Enable SSH to "LAN+WAN" reverts to LAN only

[pjama]

Having been using merlin on a RT-AC68U for a while now but I needed some IPSec capabilities so I bought a new (Origin China?) RT-AC86U and installed 384.6 on it c/w reset.

I need to be able to ssh to the router from the internet which I could do on the 68U and I set up the 86U the same to permit LAN+WAN but it keeps reverting back to LAN Only. There is a brief window where it sticks and I can ssh in but it still reverts and I can no longer open new ssh connections.

Is this a known issue? Is there a work around/fix?

Yes, I'm aware of the security issues and have a authorized key set up and skynet and SSHBFP on to minimize the risk.

Thanks for any assistance.

 

[M@rco]

If you have Skynet installed and securemode is enabled (it is by default), you can't enable WAN access. If you wish to disable it, at your own risk, execute:

sh /jffs/scripts/firewall settings securemode disable

If you really need access to your router, consider setting up your router as a VPN server for more secure access (and don't forget to re-enable Skynet's securemode afterwards, by executing 'sh /jffs/scripts/firewall settings securemode enable' without quotes).

 

[pjama]

Bingo. That was it. I would never have worked that out for my self.
Thankyou.

 

[Zonkd]

You’re very strongly advised against exposing the router services to WAN. The only good option for remote access is the OpenVPN server feature.

 

[zitev]

You’re very strongly advised against exposing the router services to WAN. The only good option for remote access is the OpenVPN server feature.

Sorry for the necromancy, I have the same problem now, but your comment made me unsure. I don't understand what security advantage an openvpn access has over an ssh access with a 4096-bit rsa key? Why should the user be given the choice at all? Obviously, only properly trained users will configure ssh, I see a smaller problem with this than with a poorly configured or outdated openvpn key. Sorry for thinking out loud..

 

[ColinTaylor]

... over an ssh access with a 4096-bit rsa key?

... Obviously, only properly trained users will configure ssh.

Obviously most users will not configure a key for SSH (most don't even know what that is or how to do it). Most will just enable regular username/password authentication using "admin" and "mypassword" on port 22. Using OpenVPN at least defaults to using certificates even if the user is unaware of it.

 

[zitev]

Obviously most users will not configure a key for SSH (most don't even know what that is or how to do it). Most will just enable regular username/password authentication using "admin" and "mypassword" on port 22. Using OpenVPN at least defaults to using certificates even if the user is unaware of it.

I see, so there is no risk if I override the SkyNet setting and constantly enable wan-side ssh. Thanks for the answer!

 

[ColinTaylor]

I see, so there is no risk if I override the SkyNet setting and constantly enable wan-side ssh. Thanks for the answer!

Well I doubt that anything in life is "no" risk. I'd say "low" risk, especially if you're not running SSH on a common port. There's still the possibility of security vulnerabilities in dropbear or the way Asus has implemented it. But the same could be said of OpenVPN. But Merlin keeps OpenVPN updated, more so than Asus does.

It's not always just about someone "hacking" the security. For example, opening any port to the internet runs the risk of being the target of a DoS attack, regardless of what that port is being used for.