
Re: MS510TXPP - locked myself out of admin UI

therealmrfox
Initiate

MS510TXPP - locked myself out of admin UI

So, I had the brilliant idea of disabling HTTP access to my switch, because in 2024 there just isn't a reason to use HTTP for anything.

 

Since there isn't an option to disable the HTTP UI, I figured I'd just add a deny rule under security->access.

 

Thought I'd start carefully, with deny HTTP, IP=10.1.10.22, Netmask=255.255.255.255. 

 

Well, apparently "deny HTTP" means "deny HTTP *and* HTTPS", and "netmask 255.255.255.255" means "block the entire 10.1.10.X subnet". Thanks a lot, Netgear!

 

So, bottom line, I can't access the UI any more. Do I have any other chance than a factory reset?

Message 1 of 4
schumaku
Guru

Re: MS510TXPP - locked myself out of admin UI


@therealmrfox wrote:

Since there isn't an option to disable the HTTP UI, I figured I'd just add a deny rule under security->access.


This is the only officially supported way.

 

No matter which brand is printed on your Broadcom-based switch (Dell, FS, Cisco SMB, ... or Netgear, just to mention a few), there is no way to disable the http service ... most likely because they depend internally on the http, and have just implemented a https proxy on top.

 

@therealmrfox wrote:

Thought I'd start carefully, with deny HTTP, IP=10.1.10.22, Netmask=255.255.255.255. 

 

Well, apparently "deny HTTP" means "deny HTTP *and* HTTPS", and "netmask 255.255.255.255" means "block the entire 10.1.10.X subnet". Thanks a lot, Netgear!


Works for me as designed, certainly on the MS510TXUP, v1.0.5.17

 

[Screenshot: HTTP deny single host.PNG]

 

Only the single host 10.10.1.230 does get the HTTP access denied.

 

Keep in mind - because this is yet another ACL - with this configuration shown, the HTTP access remains active for any other host in the 10.10.1.0/24 subnet, .27 is explicitly allowed, and .230 is denied.

 

Had done extensive Beta testing back in 2017/18 on the MS510TXPP before the release. Was not aware anything like this was sliding through my own test cases, but sometimes *** happens.

 

@therealmrfox wrote:

So, bottom line, I can't access the UI any more. Do I have any other chance than a factory reset?


Have not retained any other alternate access paths, like SSH?

 

Regards,

-Kurt.

 

 

 

Message 2 of 4
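
Added example, not part of either poster's message and not NETGEAR code: a dry run of management-access rules against your own admin addresses before applying them, to see how the netmask changes what a rule covers. The rule layout, the first-match ordering and the permit-by-default fallback are assumptions made for illustration, not documented switch behaviour; the addresses are the ones quoted in the thread.

```python
import ipaddress

def covered_hosts(rule):
    """Number of addresses the rule's ip/netmask pair covers."""
    net = ipaddress.ip_network(f"{rule['ip']}/{rule['mask']}", strict=False)
    return net.num_addresses

def matches(rule, host):
    """True if host falls inside the rule's ip/netmask range."""
    net = ipaddress.ip_network(f"{rule['ip']}/{rule['mask']}", strict=False)
    return ipaddress.ip_address(host) in net

def decide(rules, host, service, default="permit"):
    """Assumed semantics: rules are checked in order, the first match wins,
    and `default` applies when no rule matches."""
    for rule in rules:
        if rule["service"] == service and matches(rule, host):
            return rule["action"]
    return default

def lockout_check(rules, admin_hosts, services=("http", "https", "ssh")):
    """Admin hosts that would be denied on every management service."""
    return [h for h in admin_hosts
            if all(decide(rules, h, s) == "deny" for s in services)]

# Constructed rule set: one host permitted, one host denied (mask /32).
SINGLE_HOST = [
    {"action": "permit", "service": "http",
     "ip": "10.10.1.27", "mask": "255.255.255.255"},
    {"action": "deny", "service": "http",
     "ip": "10.10.1.230", "mask": "255.255.255.255"},
]

# Constructed rule set: the same kind of deny with a /24 mask on every
# service, which covers the whole subnet instead of one host.
WHOLE_SUBNET = [
    {"action": "deny", "service": s, "ip": "10.1.10.22", "mask": "255.255.255.0"}
    for s in ("http", "https", "ssh")
]

if __name__ == "__main__":
    print(covered_hosts(SINGLE_HOST[1]), covered_hosts(WHOLE_SUBNET[0]))
    print(lockout_check(WHOLE_SUBNET, ["10.1.10.5", "10.1.20.5"]))
```

An empty list from `lockout_check` means every listed admin host keeps at least one management path under the assumed semantics.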
therealmrfox
Initiate

Re: MS510TXPP - locked myself out of admin UI

Thanks @schumaku for the detailed response!

 

@schumaku wrote:

Works for me as designed, certainly on the MS510TXUP, v1.0.5.17

I guess I might've messed it up? I thought I was careful 🙂

 

@schumaku wrote:

Have not retained any other alternate access paths, like SSH?

Nope... In the end, I just did a factory reset and restored from backup, which was fairly painless.

 

Hit one little snag as I had just upgraded the FW before locking myself out. The backup from the older FW didn't work with the new FW, which isn't great. The dual-image feature saved my ass (reboot to older FW, apply backup, reboot to new image).

 

Message 3 of 4
ErwinL
NETGEAR Moderator

Re: MS510TXPP - locked myself out of admin UI

Hello @therealmrfox

 

And welcome to the NETGEAR Community! 🙂

 

I am glad you were able to get access again to your switch with your backup config. Were your issues addressed by schumaku? For this case would you accept his post as a solution to make it more visible for other users?

 

Have a lovely day,
Erwin
Netgear Team

Message 4 of 4