Some questions + luci problem (AR150)

rene · 2015-12-19T16:46:49.000Z

Well, it depends first of all there is no port 83 open on the router (webinterface works with port 80)

second, if you would like to access ssh and the webinterface from your local network you have to change the firewall settings by default incoming traffic to the wan port will be blocked… if you want use ssh you will also have to select the port of the dropbear instance (Advanced ->System -> Administration)

I would recommend to make all changes and settings with wifi from the gl.ar150 or with a lan cable attached to it, sometimes there a strange problems using another router to configure as you can see

edit: Port 83 seems to be the port you can access from the internet if u want to access the router from ur workspace or similar. havent tried it before,

nasna · 2015-12-19T17:22:37.000Z

Hi Rene.
Ok I understand the ‘problem’ now, yes I will have to specify :83 if I want to access it over my local network that the AR150 is connected to. When connected to the AR150 directly, I don’t need to give a port, good

But the problem still remains that I cannot access LuCI or ssh when I am accessing the AR150 over a network.
I don’t understand why I will have to select the port for dropbear, wouldn’t it default to 22?
And if incoming traffic via WAN would be killed, then why can I still enter the GL’s web ui, but not LuCI?

Thanks for the help and information, sorry I am not very knowledgeable about networking…!

– I think I just found what I want for SSH. - “Allow remote hosts to connect to local SSH forwarded port”
– no, it wasn’t that simple, ha (it didn’t seem to work)

rene · 2015-12-19T17:37:13.000Z

You could try to modify the firewall settings go under advanced settings to firewall and then modify the wan interface to allow incoming traffic

i havent tried it before to use the little router in my existing network

And yes, ssh is port 22 but you try it to access with the wan port and i think this could be the problem under Advanced -> System -> Administration you could select the wan interface for dropbear… Maybe it´s working… maybe not i dont know but i would like to help anyways!

nasna · 2015-12-19T18:08:43.000Z

Thanks again
Ok, well under ‘Administration’, dropbear/ssh’s interface is the default ‘unspecified’. Below I see = "Listen only on the given interface or, if unspecified, on all. So that part is not the problem, it will work over wan. But when I attempt to connect and enter the correct password, it tells me it is incorrect… yet a direct connection is fine.

Yes I will look at the firewall… but, I wouldn’t think the problem is with the firewall if I get an ‘incorrect password’ error.
Would allowing incoming wan traffic be ‘insecure’?
Maybe the solution was ‘Gateway hosts’ like I thought earlier and I did something wrong…
Thanks

rene · 2015-12-19T18:28:30.000Z

Hello nasna

well i tried it… and you´re right with port 83 and another network the site keeps refreshing under advanced settings

i will test ssh and the firewall settings and let you know if its working in a few minutes

rene · 2015-12-19T18:34:49.000Z

Yes the solution for the problem is changing the firewall settings, modify the wan interface to accept incoming traffic after that you could access ssh AND the webinterface (on port 80) within your local network

rene · 2015-12-19T18:41:55.000Z

Alfie, could you check if you can access the routers webinterface on port 83 (connect the wan port to different router)and you could access the advanced settings page?

i think nasna found a bug here

nasna · 2015-12-19T19:14:03.000Z

Rene, very kind for testing, thanks for your time!
Ok so editing the firewall is the answer, excellent.
I will read more, I have never played with firewalls before!
I see this: OpenWrt Forum Archive
Maybe it is cleaner/safer to restrict wan incoming connections to ssh only, as opposed to letting everything in. I’m not sure if it is safe/unsafe, as I say I am new to networking

rene · 2015-12-19T20:02:44.000Z

you should be safe i think your local router before the gl-ar does also incoming traffic blocking additional there is your password for ssh / webinterface

alzhao · 2015-12-20T20:53:44.000Z

Luci is blocked from WAN, because in Luci you can do anything easily. However, keep reflashing is a bug. It should just give a deny message. This is done in lighttpd. We will check and get back to this issue.

SSH (port 22) is blocked from WAN too. You can open it on firewall.

Why we use 83 not 80 on WAN. First reason is to differentiate LAN and WAN access. Second, a lot of ISP just blocks 80 port, but not other port by default.

nasna · 2015-12-21T07:07:18.000Z

Thanks alzhao/Alfie(?)

