Access router web interface from local network using DDNS

jmedaglia

Occasional Visitor
Hi everyone!

I've recently upgraded my RT-AC68W from 380_69.2 to the latest 384.4_2 and wanted to use this new cool feature of generating SSL certificates using Let's Encrypt.

However, I'm having trouble accessing the router web interface using the DDNS name from the local network. It seems the router is blocking access as it considers it to be coming from the WAN; it works if I "Enable Web Access from WAN" (which is definitely something I don't want to do).

As a side note, I'm able to ping the router using DDNS name from the LAN, even though I have not enabled "Respond ICMP Echo (ping) Request from WAN" from Firewall settings.

Is this the expected behavior of NAT Loopback?
Would adding my DDNS name to hosts.add be a valid workaround?

Thanks in advance!
 
Anyone?
 
It wouldn’t work, I wouldn’t think, unless you do as you suggested and make a manual DNS entry for dnsmasq. With that being said, I’ll ask the silly question - why not use any of the other options like the IP, router.asus.com, the LAN hostname if set, etc.?
 
Because the browser will complain when accessing it through HTTPS, as the certificate is for another domain (the DDNS one).

 
Eric said it best:
Just ignore the message, it's misleading. Your connection is fully encrypted, the only reason they claim it's not secure is because it cannot validate that you are really connected to your router at the specified IP/hostname using a certificate issued by a trusted authority.

If you want to get rid of it, you need to either fiddle with Let's Encrypt, or generate your own CA + certificate, and import that CA in the trusted store of all your devices.
 
Did you add an entry in dnsmasq to override a DNS lookup for your DDNS host name so that it resolves to your local router IP?

If you didn't, I can see a DDNS domain name DNS lookup resolving to your WAN IP, so your router treats it as an outside connection.

I just tried a dnsmasq entry (I don't use dnscrypt) and it resolved my router for whatever DNS I was to override.
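
The override discussed in the posts above, together with a check that it has taken effect, as an added example that is not part of any post in this thread. The host name, the LAN address and all function names are constructed placeholders; the `address=/name/ip` form in the comment is dnsmasq's own option for the same override.

```shell
#!/bin/sh
# Added example; names and addresses below are constructed placeholders.
DDNS_NAME="example.asuscomm.com"   # placeholder DDNS host name
ROUTER_LAN_IP="192.168.1.1"        # assumed router LAN address

# hosts-format line for hosts.add that pins the DDNS name to the LAN IP.
# (dnsmasq equivalent: address=/example.asuscomm.com/192.168.1.1)
hosts_line() {
    printf '%s %s\n' "$2" "$1"
}

# Return 0 if $1 is an RFC 1918 private IPv4 address.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.*)
            second=${1#172.}; second=${second%%.*}
            [ "$second" -ge 16 ] 2>/dev/null && [ "$second" -le 31 ] ;;
        *) return 1 ;;
    esac
}

# Classify the answer a LAN client received for the DDNS name.
# $1 = resolved address, $2 = expected router LAN address
classify_answer() {
    if [ "$1" = "$2" ]; then
        echo "override-active"          # certificate name and LAN path agree
    elif is_private_ipv4 "$1"; then
        echo "private-but-unexpected"   # some other internal host answers
    else
        echo "resolves-to-wan"          # traffic will target the WAN address
    fi
}

# Resolve through the system resolver, as a LAN client would.
resolve_first() {
    getent hosts "$1" | awk '{print $1; exit}'
}

# Live check, only when asked for: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    hosts_line "$DDNS_NAME" "$ROUTER_LAN_IP"
    classify_answer "$(resolve_first "$DDNS_NAME")" "$ROUTER_LAN_IP"
fi
```

Run the live check from a LAN client after adding the entry and restarting dnsmasq; `override-active` means the Let's Encrypt name now reaches the router on its LAN address without enabling web access from WAN.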
 
Thanks everyone for your answers.

I haven't added the entry in dnsmasq; I first wanted to confirm that it is a valid workaround for this issue. Great to see that it is and that it will work.

I understand that I can ignore the browser warning and that my connection will be fully encrypted. I still find it a little annoying though; that's why I wanted to always use my DDNS name to access my router (with the Let's Encrypt certificate). What I still don't understand is why I am able to use DDNS from the local network for some things without enabling access from WAN (ping), but not for others (access router interface). Is this expected behavior or a bug?

Thanks again!
 
Sorry for hijacking this thread but I'd like to use Let's Encrypt as well. Would it be secure to make the Web UI accessible from WAN but only allow 2 IP addresses from LAN in the settings?
 
This is not a good idea. The web interface is the problem, not your idea.
 
Unfortunately httpd is full of holes only Asus can fix. For now do yourself a solid and do not expose webui to WAN my friend.
 
I understand this but in this case all IPs are blocked except the ones I allow. So no one gets near the httpd process or the web UI. Or am I missing something crucial?
 
Exposing the webui to WAN is not advisable as it leaves httpd open for hacking; getting around the limit of IPs wouldn't be that hard. Someone correct me if I got this wrong. @RMerlin advises to use a VPN to access your webui. Just saying bud.
 
What I still don't understand is why I am able to use DDNS from local network for some things without enabling access from WAN (ping), but for others don't (access router interface), is this expected behavior or a bug?

It's probably the expected behaviour. If WAN access is disabled then I don't think httpd would be listening on the WAN IP; stuff like ping doesn't care and just responds to whoever.
 
