ATA191 & SPA112 provisioning questions re network access

David30 · ‎05-14-2021

The ATA191 Provisioning Guide (p.149) defines <Allowed_Remote_IP_Address> as:

Description—Specifies a remote IPv4 address that is allowed access to the web-based configuration utility, when Remote Management is enabled
User Interface—Administration > Management > Web Access Management page,
Allowed Remote IPv4 Address field, unlabeled text box
Valid inputs—IPv4 address, Default—0.0.0.0
Example
<Allowed_Remote_IP_Address>209.165.201.129</Allowed_Remote_IP_Address>

First question: That seems plain enough, but what is the address shown below from the example on p.173? Is the final '0' intended to specify an IP4 mask length (e.g. 1.2.3.4/24)?

<Web_Remote_Upgrade>1</Web_Remote_Upgrade>
<Allowed_Remote_IP_Type>1</Allowed_Remote_IP_Type>
<Allowed_Remote_IP_Address>0.0.0.0 0</Allowed_...>

The Provisioning Guide also states that <Web_Remote_Management> enables or disables WAN access to the GUI management utility and <Remote_Web_Utility_Access> specifies the HTTP or HTTPS protocol to be used, which can be one or the other but not either.

However <Web_Utility_Access_HTTP> and <Web_Utility_Access_HTTPS> independently specify whether one or the other, or either, can be used to access the GUI utility from systems on the same LAN port.

Second question: How does all the above apply to devices (including the ATA191 & SPA112) where all traffic is handled over one LAN port?

Just as a comment, I suggest both the terminology and the descriptions of the functional logic used in the Provisioning Guide should be reviewed. The distinction between WAN & LAN access is unclear and inconsistent. Call me a pedant, but I think expressions such as "Web_Remote_Management" "Remote_Web_Utility_Access" "Web_Utility_Access_HTTP" are not precise enough.

Dan Lukes · ‎05-21-2021

Well, the issues you are mentioning are not described in documentation in clear. Fortunately, it's easy for you to test it by self ...

May be I will test it as well, but I'm so busy now so it may take a lot of time.

David30 · ‎05-21-2021

ATA network security is probably implemented using IPtables so I doubt trial & error would be very reliable. And I'll assume the stray "0" at the end of the IP4 address shown in the MPP Provisioning Guide on page-173 is either a typo or the default is equivalent to a mask of /32:

<Allowed_Remote_IP_Address>0.0.0.0 0</Allowed_Remote_IP_Address>

I noticed another possible typo on page-36 of the MPP Provisioning Guide too. Should the statement: "The Profile_Rule provided with the factory default configuration is ata$PSN.cfg, where $PSN represents the product serial number." refer to the product series number, e.g. "191" ?

Thanks for replying.

Dan Lukes · ‎05-21-2021

I doubt trial & error would be very reliable

I consider it rather simple. Just edit the value on UI then check the resulting value shown in dump of configuration.

But I guess it's second value of "range" - e.g. range 192.154.2.2 - 192.154.2.21 will be shown as 192.154.2.2 21

Or it may be mask (e.g. 0.0.0.0 0 is 0.0.0.0/0 which mean ANY). It's what needs to be tested.

where $PSN represents the product serial number." refer to the product series number, e.g. "191" ?

True, as far as I know.