
Remote management of WAX214 Access Point

We have quite a few of the Business class WAX214 APs and need to remotely manage these APs in the absence of Insight management capability. Previous versions of Netgear's APs (WAC205/WAC210) do support this function; can you add this feature to make it truly more of a Business class AP?


The situation is that you can only manage the WAX214 from the local LAN whereas we need to have some sort of remote access to support configuration changes and such, i.e. from the Internet across a router using a public IP address and specific port No. which then forwards (via port forwarding) towards the AP on the local LAN.


Alternatively can you add the WAX214 on the list for support using the Insight Web management platform.

 

7 Comments
schumaku
Guru

@TonyTaylor wrote:

Netgear's APs (WAC205/WAC210) do support this function


Not sure what product you are referring to here, and what kind of remote access should have been available earlier.

 


@TonyTaylor wrote:

The situation is that you can only manage the WAX214 from the local LAN whereas we need to have some sort of remote access to support configuration changes and such, i.e. from the Internet across a router using a public IP address and specific port No. which then forwards (via port forwarding) towards the AP on the local LAN.


Nothing specifically required to configure on the WAX21x in my opinion - a simple port forwarding from a random/available port on a router (the WAX21x are not routers), considering the default gateway and subnet mask et al. are properly configured, should do the job. This should (technically) work, the Web page should render, and you should be able to log in.

 

However, I don't like the idea to promote any random port exposing a system which is not intended to be exposed to the wild Internet.

 

The WAX21x are intended as standalone wireless APs, while the WAX6xx are intended for the optional Netgear Insight cloud management. 

 

Talking of "real" business AP deployments, the de-facto standards are at least some kind of VPN usage for any kind of remote management, ideally paired with dedicated VLANs to isolate the management from the data/user traffic.

TonyTaylor
Follower

In response to your comments, I have to agree that in general the idea of using a VPN may seem the best approach for remotely managing the WAX214 on the local LAN, but there is also the point that opening a VPN session to the client's LAN opens a hole for the purpose of capture or sniffing of those private packets on the client's LAN without the knowledge or permission of the client.

Now whilst the VPN may be a de-facto method, client data or access to that client data should be our greatest concern, hence using HTTPS on a Web browser to a public facing TCP port on a router (which only points to the AP on the local LAN via port forwarding) shouldn't pose an issue, especially if it is only allowed from a known public IP source address; furthermore, using this method does not allow the remote engineer direct access to the client's data stream.

We only enable this method of access to overcome the simple local management from the local LAN on the AP as it does not support the Insight portal method, as such the router is locally managed on our NMS which is on a private subnet and the example of using it across the Internet was only used as a general example of traversing from one IP subnet to another across a NAT'd gateway.

We have already tried your suggested method using simple port-forwarding and although in principle it should work (and does on the WAC50x series of AP's) on the WAX214 it appears to fail when accessed from another IP subnet other than the Local LAN IP subnet, in true reality the AP does respond but gives you the URL of the Netgear main site and not the view to the Login page on the AP itself.

So if you test this and come back with a solution I'll be surprised as I have already logged this with Netgear and they have confirmed it isn't possible hence my request for a product enhancement and not a comment of should work.

Best regards.

 

schumaku
Guru

@TonyTaylor wrote:

We have already tried your suggested method using simple port-forwarding and although in principle it should work (and does on the WAC50x series of AP's) on the WAX214 it appears to fail when accessed from another IP subnet other than the Local LAN IP subnet, in true reality the AP does respond but gives you the URL of the Netgear main site and not the view to the Login page on the AP itself.


Reads like a bug to me. We've seen few other Netgear devices with similar restrictions or errors.

 


@TonyTaylor wrote:

So if you test this and come back with a solution I'll be surprised as I have already logged this with Netgear and they have confirmed it isn't possible hence my request for a product enhancement and not a comment of should work.


This is a community, I'm just yet another community member, and my crystal ball is broken so I can neither know about your communication with Netgear support nor your tests already done. I still would expect a simple port forwarding access from another subnet must be possible. If not - clearly a bug. There is no reason to redirect to some unspecified Netgear Web site.

 

@YeZ something sounds very wrong with the current (lack of exact firmware details) way the WAX21x is implemented. Any port forwarding or access from another subnet must be possible, just as it is on any other Netgear Small Business devices like earlier APs or switches or NAS or ....

 

 

MistralBerck
Follower

Hello,

 

Simple port forwarding does not work.

Here is the resulting log of such a try:

 

Nov 10 03:14:06 WAX214 daemon.warn miniupnpd[26934]: HTTP peer [::ffff:ww.xx.yyy.zz]:ppppp is not from a LAN, closing the connection
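
As an added example (not part of the original post, and not Netgear or miniupnpd code), this Python script parses the rejection message quoted above out of exported syslog and separates rejected peers that fall inside an expected admin source range from all others. The sample lines, addresses and the `ALLOWED` range are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Matches the miniupnpd rejection message quoted in the post above.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s\S+\s"
    r"miniupnpd\[\d+\]:\sHTTP peer \[(?P<addr>[^\]]+)\]:(?P<port>\d+)\s"
    r"is not from a LAN, closing the connection$"
)

# Constructed sample syslog lines (documentation-range addresses).
SAMPLE = [
    "Nov 10 03:14:06 WAX214 daemon.warn miniupnpd[26934]: HTTP peer [::ffff:203.0.113.7]:51544 is not from a LAN, closing the connection",
    "Nov 10 03:14:09 WAX214 daemon.warn miniupnpd[26934]: HTTP peer [::ffff:203.0.113.7]:51546 is not from a LAN, closing the connection",
    "Nov 10 03:20:41 WAX214 daemon.warn miniupnpd[26934]: HTTP peer [::ffff:198.51.100.23]:40212 is not from a LAN, closing the connection",
    "Nov 10 03:21:00 WAX214 daemon.info hostapd: unrelated line",
]
ALLOWED = ["203.0.113.0/29"]  # assumed admin source range (constructed)

def parse_rejection(line):
    """Return (timestamp, device, peer_ip, peer_port), or None if no match."""
    m = REJECT_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["addr"])
    except ValueError:
        return None  # redacted or malformed address
    # IPv4 peers appear in IPv4-mapped IPv6 form (::ffff:a.b.c.d); unwrap them.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return m["ts"], m["host"], ip, int(m["port"])

def summarize(lines, allowed_sources):
    """Count rejected peers: expected admin sources vs. everything else."""
    nets = [ipaddress.ip_network(n) for n in allowed_sources]
    expected, unexpected = Counter(), Counter()
    for rec in filter(None, map(parse_rejection, lines)):
        ip = rec[2]
        known = any(ip.version == n.version and ip in n for n in nets)
        (expected if known else unexpected)[str(ip)] += 1
    return expected, unexpected

if __name__ == "__main__":
    ok, other = summarize(SAMPLE, ALLOWED)
    print("expected sources:", dict(ok))
    print("unexpected sources:", dict(other))
```

Any address in the second group is a connection that reached the AP's HTTP listener from outside the range the router's forwarding rule was meant to permit.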


schumaku
Guru

Oh nooo 8-) Lacks a UI control to allow the management from other defined or any IP subnet in this case. @YeZ please.

TonyTaylor
Follower

Using port forwarding on a NAT router works fine on the older models so why does it not work on the newer Business Class WAX214, is this a bug, can Netgear supply a simple FW fix to resolve this management issue as it surely is the local AP just recognising the source IP as not being local!

Maybe it is Netgear's way of letting you buy a Business class AP and then only giving you local LAN connectivity (which really isn't Business Class at all), then you have to purchase its big brother, say the AX3000, in order to save face with the customer. Great way of generating more income; either way it is a poor show, for to broadcast it as a Business Class AP is fundamentally wrong.

Anyway that's my take.

MistralBerck
Follower

Absolutely. There is nothing in the UI to allow users to enable remote management if they wish to do so.

I use several Netgear products and those WAX214 are the only products that I am unable to connect to remotely, even with a reverse proxy (for example, I am able to do so with the GS110TPP switch).

Is it possible to have a fix in order to be allowed to do so? How much time would it require to get it?

I suppose there is no way to log on to the unit using SSH in order to fix it ourselves? (I saw on a previous thread that the SSH login/pwd are only known by your support service.)