Port Forwarding and Other Enhancements

Mick Mickle

Regular Contributor
RMerlin - Would it be feasible to add these options to your firmware?

1. Ability to toggle "Enable/Disable" for each port forward (like DD-WRT provides).

To disable a port forward now requires deleting it in the webGUI, and it's an inconvenience to reenter the information and add it back to enable again. For users who test or use multiple software configurations that need various port forwards (HTTP/S or FTP servers, WHS, Remote Potato, etc.) that feature would be great. I know I had a full page of port forwards in DD-WRT on my previous router, most disabled at any one time, and I'd hate to think of adding and deleting them to accomplish the same thing. Also, because AiCloud seems incapable of using anything but port 443 (probably to simplify the mobile apps), it would be nice to easily switch between AiCloud and remote web access for Windows server family by simply turning AiCloud on/off in concert with enabling/disabling the port forward for 443. (Edit: By the way, I found that when AiCloud is turned on and port 443 is forwarded at the same time, RT-N66R handles the conflict in favor of the port forward, bypassing AiCloud.)

2. Ability to choose authentication method for accessing the webGUI as HTTP for LAN but HTTPS for Web. Similar to the current "BOTH" option, except plain HTTP access not allowed from the Web for security reasons.

Perhaps there's little justification for such a new option, but I initially had some difficulty accessing the webGUI with SSL on the LAN with the out-of-box firmware version, and it can be overkill on a private LAN. Also, HTTPS access to DD-WRT has some options (like configuration backup and restore) greyed out. But that might be unique to DD-WRT and not a problem with your firmware.

Thanks for thinking about this.
 
As for number 2, couldn't you just have the firewall block incoming on port 80?

Then you can set it to both, use both http and https from the lan but only https from the wan?
 
I think that would work okay, but it would prevent you from using port 80 to run a web server from a computer inside the LAN. (Which is one reason why, if you do allow HTTP control of the router from the Web, the Merlin build lets you pick the port -- 8080, etc.)
 
Well, if you forward port 80 on the wan to a computer on your lan, nobody will be able to connect to port 80 on the router wan, so that also "fixes" the problem.

So, two ways to solve it:

1. Block incoming on port 80
2. Forward port 80 to other computer

You could also set the port to something like 8080 and block that port, and still forward port 80 to the web server on your lan.
 
For item 2, your logic makes sense, but I just tried it and it's not working for me. With a WAN access of both HTTP (set to port 8080) and HTTPS (set to port 8443), I blocked 8080 in the router's Firewall Network Services Filter Table. However, I could still access the router with HTTP://xxx.asuscomm.com:8080. Maybe the router's firewall is only for the LAN side?

So I forwarded 8080 to a local IP, but the browser still went to the router's GUI. (Based on my observation that a forwarded port 443 commandeers it from AiCloud, I'd expect the webGUI would be denied 8080 if it was forwarded to a computer. But that didn't hold true. Maybe when a port is forwarded to a computer, the computer has to accept and utilize the port or the router can continue to use it?)
 
1) Would require too many changes to both the webui and the backend, which would break backward compatibility with Asus's firmware.

2) Do it manually through a firewall-start script, where you can close down ports as desired, otherwise that setting would become a bit complicated to manage for most users.
 
Hmmm, I guess you can't block incoming with the router's firewall (http://forums.smallnetbuilder.com/showpost.php?p=40324&postcount=7). Under BOTH, I've got HTTP WAN on 8080, and 8080 in the firewall. But it's still accessible through the internet. Self-discipline is probably the solution: just remember not to access router over internet with plain text password.

You can delete the firewall rule using a nat-start script:

#!/bin/sh
iptables -t nat -D VSERVER -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.10.1:80

That way, port 8080 won't redirect to the router's port 80.
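
Added example, not part of the thread or of the firmware: a check that the nat-start deletion above took effect, by listing the VSERVER DNAT rules that still hand a WAN port to the router's own address. The function names, the sample rules and the 192.168.10.50 host are constructed for illustration; on the router the input would come from `iptables -t nat -S VSERVER`.

```shell
#!/bin/sh
# Added example: audit the VSERVER chain for rules that expose the router's web UI.
# ROUTER_IP defaults to the LAN address used in the thread's rule (an assumption
# for any other network).
ROUTER_IP="${ROUTER_IP:-192.168.10.1}"

# Reads `iptables -S` style lines on stdin and prints "wan_port -> destination"
# for every DNAT rule in VSERVER whose destination host is the router itself.
webui_dnat_rules() {
    awk -v ip="$ROUTER_IP" '
        $1 == "-A" && $2 == "VSERVER" {
            dport = ""; dest = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport")          dport  = $(i + 1)
                if ($i == "--to-destination") dest   = $(i + 1)
                if ($i == "-j")               target = $(i + 1)
            }
            split(dest, hp, ":")          # hp[1] = host, hp[2] = port
            if (target == "DNAT" && hp[1] == ip)
                print dport " -> " dest
        }'
}

# Constructed sample, modelled on the rule quoted in the thread. The last line
# is an ordinary port forward to a LAN web server and must not be reported.
sample_rules() {
    cat <<'EOF'
-N VSERVER
-A VSERVER -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.10.1:80
-A VSERVER -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.10.1:8443
-A VSERVER -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.50:80
EOF
}

# Before the nat-start script runs: both web UI redirects are present.
sample_rules | webui_dnat_rules
```

If the 8080 line still appears after nat-start has run, the deletion did not match the rule as installed and plain HTTP is still reachable from the WAN.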
 
Yes, the "firewall" settings in the Web UI seem to only affect outgoing traffic; rules for incoming traffic have to be set "manually" using a script with iptables.
 