Admin interface not accessible from other subnets & private address

[romanstardust]

I have my R7800 (running V1.0.2.91.1SF) set up as an AP (in router mode) and I am having trouble accessing the router from other private networks.

The R7800 is currently in router mode and has the VLAN setup as such-
Port 4 - Netgear Bridge
Port 1 - 2.4Ghz
Port 2 - 5Ghz
Port 3, WAN - Netgear Bridge (Unused)

The LAN address of the Router is set to 192.168.1.3. Now the issue is that if my PC is plugged into the 192.168.1.x network, I can access the router via Web, Ping, SSH etc

But if I plug my PC into it's own VLAN and it gets an IP such 192.168.10.x, the router will not respond at all. However, other devices on the 192.168.1.x network work fine. I can also SSH into a device on the 192.168.1.x network and then connect to the R7800.

Just not directly.

Checked the iptables -L & iptables -t nat -L -n -v commands and line 5 of the rules below all that I could find that seemed relevant

Chain loc2net (1 references)
num target prot opt source destination 
1 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
2 DROP tcp -- anywhere anywhere state NEW tcp flags:!FIN,SYN,RST,PSH,ACK,URG/SYN
3 DROP tcp -- anywhere anywhere state INVALID
4 TRIGGER all -- anywhere anywhere [16 bytes of unknown target data] 
5 DROP all -- !192.168.1.0/29 anywhere <= -* This line seems it might be the issue *-
6 ACCEPT all -- anywhere anywhere

Is that the right line to modify or do I need to do something else to get this to work.

 

[Tech Junky]

Change it to 192.168.0.0/16 and Amy 192 address should work.

 

[romanstardust]

Thanks that works. Is there anyway I can also allow access from 172.16.x.x IPs?

I set the LAN IP to 192.168.1.3/1 (128.0.0.0) and can access from 192.168.x.x, but not the 172.16.x.x range

 

[Tech Junky]

Make another rule for the 172 subnet. Or make a group for all rfc1918 IPs to be permitted or block the WAN interface or permit the LAN only.

172.16.0.0/12 the only other RFC1918 would be 10.0.0.0/8.

 

[romanstardust]

Ahh looks like I misunderstood your first reply. I changed the LAN IP and not the rule contents.

This did automatically change the rule to
5 DROP all -- !128.0.0.0/1 anywhere
Which should cover the 172 range, so not sure why it is not accessible.

Then I dropped that rule via iptables -D loc2net 5 but still no access.

Is loc2net the right table to be doing this?

Also my WAN is not used at all and the router only works on the internal network. Can I just disable the firewall?

The main firewall etc is done by pfSense + Managed Switch

 

[Tech Junky]

Here's what my iptables config looks like which is similar in how your commands are acting except mine only allow LAN originated traffic.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:PERMIT-FWD - [0:0]
:PERMIT-IN - [0:0]
:PERMIT-OUT - [0:0]
-A INPUT -j PERMIT-IN
-A FORWARD -j PERMIT-FWD
-A OUTPUT -j PERMIT-OUT
-A PERMIT-FWD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-FWD -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-FWD -j DROP
-A PERMIT-IN -i lo -j ACCEPT
-A PERMIT-IN -i br0 -j ACCEPT
-A PERMIT-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-IN -j DROP
-A PERMIT-OUT -o lo -j ACCEPT
-A PERMIT-OUT -o br0 -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-OUT -j DROP
COMMIT
# Completed on Sun Jan 23 20:51:32 2022
# Generated by iptables-save v1.8.7 on Sun Jan 23 20:51:32 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o bo0 -j MASQUERADE
COMMIT

128.0.0.0/1 isn't ideal as that permits more than what you want.

 

[Tech Junky]

Can I just disable the firewall?

Yes