EX2 - Web access on a different subnet

Hi,

I have my EX2 configured on the 192.168.10.0/24 subnet.

When I try to access the web GUI from a different subnet (VPN - 192.168.5.0/24) I get this message:

Forbidden

You don’t have permission to access / on this server.

Is there any way to permit access to the web GUI from a different subnet?

That’s the message I also get when connecting with OpenVPN.

resteves wrote:

Hi,

I have my EX2 configured on the 192.168.10.0/24 subnet.

When I try to access the web GUI from a different subnet (VPN - 192.168.5.0/24) I get this message:

Forbidden

You don’t have permission to access / on this server.

Is there any way to permit access to the web GUI from a different subnet?

That’s a question for your router manufacturer. It’s your router that sets up what devices can be communicated with across subnets.

No it is not. I can access port 80 on the IP address of the EX2; it responds, but the web server of the EX2 gives that message, so the problem is on the EX2 web server, which only permits access from the same subnet as its own IP address.

[root@ghost ~]$ nmap -sT -sV -P0 -p 80 192.168.2.18

Starting Nmap 6.40 ( http://nmap.org ) at 2015-06-04 10:15 WEST
Nmap scan report for 192.168.2.165
Host is up (0.024s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd


[root@ghost ~]$ GET http://192.168.2.165

403 Forbidden

Forbidden

You don't have permission to access / on this server.

In the Apache configuration (httpd.conf) we can see the “Require ip”:

<Directory "/var/www">
    Options +FollowSymLinks -MultiViews -Indexes
    AllowOverride All
    AuthType None
    <If "(%{IPV6} != 'on') && (%{REQUEST_URI} !~ m#\A/api/[0-9.]+/rest/.*#)">
        <RequireAny>
            Require local
            Require ip 192.168.2.165/24
        </RequireAny>
    </If>
    <Else>
        <RequireAll>
            Require all granted
        </RequireAll>
    </Else>
</Directory>

I also agree that this is an EX2 problem and not the router’s.
I think they didn’t think that far, that a VPN can be used and then an IP from a different subnet will request access.

I found a solution.

If you turn ON the Web Access, even if you do not set up the port forwarding in your router to really access the dashboard from the internet, you can now access the dashboard from the VPN. I haven’t figured out the reverse lookup on my VPN, so I access everything using the IP.

I’ve tested it right now and it works.

What do you mean by turn ON the Web access?

Settings > Cloud Access > Dashboard Cloud Access

However, I immediately found a BUG. I believe that other users on this forum remember that I pointed out the fact that when you are connecting over the internet to the Dashboard, it will show you that the Cloud Services are turned OFF, even if they are ON when you access locally.

Now I access the Dashboard over VPN and when I try to see the statistics of the files and how much space they use, it will tell me to turn on the Cloud Services first.

WD please fix this !!!

PS: if someone has access to an EX2100 or EX4100, can you please test if this also happens on the new firmware? Because if so, WD overlooks a lot of things that we point out and it’s useless.

First off - please don’t just enable “Dashboard Cloud Access”. All that does is enable any IP address to log in to your dashboard. If you haven’t set a very secure password, this could be a bad idea. Also, since your NAS is probably using UPnP to automatically open external network ports for the MyCloud file access, it’s a REALLY bad idea.

Since the MyCloud APIs are all served off port 80 and 443 internally, I did NOT want to enable Dashboard Cloud Access, since that means they would always be externally available when all I really wanted was VPN access.

As resteves pointed out, the restriction is taking place in the apache configs. I modified the httpd.conf file to allow new subnets and restarted apache - worked great. Rebooted the NAS - httpd.conf files gone. So rather than hack apart the OS to not modify the Apache configs etc on each boot I had a better idea. Configure LAN 2 for a new static IP address (no cable is even plugged in) so the OS thinks there is another local LAN interface. Here is the apache config before:

<Directory />
	AllowOverride All
	Options FollowSymLinks
	AuthType None
	<If "(%{IPV6} != 'on') && ((%{REQUEST_URI} !~ m#\A\/api\/[0-9.]+\/rest\/.*#) && (%{REQUEST_URI} !~ m#\A\/test.html#))">
			<RequireAny>
				Require local
				Require ip 192.168.100.10/24
			</RequireAny>
	</If>
	<Else>
		<RequireAll>
			Require all granted
		</RequireAll>
	</Else>
</Directory>

After setting a Static IP with a subnet mask of 255.0.0.0 (a /8 CIDR subnet) I now have this:

<Directory />
	AllowOverride All
	Options FollowSymLinks
	AuthType None
	<If "(%{IPV6} != 'on') && ((%{REQUEST_URI} !~ m#\A\/api\/[0-9.]+\/rest\/.*#) && (%{REQUEST_URI} !~ m#\A\/test.html#))">
			<RequireAny>
				Require local
				Require ip 192.168.100.10/24
				Require ip 192.168.50.10/8
			</RequireAny>
	</If>
	<Else>
		<RequireAll>
			Require all granted
		</RequireAll>
	</Else>
</Directory>

Since the /8 covers everything in the 192.x.x.x range, this will cover any IP address in any other subnet. The only downside is if you had 10.x.x.x and 192.x.x.x VPN subnets (but in that case this home device probably isn’t meant for your small/medium business needs anyway).

This should be the accepted solution - don’t open your box to the entire world - just configure another local LAN subnet on the second NIC interface with whatever subnet size you want, and the NAS will config apache to allow it, and survive reboots/upgrades as well w/o hacking the system or requiring SSH access.
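Added example (not from this thread or WD’s firmware) that reproduces how the RequireAny/Require ip list above decides a client address, using the subnets quoted in the thread: the stock /24 entry rejects a VPN client, the /8 written for LAN 2 admits any 192.x.x.x source that can reach the NAS, and a helper computes the tightest LAN 2 prefix that would cover both subnets instead of a /8. Assumed: Python’s ipaddress masks host/prefix arguments the same way Apache does, and “Require local” is simplified to loopback or the server’s own addresses.

```python
import ipaddress
import re

# Constructed excerpts of the two <RequireAny> blocks quoted in the thread:
# the stock config and the one the NAS wrote after LAN 2 got a /8 address.
REQUIRE_STOCK = """
    Require local
    Require ip 192.168.100.10/24
"""
REQUIRE_WITH_LAN2 = REQUIRE_STOCK + "    Require ip 192.168.50.10/8\n"


def parse_require_ip(config: str):
    """Return the networks named by every 'Require ip' line.

    Apache masks a host/prefix argument down to its network, so
    192.168.2.165/24 means 192.168.2.0/24; strict=False mirrors that.
    """
    nets = []
    for line in config.splitlines():
        m = re.match(r"\s*Require\s+ip\s+(.+)", line)
        if m:
            for token in m.group(1).split():
                nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def would_allow(config: str, client_ip: str, server_ips=()) -> bool:
    """RequireAny semantics: any one matching directive grants access.

    'Require local' (simplified here) accepts loopback or a client that
    is the server itself.
    """
    addr = ipaddress.ip_address(client_ip)
    if addr.is_loopback or client_ip in server_ips:
        return True
    return any(addr in net for net in parse_require_ip(config))


def smallest_covering_network(ip_a: str, ip_b: str):
    """Tightest prefix containing both hosts: a narrower LAN 2 mask than /8."""
    net = ipaddress.ip_network(f"{ip_a}/32")
    other = ipaddress.ip_address(ip_b)
    while other not in net:
        net = net.supernet()
    return net


if __name__ == "__main__":
    for name, cfg in (("stock", REQUIRE_STOCK), ("with LAN 2 /8", REQUIRE_WITH_LAN2)):
        for client in ("192.168.100.57", "192.168.5.20", "10.8.0.2"):
            print(f"{name:14} {client:15} -> {would_allow(cfg, client)}")
    print("covers 192.168.10.x and 192.168.5.x:",
          smallest_covering_network("192.168.10.1", "192.168.5.20"))
```

For the original poster’s 192.168.10.0/24 LAN and 192.168.5.0/24 VPN the helper yields 192.168.0.0/20, so a LAN 2 mask of 255.255.240.0 would be enough without admitting every 192.x.x.x host.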

adicrst is absolutely correct.
WD My Cloud does not work over different subnets, regardless of the routing between them.
I have several WD devices in my network and it is a pain to back up some workstations.
I understand that this is a great security feature but I would like to have the ability to turn it off.