
I recently upgraded one of my customers to a Ubiquiti EdgeRouter Lite, which is a significant improvement over their old ISP-supplied router.

To reduce the frequency of attacks against the router's web interface while still allowing remote administration, one thing that we had done on the old router was to move remote management to a non-standard port, let's say 8642. On the old ISP-supplied router, there was a simple text-box for this, but on the EdgeRouter it must be done by hand.

I added a simple Port-Forwarding rule on the EdgeRouter to forward PUBLIC_IP:8642 to LOCAL_LAN_IP:443, as well as a corresponding firewall rule:

    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        ...
        rule 2 {
            action accept
            description "Allow remote management"
            destination {
                group {
                    port-group ManagementPorts
                }
            }
            log disable
            protocol tcp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        ...
    }

where port-group ManagementPorts contained 8642.

However, I still could not access the web interface. The only way I could find to resolve the issue was to allow outside access to port 443 as well - then access to port 8642 worked. However, this means that the web interface is now available from outside on two ports, the default and the one I want.

What is the correct configuration for doing this so that the web interface is available internally on 443 and externally on 8642?

Moshe Katz
  • Why not disable remote management and use a VPN connection to connect to the router and manage it? It seems to me that that's a better solution than allowing remote management, even on another port, where a port scanner will surely discover it. – joeqwerty Jan 22 '15 at 19:51
  • @joeqwerty VPN is an option, though I'm sure that there has to be way to do this and I would like to find it just for the sake of knowing. I'm not concerned about a port scanner though - I have several other locations using other firewall software (pfSense, ISP-provided, and others) and have cut down from thousands of attacks per location per day to almost zero, simply by changing the port. – Moshe Katz Jan 22 '15 at 20:05
  • @MosheKatz I ran into this issue (the nat/port forward happening before the firewall) today. Did you ever find a suitable workaround? – solenoid Apr 09 '18 at 23:39

2 Answers


Your port-group ManagementPorts configuration should specify the internal port number (443), rather than the external port number (8642). The NAT translation rules are applied before the firewall rules, so by the time it gets to your firewall rule, it's requesting access on port 443. That's why adding 443 fixed things.

jsears
  • I'm not sure this is the correct answer. I tried something similar and this just opened both 443 and the external port number to the outside WAN. – reedog117 Nov 01 '16 at 15:02

I agree that VPN is a more secure solution. However, what you're asking can still be done. If you go with the solution you're suggesting, I'd highly recommend that you also replace the HTTPS cert with a valid cert, that has been signed by a root CA. Otherwise you're at risk of a man-in-the-middle attack, because the self-signed cert that ships with the EdgeRouter is public domain. With VPN, you'll also want to install a valid cert.

To expose the EdgeRouter from the WAN, using an alternate port, I think you need to first change the web gui port. †

  1. Log into router via ssh/console
  2. Enter configure mode

    configure
    
  3. Set the Web UI port; change 8443 to whatever you would like

    set service gui https-port 8443
    
  4. Commit and save

    commit
    save
    

If you require access to the Web GUI from an external location, you will need to create a firewall rule to allow the traffic.

  1. Create the firewall rule to allow inbound traffic on port 8443

    edit firewall name WAN_LOCAL rule 50
    set description "Inbound traffic to WEB GUI"
    set action  accept
    set log disable
    set protocol tcp_udp
    set destination port 8443
    

† Attribution: Dave Lasley

jsears
  • Thanks! I'm still wondering if there's a way to use the original port from inside the business though. – Moshe Katz Feb 23 '15 at 21:30
  • Try setting "enable-default-log" to enable firewall/NAT logging, as described in the [destination port forwarding](http://wiki.ubnt.com/EdgeMAX_PortForward) guide in the EdgeOS wiki. That should help you to determine where the packets are being dropped. – jsears Feb 24 '15 at 01:03
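Editor's note: the following is an added example, not code from the question or either answer. It is a small Python model of the packet path the first answer describes (destination NAT, i.e. the port forward, is evaluated before the WAN_LOCAL chain, so the firewall only ever sees the translated port) and it runs the three configurations discussed on this page through that model: the question's original setup (forward 8642 to 443, port group containing 8642), the first answer's fix (port group containing 443, which reedog117's comment reports also exposes 443 directly), and the second answer's approach (move the GUI to 8443 and allow 8443 with no forward). The class and function names, the probe loop and the two placeholder addresses are this example's own assumptions; the port numbers are the ones used in the thread.

```python
# Added example, not from the original page: model of EdgeOS ordering where
# destination NAT (port forward) runs before the WAN_LOCAL firewall chain.
# Names, addresses and the probe loop below are assumptions of this example.
from dataclasses import dataclass, replace

ROUTER_WAN_IP = "203.0.113.10"   # constructed stand-in for PUBLIC_IP
ROUTER_LAN_IP = "192.168.1.1"    # constructed stand-in for LOCAL_LAN_IP


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    state: str = "new"            # a fresh inbound connection


@dataclass(frozen=True)
class DnatRule:
    """Port forward: WAN-side destination port -> inside address and port."""
    wan_port: int
    inside_ip: str
    inside_port: int


@dataclass(frozen=True)
class FwRule:
    """One WAN_LOCAL accept rule keyed on a destination port group."""
    ports: frozenset
    proto: str = "tcp"
    states: frozenset = frozenset({"new", "established", "related"})


def dnat(pkt, rules):
    """Destination NAT is applied first; only the translated packet goes on."""
    for r in rules:
        if pkt.proto == "tcp" and pkt.dst_port == r.wan_port:
            return replace(pkt, dst_ip=r.inside_ip, dst_port=r.inside_port)
    return pkt


def wan_local(pkt, rules):
    """WAN_LOCAL sees the post-NAT packet; default-action drop."""
    for r in rules:
        if pkt.proto == r.proto and pkt.state in r.states and pkt.dst_port in r.ports:
            return "accept"
    return "drop"


def reaches_gui(pkt, dnat_rules, fw_rules, gui_port):
    """True if a WAN packet is accepted AND lands on the port the GUI listens on."""
    after_nat = dnat(pkt, dnat_rules)
    if wan_local(after_nat, fw_rules) != "accept":
        return False
    return after_nat.dst_port == gui_port


def exposed_wan_ports(dnat_rules, fw_rules, gui_port, probe=range(1, 65536)):
    """Set of WAN-side ports on which a new TCP connection reaches the web UI."""
    return {p for p in probe
            if reaches_gui(Packet(ROUTER_WAN_IP, p), dnat_rules, fw_rules, gui_port)}


def scenario_question():
    """Question: forward 8642->443, ManagementPorts = {8642}, GUI on 443."""
    return exposed_wan_ports((DnatRule(8642, ROUTER_LAN_IP, 443),),
                             (FwRule(frozenset({8642})),), gui_port=443)


def scenario_first_answer():
    """First answer: same forward, ManagementPorts = {443}."""
    return exposed_wan_ports((DnatRule(8642, ROUTER_LAN_IP, 443),),
                             (FwRule(frozenset({443})),), gui_port=443)


def scenario_second_answer():
    """Second answer: no forward, GUI moved to 8443, WAN_LOCAL allows 8443."""
    return exposed_wan_ports((), (FwRule(frozenset({8443})),), gui_port=8443)


if __name__ == "__main__":
    print("question      :", scenario_question())        # set()
    print("first answer  :", scenario_first_answer())    # {443, 8642}
    print("second answer :", scenario_second_answer())   # {8443}
```

Reading the three results against the thread: the question's setup exposes nothing, because the only packet that could match the 8642 rule has already been rewritten to port 443 by the time WAN_LOCAL runs; the first answer's fix makes 8642 work but also accepts direct connections to 443, which is what reedog117 observed; the second answer ends up with exactly one port reachable from the WAN, at the cost of the GUI moving to that port internally as well, which is the point Moshe Katz raises in his comment.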