Home user here / SURF MK3. I have a similar double NAT’d home setup. My ISP modem/router has a separate IP address for the admin page and gateway. I just tried blocking my ISP modem/router’s admin IP address with a SURF outbound firewall rule(s) and it worked:
If that doesn’t work you could make another rule but this time specify HTTPS. If that doesn’t work you could try modifying the Destination>Single port value to any for both rules.
Not an expert - but I don’t think you can because you are double NAT’d or it sounds like your gateway and admin page reside on the same IP address so the above would not work. It sounds like the admin page is hardcoded to exist on the gateway - so you can’t change it to effect the above solution.
Can you specify a different gateway IP / admin page IP / or other subnet on a manual configuration of the ISP equipment? You could try tinkering/reconfiguring the ISP modem/router PPPoE settings to get this to work. This may involve a factory reset or 2, so make sure you take a few pictures or screenshots of everything and/or have your ISP account login info handy. Some ISP modem/routers also allow you to download a configuration file so you can get it back up and running faster after a failed test.
You could try experimenting with NAT Mappings on the SURF - but I don’t know how to do that or if it would work either.
Although I too am double NAT’d - it just worked with the ISP modem/router I have because the admin page uses a different address. You could try picking up a different new/used ISP modem/router that supports your usage case. Or just get a dedicated modem that can do bridging?
Another workaround is you could bridge the ISP modem/router if it had that option, to eliminate both problems (double NAT / ISP modem/router admin access). This typically eliminates the ability to log in via an IP address and instead only allows SSH or something which you could also block with a firewall rule. If you bridge the ISP modem/router you would have to reconfigure the SURF’s WAN details to use PPPoE (typically) and enter your ISP account login info there.
Another workaround would be if the ISP modem/router has admin whitelisting or parental control whitelisting.
You could also try your ISP’s tech support number and explain your situation and see if they can resolve it (don’t tell them about your fancy router). There are probably a few other ways to do it too but that’s as far as I got.
Hope that helps!
*Tinkering around with the ISP provided equipment could brick it - do you have an old modem preconfigured ready to go “just in case”? Almost everyone has unlimited data plans on their phones now anyways - you could just WiFi WAN until you can same-day a new modem.