H1(host, tunnel interface IP: 1.x.x.1) --- Internet ---- router R1(tunnel interface IP: 1.x.x.2, LAN IP: 192.168.7.1) ====== AP(192.168.7.2), H2(host, 192.168.7.210)
AP and H2 are in R1's LAN.
AP is a consumer-grade router (TP-Link Archer C60) with stock firmware, configured in dumb AP mode by disabling DHCP and adding a static LAN IP.
I want to access AP's config page from H1.
I have added port forward rules in R1 for both AP and H2.
I am able to access H2's Apache test page from H1, so the port forward rules are working.
But the same is not working for AP's config page.
Of course, the AP's page is accessible over the LAN, and it's an HTTP page.
Any reason why AP's config page will not be accessible from H1?
I will provide my configs in case I am making some mistake, but before that I wanted to ask whether it's expected behaviour.
uci -q delete firewall.ap_snat
uci set firewall.ap_snat="redirect"
uci set firewall.ap_snat.name="R1-AP-SNAT"
uci set firewall.ap_snat.src="edge"
uci set firewall.ap_snat.dest="lan"
uci set firewall.ap_snat.dest_ip="192.168.7.2"
uci set firewall.ap_snat.src_dip="192.168.7.1"
uci set firewall.ap_snat.family="ipv4"
uci set firewall.ap_snat.proto="tcpudp"
uci set firewall.ap_snat.target="SNAT"
uci commit firewall
service firewall restart
It's a big security risk to open a simple device web config page to everyone on the Internet, be it LuCI or a vendor's.
Have you tried an SSH tunnel? SSH into the OpenWrt main router with the -L option to open a tunnel to one of your LAN devices. This requires no setup of the firewall other than being able to accept SSH from outside. And it is secure.
Thanks but it didn't work.
As a reminder, from H1 to R1 the connection is through a tunnel; the interface name on R1 is edge0 and the firewall zone name is 'edge'.
If you look at the port forward rules, src is 'edge'.
So, from H1 I open 1.x.x.2:13201 in the browser and I am able to see the H2 Apache page.
Now do I not need to modify the SNAT rule for the AP accordingly?
I updated original post with some more info.