ColinTaylor
Part of the Furniture
Yes, that was my point because the OP said he wanted both remote web access and AiCloud access. Admittedly, I only checked AiCloud initially since that was immediately relevant to the OP. Again, the only time you need that rule is when the router-based service is bound *solely* to the LAN. I know that's the case for the GUI (httpd):
Code:
admin@merlin-lab1:/tmp/home/root# netstat -an | grep :8443
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:8443        0.0.0.0:*               LISTEN
Remote access is simply the result of a DNAT:
Code:
admin@merlin-lab1:/tmp/home/root# iptables -t nat -vnL VSERVER
Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  180 10800 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 to:192.168.1.1:8443
    0     0 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0
As I said, if you create a port forwarding rule to an internal FTP server as well as enabling AiDisk, it changes to using a DNAT rule to the internal address, therefore requiring the VPN rule. Admittedly that's an odd combination, but I did actually come across this situation when testing FTPS support with John. I then checked FTP (port 21) for AiDisk:
Code:
admin@merlin-lab1:/tmp/home/root# netstat -an | grep :21
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
Just as w/ AiCloud, the service is listening on all network interfaces, so you do NOT need that rule. If configured for LAN only (the default), there is no rule in the input chain for port 21 since all inbound access to the router is allowed by default. But if you enable WAN access, then a specific rule is added for that purpose.
Code:
admin@merlin-lab1:/tmp/home/root# iptables -vnL INPUT | grep :21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
And that's why there's no need for a DNAT like there is for the GUI (httpd).
To be fair, I think RMerlin has disabled the ability to use plain FTP from the WAN; it has to be FTPS (at least that's the case in John's firmware). Of course, you have to question why anyone would be enabling remote access to these services anyway (esp. FTP, which is in the clear; at least the GUI is using HTTPS).
But regarding whether it's necessary or not to have that VPN rule, in the case of the wiki documentation it's simpler to just include it rather than trying to explain the situations where it may be required. As you said, even if it's not required, including it is benign.
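Added example, not code from this thread or from the Merlin/John firmware: a small Python audit script that applies the reasoning above to the netstat and iptables listings quoted in the post (constructed copies embedded inline, whitespace normalised) and reports how each router-hosted port is reachable from the WAN. The category names and the assumption that the router's LAN address is 192.168.1.1 are my own.

```python
import re

# Constructed sample output, copied from the netstat / iptables listings in the
# post above (whitespace normalised). Router LAN address assumed: 192.168.1.1.
NETSTAT = """\
tcp 0 0 127.0.0.1:8443 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:8443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
"""
VSERVER = """\
Chain VSERVER (1 references)
 pkts bytes target prot opt in out source destination
 180 10800 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443 to:192.168.1.1:8443
 0 0 VUPNP all -- * * 0.0.0.0/0 0.0.0.0/0
"""
INPUT = "0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21\n"

def listeners(netstat):
    """Map each listening TCP port to the set of local addresses it is bound to."""
    bound = {}
    for m in re.finditer(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN", netstat, re.M):
        bound.setdefault(int(m.group(2)), set()).add(m.group(1))
    return bound

def dnats(vserver):
    """Map each DNAT'd WAN port to its (internal address, internal port) target."""
    return {int(p): (a, int(q)) for p, a, q in
            re.findall(r"DNAT\s+tcp.*?dpt:(\d+) to:([\d.]+):(\d+)", vserver)}

def input_accepts(input_chain):
    """Set of TCP ports the INPUT chain explicitly ACCEPTs."""
    return {int(p) for p in re.findall(r"ACCEPT\s+tcp.*?dpt:(\d+)", input_chain)}

def classify(port, netstat, vserver, input_chain, lan_ip):
    """Describe how a router-hosted TCP port is reached from the WAN, if at all."""
    bound = listeners(netstat).get(port, set())
    target = dnats(vserver).get(port)
    if target and target[0] != lan_ip:
        return "wan-via-dnat-to-lan-host"   # forwarded to another LAN device: the VPN-rule case
    if target:
        return "wan-via-dnat-to-router"     # e.g. httpd, bound only to 127.0.0.1 / LAN IP
    if ("0.0.0.0" in bound or "::" in bound) and port in input_accepts(input_chain):
        return "wan-via-input-rule"         # listens on all interfaces; INPUT ACCEPT opens it
    if bound:
        return "lan-only"                   # listening, but nothing admits WAN traffic
    return "not-listening"

if __name__ == "__main__":
    for port in (8443, 21):
        print(port, classify(port, NETSTAT, VSERVER, INPUT, "192.168.1.1"))
```

On a live router the three strings would be replaced by the output of the same three commands shown in the post.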