vt460
Sep 20, 2018 Aspirant
R6230 not requiring password to login
My R6230 is in Wireless Access Point mode, connected by Ethernet cable to a Nighthawk X4S. I want to be able to manage the R6230 remotely, which is apparently not an option in Wireless Access Point mo...
vt460
Sep 21, 2018 Aspirant
I enabled remote management on the X4S, allowing public WAN IP 1.2.3.4:8443 to reach the X4S.
This behaves as expected, including X4S password required after X4S logout.
I then added X4S port forwarding for 1.2.3.4:9999 forwarded to the LAN IP of the 6230 192.168.1.250:80
(I might have also tried 192.168.1.250:443 but I don't think SSL worked, I forget)
This works and I'm able to access the 6230 remotely via 1.2.3.4:9999, BUT 6230 password is NOT required, logout doesn't fix it
Same behavior on multiple browsers, and not supposed to be saving credentials after logout, but haven't sniffed the traffic to confirm
I always use the IP addresses, not routerlogin.net or any other DNS resolution
Originally the password on the X4S and R6230 were the same, so I thought it might be an X4S credential cross-site caching mix up, but I changed the password on the R6230 and it didn't help
I know it doesn't make any sense, but as soon as I enable port forwarding and login via the X4S forwarding the R6230 no longer requires a password whether I reach it by forwarding or local LAN, even after logout
Maybe it's a caching problem, maybe it's a port problem, all clues welcome, I'll keep experimenting and report back
IPs and ports changed to protect the innocent
thanks
vt460
Sep 25, 2018 Aspirant
The setup I was hoping for would allow the following
- X4S R7800 login via LAN IP from local network - this works of course, with caveat 1 below
- X4S R7800 login via WAN IP (remote management) - this works, with caveat 1 below
- AC1200 R6230 login via LAN IP from local network - this works of course, with caveat 2 below
- AC1200 R6230 login via X4S WAN IP forwarded with PAT to R6230 LAN IP - this works, with caveats 2 and 3 below
wrt my original post, I was using the same admin password on both routers, and I think ultimately this led to some authentication caching problems in the browser - I've found that if I'm very careful to always Logout I can't recreate the problem of a password not being required, regardless of how I reach the R6230
Based on the discussion above and further consideration, I've realized this would be terribly insecure:
caveat 1: local and remote management via https with the self signed R7800 certificate is not secure
caveat 2: https is not supported on the R6230 LAN IP at all, regardless of local or forwarded connection
caveat 3: if I login to the R6230 via the same WAN address as the R7800 I get a warning about another active login, which is wrong, and I think is related to my earlier belief that passwords were not being required because of auth caching problems and browser cookies
Oh well, lessons learned, hopefully someday Netgear will add proper certificates with proper TLS support for admin login
thanks to everyone who pitched in!
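Caveat 3 in the post above has a general explanation: cookies are scoped by host, not by port or scheme, so two admin pages published on one WAN IP share a single cookie scope. The following is an added example, not part of the thread; Python's `http.cookiejar` stands in for the browser's cookie store, and the cookie name `sess` and the assumption that the routers keep their sessions in cookies are not confirmed by the page.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class _Reply:
    """Minimal stand-in for an HTTP response: CookieJar only calls info()."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent(login_url, set_cookie, next_url):
    """Store a cookie set by login_url, then return the Cookie header a
    client would attach to next_url (None if nothing is attached)."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_Reply(set_cookie), urllib.request.Request(login_url))
    nxt = urllib.request.Request(next_url)
    jar.add_cookie_header(nxt)
    return nxt.get_header("Cookie")


# Constructed values: the thread's placeholder addresses and a made-up cookie.
X4S_REMOTE = "https://1.2.3.4:8443/"   # X4S remote management
R6230_FWD = "http://1.2.3.4:9999/"     # port forward to the R6230
R6230_LAN = "http://192.168.1.250/"    # R6230 reached directly on the LAN

if __name__ == "__main__":
    for label, cookie, url in [
        ("plain cookie, forwarded port", "sess=abc; Path=/", R6230_FWD),
        ("Secure cookie, forwarded port", "sess=abc; Path=/; Secure", R6230_FWD),
        ("plain cookie, LAN address", "sess=abc; Path=/", R6230_LAN),
    ]:
        print(f"{label}: {cookie_sent(X4S_REMOTE, cookie, url)}")
```

A cookie set over HTTPS on port 8443 without the `Secure` attribute is also attached to the plain-HTTP request on port 9999, which is why publishing both devices on distinct hostnames, or managing the access point only from the LAN address, keeps the sessions apart.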
- schumaku Sep 25, 2018 Guru - Experienced User
vt460 wrote:
Based on the discussion above and further consideration, I've realized this would be terribly insecure:
caveat 1: local and remote management via https with the self signed R7800 certificate is not secure
... hopefully someday Netgear will add proper certificates with proper TLS support for admin login
Aehm, are you sure there is a self-signed certificate on the R7800 and the R6230? Most if not all Netgear routers, Nighthawk, Orbi, Wireless Extenders, and the like come with a (shared, sigh ... yes) certificate and private key - issued and signed by the Entrust CA L1K, and supplied with a bunch of alternate subject names.
Of course, this certificate can't be validated for an IP address (as there simply can't be valid certificates based just on IP), or some custom DDNS names. But in general - to the documented domain names - this is a valid certificate.
- vt460 Sep 26, 2018 Aspirant
I think I saw that the Nighthawk X4S R7800 certificate is self signed, issued by and to www.routerlogin.net - but I can't confirm right now because I'm not on that network, and, of course, I turned off remote management, so I'll double check when I can and post here
I did experiment with local DNS resolution for www.routerlogin.net and it did not help
I also realized that even if it did help, there's no obvious way I could make this work from the same laptop for both local 192.168.1.1 and my public WAN IP. But maybe I could resolve www.routerlogin.net to 192.168.1.1 and routerlogin.net to the public WAN IP, or something like that
The R6230 does not appear to offer TLS at all, but maybe there's a trick I don't know
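The two descriptions of the R7800 certificate in the posts above (issued by and to www.routerlogin.net, versus CA-issued with alternate subject names) produce different browser warnings, and the check below tells them apart. It is an added example, not code from the thread or from Netgear: `classify` is a hypothetical helper, and the certificate dictionaries are constructed in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, using only names mentioned in the thread.

```python
import ipaddress


def _as_ip(name):
    try:
        return ipaddress.ip_address(name)
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Exact label match; '*' may replace only the whole leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def classify(cert, typed):
    """cert: dict shaped like ssl.SSLSocket.getpeercert(); typed: what was
    entered in the address bar. Chain validation is out of scope here."""
    if cert["issuer"] == cert["subject"]:
        return "self-issued"          # issuer and subject are identical
    sans = cert.get("subjectAltName", ())
    ip = _as_ip(typed)
    if ip is not None:
        ok = any(k == "IP Address" and _as_ip(v) == ip for k, v in sans)
    else:
        ok = any(k == "DNS" and _dns_match(v, typed) for k, v in sans)
    return "name-ok" if ok else "name-mismatch"


# Constructed sample data using names that appear in the thread.
_SUBJECT = ((("commonName", "www.routerlogin.net"),),)
_SANS = (("DNS", "www.routerlogin.net"), ("DNS", "routerlogin.net"))
CA_ISSUED = {"subject": _SUBJECT, "subjectAltName": _SANS,
             "issuer": ((("commonName", "Entrust CA L1K"),),)}
SELF_ISSUED = {"subject": _SUBJECT, "subjectAltName": _SANS,
               "issuer": _SUBJECT}

if __name__ == "__main__":
    for cert, typed in [(CA_ISSUED, "www.routerlogin.net"),
                        (CA_ISSUED, "192.168.1.1"), (CA_ISSUED, "1.2.3.4"),
                        (SELF_ISSUED, "www.routerlogin.net")]:
        print(typed, "->", classify(cert, typed))
```

To run it against a live device, pass the dictionary from `getpeercert()` on a connection made with a verifying `ssl` context; with verification disabled that call returns an empty dictionary.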
- vt460 Sep 27, 2018 Aspirant