HTTPd "local" admin server is binding to both LAN and WAN interfaces

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2022-03-24 09:30:27 - last edited 2022-03-31 14:22:33
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: 1.2.0 Build 20220117 Rel.74491

So, when using Advanced IP Scanner v2 to scan my entire home network, I noticed that in the physical DMZ network we have, the ER7206 was offering an HTTP(S) service.

Being curious, I took a look and yes, the local admin pages are fully accessible on the WAN side of the network I'm running as well as the LAN side.

Clearly the httpd service is configured to bind to all interfaces when it should not be doing so.

Here's the LAN side admin URL in the browser which is fine.

I wasn't expecting the httpd server to respond but it does on the WAN side of the network.

Here's the WAN IP address DHCP assignment from our primary router.

I have run a router as a secondary router/firewall ever since I found out that our ISP has a back door built into the firmware of their router which we MUST use. The ER7206 is the latest router I've put into the network, replacing the old router that broke. The ER7206 is therefore being used to create a small DMZ network that our ISP can see with guest Wi-Fi on it, then, behind the ER7206, our main network exists.

By doing this, our main network is fully protected from prying eyes. However, I wasn't expecting the httpd to be providing access to the admin area on the WAN side of things at all and I view this as a security risk.

As you can see from the next screenshots, remote admin is off...

HTTP admin is configured to redirect to HTTPS.

There's no way to specify which side of the LAN/WAN the httpd should bind to and I'd expect it to default to LAN binding only, but it seems it is binding to every available interface.

I know the router is password protected but as a security issue, the admin area interface shouldn't really be binding to the WAN side of the router at all.

Is this a bug or an issue with my configuration? Is there a checkbox I'm missing that I need to change to fix this or would it require a firmware update to change the network binding details for the router?

Thanks

Paul
Accepted Solution
Re:HTTPd "local" admin server is binding to both LAN and WAN interfaces-Solution
2022-03-28 08:55:25 - last edited 2022-03-31 14:22:33

Dear @Paul2004V ,

Just to confirm with you, are you testing access to the WAN from within the LAN?
If so, this is normal and there are no security issues.

You can try to access the WAN from the WAN side, which is external to the ER7206, and you will find that there is no access.

Best Regards!

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
Re:HTTPd "local" admin server is binding to both LAN and WAN interfaces
2022-03-25 09:54:38

Dear @Paul2004V ,

Paul2004V wrote

So, when using Advanced IP Scanner v2 to scan my entire home network, I noticed that in the physical DMZ network we have, the ER7206 was offering an HTTP(S) service.

Being curious, I took a look and yes, the local admin pages are fully accessible on the WAN side of the network I'm running as well as the LAN side.

Clearly the httpd service is configured to bind to all interfaces when it should not be doing so.

1. Could you provide a screenshot of your specific DMZ settings?
2. What exactly did you set up the DMZ for?
3. What's the physical connection (current topology) of your devices? (You can draw a simple diagram of the network topology if you don't mind.)

Best Regards!
Re:HTTPd "local" admin server is binding to both LAN and WAN interfaces
2022-03-25 11:39:24

@Hank21

Here's the topology of my network as it stands. The reason for the double router configuration is to stop any intrusion onto the network from outdoor network cables, like the ones used to connect the external security cameras.

Also, our ISP has told me in the past that they have a back door through their provided router and on one support occasion was able to accidentally see sensitive ID documents that they shouldn't have had access to. This is when they told me about the back door. So, the second router was put in place to stop that sort of access. I've run this sort of topology for around 16 years with no ill effect.

As you can see, it's a physical DMZ rather than one configured in a router's settings, so the NAT-DMZ configurations in both routers are not configured because they don't need to be, see images.

My issue is that the ER7206 http daemon is presenting the admin area login to the DMZ which is on the Ethernet WAN socket of the device and that really shouldn't be happening. Anything that connects to the DMZ via an external Ethernet cable could have access to the ER7206 and without a strong password, it would be easy to compromise the entire network.

We have over 30 devices connected to the LAN side of the ER7206 gateway, many of which contain sensitive personal and client data as we work from home and have multiple redundant backups of our data.

Paul

NETGEAR NAT/DMZ disabled

ER7206 NAT-DMZ disabled
Re:HTTPd "local" admin server is binding to both LAN and WAN interfaces
2022-03-31 14:22:19 - last edited 2022-03-31 14:23:07

@Hank21 I can confirm you're correct, I connected to the WAN side and re-scanned the network and the HTTP(S) access is missing. Attempting to connect to the router from the WAN side results in connection refused.

Thanks

Paul