New Member
Posts: 6
Registered: 3 weeks ago

Configuring the ERlite3 - Remote Management

V1.9 with Hotfix.

 

Two issues same thing though:

1. Would like to access the Web Dashboard of the device from the internet, cannot figure out how to make that work.

 

2. Enabled SSH and attempted to connect using SSH over the internet using PuTTY, but this too failed.

Would like to get both methods functioning; can't figure out how to do it.

 

Thanks in advance

Member
Posts: 119
Registered: ‎10-19-2016
Kudos: 20
Solutions: 13

Re: Configuring the ERlite3 - Remote Management

Please post your config. From ssh run

show configuration | cat

Then post it here, sanitizing sensitive data out.

New Member
Posts: 6
Registered: 3 weeks ago

Re: Configuring the ERlite3 - Remote Management

Didn't do it from the SSH but the CLI; not really sure how to use the SSH. Attached is the text file.

Member
Posts: 119
Registered: ‎10-19-2016
Kudos: 20
Solutions: 13

Re: Configuring the ERlite3 - Remote Management

If you use GUI.. Go to firewall section. 

 

Select the Firewall/Nat groups

 

  • Add new port group
  • Edit group and add port  22 and 443
  • Save group

Then

 

Select Firewall Policies tab

 

  • Edit WAN_LOCAL ruleset
  • Add new rule 
  • Select "Accept" for the action
  • Select "TCP" for the protocol 
  • Go to destination tab
  • Select your port group from the port group drop down
  • Click save

You should now be able to access the web interface and ssh from the internet. 

 

 

Established Member
Posts: 1,437
Registered: ‎05-03-2016
Kudos: 480
Solutions: 139

Re: Configuring the ERlite3 - Remote Management

It is a bad idea to expose your GUI interface to the internet as it is very insecure. Tunnel GUI access thru the ssh connection.

 

See ssh -L for ssh tunneling a port.

New Member
Posts: 6
Registered: 3 weeks ago

Re: Configuring the ERlite3 - Remote Management

I would like to thank you.  It worked.

 

If I might be able to trouble you a bit more?? Sorry for the "dumb" questions...

 

On other firewalls, we would simply select a port forward, say port 8088 forwards to port 80 of the firewall in order to remote manage it.... this obviously doesn't work in the same way.

 

If we wanted to use a different port other than the standard port 443 to access the firewall would we issue a port forward or is there a better way?

Established Member
Posts: 910
Registered: ‎03-02-2016
Kudos: 211
Solutions: 63

Re: Configuring the ERlite3 - Remote Management

You'd need to create a DNAT rule and a firewall rule. The port forwarding wizard I think only works for forwarding connections to a device on your LAN, not to the router itself.

Echoing @karog's point that it's a bad idea to open the GUI to the internet. The most secure thing is to use key-based authentication on ssh and disable passwords, then tunnel the GUI connection over SSH.
Member
Posts: 119
Registered: ‎10-19-2016
Kudos: 20
Solutions: 13

Re: Configuring the ERlite3 - Remote Management

[ Edited ]

theisgroup wrote:

I would like to thank you.  It worked.

 

If I might be able to trouble you a bit more?? Sorry for the "dumb" questions...

 

On other firewalls, we would simply select a port forward, say port 8088 forwards to port 80 of the firewall in order to remote manage it.... this obviously doesn't work in the same way.

 

If we wanted to use a different port other than the standard port 443 to access the firewall would we issue a port forward or is there a better way?


You can change the port in the "config tree" section of the router.   Then go to Service -> Gui 


Keep in mind that this changes the port for both remote management and internal management... Also remember that you would have to change the firewall rule you created earlier to allow the new port instead of 443.. (So if you're doing it remotely, do that first). 

 

@gfunkdave , @karog  -- What would be wrong with firewalling the GUI port to allow only specific source(s) ..?  

Established Member
Posts: 910
Registered: ‎03-02-2016
Kudos: 211
Solutions: 63

Re: Configuring the ERlite3 - Remote Management


cabsil wrote:

 

@gfunkdave , @karog  -- What would be wrong with firewalling the GUI port to allow only specific source(s) ..?  


 

Nothing, if you know you only need to access the router from certain places. I was just saying that it's a bad idea to let anyone on the internet access it, and that if you're going to leave it open you should implement key-based authentication.
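
The source-restricted access and SSH-tunnelled GUI discussed in this thread, as an added example that is not part of any post: a shell helper that prints EdgeOS configure-mode commands accepting SSH on WAN_LOCAL only from listed sources, plus the client-side `ssh -L` command. The group name `MGMT_SOURCES`, rule number 30, the addresses, the user and the hostname are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): print EdgeOS commands that accept SSH on
# WAN_LOCAL only from listed sources, and the ssh -L command for the GUI.
GROUP="MGMT_SOURCES"    # hypothetical network-group name

# Normalise one source to CIDR on stdout; fail on anything that is not IPv4.
# /0 is refused because it would reopen the service to the whole internet.
normalize_source() {
    case $1 in
        */*) addr=${1%/*}; prefix=${1#*/} ;;
        *)   addr=$1; prefix=32 ;;
    esac
    case $addr in ''|*[!0-9.]*|*.) return 1 ;; esac
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs   # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo "$addr/$prefix"
}

# $1 = free rule number in WAN_LOCAL (assumption), rest = allowed sources.
# All sources are validated before anything is printed.
emit_edgeos_rules() {
    rule=$1; shift
    nets=""
    for src in "$@"; do
        net=$(normalize_source "$src") || { echo "bad source: $src" >&2; return 1; }
        nets="$nets $net"
    done
    for net in $nets; do
        echo "set firewall group network-group $GROUP network $net"
    done
    r="set firewall name WAN_LOCAL rule $rule"
    echo "$r action accept"
    echo "$r protocol tcp"
    echo "$r destination port 22"
    echo "$r source group network-group $GROUP"
}
# With a public key loaded for the admin user, password logins can be turned
# off as well: set service ssh disable-password-authentication

# The GUI stays closed on the WAN; browse to https://127.0.0.1:<local port>.
tunnel_cmd() {
    echo "ssh -N -L 127.0.0.1:${3:-8443}:127.0.0.1:443 $1@$2"
}

emit_edgeos_rules 30 203.0.113.10 198.51.100.0/24   # constructed addresses
tunnel_cmd admin router.example.net                  # constructed user/host
```

Enter the printed `set` lines in `configure` mode, then `commit` and `save`. The earlier rule that accepts ports 22 and 443 from any source has to be removed for the restriction to take effect.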

New Member
Posts: 6
Registered: 3 weeks ago

Re: Configuring the ERlite3 - Remote Management

Sorry, I'm not skilled enough to know what to change in the config tree or the services GUI component. Can you be a bit more specific?

 

Member
Posts: 119
Registered: ‎10-19-2016
Kudos: 20
Solutions: 13

Re: Configuring the ERlite3 - Remote Management

conftree_gui_port.PNG

New Member
Posts: 6
Registered: 3 weeks ago

Re: Configuring the ERlite3 - Remote Management

Really appreciate your help. Thanks.

Regarding security... no, it is not as secure as a secured tunnel, but a strong password and admin name helps with that. So unless the device itself is vulnerable it is probably ok.

 

We are thinking that setting an allowed ip range from the remote site might make some sense.
