How to access 2nd router (ASUS RT-AC68U) login page while on main router (Fios G1100) WiFi network?

I am using RT-AC86U with the latest stock firmware. I use it as a VPN Client router. I now am able to access the gui using the WAN ip address (I wasn't using https before so that is why it was only working with the LAN ip) but I still can't get to it from the web even with a port forwarded from the ISP router to the WAN ip of the Asus. I am guessing that this is because the request coming into the router gui is no longer https once it is forwarded from the ISP router??

For right now, I'm not really concerned about the security. Since this router is behind my isp router, am I not still getting all of the security of the isp router?

(isp router is actiontec c2000a)
 
I am guessing that this is because the request coming into the router gui is no longer https once it is forwarded from the ISP router??
Port forwarding can't change the protocol being used.

For right now, I'm not really concerned about the security. Since this router is behind my isp router, am I not still getting all of the security of the isp router?
If you could get this to work then definitely not. By creating a forwarded port you are completely bypassing any security provided by the ISP router on that port.
 
ok well security aside, if port forwarding isn't changing the protocol, then shouldn't this work same as accessing a pc with remote desktop?
I have the asus set up for Remote Access from WAN with a port assigned (let's call it port xxxx)
The WAN ip address of the Asus is on the same subnet as the ISP router (call it 192.168.x.y)
Firewall on Asus is turned off
ISP router has port xxxx forwarded (both tcp and udp) to ip 192.168.x.y
Shouldn't I be able to go to a browser outside the network and enter: https://public.ip.address:xxxx and get the gui? What is stopping this from working?
 
It sounds like it should work. Off the top of my head, reasons why it might not...

1. The port forwarding on the ISP router is not actually happening
2. The ISP blocks incoming traffic on port xxxx
3. You don't have a true public IP address but a CGNAT address

P.S. Re-enable the firewall on the Asus unless you have a specific reason not to.
 
I turned off the firewall because just trying to connect locally from a different subnet using the LAN ip would only work with the firewall off.
The public ip is good. Remote desktop works. I've tried many different ports and called my isp. They said they don't block those ports on their end. I used an online port checker and sure enough the ports are blocked. Doesn't matter what port I use to forward to the router. If I forward 3389 to my pc ip address it shows as open with the online port checker. If I try to forward that same port to the asus router and set that as the remote access port, it shows as blocked with the online port checker (and that's with the asus firewall off). I don't get it. Oh well, it looks like it's not possible. Thank you for your help.
 
Enabling remote WAN access to the router is regarded as a very bad idea and strongly discouraged by this forum.

I don't know how bad ASUS routers are in this regard and I know it's not recommended in general, but I also know I have a Linux server open to Internet on a standard port and in last 7 years no one managed to login there, but me. I see a lot of attempts in the logs, but all unsuccessful. Mostly bots sniffing around, I guess. After 3rd unsuccessful attempt the server blocks the IP for 1h.
 
I don't know how bad ASUS routers are in this regard and I know it's not recommended in general, but I also know I have a Linux server open to Internet on a standard port and in last 7 years no one managed to login there, but me. I see a lot of attempts in the logs, but all unsuccessful. Mostly bots sniffing around, I guess. After 3rd unsuccessful attempt the server blocks the IP for 1h.
I (and the rest of the world ;)) don't have an issue running Apache on a Linux server with its reasonably frequent security fixes. The router's hacked-together version of milli_httpd with its dubious security history is another matter.
 
Please please please....just stop. You are exposing your internal network directly to the Internet and this is not going to end well. RDP should NEVER be directly exposed to the Internet. Your router GUI should NEVER be directly exposed to the Internet.

You are port forwarding through the ISP router....there is no security being provided by the ISP router. At this point the ISP router is blocking connections to other ports you haven't forwarded, but anything forwarded goes straight through. These are basic routers...they don't actually do anything above Layer3 to protect services.

There are historically vulnerabilities within the ASUS GUI that can and will be exploited. RDP just had a HUGE vulnerability in the past year and once again proved why you do not directly expose it to the Internet. It's one thing to expose something to the public Internet if you understand the risks and have taken the proper precautions. But those that try to expose their router GUI rarely have that full understanding. I have services exposed as well...but they are all sitting in a DMZ within my network, patched on a regular basis, and have no other access to my internal network. All of the web services are also going through the "WAF" on the FW that at least only forwards specific URI paths. It isn't perfect, but better than just straight up port forwarding.
 
Please please please STOP lecturing me on the risk!! I am well aware of the risk!! I don't keep RDP open, I only opened it to test if my ISP router was properly forwarding ports. I don't need to remotely access my router GUI, I live in my house with my router. I can access the GUI anytime I want.
I have a job to do and right now that job is to figure out if the GUI of a router behind an ISP router can be accessed remotely. If you have input that will help solve this problem, then by all means speak up. If not, zip it! My boss is an extremely adept database security guru. I'll let him worry about the risk later.
So far it's not possible. So far I can open a dozen ports on my ISP router and they still show as blocked. So if you think there is some super-skilled network hacker out there that wants to take the time to randomly hack my useless network and he can get past both routers then the firewalls on my PCs, then my hat's off to him. He is welcome to whatever data he wants. My sh*t is backed up. What's that? Ransomware you say? Bootloader rootkits you say? Be my guest!! He'll be wasting tremendous amounts of time and resources. Bots? No bot is going to crack my username and passwords without tremendous computing power and days of time to spend and for what?? My music collection? There's no pentagon secrets on my network!
So....Please please please...explain to me why when I open all of these random ports that my ISP insists they are not blocking, are they still showing as blocked with the online port checker.
 
... why when I open all of these random ports that my ISP insists they are not blocking, are they still showing as blocked with the online port checker.
Clutching at straws: Make sure you have removed any port forwarding rules on the Asus for the port you're trying to use.

If it still doesn't register as open try enabling the Asus' SSH port and forwarding that from your ISP router. See if that works.
 
I don't have any port forwarding rules on the Asus. I just gave the SSH a try with both a random port and with the standard SSH port 22 and both still showed as blocked with the port checker. It's not looking very hopeful at least not with this C2000a ISP router.

So now my next question is - If I bypass the ISP router by setting it to Bridge, then either with this Asus or any other router firmware out there that you know of, is there a way to dedicate specific ports to VPN and specific ports to regular WAN? like have all of the wired LAN ports for VPN and the Wireless connection for regular WAN or vice versa?

I think with dd-wrt, you can add virtual wireless connections with different SSID's. Can one of those be set up just for VPN?
 
So now my next question is - If I bypass the ISP router by setting it to Bridge, then either with this Asus or any other router firmware out there that you know of, is there a way to dedicate specific ports to VPN and specific ports to regular WAN? like have all of the wired LAN ports for VPN and the Wireless connection for regular WAN or vice versa?
I don't know of any way of doing that with the RT-AC86U and as far as I know there is no third party firmware available for that model. You could probably do what you want with one of the older models (like the RT-AC68U) that supports OpenWRT, FreshTomato or DD-WRT.
 
My last note on the security....it isn't always your data the bad guys are after. It is your resources they want to be able to use against others.

What is your WAN IP showing on your ASUS as well as on your ISP router? Are they showing as RFC1918 or public? When you do a "what is my ip" in Google, does that IP reported match the IP showing on your ISP router? Trying to understand if the ISP is doing another NAT somewhere else that is blocking your flows. Rarely do ISPs do as much filtering to block as many things as you have tried. It is one thing if they blocked a few common ports to prevent/protect users from running their own inbound services....but very few would be blocking all unless you are behind another NAT somewhere outside of your view.
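
The check described in the post above (are the WAN addresses RFC1918 or public, and does the ISP router's WAN address match what an external "what is my IP" service reports), written out as an added example that is not part of the original thread. The function names and the sample addresses are assumptions made for illustration; the addresses are constructed and use documentation ranges.

```python
import ipaddress

# RFC 1918 private ranges, plus the RFC 6598 shared range used for carrier-grade NAT.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")
NON_ROUTABLE = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "169.254.0.0/16")]


def classify(addr):
    """Return 'rfc1918', 'cgnat', 'non-routable' or 'public' for an IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in NON_ROUTABLE):
        return "non-routable"
    return "public"  # simplification: everything else is treated as routable


def diagnose(asus_wan, isp_wan, observed):
    """Locate NAT layers between the inner router and the Internet.

    asus_wan: WAN address shown by the inner router (hypothetical parameter name)
    isp_wan:  WAN address shown by the ISP router
    observed: address reported by an external "what is my IP" service
    """
    findings = []
    if classify(asus_wan) != "public":
        findings.append("inner router is behind NAT: a forward on the ISP router is required")
    kind = classify(isp_wan)
    if kind != "public":
        findings.append("ISP router WAN is %s: NAT exists upstream, forwards are unreachable" % kind)
    elif ipaddress.ip_address(isp_wan) != ipaddress.ip_address(observed):
        findings.append("ISP router WAN differs from observed address: another NAT sits upstream")
    else:
        findings.append("ISP router holds the public address: check the forward rule or target service")
    return findings


if __name__ == "__main__":
    # Constructed sample values; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    for case in [("192.168.0.2", "203.0.113.5", "203.0.113.5"),
                 ("192.168.0.2", "100.72.1.9", "198.51.100.7")]:
        print(case, "->", diagnose(*case))
```

The first sample matches the situation reported later in the thread (inner WAN on 192.168.x.x, ISP router address equal to the externally observed one), which rules out an upstream NAT and leaves the forward rule or the target service as the place to look.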
 
like have all of the wired LAN ports for VPN and the Wireless connection for regular WAN or vice versa?

I believe you can with Asuswrt-Merlin + YazFi script. You have to set all network VPN and then use YazFi to create an SSID going through WAN only. You can do the opposite too, no specified clients through VPN, but all connected to specific SSID going through VPN. This is the theory from what I remember YazFi script was doing. I don't have the router to test though.

Pinging @Jack Yaz for assistance, he is the author of the great YazFi script.
 
I believe you can with Asuswrt-Merlin + YazFi script. You have to set all network VPN and then use YazFi to create an SSID going through WAN only. You can do the opposite too, no specified clients through VPN, but all connected to specific SSID going through VPN. This is the theory from what I remember YazFi script was doing. I don't have the router to test though.

Pinging @Jack Yaz for assistance, he is the author of the great YazFi script.
That's not what he's asking for. He wants to separate out the individual physical LAN sockets. YazFi can't do that as it's a WiFi utility.
 
@Val D. I would settle for all wired ports or even no wired ports but just a separate SSID that is VPN which it sounds like can be done, but the ideal scenario (as @ColinTaylor was saying) would be to separate out the individual ethernet ports and have 2 wired VPN ports and 2 wired WAN ports plus one VPN SSID and one WAN SSID. I'll keep looking into it. There are quite a few posts of people using code to create VLAN and bridging VPN or whatever but looks quite possible with a bit of work and coding. What we may need is to hire someone like Eric Sauvageau who wrote the asus-merlin to write us a custom firmware that natively has the ability to create VLANs and Virtual Wireless Connections and bind VPN to any physical or virtual port you want with the click of a checkbox or dropdown!

@MichaelCG Yes, whatismyip shows that same ip as what is shown in the ISP router GUI. I don't know what RFC1918 is but the Asus is "behind" the ISP so its WAN has a local ip (192.168.x.x) on the same subnet as the default gateway but has LAN ip on different subnet. It's ok though, I'm not too worried about this because if I can do the above with VLAN, then that might be an even better solution. I could put the ISP router in bridge mode, then I should definitely be able to access the Asus gui since it will be directly connected to the internet with the public ip AND still be able to quickly switch between VPN and WAN using only the Asus.
 
but the ideal scenario would be to separate out the individual ethernet ports...

When software solution is not available or it's hard to achieve, more hardware may come to rescue. Get a cheap second-hand RT-AC66U router, run it in Media Bridge mode, connect it to "WAN Only" SSID of the main router, keep it close to the main router in order to hold a steady 1300Mbps link speed, get 4 x LAN ports "WAN Only" as a result. :)

Drawbacks:
- extra cost (but you have 8 x LAN ports total)
- extra power consumption (but you have a backup router)
- the traffic generated between your main router and "wireless" LAN ports will eat part of your total available wireless bandwidth
 
