
port forwarding limitation


toejam

I'm getting an Asus RT-AC68P and am looking forward to installing rmerlin on the device. I have quite a few network devices, including at least 15 security cameras. Each of the cameras is set up with a unique port and I set up port forwarding rules to access the cameras in my LAN from the internet. My old router (Netgear r6300v2) has a limitation on the number of port forwarding rules I can apply. I'm curious what the limitation on number of port forwarding rules is for rmerlin?

Please pardon me if I'm not using the correct lingo, I'm new to Asus and rmerlin. Looking forward to hearing constructive feedback.
 
Just came across an Asus "How to" website that shows a max port forwarding limit of 32. Is this the case with rmerlin?
 
RMerlin usually increases (for the better) any options Asus exposes. If 32 is the normal, then RMerlin will have at least that (sorry, don't use that feature).

Why don't you use OpenVPN to access your network securely instead though?
 
Been reading for the past couple hours on VPN. It brings even more questions and I'm just taking baby steps at this time. If I'm at a McDonalds using their free (but throttled) wifi I'd imagine that my throughput would be even less with a VPN. I already know how to do port forwarding, just run short of allowed rules due to all the security cameras.
 
Been reading for the past couple hours on VPN. It brings even more questions and I'm just taking baby steps at this time. If I'm at a McDonalds using their free (but throttled) wifi I'd imagine that my throughput would be even less with a VPN. I already know how to do port forwarding, just run short of allowed rules due to all the security cameras.

But L&LD has raised a very pertinent point (as always) - note his use of "securely": using your port forwarding method leaves your cameras connected to ports listening for any remote connections - yours and anyone trying to take over your cameras to become part of their botnet or even to access the rest of your network. Unless you are absolutely convinced your cameras are secured from being taken over - and I doubt anyone can be that sure, L&LD's advice about using OpenVPN to access your cameras should be followed up.

Setting up OpenVPN servers on your router, and the client software on the devices you will use, really is not difficult even for a beginner - I managed it! The firmware does everything for you, don't pay attention to articles about generating your own keys and certs: everything really is done for you. But I'd set up first perhaps just with passwords and usernames, gain confidence, and then when it all works you can add public key infrastructure (keys and certs) should you wish to massively enhance security.

(You'll only know the degree of McDonald's throttling by trying it, but I've never run into that problem on public wifi. You could always try KFC.)
 
I allow up to 128 port forwards, tho I don't think anyone has really tested it beyond 32 or 64.
 
RMerlin, I just checked the gui and was going to post the exact thing (128 Port Forwards). ;)
 
Thanks for the data, 128 should be more than enough.
I will keep looking into VPN, just gonna take a few baby steps before I take the plunge.
 
Hi RMerlin,

Could you help me get more info - I've got two routers:
66_UB1 (running your firmware) and AC51U (running stock firmware) in two different places.

I have roughly 25 devices hooked to each router, and each device is manageable via TCP, each one requiring up to 4 ports to be forwarded. And planning to have more.

Your firmware limits port redirects to 128 - which is fine for now
Stock firmware (AC51) limits to 32 - which is not enough :(

So maybe you can help me with a solution on how it is possible to increase these values (via SSH probably?) and if it is possible at all?

Second question, as I don't want to expose those devices to the whole internet, I'm looking for a solution if:
1. - Is it possible to limit access by country on those ports (somehow use IP2Country?)
2. - Is it possible to limit those redirected ports to several external IPs only?

Hope you can help me with those.

PS - I was thinking about VPN, but I've got a 1Gbps connection in both places which is used heavily sometimes with big traffic, so bringing this all to VPN would make it slower and probably costly.
PPS - I know I can buy a dedicated programmable router or just a Linux machine to route the traffic, but I'm pretty much sure ASUS could probably cope with those tasks, couldn't it? :)

Thanks in advance,
Demi
 
So maybe you can help me with a solution on how it is possible to increase these values (via SSH probably?) and if it is possible at all?

You would have to change the webui code. The limitation is in the HTML code, it's not a value you could change somehow, sorry.

Second question, as I don't want to expose those devices to the whole internet, I'm looking for a solution if:
1. - Is it possible to limit access by country on those ports (somehow use IP2Country?)
2. - Is it possible to limit those redirected ports to several external IPs only?

This would require you to write your own firewall rules, not possible through the webui. And the stock firmware doesn't provide the necessary hooks for you to have custom rules applied automatically.

For such needs, you would probably need to go with a different model that's more flexible.
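
The "several external IPs only" restriction asked about above, written as custom firewall rules for a router or Linux box that lets you apply your own iptables rules; this is an added example, not part of the thread and not the firmware's own code. The WAN interface name, the chain name and the sample addresses are assumptions, and the script only prints the commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Print (do not execute) iptables commands that limit already-forwarded
# ports to an allowlist of external source addresses.
# Assumptions, not from the thread: WAN_IF, CHAIN, and the constructed
# sample addresses in the last line (documentation ranges).
WAN_IF="eth0"            # assumed WAN interface name
CHAIN="FWD_ALLOWLIST"    # hypothetical custom chain name

# valid_port PORT: succeeds only for an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_addr ADDR: syntax check for dotted IPv4 with optional /prefix
valid_addr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# gen_rules "SRC1 SRC2 ..." "LANIP:PORT LANIP:PORT ..."
# After DNAT the packet carries the internal address and port, so the
# FORWARD match uses the LAN target, not the external port.
gen_rules() {
    sources="$1"; targets="$2"
    for s in $sources; do
        valid_addr "$s" || { echo "bad source: $s" >&2; return 1; }
    done
    for t in $targets; do
        valid_addr "${t%%:*}" && valid_port "${t##*:}" ||
            { echo "bad target: $t" >&2; return 1; }
    done
    echo "iptables -N $CHAIN"
    for s in $sources; do
        # RETURN hands allowed sources back to the normal FORWARD rules
        echo "iptables -A $CHAIN -s $s -j RETURN"
    done
    echo "iptables -A $CHAIN -j DROP"   # everyone else is dropped
    for t in $targets; do
        echo "iptables -I FORWARD -i $WAN_IF -p tcp -d ${t%%:*} --dport ${t##*:} -j $CHAIN"
    done
}

# Constructed sample: two allowed sources, two forwarded cameras
gen_rules "198.51.100.10 203.0.113.0/24" "192.168.1.50:8081 192.168.1.51:8082"
```

The rules have to be re-applied whenever the firewall is rebuilt, which is why firmware without a hook for custom rules cannot use this approach.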
 
Thanks for the fast reply,
is the WEBUI something I can change? (or does it go into firmware read-only memory?) Cause I'm good at HTML/JS, so if this is only an HTML limiter I could fix that (Actually I'll try to do this with Firebug - spoofing HTML entries then to see if it works)
 
You can't modify it in a persistent way. Best you can do is temporarily mount bind a writable copy, which you can modify. Something like this:

Code:
cp /www/Advanced_DHCP_Content.asp /jffs/
mount -o bind /jffs/Advanced_DHCP_Content.asp /www/Advanced_DHCP_Content.asp

Then you can edit that copy in /jffs/ . Next reboot, you will have to re-run the mount command if you need to access your modified version again.

The limit value is in a location or two within the file.
 
