Access router web interface from local network using DDNS

[jmedaglia]

Hi everyone!

I've recently upgraded my RT-AC68W from 380_69.2 to the latest 384.4_2 and wanted to use this new cool feature of generating SSL certificates using Let's Encrypt.

However, I'm having trouble accessing the router web interface using DDNS name from the local network, it seems router is blocking access as it considers it coming from the WAN, it works if I "Enable Web Access from WAN" (which is definitely something I don't want to do).

As a side note, I'm able to ping the router using DDNS name from the LAN, even though I have not enabled "Respond ICMP Echo (ping) Request from WAN" from Firewall settings.

It's this the expected behavior of NAT Loopback?
Would adding my DDNS name to hosts.add would be a valid workaround?

Thanks in advance!

 

[jmedaglia]

Hi everyone!

I've recently upgraded my RT-AC68W from 380_69.2 to the latest 384.4_2 and wanted to use this new cool feature of generating SSL certificates using Let's Encrypt.

However, I'm having trouble accessing the router web interface using DDNS name from the local network, it seems router is blocking access as it considers it coming from the WAN, it works if I "Enable Web Access from WAN" (which is definitely something I don't want to do).

As a side note, I'm able to ping the router using DDNS name from the LAN, even though I have not enabled "Respond ICMP Echo (ping) Request from WAN" from Firewall settings.

It's this the expected behavior of NAT Loopback?
Would adding my DDNS name to hosts.add would be a valid workaround?

Thanks in advance!

Anyone?

 

[jrmwvu04]

It wouldn’t work I wouldn’t think, unless you do as you suggested and make a manual dns entry for dnsmasq. With that being said, I’ll ask the silly question - why not use any of the other options like the ip, router.asus.com, the lan hostname if set, etc?

 

[jmedaglia]

It wouldn’t work I wouldn’t think, unless you do as you suggested and make a manual dns entry for dnsmasq. With that being said, I’ll ask the silly question - why not use any of the other options like the ip, router.asus.com, the lan hostname if set, etc?

Because the browser will complain when accessing it through HTTPS as the certificate is for another domain (the DDNS one)

Sent from my Pixel using Tapatalk

 

[jrmwvu04]

Because the browser will complain when accessing it through HTTPS as the certificate is for another domain (the DDNS one)

Sent from my Pixel using Tapatalk

Eric said it best:

Just ignore the message, it's misleading. Your connection is fully encrypted, the only reason they claim it's not secure is because it cannot validate that you are really connected to your router at the specified IP/hostname using a certificate issued by a trusted authority.

If you want to get rid of it, you need to either fiddle with Let's Encrypt, or generate your own CA + certificate, and import that CA in the trusted store of all your devices.

 

[FreshJR]

Did you add an entry in dnsmasq to override a dns lookup for your DDNS host name to resolve into your local router ip?

If you didn't, I can see a DDNS domain name dns lookup resolving to your WAN ip so your router treats it as an outside connection.

I just tried a dnsmasq entry (I don't use dnscrypt) and it resolved my router for whatever DNS I was to override.

 

[jmedaglia]

Thanks everyone for your answers.

I haven't added the entry in dnsmasq, I first wanted to confirm that it is a valid workaround for this issue; great to see that it is and that it will work.

I understand that I can ignore browser warning and that my connection will be fully encrypted, I still find it a little annoying though, that's why I wanted to always use my DDNS name to access my router (with Let's Encrypt certificate). What I still don't understand is why I am able to use DDNS from local network for some things without enabling access from WAN (ping), but for others don't (access router interface), is this expected behavior or a bug?

Thanks again!

 

[Keanu]

Sorry for hijacking this thread but I'd like to use Let's Encrypt as well. Would it be secure to make the Web UI accessible from WAN but only allow 2 IP addresses from LAN in the settings?

 

[skeal]

Sorry for hijacking this thread but I'd like to use Let's Encrypt as well. Would it be secure to make the Web UI accessible from WAN but only allow 2 IP addresses from LAN in the settings?

This is not a good idea. The web interface is the problem not your idea.

 

[skeal]

Unfortunately httpd is full of holes only Asus can fix. For now do yourself a solid and do not expose webui to WAN my friend.

 

[Keanu]

I understand this but in this case all IPs are blocked except the ones I allow. So no one gets near the httpd process or the web UI. Or am I missing something crucial?

 

[skeal]

I understand this but in this case all IPs are blocked except the ones I allow. So no one gets near the httpd process or the web UI. Or am I missing something crucial?

Exposing the webui to WAN is not advisable as it leaves httpd open for hacking, getting around the limit of IPs wouldn't be that hard. Someone correct me if I got this wrong. @RMerlin advises to use a vpn to access your webui. Just saying bud.

 

[martinr]

Exposing the webui to WAN is not advisable as it leaves httpd open for hacking, getting around the limit of IPs wouldn't be that hard. Someone correct me if I got this wrong. @RMerlin advises to use a vpn to access your webui. Just saying bud.

Yes indeed, almost word perfect! In Our Dear Leader’s own words:

https://www.snbforums.com/threads/e...wan-but-keep-http-from-lan.42521/#post-361843

 

[Dabombber]

What I still don't understand is why I am able to use DDNS from local network for some things without enabling access from WAN (ping), but for others don't (access router interface), is this expected behavior or a bug?

It's probably the expected behaviour. If WAN access is disabled then I don't think httpd would be listening on the WAN IP, stuff like ping doesn't care and just responds to whoever.