How to access Brume 2 UI on home network

danielrevans4 · June 4, 2024, 2:55pm

Hello! New user here. I'm having trouble access my Brume 2 GUI on my home network. I have the Brume plugged into my home router's LAN port. Then I connect my PC to the home router's wifi (my mac doesn't have an ethernet port so can't connect directly.)

Brume (LAN) <-- Router --> Laptop (Wifi)

I tried to type in the default 192.168.8.1 in a browser but it would not load. I checked on the Router's GUI and I see the Bume is indeed connected and it says the IP address is 192.168.2.151. I tried typing that in the browser but it also did not work.

How do you access the Brume's GUI when it's connected to your home router?

LupusE · June 4, 2024, 4:38pm

You have 2 Networks. Home Network and Brumme Network. This are 2 different subnets and this is good.

Plug the Laptop/PC to LAN on your Brume and it will get a 192.168.8.0/24 address. Now you can access the Brume at 192.168.8.1 ...
Go to 'Network - Firewall' and select the Tab 'open Port on Router'. Here add 80 (http) and 443 (Https) if there is not already a switch for the web frontend.

Now you can connect the WAN of your Brume to the LAN of your Home Network, and access the Brumme with the IP it is getting from your home networks router.
Maybe you'll check this on left hand menu - Internet', befor you plug the LAN cable.

danielrevans4 · June 4, 2024, 5:02pm

hi, thanks for your response.

two things here:

I don't have an ethernet port on my laptop so I can't connect the Brume directly as you suggested. The brume is plugged in to my home router, so was hoping to get to the Brume UI somehow this way
for opening ports, is that the only step I need to do to allow access to the Brume UI from outside the network? what about something like IP passthrough?

LupusE · June 4, 2024, 5:19pm

Complicated, but possible: Set your Home router do Network 192.168.8.0/24 with another own IP as 192.168.8.1 ...
Easier but need investment: You should have LAN to configure a LAN only router, maybe a 10 bucks USB port replicator?

What do you want to forward?

The Brume got a Web Interface. This interface is not available from WAN -> secure.
So you set up in the firewall that the local Web interface is also available from WAN.

You could also use the LAN from the Brume and connect to LAN from the home router, and see how this will end. At least the two DHCP servers will be fun. But when you manage to disable one of them, you want the services from the brume as embedded PC?
I think GL-iNet should build a VPN server without router. As many people seems to want this lately.

danielrevans4 · June 4, 2024, 6:02pm

yes I've gone ahead and ordered a USB-C to Ethernet adapter from Amazon, should get here tomorrow.

i'm going to use the Brume as a wireguard server and take a travel router with me as the wireguard client. i'm a little fuzzy on the router settings through once I get to that step. i know you either need to do port forwarding but I've also used IP passthrough in the past to skip all of that. I'll also enable DDNS on the brume

LupusE · June 4, 2024, 6:08pm

This is a whole new situation.
The WireGuard port needs to be forwarded on your home router. But only the WireGuard port, not the Web interface!
Die DDNS should work without port forwarding.

danielrevans4 · June 4, 2024, 6:32pm

i want to be able to access the web interface remotely as well though, so I can make changes to the WG server settings if needed.

i'm going to set the WG port as 51820 so I'll forward that

LupusE · June 4, 2024, 6:42pm

You really should not forward the http(s) from the internet. Behind the port(s) is the GL-iNet UI and Luci. Please don't do this.

If you have VPN, you could make it available through VPN.

danielrevans4 · June 4, 2024, 7:12pm

not sure I follow. my network abilities start to show their cracks there. i read you have to port forward the WG port, or just allow IP passthrough to the Brume. i've been reading all sorts of different how-tos online, many with contradictions

LupusE · June 4, 2024, 7:44pm

The Internet is a scary dangerous mine field. A router with a firewall can protect you, but only if you use it wise.

So you've got a home router, that has one connect to the Internet and one to the LAN. Within the LAN you can access different services. The web front end (UI), the DNS forwarder, the DHCP Server, ... From the Internet you don't. why would you even want to access your router insecure from the internet?

Now we have a special situation, your Brume makes exact the same, it protects the LAN from the WAN. But as we are knowing the Brume WAN is your home LAN, we can open the services. I hope there is no thread in your home LAN.
Why would you want to access a device in your LAN from the insecure internet? Could you make sure you are the only one who is using this path you opened?

But if you open the WebUI to the Internet, you are on your own. Everybody can connect to the UI and bruteforce your password, use nginx exploits, ... If you don't know what you are doing, than don't take this risk.
And believe me, if you think you are smart and put the http(s) port from publicip:1234 to LANIP:80, this is not really a countermeasure.

WireGuard is build in another way. You can only access with a valid credential, that is much more complex than a standard username and a most times simple password. I am not a fan of the user management from GL-iNet. I would like to rename the admin. To add staged users with role based permissions, one per service ...
But I used to work in enterprise networks, here we are in home environment. Who want to track 7 usernames with complex passwords?

If you forward Wireguard from the Internet trough your home router to your GL-iNet device, it is fine.
If you forward your Admin UI from the internet in any way, it is an issue. And nobody else will be responsible if something will happen, based on that.

You want a VPN to access your LAN securely from remote. Then take care everything which is in the LAN stays there and maybe in the VPN.