Port Forward to a dumb Access Point

My setup:

H1(host, tunn interface IP: 1.x.x.1) --- Internet ---- router R1(tunn interface IP: 1.x.x.2, LAN IP: 192.168.7.1) ====== AP(192.168.7.2), H2(host,192.168.7.210)

AP and H2 are in R1's lan.
AP is a consumer grade router (TP-Link Archer C60) with stock firmware, configured in dumb AP mode by disabling DHCP and adding a static LAN IP.
I want to access AP's config page from H1.

I have added port forward rules in R1 for both AP and H2.
I am able to access H2's apache test page from H1. So port forward rules are working.
But the same is not working for AP's config page.
Of course AP's page is accessible over lan and it's http page.
Any reason why AP's config page will not be accessible from H1?
I will provide my configs in case I am making some mistake, but before that I wanted to ask if it's expected behaviour.

Didn't get this.
Aren't AP and H2 exactly same as far as network is concerned?

What about default route?
Most likely AP network configuration is missing gateway option.


In the AP config, gateway is being asked for WAN port and under DHCP.
Both sections are non-relevant in Access Point mode.

You need to specify a default gateway in the same section where you set up the static IP.
Otherwise AP has no route outside your LAN.


It's not asking for gateway.

So, it is an AP firmware limitation.

You can create a firewall SNAT rule as a workaround:
https://openwrt.org/docs/guide-user/firewall/firewall_configuration#source_nat


This workaround I need to add in router (R1) or AP?
Because AP's firmware is vendor locked.

R1 that runs OpenWrt of course.


Will give this a try when I am back to this again in a few days.
I appreciate your help. Thanks @vgaetera


@vgaetera
I am not fully clear how SNAT will help, but I gave it a try.
Not able to access the AP page.
Able to access the H2 apache page.

Below is my /etc/config/firewall.
'edge' is the vpn zone.

Port forward for H2:
config redirect
	option target 'DNAT'
	option src 'edge'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '13201'
	option dest_ip '192.168.7.210'
	option dest_port '80'
	option name 'Forward_PC'

Port forward for AP:
config redirect
	option target 'DNAT'
	option src 'edge'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '13202'
	option dest_ip '192.168.7.2'
	option dest_port '80'
	option name 'Forward_AP'

SNAT for AP:
config redirect
	option target 'SNAT'
	option proto 'tcp udp'
	option src 'lan'
	option src_ip '192.168.7.2'
	option src_dip '1.x.x.x'
	option dest 'edge'
	option name 'SNAT_AP'

PS: src_dip is the edge interface IP as seen from ifconfig on R1. I have masked it here while pasting for security reasons.

uci -q delete firewall.ap_snat
uci set firewall.ap_snat="redirect"
uci set firewall.ap_snat.name="R1-AP-SNAT"
uci set firewall.ap_snat.src="edge"
uci set firewall.ap_snat.dest="lan"
uci set firewall.ap_snat.dest_ip="192.168.7.2"
uci set firewall.ap_snat.src_dip="192.168.7.1"
uci set firewall.ap_snat.family="ipv4"
uci set firewall.ap_snat.proto="tcpudp"
uci set firewall.ap_snat.target="SNAT"
uci commit firewall
service firewall restart
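An added example, not code from the thread or from OpenWrt: a small Python audit that parses UCI `redirect` sections like the ones above and reports, for each DNAT forward, whether it exposes a device's admin HTTP port from a non-lan zone and whether the target has the SNAT companion rule that a gateway-less device such as the dumb AP needs. The sample config is constructed from the rules in this thread (H2 has a gateway, the AP does not).

```python
import shlex

# Constructed sample modelled on the thread's rules: H2 (192.168.7.210) has a default
# gateway, the dumb AP (192.168.7.2) does not, so only the AP gets an SNAT rule.
SAMPLE_FIREWALL = """\
config redirect
\toption src 'edge'
\toption dest 'lan'
\toption src_dport '13201'
\toption dest_ip '192.168.7.210'
\toption dest_port '80'
\toption name 'Forward_PC'
config redirect
\toption src 'edge'
\toption dest 'lan'
\toption src_dport '13202'
\toption dest_ip '192.168.7.2'
\toption dest_port '80'
\toption name 'Forward_AP'
config redirect 'ap_snat'
\toption target 'SNAT'
\toption src 'edge'
\toption dest 'lan'
\toption dest_ip '192.168.7.2'
\toption src_dip '192.168.7.1'
"""

def parse_uci(text):
    """Return one dict per 'config <type> [name]' section, holding its options."""
    sections = []
    for line in text.splitlines():
        kind, *rest = shlex.split(line, comments=True) or [None]  # handles 'quoted' values
        if kind == "config":
            sections.append({"_type": rest[0], "_name": rest[1] if len(rest) > 1 else None})
        elif kind == "option" and sections:
            sections[-1][rest[0]] = rest[1] if len(rest) > 1 else ""
    return sections

def audit_redirects(text, admin_ports=("80", "443")):
    """Summarise each DNAT redirect (UCI's default target when 'target' is absent)."""
    redirects = [s for s in parse_uci(text) if s["_type"] == "redirect"]
    snat_targets = {s.get("dest_ip") for s in redirects if s.get("target") == "SNAT"}
    report = {}
    for r in redirects:
        if r.get("target", "DNAT") != "DNAT":
            continue
        report[r.get("name")] = {"dest_ip": r.get("dest_ip"),
                                 "admin_exposed": r.get("dest_port") in admin_ports and r.get("src") != "lan",
                                 "has_snat": r.get("dest_ip") in snat_targets}
    return report
```

Run it against a real `/etc/config/firewall` to list every forward that reaches an admin page from the tunnel or WAN zone, and which of those rely on the SNAT workaround.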

It's a big security risk to open a simple device web config page to everyone on the Internet, be it LuCI or a vendor's.

Have you tried an SSH tunnel? SSH into the OpenWrt main router with the -L option to open a tunnel to one of your LAN devices. This requires no setup of the firewall other than being able to accept SSH from outside. And it is secure.

Thanks but it didn't work.
To remind, from H1 to R1 the connection is through a tunnel, interface name edge0 on R1; firewall zone name 'edge'.
If you notice the port forward rules, src is 'edge'.
So, from H1 I open 1.x.x.2:13201 in the browser, and I am able to see the H2 Apache page.

Now do I not need to modify the SNAT rule for the AP accordingly?
I updated original post with some more info.

As I understood, the vendor AP doesn't have a default gateway set, so in addition to SSH tunnels or port forwards, SNAT as a workaround is required.

I updated the rule.

You do not need it because AP and H2 are in the same network:

The new rule also is not working.

H1$ wget 1.x.x.2:13202
--2019-03-27 16:35:31-- http://1.x.x.2:13202/
Connecting to 1.x.x.2:13202... 
failed: Connection timed out.
Retrying.
--2019-03-27 16:36:35-- (try: 2) http://1.x.x.2:13202/

uci show network; uci show firewall
killall tcpdump; reset; tcpdump -ni any tcp port 80 or tcp port 13202

Then try to test wget from H1.

This works!!
Issue was a captive portal which was running.
As soon as I stopped it I am able to access the AP.

Update: I had to add AP's mac address in captive portal's white-list to get this working.

Update2:
It all works, but only one AP at a time allows login to its config page. As soon as I log in to a different AP through a new browser tab, the previous one logs out.