I recently upgraded one of my customers to a Ubiquiti EdgeRouter Lite, which is a significant improvement over their old ISP-supplied router.
To reduce the frequency of attacks against the router's web interface while still allowing remote administration, one thing that we had done on the old router was to move remote management to a non-standard port, let's say 8642. On the old ISP-supplied router, there was a simple text box for this, but on the EdgeRouter it must be done by hand.
I added a simple port-forwarding rule on the EdgeRouter to forward PUBLIC_IP:8642 to LOCAL_LAN_IP:443, as well as a corresponding firewall rule:
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        ...
        rule 2 {
            action accept
            description "Allow remote management"
            destination {
                group {
                    port-group ManagementPorts
                }
            }
            log disable
            protocol tcp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        ...
    }

where port-group ManagementPorts contained 8642.
However, I still could not access the web interface. The only way I could find to resolve the issue was to allow outside access to port 443 as well; then access to port 8642 worked. However, this means that the web interface is now available from outside on two ports, the default and the one I want.
What is the correct configuration for doing this so that the web interface is available internally on 443 and externally on 8642?
Your port-group ManagementPorts configuration should specify the internal port number (443), rather than the external port number (8642). The NAT translation rules are applied before the firewall rules, so by the time it gets to your firewall rule, it's requesting access on port 443. That's why adding 443 fixed things.

I agree that VPN is a more secure solution. However, what you're asking can still be done. If you go with the solution you're suggesting, I'd highly recommend that you also replace the HTTPS cert with a valid cert that has been signed by a root CA. Otherwise you're at risk of a man-in-the-middle attack, because the self-signed cert that ships with the EdgeRouter is public domain. With VPN, you'll also want to install a valid cert.
To expose the EdgeRouter from the WAN, using an alternate port, I think you need to first change the web GUI port. †
1. Enter configure mode.
2. Set the Web UI port; change 8443 to whatever you would like.
3. Commit and save.
4. If you require access to the Web GUI from an external location, you will need to create a firewall rule to allow the traffic.
5. Create the firewall rule to allow inbound traffic on port 8443.

† Attribution: Dave Lasley
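The two answers above describe two different ways of getting the same result: keep the web UI on 443 and let destination NAT rewrite 8642 to 443 before WAN_LOCAL is evaluated, or move the web UI itself to 8443 and allow 8443 directly. The following is an added example, not code from the thread, from Ubiquiti, or from Dave Lasley: a small Python model of the packet path (DNAT first, then the WAN_LOCAL rule set) that reproduces why a port-group containing 8642 drops the forwarded traffic, why 443 in the group makes it work, and what the 8443 variant looks like. The IP strings `PUBLIC_IP` and `LOCAL_LAN_IP` are the placeholders from the question; the source address 203.0.113.5 and the packet samples are constructed for the example. The model deliberately ignores everything else a real rule set does (conntrack, IPv6, logging).

```python
"""Model of EdgeOS inbound processing for traffic to the router itself.

Added example: DNAT rewrites the destination before the WAN_LOCAL
rule set sees the packet, so firewall rules must match the post-NAT port.
Placeholder addresses come from the question; packets are constructed.
"""
from dataclasses import dataclass, replace

PUBLIC_IP = "PUBLIC_IP"          # placeholder from the question
LOCAL_LAN_IP = "LOCAL_LAN_IP"    # placeholder from the question
OUTSIDE_HOST = "203.0.113.5"     # constructed example client address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    state: str = "new"           # new / established / related / invalid


@dataclass(frozen=True)
class DnatRule:
    match_dst: str
    match_port: int
    to_dst: str
    to_port: int


def apply_dnat(pkt, rules):
    """Destination NAT runs first; rewrite dst/dport on the first match."""
    for r in rules:
        if pkt.dst == r.match_dst and pkt.dport == r.match_port:
            return replace(pkt, dst=r.to_dst, dport=r.to_port)
    return pkt


def wan_local(pkt, management_ports):
    """WAN_LOCAL from the question: default drop; rule 2 accepts TCP to
    the ManagementPorts group for new/established/related, never invalid."""
    if pkt.state == "invalid":
        return "drop"
    if pkt.proto == "tcp" and pkt.dport in management_ports:
        return "accept"
    return "drop"


def router_verdict(pkt, dnat_rules, management_ports):
    """Return (verdict, port seen by the firewall) for one inbound packet."""
    after_nat = apply_dnat(pkt, dnat_rules)
    return wan_local(after_nat, management_ports), after_nat.dport


# Scenario from the question and the first answer: DNAT 8642 -> 443.
FORWARD_8642 = [DnatRule(PUBLIC_IP, 8642, LOCAL_LAN_IP, 443)]


def summarize():
    """Run the three configurations discussed in the thread."""
    via_8642 = Packet(OUTSIDE_HOST, PUBLIC_IP, 8642)
    direct_443 = Packet(OUTSIDE_HOST, PUBLIC_IP, 443)
    direct_8443 = Packet(OUTSIDE_HOST, PUBLIC_IP, 8443)
    return {
        # Asker's original rule: group holds the external port 8642.
        "group_8642/via_8642": router_verdict(via_8642, FORWARD_8642, {8642}),
        # First answer: group holds the internal port 443.
        "group_443/via_8642": router_verdict(via_8642, FORWARD_8642, {443}),
        # Same rule set also accepts a direct hit on 443 (no DNAT match),
        # which is the two-port exposure the asker noticed.
        "group_443/direct_443": router_verdict(direct_443, FORWARD_8642, {443}),
        # Second answer: web UI moved to 8443, no DNAT, group holds 8443.
        "group_8443/direct_8443": router_verdict(direct_8443, [], {8443}),
        "group_8443/direct_443": router_verdict(direct_443, [], {8443}),
    }


if __name__ == "__main__":
    for name, (verdict, port) in summarize().items():
        print(f"{name:24s} firewall sees dport {port:<5d} -> {verdict}")
```

The model makes the first answer's point concrete: with the DNAT rule in place, every packet that arrives on 8642 reaches WAN_LOCAL with a destination port of 443, so a group containing only 8642 never matches and the default drop applies. It also shows, without any extra rule, that the same group accepts a direct connection to 443 from the WAN, which is why the second answer's approach of moving the listener itself leaves only the one port exposed.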