FTP Opens to WAN

[8Bit_1Byte]

I just don't understand how this is the case. What am I missing?

I just purchased an AC87R, and wanted to enable FTP for a HD I attached. I turned on the FTP option, and can't believe that actually opens port 21 on the WAN side?!

Why in the world does enabling FTP, automatically open an external port? Even worse, how is there no option to keep the external port 21 closed?

What am I not understanding, or doing wrong? Please don't tell me this router forces someone who wants to FTP on their internal network, to open a port externally?

 

[Nullity]

That is bad. You are right to be concerned.


Are you sure you are not misunderstanding the GUI?

How did you confirm that an external port is open.

 

[8Bit_1Byte]

I have to believe I'm doing something wrong, yet I don't see how. I have not enabled any of the aicloud functionality, nor have I enabled management interface from WAN.

I scan the router and 21 is closed. I turn on FTP, scan again, and it's open (I'm scanning from Internet website).

It has to be user error, I just don't understand how.... I'm positive that I haven't turned on any cloud functionality.

I'm going into USB tools, selecting the FTP tab, and turning on. That's it.

 

[L&LD]

FTP is long in the tooth and very insecure as it is.

Can a friend scan your FTP site from outside your network? Do you possibly have the router in DMZ mode?

 

[8Bit_1Byte]

Definitely haven't turned on DMZ.

I've checked port forwarding (nothing set or on), port triggering (nothing set or on), Web access from WAN is off, etc...

FTP may be an inefficient/insecure protocol, but it's not going anywhere, plus, I'm only looking to use it internal to my network.

A friend? It's Friday night and I'm worried about an open port on my router. How many friends do you think I have (kidding kidding). I ran the port scan via an online website, using my phone, which I turned off WiFi just to rule out any issues there (not that it would matter since the site doing the scan is from an external IP.

Don't blame you for asking me about DMZ, etc... because I don't understand it either....

I'm correct in assuming that simply turning on FTP shouldn't open an external port (Meaning this doesn't happen to anyone else?). I'm running the new 4608 Firmware.

 

[L&LD]

After you upgraded, did you do a reset to factory defaults and manually and minimally configure your router to secure and connect to your ISP?

 

[8Bit_1Byte]

After you upgraded, did you do a reset to factory defaults and manually and minimally configure your router to secure and connect to your ISP?

Firmware Upgrade - Yes, flashed upgrade, reset to factory and I manually configured (i.e., did not upload a config file).

Regarding manually/minimally connecting to my ISO securely, not sure I follow...

Are you asking about the router pulling Gateway/IP/DNS from modem? If so, I didn't do anything special, just let it pull the info itself.

If you are asking about securing my wifi, changing admin name/password, etc.. then yes. Plus I haven't enabled or configured anything related to ASUS aiCloud, modification to firewall, or changed any port triggers or virtual server (port forwarding).

 

[RMerlin]

This is actually the way Asus designed it. Their FTP server is meant to be used over WAN.

If you want to only use it from the LAN, you will have to switch to my firmware, where I added an option to disable WAN access to the FTP server.

 

[8Bit_1Byte]

This is actually the way Asus designed it. Their FTP server is meant to be used over WAN.

If you want to only use it from the LAN, you will have to switch to my firmware, where I added an option to disable WAN access to the FTP server.

Really appreciate the clarification! As of now, I'm running your FW!

Can't believe ASUS made such an assumption, especially considering not erring on the side of security.

I suppose their approach would be to address consumers whom may not understand WAN/LAN, and if provided such an option, wouldn't understand. Yet I find that a bit hard to believe, since ASUS has their aiCloud for such users.

Hope this is another Merlin feature that makes its way to the official FW!

Thanks everyone for the support.

 

[RMerlin]

Asus probably expected users to rely on SMB for LAN sharing, and FTP for WAN sharing. I agree that it should at least have been more visible that enabling FTP would also enable it WAN side.

AiCloud was only added much later to the firmware.

 

[mteicher]

thats not a good excuse.
my gosh. ftp open to the wan side. thats hard to believe a company would do that these days knowing how bad ftp is to the world.
not good not good at all...really no excuse for that imho

 

[L&LD]

thats not a good excuse.
my gosh. ftp open to the wan side. thats hard to believe a company would do that these days knowing how bad ftp is to the world.
not good not good at all...really no excuse for that imho

Just another reason to run RMerlin firmware.