Port Forward to a dumb Access Point

rakesh · March 10, 2019, 9:16am

My setup:

H1(host, tunn interface IP: 1.x.x.1) --- Internet ---- router R1(tunn interface IP: 1.x.x.2, LAN IP: 192.168.7.1) ====== AP(192.168.7.2), H2(host,192.168.7.210)

AP and H2 are in R1's lan.
AP is a consumer grade router (tp-link archer c60) with stock firmware, configured in dumb AP mode by disabling DHCP and added a static lan IP.
I want to access AP's config page from H1.

I have added port forward rules in R1 for both AP and H2.
I am able to access H2's apache test page from H1. So port forward rules are working.
But the same is not working for AP's config page.
Of course AP's page is accessible over lan and it's http page.
Any reason why AP's config page will not be accessible from H1?
I will provide my configs, in case i am doing some mistake but before that I wanted to ask if it's expected behaviour.

vgaetera · March 10, 2019, 9:28am

rakesh · March 10, 2019, 9:29am

Didn't get this.
Aren't AP and H2 exactly same as far as network is concerned?

vgaetera · March 10, 2019, 9:34am

What about default route?
Most likely AP network configuration is missing gateway option.

rakesh · March 10, 2019, 9:51am

In the AP config, gateway is being asked for WAN port and under DHCP.
Both sections are non-relevant in Access Point mode.

vgaetera · March 10, 2019, 10:00am

You need to specify default gateway in the same section where you set up static IP.
Otherwise AP has no route outside your LAN.

rakesh · March 10, 2019, 10:16am

It's not asking for gateway.

vgaetera · March 10, 2019, 10:21am

So, it is AP firmware limitation.

You can create firewall SNAT-rule as a workaround:

rakesh · March 10, 2019, 10:23am

This workaround I need to add in router (R1) or AP?
Because AP's firmware is vendor locked.

vgaetera · March 10, 2019, 10:24am

R1 that runs OpenWrt of course.

rakesh · March 10, 2019, 4:16pm

Will give this a try when I am back to this again in a few days.
I appreciate your help. Thanks @vgaetera

rakesh · March 26, 2019, 11:47am

@vgaetera
I am not fully clear how SNAT will help, but I gave it a try.
Not able to access the AP page.
Able to access the H2 apache page.

Below is my /etc/config/firewall.
'edge' is the vpn zone.

Port forward For H2:
config redirect
option target 'DNAT'
option src 'edge'
option dest 'lan'
option proto 'tcp udp'
option src_dport '13201'
option dest_ip '192.168.7.210'
option dest_port '80'
option name 'Forward_PC'

Port Forward for AP:
config redirect
option target 'DNAT'
option src 'edge'
option dest 'lan'
option proto 'tcp udp'
option src_dport '13202'
option dest_ip '192.168.7.2'
option dest_port '80'
option name 'Forward_AP'

SNAT for AP:
config redirect
option target 'SNAT'
option proto 'tcp udp'
option src 'lan'
option src_ip '192.168.7.2'
option src_dip '1.x.x.x'
option dest 'edge'
option name 'SNAT_AP'

PS: src_dip is the edge interface IP as seen from ifconfig on R1. I have masked it here while pasting for security reasons.

vgaetera · March 26, 2019, 4:09pm

uci -q delete firewall.ap_snat
uci set firewall.ap_snat="redirect"
uci set firewall.ap_snat.name="R1-AP-SNAT"
uci set firewall.ap_snat.src="edge"
uci set firewall.ap_snat.dest="lan"
uci set firewall.ap_snat.dest_ip="192.168.7.2"
uci set firewall.ap_snat.src_dip="192.168.7.1"
uci set firewall.ap_snat.family="ipv4"
uci set firewall.ap_snat.proto="tcpudp"
uci set firewall.ap_snat.target="SNAT"
uci commit firewall
service firewall restart

mk24 · March 26, 2019, 10:20pm

It's a big security risk to open a simple device web config page to everyone on the Internet-- be it LuCI or a vendor.

Have you tried a SSH tunnel? SSH into the OpenWrt main router with the -L option to open a tunnel to one of your LAN devices. This requires no setup of the firewall other than being able to accept SSH from outside. And it is secure.

rakesh · March 27, 2019, 4:25am

Thanks but it didn't work.
To remind, from H1 to R1 the connection is through a tunnel, interface name edge0 on R1; firewall zone name 'edge'.
If you notice the port forward rules, src is 'edge'.
So, from the H1 I do in browser 1.x.x.2:13201, I am able to see the H2 apache page.

Now do I not need to modify the SNAT rule for the AP accordingly?
I updated original post with some more info.

rakesh · March 27, 2019, 4:35am

As I understood, the vendor AP doesn't have default gateway set, so in addition to SSH tunnels or port forwards, SNAT as workaround is required.

vgaetera · March 27, 2019, 10:31am

I updated the rule.

You do not need it because AP and H2 are in the same network:

rakesh · March 27, 2019, 11:14am

The new rule also is not working.

H1$ wget 1.x.x.2:13202
--2019-03-27 16:35:31-- http://1.x.x.2:13202/
Connecting to 1.x.x.2:13202... 
failed: Connection timed out.
Retrying.
--2019-03-27 16:36:35-- (try: 2) http://1.x.x.2:13202/

vgaetera · March 27, 2019, 11:21am

uci show network; uci show firewall
killall tcpdump; reset; tcpdump -ni any tcp port 80 or tcp port 13202

Then try to test wget from H1.

rakesh · March 27, 2019, 11:47am

This works!!
Issue was a captive portal which was running.
As soon as I stopped it I am able to access the AP.

Update: I had to add AP's mac address in captive portal's white-list to get this working.

Update2:
It all works, but only one AP at a time allows login to its config page. As soon as I login to a different AP through a new browser tab, previous one logs out.