Limit access to management


#1

Hi! It would be great to have the ability to manage the remote PEPLINK via existing PEPVPN connections from a central NOC. Today this seems impossible as all management related config is related to WAN ports (read: allowed WAN IP address and WAN source IP).

The only option you have is to allow all LAN networks and then you will be able to access management from all local VLANs.


#2

If you have multiple VLANs you can restrict web admin access to a single VLAN but this then means that the WebUi can only be accessed by a device on that same VLAN (so locally connected, or remotely over a Layer 2 VPN).

Firewall rules can’t block access to the webui either or restrict access to specific subnets.

I agree, we ought to have an access control list for the local web admin UI - the ability to add a list of subnets that can access it (either locally or over PepVPN).


ACL Protection for Admin Access
#3

Martin,

I don’t understand why only a single network restriction is allowed either. How come there isn’t the option to select multiple VLANs or network interfaces to restrict the administration to? It’s all or nothing right now and that’s not good (IMHO). Just a thought.


#4

To be fair - I suspect it reflects how most people manage their devices.

Personally I tend to use management VLANs to restrict local LAN device access to the web UI on remotely deployed devices (so when I’m onsite only I can access the web UI with a device in the right VLAN), then manage the entire estate using IC2 / remote web admin. That approach (combined with IC2 managing the admin username and password centrally - and using long passwords) works perfectly for me and I suspect most others.

I had to run up test devices in my lab here to check what you wanted to achieve as I have never configured remote access (and locked it down locally) in exactly that way before using Peplink devices - which considering how long I’ve been doing this and the number of customer deployments I’ve been involved with in itself says something. Perhaps this is a reflection of differing approaches to remote web ui access between vendors.

However I agree that with a traditional NOC approach and using traditional management tools, the capability to do what you want here (locally secured webui access available over vpn) is important.

I’m sure Peplink engineering will consider improvements that could be made to enable that approach.


#5

Thanks for that. Currently I have to open for any access on LAN. If I limit to a local VLAN I lose both SNMP monitoring and management from a central place. Hope you can add it soon.


#6

Personally I prefer a Management VLAN yes and I actually prefer to administer a router for example by console – very few devices offer this feature today and even fewer people know how to connect and operate one. :)

I agree that the average user has a hard enough time figuring out their password to login but Pepwave is targeted towards commercial where it seems a feature like this would be very basic and expected functionality. I should be presented with a list of all available networks and interfaces and able to limit access to only a specific one OR to pick and choose, mix and match, to make an “access list” group for management.


#7

I also posted a similar topic just now.

I agree that this should be a basic feature, limiting access to management as a protection.

A simple approach is just to allow defining an ACL in the “Allowed LAN Networks” section, even with only one LAN segment defined.


#8

Please don’t use the term ACL as that refers to Cisco equipment and nomenclature. :)

I’d like to see much finer-grain control capabilities for admin management as well. It seems like the most basic stuff.

Then again, my SOHOs still go belly up for any admin access locally when I enable HTTPS admin and that bug hasn’t been fixed yet either.


#9

The Web Admin Access under System > Admin Security > Admin Settings is to limit the access from WAN, not from LAN. This is not a bug. If you wish to limit the access from LAN, please refer to the suggestion from @MartinLangmaid here.


#10

Not to go off on too much of a tangent, but “ACL” is a generally employed TLA for “Access Control List,” not specific or limited to Cisco equipment. https://en.wikipedia.org/wiki/Access_control_list
Cheers,
Z.


#11

First of all, I don’t allow WAN-side Admin access. That’s foolish in any scenario.

Secondly, um…yes, the setting affects LAN side access. If I restrict it to a single network (or VLAN) then in fact I am only able to access the Administration from said network or VLAN. It also locks out the app, unless it is sitting on the specified network or VLAN (as I would expect it to, appropriately.) So here we have a very basic feature and a very important one which apparently even Peplink staff aren’t familiar with or have a misunderstanding of the functionality.

This needs to be addressed, along with the other major issue I’ve raised numerous times that still hasn’t been resolved. Namely, setting the Admin to HTTPS and using a port other than 443. Immediately, I lose any and all access (from any network) to the Administration. The only way in is via InControl which has no problem bringing up the WebUI (interesting, eh?). I’m not doing it wrong and my equipment works. The problem lies with the Pepwave product and/or the firmware. This is a serious oversight and it needs to be addressed.


#12

Hi! The LAN option should be replaced by a simple access list to limit who can do management/SNMP, independent of whether they access via IPsec/PepVPN. Leaving the option at ANY makes all local LANs able to access the management page.


#13

Agreed. Pepwave really needs to get this done. Administration is no small matter and a basic fundamental item for any network. One should be able to select each individual interface and the network(s) (both WAN and LAN, in fact) which are allowed to access Administration. This ‘all or nothing’ is ridiculous.