Admin UI access from multiple VLANs

My Surf SOHO’s (v 8.0.0 build 1429) WAN port is in the DMZ of my ISP’s DSL Modem to avoid double NAT.

I would like to block access to the SOHO’s admin UI from the Internet.

Setting “Web Admin Access” to “LAN Only,” however, doesn’t accomplish this unless “Allowed LAN Networks” is further restricted to one of my VLANs. Setting “Allowed LAN Networks” to “Any” permits WAN admin UI access via the public IP, e.g. from the browser on my cell phone, even if Web Admin Access is “LAN Only.”

Is that the intended behavior? Is there a way to restrict WAN admin access without restricting admin access to a single VLAN?

Dear @dlpoole

Thanks for posting in the forum.

First comment is about the expected behaviour of Web Admin Access:

  • LAN/WAN - Management is allowed through LAN/WAN interfaces, with or without IP source restrictions.
  • LAN only - Management is allowed through LAN interfaces (including virtual) with an option to restrict the IP source to a single subnet. In this case a LAN station can point either to the LAN IP or to the public WAN IP to access the management UI.

To get an exact answer I need more details about your setup: 1) physical topology; 2) Surf SOHO configuration.

It may be that your cell phone is connected to the LAN network. If so, then all is fine; access via the public IP is allowed. But if your smart device really comes from the Internet through the WAN, there is a problem.
You can always check the open ports on your router’s WAN interface using an online tool like this:
https://www.yougetsignal.com/tools/open-ports/

If you provide more details, including screenshots of your network configuration, we can continue here. Otherwise, if the issue exists, please feel welcome to open a ticket at https://ticket.peplink.com/
BTW, it is recommended to use the latest firmware v8.0.1.

Thanks & Regards

1 Like

Ricardas,

Thanks for the quick response.

I was fairly sure the phone wasn’t authenticated to the SOHO’s APs, but perhaps it was, or I was seeing a cached SOHO admin login.

I just repeated the test with the phone’s WiFi turned completely OFF and I cannot reproduce the previous result. With Web Admin Access set to LAN Only and allowed LAN access set to Any, a port scan on the public IP from the phone shows only ports 80 and 443 as OPEN, but there is no response to a browser request. I’d prefer closed or, better yet, blocked ports to discourage further probes, but as long as the SOHO’s UI isn’t accessible from the Internet, that meets my needs. If that is the intended performance, then there is no need to open a support ticket.

Thanks for your support.

Dave

It is advised to scan the device by connecting directly to the WAN, to avoid unpredictable behavior when doing a scan from/through the Internet. There might be a port open on a router in front of the Peplink SOHO, or some ISPs may intercept the traffic at different times, and you may see the port as open. Directly on the WAN port means taking a laptop or PC, connecting a cable directly to the router, and doing a port scan from your system’s LAN port to the router’s WAN port.

Examples of similar cases:

1 Like
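One way to run the wired check described above and read the result the way the thread does (a service answering, a port that is merely closed, or a probe that is silently dropped), as an added example that is not code from the thread or from Peplink. The WAN address 192.0.2.1 is a documentation placeholder and the port list is an assumption; run it from a PC cabled directly to the router’s WAN port.

```python
"""Connect-probe a few TCP ports on a router's WAN address and report each as
open (handshake completed), closed (RST received) or filtered (no answer
within the timeout, i.e. the SYN was dropped). Constructed example."""
import socket
import sys

# Assumed ports worth checking on a SOHO router's WAN side (admin UI and common services)
DEFAULT_PORTS = (22, 23, 80, 443, 8080)


def classify_port(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for a single TCP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return "filtered"      # SYN silently dropped: the desired WAN-side result
        except ConnectionRefusedError:
            return "closed"        # RST came back: nothing listening, but the host answers
        except OSError:
            return "filtered"      # host/network unreachable also counts as no answer
        return "open"              # three-way handshake completed: a service is listening


def scan(host, ports=DEFAULT_PORTS, timeout=2.0):
    """Probe each port and return {port: state}."""
    return {p: classify_port(host, p, timeout) for p in ports}


def local_demo():
    """Offline self-check on 127.0.0.1: one listening socket and one port known to be closed."""
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))   # ephemeral port chosen by the OS
        listener.listen(1)
        listening_port = listener.getsockname()[1]
        with socket.socket() as spare:
            spare.bind(("127.0.0.1", 0))  # reserve a second port, then release it unlistened
            released_port = spare.getsockname()[1]
        return {
            "listening": classify_port("127.0.0.1", listening_port, timeout=1.0),
            "released": classify_port("127.0.0.1", released_port, timeout=1.0),
        }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder WAN address
    for port, state in sorted(scan(target).items()):
        print(f"{target}:{port}\t{state}")
```

Against a correctly configured WAN port every probe should come back "filtered"; "closed" shows the router answered with a reset, and "open" means something is listening.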

aldwinaldwin: Thanks for the advice. Sure enough, when probed over a wire, every port on the SOHO WAN port is blocked. My original observation must have been over a local LAN connection or a cached login page from one.

I simulated Horowitz’ experiment using a dumb e-net hub and Wireshark to sniff traffic on the WAN port. All of the SYN packets for the common ports probed from the phone with Net Analyzer were visible, sourced via an AT&T CGNAT provider then properly dropped by the SOHO. The probe of port 80 was also visible, sourced instead by a server within AT&T mobility, then also properly dropped by the SOHO. That may be a proxy intended to throttle a web server were I running one.

The Surf SOHO is doing exactly what it should.

6 Likes