Router access

[ITguy]

I have 2 routers connected via wire.

This is my setup.

Fibre to the home going to ISP router (A) ----> my router (B)

My router(B) is connected to the ISP router(A) via cable (lan port A to wan port B)

Both routers have DHCP enabled so B is on A's lan.

My question

1) How can I access (ie login) my router(B) when I am on the internet and away from home ? (ie in another country)
2) How vulnerable is my router(B) to attack from a hacker outside of my network ?
The scope of this question is only thru the fibre to the home connection. (excludes my devices connected to B.

 

[eibgrad]

Fundamentally, you port forward from A to B. Or perhaps place the WAN ip of B in the DMZ of A. But that's not necessarily safe. You don't typically want to expose your router's GUI (or much of anything else frankly) directly to the internet. The better option is to establish a VPN client connection from the public side of A to a VPN server, running either on A or B, thus making B (and potentially the rest of A or B's local networks) accessible.

All that said, there are a lot of different ways to approach VPNs, including OpenVPN, Wireguard, or third-parties like Cloudflare tunnels, Tailscale, ZeroTier (which usually don't require port forwarding), just to name a few.

 

[ITguy]

Thanks.

If I setup a vpn server on B, how can I possibly access it when not at home ? The IP address assigned to it is from router A DHCP (lan address). I'm assuming some kind of portforwarding from A ? I understand DDNS, however, I thought that was strickly for internet facing routers (ie A). I only have basic knowledge of networking.

 

[eibgrad]

Your remote access options are heavily dictated by your available hardware and network configuration.

As I said, port forwarding has been the traditional method, but comes w/ potential hazards. As long as you have a public IP on the WAN of router A, you can use DDNS to keep a dynamic hostname updated w/ your current public IP, then reference it back to router A on its WAN, where the incoming traffic can be forwarded to router B's WAN.

You can keep the DDNS hostname updated using router A (which has the public IP) provide it has a DDNS update feature, or else configure the DDNS update feature on router B, but tell it to determine the public IP by connecting to a public website intended for that purpose, rather than examine its own WAN ip. Most DDNS updaters have that option precisely for this reason.

All in all, pretty simple and basic stuff. The mechanics are well understood and it's documented in many places. And it's been around forever. But there's a potential catch.

If router A does NOT have a public, but instead a *private* IP (aka CGNAT, e.g., 100.64.x.x), you can NOT route to it from the internet. You either have to convince your ISP to give you a public IP (and assuming they can/will, it might come w/ a surcharge), or else use an alternative like Cloudflare, Tailscale, etc.

In the case of Cloudflare et al, you establish an outbound connection to one of their public servers, from which you tunnel back into your home network. It avoids the need for port forwarding entirely (making it more secure), but it introduces a third-party to your network. And that could be an issue for some ppl in terms of privacy, and whether you trust them in not getting hacked, esp. since they are a bigger target than you merely acting alone. Still, it's mighty convenient, and many ppl choose this methodology, even if they have the ability to port forward w/ a public IP.

 

[sfx2000]

1) How can I access (ie login) my router(B) when I am on the internet and away from home ? (ie in another country)
2) How vulnerable is my router(B) to attack from a hacker outside of my network ?
The scope of this question is only thru the fibre to the home connection. (excludes my devices connected to B.

1) You don't, not directly - have a VPN connection to a host inside that lan
2) pretty closed until you open ports for remote access
3) Why?

Any time you open up the firewall for direct inbound connections - you're creating a security risk.

Believe it or not, one of the more secure solution is Google Nest Wifi - I've dropped them into a couple of family members that are less than technical, and I can manage those offsite thru the Google Home App.

They don't have a lot of config options, but at the same time, the hardware is pretty decent, and best of all, stable, and they update them frequently...

they're like cruise missiles - fire and forget - they'll hit the target...

 

[ITguy]

1) You don't, not directly - have a VPN connection to a host inside that lan
2) pretty closed until you open ports for remote access
3) Why?

.

1) So I could access a VPN server running on router B even though its behind router A and on A's lan ?
2) Not brute force password attack. I was thinking of a more sophisticated attack like vulnerabilies in the routers software allowing RCE.
3) Not sure what you're referring to.