Enable Web Access from WAN?

[Miguel Santa]

I just found out that my router has the Web Access from WAN feature enabled. Can I change it to another port? I f so, which ports are good? Also, if I decide to disable it, can I still see my ip cameras remotely or will the cameras need this feature to work properly. What are the dangers of leaving this feature on?

 

[RMerlin]

This option doesn't do what you think it does. It's meant to allow your router's web interface to be accessible over the Internet - something that's a really bad idea security-wise.

 

[Miguel Santa]

I don't really have any need to access the router right now so I can disable it without affecting any other service or port, correct? I think it uses port 8080, a default port, can I change that to something like 9090 0r 7575?

 

[RMerlin]

I don't really have any need to access the router right now so I can disable it without affecting any other service or port, correct? I think it uses port 8080, a default port, can I change that to something like 9090 0r 7575?

This setting is only for making it reachable over the Internet, it has no control over the LAN access. You should keep that setting disabled, unless you are willing to put your router at risk.

You cannot completely disable the web interface, and the LAN port over http cannot be changed. If you really need to free up port 80, you could switch it to HTTPS-only - https allows you to select which port to use.

 

[Miguel Santa]

The ASUS router app works remotely only if this setting is enabled, that's probably how it was enabled to begin with but like you mentioned the router is exposed to hackers. I wonder if you change the default port, would that make it less risky?

 

[RMerlin]

The ASUS router app works remotely only if this setting is enabled, that's probably how it was enabled to begin with but like you mentioned the router is exposed to hackers. I wonder if you change the default port, would that make it less risky?

Security through obscurity can help, but it doesn't make it any more secure - just harder to find.

Asus's app was designed to be used within the LAN, not over the Internet. I suspect the app doesn't use SSL, so it means that anything you'd transmit remotely could easily be intercepted. bad idea.

If you really need to remotely manage your router, do so through a VPN tunnel.

 

[Miguel Santa]

Now, that sounds really interesting, thank you for guiding me on the correct path. I'll look into VPN tunneling. Thanks again.

 

[Miguel Santa]

Thanks for your suggestion about VPN tunneling. I was able to use openVPN to log into my router and have a secure connection. It works very well,i typed the LAN ip address on the browser and it gets me in.


Sent from my iPhone using Tapatalk

 

[XIII]

Miguel, how did you configure this?

I want to remotely manage an ASUS router of a family member (with their permission) and have configured OpenVPN on it (I can activate that and can surf via their IP address).

However, when I use that OpenVPN connection (on my iPad) and surf to https://192.168.1.1:8443 or https://router.asus.com:8443 I get the login page of my local AC66U instead of their remote AC68U.

 

[RMerlin]

Miguel, how did you configure this?

I want to remotely manage an ASUS router of a family member (with their permission) and have configured OpenVPN on it (I can activate that and can surf via their IP address).

However, when I use that OpenVPN connection (on my iPad) and surf to https://192.168.1.1:8443 or https://router.asus.com:8443 I get the login page of my local AC66U instead of their remote AC68U.

Try 10.8.0.1.

 

[XIII]

Try 10.8.0.1.

Then I get this:

Network Error

An error occurred while accessing
"https://10.8.0.1:8443/".

Could not connect to the server.

(Network Error #-1004)

 

[RMerlin]

Then I get this:

Actually nevermind, Asus changed it so the httpd daemon will no longer bind to the VPN interfaces, only to the LAN interfaces (192.168.1.1).

192.168.1.1 won't work on your iPad because it's unable to deal with the fact that both networks share the same subnet. You'll need to change one of the two networks to a different subnet.

 

[XIII]

I'm not sure I understand, but would like to learn.

Does this mean I have to transfer one of the routers to 192.168.2.1 and all associated devices to 192.168.2.x?

 

[RMerlin]

I'm not sure I understand, but would like to learn.

Does this mean I have to transfer one of the routers to 192.168.2.1 and all associated devices to 192.168.2.x?

Yes. The VPN client on your iPad cannot tell your iPad to router the whole subnet through the tunnel.

That's why I use a less common subnet at home (192.168.10.0/24), to avoid that kind of issue when connecting with work or with a customer's network.