HTTPd "local" admin server is binding to both LAN and WAN interfaces

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

HTTPd "local" admin server is binding to both LAN and WAN interfaces

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
HTTPd "local" admin server is binding to both LAN and WAN interfaces
HTTPd "local" admin server is binding to both LAN and WAN interfaces
2022-03-24 09:30:27 - last edited 2022-03-31 14:22:33
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: 1.2.0 Build 20220117 Rel.74491

So, when using Advanced IP Scanner v2 to scan my entire home network, I noticed that in the physical DMZ network we have, the ER7206 was offering an HTTP(S) service.

 

Being curious, I took a look and yes, the local admin pages are fully accessible on the WAN side of the network I'm running as well as the LAN side.

 

Clearly the httpd service is configured to bind to all interfaces when it should not be doing so.

 

Here's the LAN side admin URL in the browser which is fine.

 

I wasn't expecting the httpd server to respond but it does on the WAN side of the network.

 

Here's the WAN IP address DHCP assignment from our primary router.

 

 

I have run a router as a secondary router/firewall ever since I found out that our ISP has a back door built into the firmware of their router which we MUST use. The ER7206 is the latest router I've put into the network replacing the old router that broke. The ER7206 is therefore being used to create a small DMZ network that our ISP can see with guest Wi-Fi on it, then, behind the ER7206, our main network exists.

 

By doing this, our main network is fully protected from prying eyes. However, I wasn't expecting the httpd to be providing access to the admin area on the WAN side of things at all and I view this as a security risk.

 

As you can see from the next screenshots, remote admin is off...

 

HTTP admin is configured to redirect to HTTPS.

 

There's no way to specify which side of the LAN/WAN the httpd should bind and I'd expect it to default to LAN binding only but it seems it is binding to every available interface.

 

I know the router is password protected but as a security issue, the admin area interface shouldn't really be binding to the WAN side of the router at all.

 

Is this a bug or an issue with my configuration? Is there a checkbox I'm missing that I need to change to fix this or would it require a firmware update to change the network binding details for the router?

 

Thanks

 

Paul

 

  0      
  0      
#1
Options
1 Accepted Solution
Re:HTTPd "local" admin server is binding to both LAN and WAN interfaces-Solution
2022-03-28 08:55:25 - last edited 2022-03-31 14:22:33

Dear @Paul2004V ,

 

Just to confirm with you, are you testing access to the WAN from within the LAN?
If so, this is normal and there are no security issues.

 

You can try to access the WAN from the WAN side, which is external to the ER7206, and you will find that there is no access.

 

Best Regards!

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
Recommended Solution
  1  
  1  
#4
Options
4 Reply
Re:HTTPd "local" admin server is binding to both LAN and WAN interfaces
2022-03-25 09:54:38

 Dear @Paul2004V ,

 

Paul2004V wrote

So, when using Advanced IP Scanner v2 to scan my entire home network, I noticed that in the physical DMZ network we have, the ER7206 was offering an HTTP(S) service.

 

Being curious, I took a look and yes, the local admin pages are fully accessible on the WAN side of the network I'm running as well as the LAN side.

 

Clearly the httpd service is configured to bind to all interfaces when it should not be doing so.

 

1.Could you provide a screenshot of your specific DMZ settings?
2. What exactly did you set up the DMZ for?

3. What's the physical connection(current topology) of your devices? (You can draw a diagram of Network Topology simply if you don't mind.)

 

Best Regards!

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#2
Options
Re:HTTPd "local" admin server is binding to both LAN and WAN interfaces
2022-03-25 11:39:24

@Hank21 

 

Here's the topology of my network as it stands. The reason for the double router configuration is to stop any intrusion onto the network from outdoor network cables, like the ones used to connect the external security camera's.

 

Also, our ISP has told me in the past that they have a back door through their provided router and on one support occasion was able to accidentally see sensitive id documents that they shouldn't have had access to. This is when they told me about the back door. So, the second router was put in place to stop that sort of access. I've run this sort of topology for around 16 years with no ill effect.

 

As you can see, it's a physical DMZ rather than one configured in a router's settings so the NAT-DMZ configurations in both routers are not configured because they don't need to be, see images.

 

My issue is that the ER7206 http daemon is presenting the admin area login to the DMZ which is on the Ethernet WAN socket of the device and that really shouldn't be happening. Anything that connects to the DMZ via an external Ethernet cable could have access to the ER7206 and without a strong password, it would be easy to compromise the entire network.

 

We have over 30 devices connected to the LAN side of the ER7206 gateway, many of which contain sensitive personal and client data as we work from home and have multiple redundant backups of our data.

 

Paul

 

NETGEAR NAT/DMZ disabled

 

 

ER7206  NAT-DMZ disabled

 

 

  0  
  0  
#3
Options
Re:HTTPd "local" admin server is binding to both LAN and WAN interfaces-Solution
2022-03-28 08:55:25 - last edited 2022-03-31 14:22:33

Dear @Paul2004V ,

 

Just to confirm with you, are you testing access to the WAN from within the LAN?
If so, this is normal and there are no security issues.

 

You can try to access the WAN from the WAN side, which is external to the ER7206, and you will find that there is no access.

 

Best Regards!

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
Recommended Solution
  1  
  1  
#4
Options
Re:HTTPd "local" admin server is binding to both LAN and WAN interfaces
2022-03-31 14:22:19 - last edited 2022-03-31 14:23:07

  @Hank21 I can confirm you're correct, I connected to the WAN side and re-scanned the network and the HTTP(S) access is missing. Attempting to connect to the router from the WAN side results in connection refused.

 

Thanks

 

Paul

  0  
  0  
#5
Options

Information

Helpful: 0

Views: 841

Replies: 4

Related Articles