opentechinstitute / luci-commotion

Commotion configuration pages for the LuCI web interface
GNU General Public License v3.0

Administration panel not accessible on neighbor nodes when meshed via Ethernet #406

Open andygunn opened 10 years ago

andygunn commented 10 years ago

When testing meshing over Ethernet for the Common Configurations, I have encountered timeouts when trying to access the Administration panel of neighbor nodes.

How to replicate:

  1. Flash two nodes with Commotion 1.1RC2
  2. Configure via the meshing over Ethernet instructions in the Advanced Configurations guide.
  3. Access a neighbor node via its mesh IP or static/DHCP (Ethernet IP) - the splash page or landing page will come up.
  4. Click on the "Administration" button.
  5. Wait forever.

This is most likely a firewall issue, since the landing and splash pages are accessible (http port 80), but the administration panel will never load as it is being dropped (https port 443). To fix, maybe put https accept by default for the WAN zone?

dismantl commented 10 years ago

We originally closed HTTPS to the WAN zone for security reasons, and just left SSH available. Neither HTTPS nor SSH has brute-force prevention, but the authentication of the HTTPS portal could be bypassed by stealing an auth token from an admin user (through a cross-site scripting or cross-site request forgery attack). But I agree that on more complicated network architectures, blocking HTTPS on WAN is a real pain in the butt for administration.

andygunn commented 10 years ago

Hmm, is there another solution? Is there a simple-to-describe method to add in this rule in the firewall rules if people need it? If we mention that it will be blocked, that is fine I suppose... but we should let folks know how to change it.

dismantl commented 10 years ago

No other solution currently besides editing firewall rules manually. I think it's a good idea to give some simple ways to punch holes in the firewall, but we should think about how we might want to integrate that with the common config setups. So, for instance, if we ask the user to pick out of a list of common configurations, some of those configurations could automatically punch the hole in the firewall depending on if the WAN zone is directly connected to the internet or not.
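The manual firewall edit mentioned above, as an added example that is not part of luci-commotion or this thread: an OpenWrt/UCI rule accepting TCP 443 on the WAN zone, with an optional source prefix (the 10.0.0.0/8 value below is a constructed placeholder) so the hole is not open to the whole internet when the WAN port is upstream-facing.

```shell
#!/bin/sh
# Added example, not code from luci-commotion. Emits an OpenWrt/UCI firewall
# rule that accepts HTTPS (TCP 443) on the WAN zone, which the thread says is
# closed by default. Optionally limits the rule to one source prefix so it is
# not reachable from the whole internet when the WAN port is upstream-facing.

# Print a "config rule" stanza for /etc/config/firewall.
# $1 (optional): source prefix in CIDR form, e.g. 10.0.0.0/8 (assumed value).
https_wan_rule() {
    src_ip="$1"
    printf "config rule\n"
    printf "\toption name 'Allow-HTTPS-WAN'\n"
    printf "\toption src 'wan'\n"
    if [ -n "$src_ip" ]; then
        printf "\toption src_ip '%s'\n" "$src_ip"
    fi
    printf "\toption proto 'tcp'\n"
    printf "\toption dest_port '443'\n"
    printf "\toption target 'ACCEPT'\n"
}

# Same rule expressed as uci commands; only prints them unless APPLY=1 and
# the uci binary exists, so the script is harmless on a non-OpenWrt host.
https_wan_rule_uci() {
    src_ip="$1"
    cmds="uci add firewall rule
uci set firewall.@rule[-1].name='Allow-HTTPS-WAN'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='443'
uci set firewall.@rule[-1].target='ACCEPT'"
    if [ -n "$src_ip" ]; then
        cmds="$cmds
uci set firewall.@rule[-1].src_ip='$src_ip'"
    fi
    cmds="$cmds
uci commit firewall
/etc/init.d/firewall reload"
    if [ "${APPLY:-0}" = "1" ] && command -v uci >/dev/null 2>&1; then
        printf "%s\n" "$cmds" | sh
    else
        printf "%s\n" "$cmds"
    fi
}

# Stand-alone run: print the stanza, limited to a constructed mesh prefix.
https_wan_rule 10.0.0.0/8
```

Leaving the prefix off reproduces the "accept HTTPS on WAN by default" variant proposed in the first comment.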

natmey commented 10 years ago

I want to comment that meshing over Ethernet is not required. I was noticing this behavior on a node running 1.1rc2. This node provides a gateway. I was on the same LAN as the node (we both got DHCP from the same router). I can SSH in, and hit the splash page of the node, but cannot get to the admin page. To reproduce this behavior you can:

With this you should be able to SSH to the node using 'ssh root@$IPADRESS' and get a splash page when connecting through a browser. However, you'll get what Andy was describing.

andygunn commented 10 years ago

Good point @natmey - I think that shows that we need to make it a bit easier to access the Administrator panel from the WAN port. For now, it's a documentation issue.

@dismantl - when you say edit the firewall rules manually, do you mean via command line, or is it possible to do it in luci? If the latter, could you drop the instructions into a doc so we can include it in the advanced configurations or another guide?

dismantl commented 10 years ago

You can do it in web UI. I'll add it to documentation.