
    but rules in filter (default) table are still operational

    iptables -L -vn
    iptables -L -vn -t filter
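
The narrowing suggested in the post above (restricting by interface, port and source range rather than accepting everything from a host), as an added example that is not part of any post in this thread. The function names are hypothetical; `vlan1` is the interface name mentioned in the thread, and the subnet and ports are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread. Prints narrowly scoped INPUT rules
# (interface + source range + TCP port) for review before they are applied.

# valid_cidr ADDR/LEN: succeed only for a well-formed IPv4 CIDR
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    oldifs=$IFS; IFS=.
    for octet in ${1%/*}; do
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
}

# valid_port N: succeed only for an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# admin_rules IFACE SRC_CIDR PORT...: print one iptables command per port
admin_rules() {
    [ "$#" -ge 3 ] || { echo "usage: admin_rules IFACE SRC_CIDR PORT..." >&2; return 1; }
    iface=$1; src=$2; shift 2
    # The output is meant to be fed to a shell, so reject anything odd.
    case "$iface" in ''|*[!A-Za-z0-9._-]*) echo "bad interface: $iface" >&2; return 1 ;; esac
    valid_cidr "$src" || { echo "bad source range: $src" >&2; return 1; }
    for port in "$@"; do
        valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    done
    for port in "$@"; do
        echo "iptables -I INPUT -i $iface -p tcp -s $src --dport $port -j ACCEPT"
    done
}

# Assumed values: vlan1 is the WAN-side interface mentioned in the thread;
# 192.168.1.0/24 and ports 8080/22 are constructed samples.
# Review:  admin_rules vlan1 192.168.1.0/24 8080 22
# Apply:   admin_rules vlan1 192.168.1.0/24 8080 22 | sh
```

Because the default INPUT policy stays in place, anything not matched by these rules is still dropped, and `iptables -L INPUT -vn` shows per-rule packet counters to confirm which rule is being hit.
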
  7. supaJ

    supaJ LI Guru Member

    Another forum member, Voxabox, pointed out here that SSH remote login works fine with tomato V1.13. Can anyone confirm this?

    I am currently running v1.09 and it works very well. I have modified several settings in the past, including QoS, port forwarding rules, static routes etc. I also have scripts to back up my bandwidth log to ftp, check individual IP bandwidth usages, etc. Hence I am a bit fearful of upgrading to a later version. Will all my settings, scripts, rules, etc. be restored after an upgrade? What if I do a backup of my configuration (Administration->Configuration), can I use that to restore ALL my settings?

    Thanks for your help.

  8. mstombs

    mstombs Network Guru Member

    ssh remote login works fine in GATEWAY (nat router) mode in V1.13

    You should only restore to the same version.

    I don't think there have been significant nvram variable changes since v1.09 so good chance you would keep all settings, but jffs must be backed up, reformatted/repopulated if you are using that for scripts. BUT if any strange behaviour results you will be advised to reset to defaults and type everything back in! So keep printouts/screendumps/text copies of all entries!

  9. Mike

    Mike Network Guru Member

    Thanks to mstombs and others, the following worked to solve my problem with routing:

    iptables -P INPUT ACCEPT

    Notice that I do trust the other devices on my (internal) LAN.

  10. ericmule

    ericmule LI Guru Member

    I'm having the same issue with remote administration when using router mode. Can someone tell me exactly what needs to be done to resolve this? I've added the "iptables -P INPUT ACCEPT" to the firewall scripts via the web gui and still no access.

  11. BeHappy

    BeHappy Network Guru Member
