Enable Web Access from WAN - HTTPS only from WAN but keep HTTP from LAN?


skydreamer888

Occasional Visitor
When Authentication Method is set to BOTH and Enable Web Access from WAN is set to yes, do the ports for Web Access for both HTTP and HTTPS have to be open? How can I allow only HTTPS from the WAN, but still access the Web UI via HTTP from the LAN?

Thank you.
 
Simplest way is to wait for 382. With 382, Asus changed it so only HTTPS is allowed on the WAN, but you'll have both protocols available on the LAN.

Personally however, I do not recommend opening even HTTPS to the WAN. Asuswrt's web server is poorly secured, and has had numerous security issues over the years. Best to limit it to LAN only, and use a VPN to remotely access it.
 
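The point above (which protocols a given configuration actually exposes on the WAN, and how that changes between pre-382 and 382 firmware) can be checked against a router's settings dump. The following is an added example and not code from the thread, from Asus or from Asuswrt-Merlin. It assumes that the nvram keys `http_enable` (0=HTTP, 1=HTTPS, 2=BOTH), `misc_http_x` (Enable Web Access from WAN), `misc_httpport_x` / `misc_httpsport_x` (WAN ports) and `http_lanport` / `https_lanport` (LAN ports) back the GUI fields discussed, and that pre-382 firmware offers on the WAN whatever the LAN authentication method allows; confirm the key names on your own unit with `nvram show | grep -i http` before relying on the result. The sample dump is constructed to mirror the original poster's configuration.

```python
"""Audit an Asuswrt-style `nvram show` dump for a WAN-exposed web UI.

Added example; not from the forum thread, Asus or Asuswrt-Merlin.
Assumed key names: http_enable (0=HTTP, 1=HTTPS, 2=BOTH), misc_http_x
(Enable Web Access from WAN), misc_httpport_x / misc_httpsport_x (WAN ports),
http_lanport / https_lanport (LAN ports).  Verify with `nvram show` first.
"""
import socket
from typing import Dict, List

# Constructed sample dump: Authentication Method BOTH, WAN access enabled,
# i.e. the configuration the original post asks about.
SAMPLE_NVRAM = """\
http_enable=2
http_lanport=80
https_lanport=8443
misc_http_x=1
misc_httpport_x=8080
misc_httpsport_x=8443
lan_ipaddr=192.168.1.1
"""


def parse_nvram(dump: str) -> Dict[str, str]:
    """Turn `key=value` lines into a dict, skipping blank or malformed lines."""
    settings: Dict[str, str] = {}
    for line in dump.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def lan_protocols(settings: Dict[str, str]) -> List[str]:
    """Protocols the LAN-side UI answers on, from the Authentication Method."""
    mode = settings.get("http_enable", "0")
    return {"0": ["http"], "1": ["https"], "2": ["http", "https"]}.get(mode, ["http"])


def wan_exposure(settings: Dict[str, str], firmware_382_or_newer: bool) -> Dict[str, int]:
    """Return {protocol: WAN port} reachable from the Internet under this config.

    Assumption for pre-382 firmware: the WAN listener mirrors the LAN
    authentication method, so BOTH also exposes plaintext HTTP to the WAN.
    382 and later: only HTTPS is offered on the WAN; the LAN keeps both.
    """
    if settings.get("misc_http_x", "0") != "1":
        return {}
    protos = ["https"] if firmware_382_or_newer else lan_protocols(settings)
    ports = {
        "http": int(settings.get("misc_httpport_x", "8080")),
        "https": int(settings.get("misc_httpsport_x", "8443")),
    }
    return {p: ports[p] for p in protos if p in ports}


def findings(settings: Dict[str, str], firmware_382_or_newer: bool) -> List[str]:
    """Human-readable audit result, worst finding first."""
    exposed = wan_exposure(settings, firmware_382_or_newer)
    out: List[str] = []
    if "http" in exposed:
        out.append(f"CRITICAL: plaintext HTTP admin UI reachable from WAN on port {exposed['http']}")
    if "https" in exposed:
        out.append(f"HIGH: HTTPS admin UI reachable from WAN on port {exposed['https']}; "
                   "prefer VPN-only access as advised above")
    if not exposed:
        out.append("OK: web UI is LAN-only")
    return out


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Confirm the audit from outside the LAN: TCP-connect to the WAN address.

    Run this from a host on the Internet, not from the LAN, or NAT loopback
    may give a misleading answer.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    cfg = parse_nvram(SAMPLE_NVRAM)
    for label, newer in (("pre-382", False), ("382+", True)):
        print(label, findings(cfg, newer))
```

Running the block prints the pre-382 result (HTTP and HTTPS both exposed) and the 382+ result (HTTPS only); feeding it a real `nvram show` dump with `misc_http_x=0` reports the LAN-only state the thread recommends. Use `port_open()` from an external host against the WAN address to verify that the firewall agrees with the dump.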
Simplest way is to wait for 382. With 382, Asus changed it so only HTTPS is allowed on the WAN, but you'll have both protocols available on the LAN.

Personally however, I do not recommend opening even HTTPS to the WAN. Asuswrt's web server is poorly secured, and has had numerous security issues over the years. Best to limit it to WAN only, and use a VPN to remotely access it.

Meaning the router can be compromised even without knowing the admin ID/password credentials?
 
Personally however, I do not recommend opening even HTTPS to the WAN. Asuswrt's web server is poorly secured, and has had numerous security issues over the years. Best to limit it to WAN only, and use a VPN to remotely access it.

LAN only, not WAN - just making a correction here.

RMerlin's advice is dead on: opening the WebGUI (or any service, to be honest) is not advisable. A VPN does help, as it's reasonably secure.
 
Meaning the router can be compromised even without knowing the admin ID/password credentials?

Correct. There's been security holes in the past that allowed authentication to be bypassed.
 
Ah, thanks gents for inspiring my light bulb to finally light. That's got to be related to what was going on with our 3200. When I finally rid the router of Asus.comm.com, I thought it would never quit, and it was always trying to restart. After that was finally gone, the GUI issues also evaporated and the date/time never reset again. Lost too much sleep and thought on this. No matter how firmly one shuts the door, there's always bugs crawling about leaving no trace.

The GUI was dysfunctional, then after finally banishing asus.comm.com it's been good. After Asus.comm.com was set up, it never worked well, but then it refused to shut down and leave. The router acted like Betelgeuse. Defaulted/reset, left it unplugged overnight, and it's been fine since, until whatever tickled the firewall and Glasswire triggered. The 3200 wasn't routing, it was pulling AP duty.
 
Okay, thanks. But if the PUs (Parental Units) live out of state and need help keeping their router in tip-top shape, what is the best way to update firmware via remote connection? Over a VPN connection (but always nervous an update will "break" VPN and I'll lose access for good)? Temporarily open WAN access over HTTPS just to perform the update, then verify VPN still working and disable WAN access again? I can remotely power cycle the router as needed, but no way for me to reset factory defaults on any type of regular basis.
 
OOO...H-Man, stumped me; I'd never update firmware remotely, too many variables; if it goes down for whatever reason, you're still stuck with laying eyes on it. Must be much travel involved to have to give it serious consideration, but perhaps I'm just too cautious. Good luck!
 
Okay, thanks. But if the PUs (Parental Units) live out of state and need help keeping their router in tip-top shape, what is the best way to update firmware via remote connection? Over a VPN connection (but always nervous an update will "break" VPN and I'll lose access for good)? Temporarily open WAN access over HTTPS just to perform the update, then verify VPN still working and disable WAN access again? I can remotely power cycle the router as needed, but no way for me to reset factory defaults on any type of regular basis.

Another option perhaps is to set up a remote desktop profile on your PU's computer as a fail-safe from being shut out due to unforeseen firmware update issues. VPN would still be the best option, but if it breaks due to an update you can at least remote desktop in and then fix any issues from there.
 
Another option perhaps is to set up a remote desktop profile on your PU's computer as a fail-safe from being shut out due to unforeseen firmware update issues. VPN would still be the best option, but if it breaks due to an update you can at least remote desktop in and then fix any issues from there.

Thanks for your input. I had thought about setting them up with TeamViewer or something similar, but if a firmware update breaks both VPN and HTTPS WAN access, what are the chances I'll even be able to make an RDP connection? Providers like eero, et al. seem to have figured this out, so hoping there is at least some type of best practice to follow and hope for the best. Can't imagine letting their firmware get stale is the best approach.
 
Ditto, what SMS suggests seems logical, but when the router reboots, you'll still have to be logged into the computer, whether the FW update passes or fails. PUs could unplug the router, plug both the computer and router into a switch, and plug the switch into the modem so you could remote into the computer to work; as long as a VPN client existed on the machine prior to this, and you have all the ID/PW/permissions. Then you could try to log back in to the router (probably) to perform setup, troubleshoot or perhaps recover. If not, PUs will have to ship it to you via UPS/FedEx. As long as you're doing this for parents, and not hacking unethically. If that wasn't the case, I'd have no idea, except to call the Maytag repairman.
 
Ditto, what SMS suggests seems logical, but when the router reboots, you'll still have to be logged in somehow either way... if the FW update failed, then PUs would still have to unplug the router, plug the computer and the router into a switch, then into the modem so you could remote in, as long as a VPN client existed on the machine; then you'll still be able to log back in to the router (probably) to troubleshoot and perhaps recover. If not, then they'll have to ship it to you via UPS/FedEx. As long as you're doing it for parents, and not hacking unethically; if that were the case I'd have no idea, except to call the Maytag repairman. :)

Honestly, most of the firmware updates seem to add features or fix features that the general public probably doesn't ever use. Just limit firmware updates to only critical security updates if they aren't using anything serious (like QoS or VPN). I think we are all guilty of the "if it works, I still want to upgrade it because why not" mentality instead of the general consumer "If it works, why mess with it?"
 
Thanks all -- everything you wrote makes sense... although I don't think the PUs would be able to figure out the whole router/switch/modem thing. Or if they did, they'd never be able to put Humpty Dumpty back together again... at least not before I pulled all my hair out trying to walk them through it. Agreed not every update is required, and this would indeed be a very vanilla configuration. No QoS, and the only reason for VPN would be to run it as a server for me to tunnel in, since connecting to the WAN interface over HTTPS seems to be a bad idea. RMerlin does a great job communicating his firmware changes, but how can I determine what else is "critical" (i.e., what "security" updates are part of the closed source portions of the firmware)? For example, the AiProtection is an attractive feature for me to enable on their behalf. Does the Trend Micro integration get fixed/improved/updated with every firmware update or only with a major update like going from 380 to 382? Even if I only try a remote update for them, say, every 4-6 months or so, just go with the latest release available at the time and assume it's the best / most stable?
 
Good point; only Trend Micro and/or Asus knows such things, but they'll never talk. To be sure PUs don't unplug the toaster by mistake, send PUs a photo of which Ethernet cord to unplug and have UPS pick it up, overnight it to you for the upgrade, then send it back (just joking). If my folks were still alive and bothered with the internet, it would be that, or I'd just buy a new one, update it and send them photos with the new unit. They must be pretty sharp to have had you, eh? Good luck :)
 