Forum Discussion
vt460, Sep 20, 2018, Aspirant
R6230 not requiring password to login
My R6230 is in Wireless Access Point mode, connected by Ethernet cable to a Nighthawk X4S. I want to be able to manage the R6230 remotely, which is apparently not an option in Wireless Access Point mo...
antinode, Sep 21, 2018, Guru
> [...] I want to be able to manage the R6230 remotely, which is
> apparently not an option in Wireless Access Point mode (it is greyed
> out), [...]
Remote Management involves access through the router's WAN/Internet
port, and, when in WAP mode, the R6230 is all LAN, so the option doesn't
apply. You should be able to reach the management web site of the
R6230-as-WAP at the LAN IP address of the R6230-as-WAP. That can
wander, unless you reserve its address on the main-router DHCP server,
or you assign it a static address.
> [...] so I configured port forwarding on the X4S.
How, exactly?
> [...] I'm able to login via the X4S public IP address using the
> forwarded port, but with this setup the R6230 no longer requires a
> password for login, regardless of whether I use the public address with
> port forwarding or I login directly on the local subnet. [...]
Is that because your web browser is supplying saved credentials?
Does a different web browser behave differently? What are the actual
URLs being used? (You can hide your public IP address.)
> [...] If I disable port forwarding on the X4S I am again required to
> enter a password on the R6230. [...]
If you're using the same URL (with a LAN IP address in it), then I
can't explain why port forwarding, which you're not using, would make
any difference.
- vt460, Sep 21, 2018, Aspirant
I enabled remote management on the X4S, allowing public WAN IP 1.2.3.4:8443 to reach the X4S.
This behaves as expected, including X4S password required after X4S logout.
I then added X4S port forwarding for 1.2.3.4:9999 forwarded to the LAN IP of the 6230 192.168.1.250:80
(I might have also tried 192.168.1.250:443 but I don't think SSL worked, I forget)
This works and I'm able to access the 6230 remotely via 1.2.3.4:9999, BUT 6230 password is NOT required, logout doesn't fix it
Same behavior on multiple browsers, and not supposed to be saving credentials after logout, but haven't sniffed the traffic to confirm
I always use the IP addresses, not routerlogin.net or any other DNS resolution
Originally the password on the X4S and R6230 were the same, so I thought it might be an X4S credential cross-site caching mix up, but I changed the password on the R6230 and it didn't help
I know it doesn't make any sense, but as soon as I enable port forwarding and login via the X4S forwarding the R6230 no longer requires a password whether I reach it by forwarding or local LAN, even after logout
Maybe it's a caching problem, maybe it's a port problem, all clues welcome, I'll keep experimenting and report back
IPs and ports changed to protect the innocent
thanks
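The post above leaves open whether the R6230 really serves its admin pages without a password or whether the browser is quietly re-sending saved credentials or cookies (it says the traffic was not sniffed). The following is an added example, not code from the thread or from NETGEAR: it fetches the admin page with a fresh urllib opener that carries no cookie jar, no auth handler and no cached Basic-auth header, and classifies the answer as a challenge, a login form, a redirect, or an unauthenticated page. The addresses are the thread's own placeholders (192.168.1.250 on the LAN, 1.2.3.4:9999 forwarded to it) and the response samples are constructed, not captured from a real router.

```python
# Added example (not from the thread or NETGEAR): probe an admin UI with a
# client that has no browser state, so "password not required" can be
# checked independently of credential caching. Addresses are the thread's
# placeholders and the SAMPLES below are constructed, not real captures.
import sys
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as an HTTPError instead of silently following it, so a
    bounce to a login page shows up in the verdict."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers, body_start):
    """Turn one response to GET / into a verdict string.

    status: int HTTP status; headers: any mapping of header name -> value
    (case-insensitive here); body_start: first bytes of the body, only
    consulted for 200 responses.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if isinstance(body_start, bytes):
        body_start = body_start.decode("utf-8", "replace")
    if status == 401:
        challenge = h.get("www-authenticate", "").strip()
        scheme = challenge.split()[0] if challenge else "unknown scheme"
        return "AUTH REQUIRED: %s challenge" % scheme
    if status in (301, 302, 303, 307, 308):
        return "REDIRECT: %s" % h.get("location", "?")
    if status == 200:
        low = body_start.lower()
        if "password" in low and ("<form" in low or "login" in low):
            return "AUTH REQUIRED: login form served"
        return "NO AUTH: admin page served without a challenge"
    return "UNEXPECTED: HTTP %d" % status


def probe(url, timeout=5):
    """GET url with a fresh opener (no cookies, no auth handler) and classify."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "admin-ui-probe/1"})
    try:
        with opener.open(req, timeout=timeout) as r:
            return classify(r.status, r.headers, r.read(4096))
    except urllib.error.HTTPError as e:
        body = e.read(4096) if e.fp is not None else b""
        return classify(e.code, e.headers or {}, body)
    except (urllib.error.URLError, OSError) as e:
        return "UNREACHABLE: %s" % e


# Constructed sample responses covering the outcomes the thread is trying
# to tell apart (the realm string is illustrative, not a captured value).
SAMPLES = {
    "basic_challenge": (401, {"WWW-Authenticate": 'Basic realm="NETGEAR R6230"'}, b""),
    "login_form": (200, {"Content-Type": "text/html"},
                   b"<html><form action=/login><input name=password type=password>"),
    "no_auth": (200, {"Content-Type": "text/html"},
                b"<html><title>Attached Devices</title><table>..."),
    "bounce": (302, {"Location": "http://192.168.1.250/start.htm"}, b""),
}


def demo():
    """Classify the constructed samples; returns {name: verdict}."""
    return {name: classify(*resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-16s %s" % (name, verdict))
    # Live use, e.g.: python probe.py http://192.168.1.250/ http://1.2.3.4:9999/
    for url in sys.argv[1:]:
        print("%-28s %s" % (url, probe(url)))
```

Run it once from inside the LAN against the R6230's LAN IP and once from outside against the forwarded WAN port. If both return a challenge or a login form, the "no password" effect in the browser is client-side state; if either returns the NO AUTH verdict, the device really is serving the UI unauthenticated on that path and the port forward should be removed until that is resolved.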
- michaelkenward, Sep 22, 2018, Guru - Experienced User
Which X4S are we talking about there?
R7800, EX7500, D7800, C7800?
- vt460, Sep 22, 2018, Aspirant
R7800
- schumaku, Sep 22, 2018, Guru - Experienced User
The bigger brother R9000 does not allow creating UPnP NAT custom entries pointing to the router LAN IP address.
The cause is not very systematic - most users don't have port forwarding to the router LAN IP (especially not on the insecure http port 80).
If I remember right, I have sent a similar report on another Netgear router based on the similar platform and experienced the very same - the access to the Web UI was granted without requiring any login when accessing it using a port forwarded (with PAT) to the router LAN IP. Why am I not surprised for one second, ChristineT? More candidates for a ticket to Tasmania. And no, not for the customer reporting this.
- antinode, Sep 22, 2018, Guru
> [...] You now know that in AP mode, there is not much that you can do
> with the R6230. What is the idea of getting in there with remote
> management?
Who cares? Perhaps he wants to reboot it. Perhaps he wants to do
some other part of "not much". The point is that it should be possible,
and he should need a password to do it.
> The bigger brother R9000 does not allow creating UPnP NAT custom
> entries pointing to the router LAN IP address.
"UPnP"? At least one of us is confused. As I understand it, the
port forwarding is "to the LAN IP of the 6230 192.168.1.250:80", that
is, the WAP LAN IP address, not to "the router LAN IP address" (which, I
assume, would be something like "192.168.1.1").
- vt460, Sep 25, 2018, Aspirant
The setup I was hoping for would allow the following
- X4S R7800 login via LAN IP from local network - this works of course, with caveat 1 below
- X4S R7800 login via WAN IP (remote management) - this works, with caveat 1 below
- AC1200 R6230 login via LAN IP from local network - this works of course, with caveat 2 below
- AC1200 R6230 login via X4S WAN IP forwarded with PAT to R6230 LAN IP - this works, with caveats 2 and 3 below
wrt my original post, I was using the same admin password on both routers, and I think ultimately this led to some authentication caching problems in the browser - I've found that if I'm very careful to always Logout I can't recreate the problem of a password not being required, regardless of how I reach the R6230
Based on the discussion above and further consideration, I've realized this would be terribly insecure:
caveat 1: local and remote management via https with the self signed R7800 certificate is not secure
caveat 2: https is not supported on the R6230 LAN IP at all, regardless of local or forwarded connection
caveat 3: if I login to the R6230 via the same WAN address as the R7800 I get a warning about another active login, which is wrong, and I think is related to my earlier belief that passwords were not being required because of auth caching problems and browser cookies
Oh well, lessons learned, hopefully someday Netgear will add proper certificates with proper TLS support for admin login
thanks to everyone who pitched in!
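Caveat 3 above (a spurious "another active login" warning when the R6230 is reached through the same WAN address as the R7800) and the earlier suspicion of a "cross-site caching mix up" both fit one property of browser cookies that is worth knowing when two admin UIs share an IP: cookies are scoped by host, not by port (RFC 6265, section 8.5), so a session cookie set by a UI at 1.2.3.4:8443 is also sent to whatever answers at 1.2.3.4:9999. The following is an added example, not code from the thread or from NETGEAR, and it does not establish that this is what the R7800 or R6230 firmware actually did; it uses Python's standard cookie jar, which applies the same rule a browser does, to show the behaviour. The addresses are the thread's placeholders and the cookie name and value are constructed.

```python
# Added example (not from the thread or NETGEAR): show that a cookie set
# by one host:port is replayed to the same host on a different port.
# Addresses are the thread's placeholders; the cookie is constructed.
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Minimal stand-in for the response CookieJar.extract_cookies expects:
    only .info() returning a Message with get_all() is consulted."""
    def __init__(self, set_cookie_values):
        self._msg = email.message.Message()
        for value in set_cookie_values:
            self._msg["Set-Cookie"] = value  # Message appends, so several are fine

    def info(self):
        return self._msg


def cookie_sent_across(set_by_url, set_cookie, later_url):
    """Store a cookie from a response to set_by_url, then ask the jar whether
    it would attach that cookie to a request for later_url.

    Returns the Cookie header value that would be sent, or None."""
    jar = http.cookiejar.CookieJar()  # default policy: host-scoped, port-agnostic
    jar.extract_cookies(FakeResponse([set_cookie]),
                        urllib.request.Request(set_by_url))
    later = urllib.request.Request(later_url)
    jar.add_cookie_header(later)
    return later.get_header("Cookie")


R7800_REMOTE = "http://1.2.3.4:8443/"   # remote management on the X4S (placeholder)
R6230_FORWARD = "http://1.2.3.4:9999/"  # PAT-forwarded to the R6230 LAN IP
R6230_LAN = "http://192.168.1.250/"     # the R6230 reached directly on the LAN


def demo():
    """Same host, other port: cookie is replayed. Different host: it is not."""
    cookie = "SESSION=abc123; Path=/"  # constructed, not a real router cookie
    return {
        "same_host_other_port": cookie_sent_across(R7800_REMOTE, cookie, R6230_FORWARD),
        "different_host": cookie_sent_across(R7800_REMOTE, cookie, R6230_LAN),
    }


if __name__ == "__main__":
    for case, header in demo().items():
        print("%-22s Cookie: %s" % (case, header))
```

The practical consequence is the one the thread arrived at by trial and error: when two management UIs sit behind one public address on different ports, log out of each one explicitly, or use separate browser profiles for them, because one UI's session cookie (and, for HTTP Basic, the browser's cached Authorization header for that host) will be offered to the other.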
- schumaku, Sep 25, 2018, Guru - Experienced User
vt460 wrote:
Based on the discussion above and further consideration, I've realized this would be terribly insecure:
caveat 1: local and remote management via https with the self signed R7800 certificate is not secure
... hopefully someday Netgear will add proper certificates with proper TLS support for admin login
Aehm, are you sure there is a self-signed certificate on the R7800 and the R6230? Most if not all Netgear routers, Nighthawk, Orbi, Wireless Extenders, and the like come with a (shared, sigh ... yes) certificate and private key - issued and signed by the Entrust CA L1K, and supplied with a bunch of alternate subject names.
Of course, this certificate can't be validated for an IP address (as there simply can't be valid certificates based just on IP), or some custom DDNS names. But in general - for the documented domain names - this is a valid certificate.