Firewall - Blocking LAN access to web admin of modem/router

I am running my PepWave Surf Soho behind my ISP router/modem. The ISP router is nat’ed and the surf soho is nat’ed.

My ISP Modem can be accessed from the LAN on 192.168.1.1 and my surf soho can be accessed on the LAN at 192.168.50.1. When connected to my surf soho, if I type 192.168.1.1 in my web browser, I can still access my ISP modem/router’s web interface and change its settings.

What I would like to do is to completely block access to my ISP Modem’s web interface when behind the LAN on the surf soho, so that the only way to access the ISP settings is to plug directly into the ISP modem.

According to some very old posts that I found, all I have to do is set my outbound firewall to block 192.168.1.1. Unfortunately, when doing so, internet access from the web browser gets blocked. So I’m not exactly sure how to specifically block the web page 192.168.1.1 from outbound connections on the Surf Soho, while keeping the rest of my internet active. Is there an easy way to do this that anyone can think of?

Thank you so much in advance for any help and guidance in helping me solve this issue! Cheers Peplink Community!

Hi Dan_Ran,

Home user here / SURF MK3. I have a similar double NAT’d home setup. My ISP modem/router has a separate IP address for the admin page and gateway. I just tried blocking my ISP modem/router’s admin IP address with a SURF outbound firewall rule(s) and it worked:

If that doesn’t work you could make another rule but this time specify HTTPS. If that doesn’t work you could try modifying the Destination>Single port value to any for both rules.

Not an expert - but I don’t think you can because you are double NAT’d or it sounds like your gateway and admin page reside on the same IP address so the above would not work. It sounds like the admin page is hardcoded to exist on the gateway - so you can’t change it to effect the above solution.

Can you specify a different gateway IP / admin page IP / or other subnet on a manual configuration of the ISP equipment? You could try tinkering/reconfiguring the ISP modem/router PPPoE settings to get this to work. This may involve a factory reset or 2, so make sure you take a few pictures or screenshots of everything and/or have your ISP account login info handy. Some ISP modem/routers also allow you to download a configuration file so you can get it back up and running faster after a failed test.

You could try experimenting with NAT Mappings on the SURF - but I don’t know how to do that or if it would work either.

Although I too am double NAT’d - it just worked with the ISP modem/router I have because the admin page uses a different address. You could try picking up a different new/used ISP modem/router that supports your usage case. Or just get a dedicated modem that can do bridging?

Another workaround is you could bridge the ISP modem/router if it had that option, to eliminate both problems (double NAT/ ISP modem/router admin access). This typically eliminates the ability to log in via an IP address and instead only allows SSH or something which you could also block with a firewall rule. If you bridge the ISP modem/router you would have to reconfigure the SURF’s WAN details to use PPPoE (typically) and enter your ISP account login info there.

Another workaround would be if the ISP modem/router has admin whitelisting or parental control whitelisting.

You could also try your ISP’s tech support number and explain your situation and see if they can resolve it, (don’t tell them about your fancy router). There’s probably a few other ways to do it too but that’s as far as I got.

Hope that helps!

*tinkering around with the ISP provided equipment could brick it - do you have an old modem preconfigured ready to go “just in case”? Almost everyone has unlimited data plans on their phones now anyways - you could just WiFi WAN until you can sameday a new modem.


Hey @happysurfer! Thank you so much for the long and detailed response! This has been a great help! I’m not sure why I couldn’t seem to get it working beforehand, but all I did was follow your setup in the screenshot for both http as well as https and indeed my webif for my ISP router is now blocked successfully! I can’t tell you how much I appreciate your help, and hope this can contribute towards helping any other users with the same issue! Cheers Friend!

Dan
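To confirm the outcome described in this thread (HTTP and HTTPS to 192.168.1.1 blocked, internet still working), the check below can be run from a client on the Surf SOHO LAN. It is an added example, not part of the original posts; the function names are hypothetical, and the internet test targets (`1.1.1.1:443`, `example.com`) are assumptions that can be swapped for any public host.

```python
import socket

MODEM_ADMIN_IP = "192.168.1.1"     # ISP modem/router address from the thread
ADMIN_PORTS = (80, 443)            # the HTTP and HTTPS rules discussed above
INTERNET_CHECK = ("1.1.1.1", 443)  # assumption: any reachable public host works
DNS_CHECK_NAME = "example.com"     # assumption: any public name works


def tcp_connects(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, unreachable and timed-out (silently dropped) all count as blocked.
        return False


def resolves(name):
    """Return True if the client can still resolve a public name."""
    try:
        socket.getaddrinfo(name, 443)
        return True
    except OSError:
        return False


def audit(probe=tcp_connects, resolve=resolves):
    """Report whether the admin UI is blocked without breaking internet access."""
    open_ports = [p for p in ADMIN_PORTS if probe(MODEM_ADMIN_IP, p)]
    internet_ok = probe(*INTERNET_CHECK)
    dns_ok = resolve(DNS_CHECK_NAME)
    if open_ports:
        verdict = "FAIL: admin UI still reachable on port(s) %s" % open_ports
    elif not internet_ok:
        verdict = "FAIL: admin UI blocked, but internet by IP is blocked too"
    elif not dns_ok:
        verdict = "FAIL: admin UI blocked, but name resolution is broken"
    else:
        verdict = "PASS: admin UI blocked, internet still reachable"
    return {"admin_ports_open": open_ports, "internet_ok": internet_ok,
            "dns_ok": dns_ok, "verdict": verdict}


if __name__ == "__main__":
    print(audit()["verdict"])
```

A second FAIL or third FAIL verdict corresponds to the situation in the first post, where the blocking rule also cut off browsing, and points at a rule that matches more than the admin ports.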
