Restrict Admin Web Console by Port

[Denna]

On an RT-AC88U, is it possible to restrict access to the admin web console by LAN router port ?

 

[ColinTaylor]

No.

 

[OzarkEdge]

On an RT-AC88U, is it possible to restrict access to the admin web console by LAN router port ?

Maybe Administration\System\Remote Access Config\Enable Access Restrictions to webUI by Network/Host IP... would suit your LAN need. If you lock yourself out, you'll have to reset the firmware.

OE

 

[Denna]

@ColinTaylor and@OzarkEdge ,

Thanks for the help.​

Restriction by address is even better.​

 

[CaptainSTX]

If you want to make access more secure pick an IP that isn't normally assigned to the device you want administer the router. Then if you want to administer the router, using Windows or by using an app assign that IP to the PC then log into your router. Other wise if someone is trying to access the router and you are Dad or the IT guy they might guess that the IP needed to access the router is your IP. Of course if anyone has the time and patience they can try every IP in your subnet.

 

[Denna]

Scenario:

There is only one admin PC to manage the router through the web console.​

The admin PC is configured on the router with a manual IP address that is outside of the router's DHCP scope.​

The admin PC's IP address is added to the Access Restrictions.​

One day, the admin PC is no longer available due to hardware failure.​

​

Since the manual IP address is linked with the MAC address of the unavailable PC, does that mean the Admin is now locked out of managing the router ?
The only workaround would be to temporarily change the MAC address on the new admin PC with the MAC address of the unavailable PC, correct ?

 

[Yota]

Scenario:

There is only one admin PC to manage the router through the web console.​

The admin PC is configured on the router with a manual IP address that is outside of the router's DHCP scope.​

The admin PC's IP address is added to the Access Restrictions.​

One day, the admin PC is no longer available due to hardware failure.​

​

Since the manual IP address is linked with the MAC address of the unavailable PC, does that mean the Admin is now locked out of managing the router ?
The only workaround would be to temporarily change the MAC address on the new admin PC with the MAC address of the unavailable PC, correct ?

No, because access restrictions use IP addresses instead of MAC addresses, you can always specify your IP address on the device and ignore DHCP's automatic assignment of an IP address for you.

As long as you specify the correct IP address you can log into the admin web.

So to be honest, it's not secure, but if you have this security risk in your subnet, the first thing I do is not think about how to block it, but find the guy.

 

[Denna]

Perhaps a future feature to further secure router administration would be to include 2FA to restrict access to the Web UI.
However, I doubt that is within the scope of Asuswrt / Asuswrt-Merlin.