This isn't really a Linux question but it is network/computer related so it's not that far off topic.
We've just got ADSL and I'm now up and running with a Zyxel 660H router/switch.
I would like to be able to configure the Zyxel remotely using the web interface but I would also like to make a Web server on one of the machines in our home network visible to the outside world. Is it possible to do both of these things at the same time?
The Zyxel has a specific menu for setting up access to the management interface, you can enable/disable the telnet and HTTP interfaces for LAN or WAN or LAN & WAN. You can also set the port number associated with these.
In the NAT configuration you can set up services on the LAN which you wish to be visible to the outside world.
However I don't see how one can have a web server visible to the outside world at the same time as making the management interface visible as they will both appear as the same port number and IP address.
I tried changing the port number for the management interface access from the default 80 to 8080 but that just stopped it working completely because the firewall at the other end wouldn't pass traffic on port 8080.
Is there any clever redirection I can do on the LAN to make it possible to connect to the Web server on the LAN and then to the Zyxel router from the LAN side?
I could configure using telnet, I'm quite happy to do that, but it's hardly secure over the internet. I suppose I can set it so that it's only accessible from specific IP addresses which might be OK.
On Wed, 2005-05-18 at 21:43 +0100, Chris Green wrote:
> This isn't really a Linux question but it is network/computer related so it's not that far off topic.
> We've just got ADSL and I'm now up and running with a Zyxel 660H router/switch.
> I would like to be able to configure the Zyxel remotely using the web interface but I would also like to make a Web server on one of the machines in our home network visible to the outside world. Is it possible to do both of these things at the same time?
> The Zyxel has a specific menu for setting up access to the management interface, you can enable/disable the telnet and HTTP interfaces for LAN or WAN or LAN & WAN. You can also set the port number associated with these.
> In the NAT configuration you can set up services on the LAN which you wish to be visible to the outside world.
> However I don't see how one can have a web server visible to the outside world at the same time as making the management interface visible as they will both appear as the same port number and IP address.
> I tried changing the port number for the management interface access from the default 80 to 8080 but that just stopped it working completely because the firewall at the other end wouldn't pass traffic on port 8080.
> Is there any clever redirection I can do on the LAN to make it possible to connect to the Web server on the LAN and then to the Zyxel router from the LAN side?
> I could configure using telnet, I'm quite happy to do that, but it's hardly secure over the internet. I suppose I can set it so that it's only accessible from specific IP addresses which might be OK.
Hi Chris,
There is something you could try, but it is really very nasty, and about as secure as anything M$ :-)
Apache has a proxying capability, so you could connect to the web server on your pc, and depending on your url proxy it to the Zyxel.
The thing is this opens up all kinds of security holes, and people start using your webserver as a proxy. I tried using it to talk to the web interface on my Tivo. In the end I just enabled passwords on the Tivo, and set up port forwarding on my linux machine.
My turn for a question now...
Is the Zyxel modem any good? Does it do PPPoA to PPTP relaying? Currently I'm using an Alcatel Speedtouch Pro, using the relaying function so my Linux PC gets the IP address. I was thinking about replacing it with the Zyxel when it eventually dies, not that it's showing any signs of sickness at the moment :-)
Chris
On Wednesday 18 May 2005 10:00 pm, Chris Glover wrote:
> My turn for a question now...
> Is the Zyxel modem any good? Does it do PPPoA to PPTP relaying? Currently I'm using an Alcatel Speedtouch Pro, using the relaying function so my Linux PC gets the IP address. I was thinking about replacing it with the Zyxel when it eventually dies, not that it's showing any signs of sickness at the moment :-)
Most of the issues you will see with PPTP are a result of trying to tunnel it through NAT, a lot of routers suffer from this. More so at the endpoint rather than the client (There are very few Routers that won't let you be a PPTP client)
The issue seems to be to do with the Protocol 47 (GRE) packets hitting a NAT translated address at the endpoint with the wrong source address.
Actually when dealing with a Microsoft Server VPN as an endpoint I find Netgear Routers to be the best bet, my D-Link DSL-604+ will only work as a client.
If you want to be a VPN endpoint then I'd recommend Draytek Routers (The 2600Plus) and actually using the Router as the endpoint. They support pretty much any VPN client and are a doddle to set up. More expensive than your common or garden ADSL router though.
On Wed, 18 May 2005, Wayne Stallwood wrote:
> If you want to be a VPN endpoint then I'd recommend Draytek Routers (The 2600Plus) and actually using the Router as the endpoint. They support pretty much any VPN client and are a doddle to set up. More expensive than your common or garden ADSL router though.
Sorry, I didn't make that very clear, did I? What I meant was my ADSL gets converted by my ADSL modem to raw PPP. I use the PPTP client on my linux machine pointed at the IP address of my modem, so my linux PC, which handles all the NATing gets the IP address. I do this as I use Asterisk, and trying to make VOIP work through NAT is a pain in the arse, this was just easier, and it works very well.
ISP --ADSL--> Modem --PPTP--> Linux PC (which gets real IP)
Confused, you should be :-)
On Wed, May 18, 2005 at 10:33:48PM +0100, Wayne Stallwood wrote:
> On Wednesday 18 May 2005 10:00 pm, Chris Glover wrote:
> > My turn for a question now...
> > Is the Zyxel modem any good? Does it do PPPoA to PPTP relaying? Currently I'm using an Alcatel Speedtouch Pro, using the relaying function so my Linux PC gets the IP address. I was thinking about replacing it with the Zyxel when it eventually dies, not that it's showing any signs of sickness at the moment :-)
> Most of the issues you will see with PPTP are a result of trying to tunnel it through NAT, a lot of routers suffer from this. More so at the endpoint rather than the client (There are very few Routers that won't let you be a PPTP client)
> The issue seems to be to do with the Protocol 47 (GRE) packets hitting a NAT translated address at the endpoint with the wrong source address.
The Zyxel manual has a section about clients that don't work with NAT and it has ways of overcoming the problem so it may well be that it does address Chris Glover's requirement.
> Actually when dealing with a Microsoft Server VPN as an endpoint I find Netgear Routers to be the best bet, my D-Link DSL-604+ will only work as a client.
> If you want to be a VPN endpoint then I'd recommend Draytek Routers (The 2600Plus) and actually using the Router as the endpoint. They support pretty much any VPN client and are a doddle to set up. More expensive than your common or garden ADSL router though.
Again the Zyxel does support VPN.
On Wed, May 18, 2005 at 10:00:27PM +0100, Chris Glover wrote:
> There is something you could try, but it is really very nasty, and about as secure as anything M$ :-)
Where does MS come into it then?
> Apache has a proxying capability, so you could connect to the web server on your pc, and depending on your url proxy it to the Zyxel.
> The thing is this opens up all kinds of security holes, and people start using your webserver as a proxy. I tried using it to talk to the web interface on my Tivo. In the end I just enabled passwords on the Tivo, and set up port forwarding on my linux machine.
I'll look into that, thanks, maybe it can be tied down to just the one IP address or something.
> My turn for a question now...
> Is the Zyxel modem any good? Does it do PPPoA to PPTP relaying? Currently I'm using an Alcatel Speedtouch Pro, using the relaying function so my Linux PC gets the IP address. I was thinking about replacing it with the Zyxel when it eventually dies, not that it's showing any signs of sickness at the moment :-)
It seems pretty good, the manuals and everything are available from the Zyxel web site (I think, some systems are down here at work and I can't get to the web at the moment). So you can get the full manual and look for yourself. The firewall is pretty comprehensive and easy to configure as well plus NAT is also quite comprehensive.
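The Apache proxying idea raised above, with the two concerns from the thread addressed (the server being used as an open proxy, and tying access down to one IP address), as an added example that is not part of the original thread. It uses Apache 2.4 syntax; the router address 192.168.1.1, the /router/ prefix and the client address 203.0.113.10 are assumed values.

```apache
# Added example; Apache 2.4 syntax. Assumed values: router LAN address
# 192.168.1.1, URL prefix /router/, permitted client 203.0.113.10.
# Requires mod_proxy and mod_proxy_http to be loaded.

# Weak setting: "ProxyRequests On" makes the server a forward proxy that
# relays requests to any destination a client names, which is how a
# public web server ends up being used as an open proxy.
#ProxyRequests On

# Corrected: reverse proxying only. ProxyPass still works with this Off.
ProxyRequests Off

<Location "/router/">
    # Forward only this prefix, and only to the router's admin interface.
    ProxyPass        "http://192.168.1.1/"
    ProxyPassReverse "http://192.168.1.1/"

    # Tie access down to a single source address; everyone else gets 403.
    Require ip 203.0.113.10
</Location>
```

Admin pages that link to absolute paths will not resolve under the /router/ prefix, and the router login crosses the internet in cleartext unless this virtual host is served over HTTPS.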
Chris Green wrote on 19 May 2005 08:45:
> It seems pretty good, the manuals and everything are available from the Zyxel web site (I think, some systems are down here at work and I can't get to the web at the moment). So you can get the full manual and look for yourself. The firewall is pretty comprehensive and easy to configure as well plus NAT is also quite comprehensive.
ZyXEL kit is pretty good stuff indeed. I've had a Prestige 650HW and it was a solid all-round performer. We had a lot of problems with the wireless Draytek models (although the wired models are just fine) and consequently started replacing them with ZyXEL kit and never looked back since.
Regards,
Martyn
Martyn Drake wrote:
> Chris Green wrote on 19 May 2005 08:45:
> > It seems pretty good, the manuals and everything are available from the Zyxel web site (I think, some systems are down here at work and I can't get to the web at the moment). So you can get the full manual and look for yourself. The firewall is pretty comprehensive and easy to configure as well plus NAT is also quite comprehensive.
> ZyXEL kit is pretty good stuff indeed. I've had a Prestige 650HW and it was a solid all-round performer. We had a lot of problems with the wireless Draytek models (although the wired models are just fine) and consequently started replacing them with ZyXEL kit and never looked back since.
> Regards,
> Martyn
Hmmm... We've been using Linksys, but have had a few reliability problems recently. I think I'll take a look at the ZyXEL stuff.
Cheers, Laurie.
On Thu, May 19, 2005 at 09:42:14AM +0100, Martyn Drake wrote:
> Chris Green wrote on 19 May 2005 08:45:
> > It seems pretty good, the manuals and everything are available from the Zyxel web site (I think, some systems are down here at work and I can't get to the web at the moment). So you can get the full manual and look for yourself. The firewall is pretty comprehensive and easy to configure as well plus NAT is also quite comprehensive.
> ZyXEL kit is pretty good stuff indeed. I've had a Prestige 650HW and it was a solid all-round performer. We had a lot of problems with the wireless Draytek models (although the wired models are just fine) and consequently started replacing them with ZyXEL kit and never looked back since.
The 660H is quite similar to the 650H I think, just a bit newer and whizzier.
On Wed, May 18, 2005 at 09:43:32PM +0100, Chris Green wrote:
> This isn't really a Linux question but it is network/computer related so it's not that far off topic.
Sounds on topic enough to me, you are trying to talk to a Linux box after all ;)
> I could configure using telnet, I'm quite happy to do that, but it's hardly secure over the internet. I suppose I can set it so that it's only accessible from specific IP addresses which might be OK.
You talked about ssh earlier today... why can't you ssh to your home pc and then use a text browser to configure the router or use X forwarding to the host you launch ssh on and a graphical browser if you are that way inclined? (and FWIW I don't think I have ever actually needed to change the configuration on my ADSL router when I have not actually been at home, tbh the actual adsl and network part perhaps only gets fiddled with very infrequently).
Adam
On Wed, May 18, 2005 at 10:21:16PM +0100, Adam Bower wrote:
> > I could configure using telnet, I'm quite happy to do that, but it's hardly secure over the internet. I suppose I can set it so that it's only accessible from specific IP addresses which might be OK.
> You talked about ssh earlier today... why can't you ssh to your home pc and then use a text browser to configure the router or use X forwarding
Text browser doesn't work as the Zyxel configuration pages use lots and lots of javascript. There are even some incompatibilities with firefox (though almost everything works with Firefox), you have to use IE to edit existing firewall settings.
I must try getting X forwarding working with ssh, at present it doesn't but I think that may be partly due to going through intermediate systems. I now have the work firewall opened up (small company, I'm friendly with the IT people) so that I can connect direct to from my home system so it may well be that I can get ssh/X tunneling working.
> to the host you launch ssh on and a graphical browser if you are that way inclined? (and FWIW I don't think I have ever actually needed to change the configuration on my ADSL router when I have not actually been at home, tbh the actual adsl and network part perhaps only gets fiddled with very infrequently).
True, I suspect I won't want to configure remotely after the first week or two.
On Thu, May 19, 2005 at 08:49:44AM +0100, Chris Green wrote:
> I must try getting X forwarding working with ssh, at present it doesn't but I think that may be partly due to going through intermediate systems. I now have the work firewall opened up (small company, I'm friendly with the IT people) so that I can connect direct to from my home system so it may well be that I can get ssh/X tunneling working.
... and I can, I now have X working through my ssh connection from work to home. However, running firefox across this connection is not really a practical proposition, it's too slow to be really usable.
The first time I tried it firefox outsmarted me, it worked out that there was a copy of firefox already running on my Solaris box at work and popped up a new window from that rather than running a copy on my home system and using X. I had to close down the firefox on my work system before starting the remote firefox at home, then it worked, but very slowly.
I think I'll just enable the telnet router management for the outside world and specify what IP addresses it can work from, that (along with a good password) is secure enough.
I'm pleased to have got the X working across ssh though, simpler things like terminal windows run at perfectly acceptable speed, it also means I can work from home more practically as there are a few X applications that I need to run to do much work even though most of the time I'm using terminal windows.
On Thu, May 19, 2005 at 10:02:27AM +0100, Chris Green wrote:
> I'm pleased to have got the X working across ssh though, simpler things like terminal windows run at perfectly acceptable speed, it also means I can work from home more practically as there are a few X applications that I need to run to do much work even though most of the time I'm using terminal windows.
Hmmn, if you find IE to be better for router admin then you could tunnel vnc over ssh, which should be much more usable if you are having problems with firefox over X.
Adam