I understand the problems now.
And any information on this?
5. I see this page http://www.gl-inet.com/using-ssh-proxy-in-gl-inet-6416/ – is there not any plan to add this feature to the AR150? I think that is a great feature! (Or is it achievable with the underlying openwrt system?)
6. Is there a reason the default wifi mode is 72M(11ng) and not 150M (ng150)? Just curious, I would imagine the bigger number is better but I understand it might not be that simple!

This is a great device, it is already doing exactly what I wanted to do Thanks

klaberte · 2015-12-21T10:57:11.000Z

Like @alzhao said, performing configuration of the router from the WAN side creates security vulnerabilities. There are ways to do it, but if you aren’t going to spend the time to learn how to harden your router, you probably should just avoid doing this. This is one of those times that the OpenWRT gurus are trying to protect us from ourselves!

[As I understand it, your issue is with OpenWRT, not GLI.]

If you really want to do this, start by taking a look here:

https://wiki.openwrt.org/doc/howto/access.modem.through.nat

But, really, since you have your AR150 in your home network, when you want to configure your AR150, just connect to the AR150’s SSID as a WLAN client and then point your browser to the AR150’s LAN address. Or just connect a wire to the LAN port of the AR150 to your computer, if that suits you better.

Let us know how it goes!

nasna · 2015-12-22T08:03:03.000Z

Sure, Now I understand the LuCI from WAN situation now, I’m not going to make it so I can access it over WAN.
Having SSH access over WAN is fine for me, the change was simple to enable.
And yes that is what I do the few times so far when I want to use LuCI, connect to the AR150’s wifi.

j-maathuis · 2015-12-30T05:32:24.000Z

I don’t know how you want to use the GL-AR150 exactly, but if you use it as an extra hotspot in your house isn’t it more practical to configure the GL-AR150 as a accesspoint instead of a router?
*Jeroen still needs to figure that out himself. :-PThere is enough OpenWRT documentation how to configure OpenWRT for being an accesspoint instead of a router. eth0 then will become just LAN eth0 instead of WAN and eth1 will stay LAN eth1.

nasna · 2016-01-01T20:15:50.000Z

Hi Jeroen, no I don’t want to use it as a hotspot at all really.
(Although if I can set it up so when I am connected it all goes through an ssh tunnel, so I don’t have to run the tunnel on my computer, that would be great!)

All I want the little box to do is run rsync, lftp, download stuff for me whenever I want so I don’t have to leave my computer on over night
And for that it is working great! Anything else is a bonus. Much cheaper/compact/all in one/simple/better wifi than a raspberry pi!

rangerz · 2016-01-01T23:38:48.000Z

nasna, I find your use case very interesting. Please consider writing a “how to” for using these tools on the AR-150, etc including how to install, configure and run (with detail for dummies like me who do not know these apps). What types of source and destinations are you able to manage (local to local, local to FTP, etc)?

frietpan · 2016-01-02T10:58:22.000Z

It would be nice to have the different usecases / configs explained side by side, this is more something for the OpenWrt Wiki.

For the AR-150 it would make a lot of sense to have 3 config directories onder the GPIO 7 and 8 switch. And several configs to choose from in the Luci menu

Router, AccessPoint, Hotspot, NAS, Sambaserver, Printserver, etc. /config a default failsafe config that can’t be changed from the GUI, and 2 ‘user configs’ under GPIO 7 and 8.

This way we could contribute our use case configs and share them here, and make the AR-150 ever more interesting.

alzhao · 2016-01-04T10:29:21.000Z

@nasna, why dont you use aria2 to download?

We have this configuration in 6416 firmware, but never have resource to make it works perfect. So we didn’t involve this in AR150 firmware.

stanislav-khromov · 2016-07-17T14:38:51.000Z

Hi,

I am also having problem with flickering redirect loop when accessing Advanced Settings (Luci)

Is there a step-by-step instruction how I can enable Luci on port 83 and WAN port?

Thank you.

alzhao · 2016-07-18T12:08:46.000Z

@Stanislav, seems this bus is still here. You can modify the config of lighttpd.

edit /etc/lighttpd/conf.d/10-port.conf

remove these three lines

$HTTP[“url”] =~ “^/cgi-bin/luci*”{

url.access-deny=(“”)

}