Geekzone: technology news, blogs, forums


Paul1977

5052 posts

Uber Geek


#180585 14-Sep-2015 17:33

Hi,

Apologies if this has been covered, but I couldn't find what I was after when searching.

I want to be able to access the web admin of my 7390 from the Internet. I've created a user with appropriate permissions, but I get no response on port 443 from the Internet. Is HTTPS access set up on a different port? I know it works because Snap have accessed it in the past.






  #1387333 14-Sep-2015 17:38

Under Internet > Permit Access > FRITZ!Box Services

Make sure advanced view is on. You can configure the remote HTTPS port there.

Cheers




-- opinions expressed by me are solely my own. ie - personal




Paul1977

5052 posts

Uber Geek


  #1387344 14-Sep-2015 17:49

Jiriteach: Under Internet > Permit Access > FRITZ!Box Services

Make sure advanced view is on. You can configure the remote HTTPS port there.

Cheers


Thanks for that. It wasn't on 443, but even when I try the specified port it doesn't work.

Now, I do note that the "internet access to Fritz!Box via HTTPS enabled" is unticked. When I tick this it works, so that's great...

...BUT, how have Snap previously accessed it with this box unticked?

freitasm
BDFL - Memuneh
79309 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1387348 14-Sep-2015 17:57

I would strongly recommend you not to have any web admin access to your router from the WAN (Internet) side. Any router.








sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1387359 14-Sep-2015 18:20

Paul1977:
Jiriteach: Under Internet > Permit Access > FRITZ!Box Services

Make sure advanced view is on. You can configure the remote HTTPS port there.

Cheers


Thanks for that. It wasn't on 443, but even when I try the specified port it doesn't work.

Now, I do note that the "internet access to Fritz!Box via HTTPS enabled" is unticked. When I tick this it works, so that's great...

...BUT, how have Snap previously accessed it with this box unticked?


Snap would have never had remote access via the web interface and have no need for this.

Having this enabled opens you up to various security risks so should really only be done if you fully understand these.



Paul1977

5052 posts

Uber Geek


  #1387375 14-Sep-2015 18:38

sbiddle:
Paul1977:
Jiriteach: Under Internet > Permit Access > FRITZ!Box Services

Make sure advanced view is on. You can configure the remote HTTPS port there.

Cheers


Thanks for that. It wasn't on 443, but even when I try the specified port it doesn't work.

Now, I do note that the "internet access to Fritz!Box via HTTPS enabled" is unticked. When I tick this it works, so that's great...

...BUT, how have Snap previously accessed it with this box unticked?


Snap would have never had remote access via the web interface and have no need for this.

Having this enabled opens you up to various security risks so should really only be done if you fully understand these.




I would not leave it on a standard port, and would use a complex username and password to reduce the risk as much as possible. But your point is taken.

Out of interest then, how does Snap log in to change settings etc?

fe31nz
1233 posts

Uber Geek


  #1387567 14-Sep-2015 21:57

The router calls home approximately once every day, I believe.  I think it uses TR-069 protocol, and once it makes the connection, then the config can be changed.  There is probably a database that tells what settings need to be in each router, and if anything is new and needs to be pushed out to the router when it calls home.  This is from my FritzBox 7390 Event Log:

14.09.15 11:19:45 The service provider successfully transmitted settings to this device.
13.09.15 13:19:45 The service provider successfully transmitted settings to this device.
12.09.15 15:19:45 The service provider successfully transmitted settings to this device.
11.09.15 17:19:45 The service provider successfully transmitted settings to this device.
10.09.15 19:19:45 The service provider successfully transmitted settings to this device.
09.09.15 21:19:45 The service provider successfully transmitted settings to this device.
08.09.15 23:19:45 The service provider successfully transmitted settings to this device.
08.09.15 01:19:45 The service provider successfully transmitted settings to this device.
07.09.15 03:19:45 The service provider successfully transmitted settings to this device.
06.09.15 05:19:45 The service provider successfully transmitted settings to this device.
05.09.15 07:19:45 The service provider successfully transmitted settings to this device.

Since I have my 7390 behind my Ubiquiti EdgeRouter Lite, when I first set it up I used the ERLite to see what traffic the 7390 generated, and when those messages were logged (if I am remembering correctly), I saw a TR-069 connection initiated by the 7390 connecting to a Snap server.  So the process is pretty secure, as it can not be initiated from the outside, and the traffic goes only to a Snap internal IP address over their network (plus Chorus or your local physical network provider).  TR-069 seems to be a reasonably well designed system for remotely configuring devices.  It uses port 8089, so I had to allow traffic to the 7390 on that port.

If you want to see your FritzBox doing this, use this URL to get the FritzBox's support page:

http://fritz.box/support.lua

(Change fritz.box to the correct address if your FritzBox is configured differently).

On that page, click on the "Packet traces" link to get a page where you can capture the packets from the FritzBox.  Use that to capture all the packets from the Internet connection at around the time the TR-069 connection is expected to happen.  Save the packet file, then use Wireshark (freeware):

https://www.wireshark.org

to display the results.  Filter for port 8089 to see the TR-069 traffic.
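
An added example, not part of fe31nz's post: a Python check over the event-log format quoted above that measures how regularly the provider pushes settings and flags any push that falls outside that rhythm. The constructed extra line, the function names and the 5-minute tolerance are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Five most recent event-log lines from the post (format: DD.MM.YY HH:MM:SS text).
PAGE_LOG = """\
14.09.15 11:19:45 The service provider successfully transmitted settings to this device.
13.09.15 13:19:45 The service provider successfully transmitted settings to this device.
12.09.15 15:19:45 The service provider successfully transmitted settings to this device.
11.09.15 17:19:45 The service provider successfully transmitted settings to this device.
10.09.15 19:19:45 The service provider successfully transmitted settings to this device.
"""
# Constructed for this example (not from the post): a push outside the usual rhythm.
CONSTRUCTED_EXTRA = (
    "14.09.15 15:02:10 The service provider successfully transmitted settings "
    "to this device.\n"
)
MARKER = "The service provider successfully transmitted settings"


def provisioning_times(log_text):
    """Return the sorted timestamps of provider settings pushes in the log."""
    times = []
    for line in log_text.splitlines():
        parts = line.strip().split(" ", 2)
        if len(parts) < 3 or MARKER not in parts[2]:
            continue
        try:
            times.append(datetime.strptime(" ".join(parts[:2]), "%d.%m.%y %H:%M:%S"))
        except ValueError:
            continue  # not a timestamped event line
    return sorted(times)


def cadence(times):
    """Most common gap between consecutive pushes (None with fewer than two)."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return max(set(gaps), key=gaps.count) if gaps else None


def off_schedule(times, tolerance=timedelta(minutes=5)):
    """Pushes whose gap from the previous one deviates from the usual cadence."""
    usual = cadence(times)
    if usual is None:
        return []
    return [b for a, b in zip(times, times[1:]) if abs((b - a) - usual) > tolerance]


if __name__ == "__main__":
    regular = provisioning_times(PAGE_LOG)
    print("usual gap:", cadence(regular))
    print("off schedule:", off_schedule(provisioning_times(PAGE_LOG + CONSTRUCTED_EXTRA)))
```

On the lines quoted in the post the usual gap comes out at 22 hours, so the call-home time moves two hours earlier each day.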

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1387601 15-Sep-2015 07:10

TR-069 is the normal way an ISP provisions and controls a device.


 
 
 

Paul1977

5052 posts

Uber Geek


  #1387643 15-Sep-2015 09:01

fe31nz: The router calls home approximately once every day, I believe.  I think it uses TR-069 protocol, and once it makes the connection, then the config can be changed.  There is probably a database that tells what settings need to be in each router, and if anything is new and needs to be pushed out to the router when it calls home.


But for tech support can't Snap get into it whenever they need, not just when it calls home? I see it is listening on 8089, can they initiate a session from their end via port 8089? I assume they then still need user credentials - every Fritz!Box on Snap has a user account with a seemingly random string of characters for the name, I assume this is Snap's user for tech support?

fe31nz
1233 posts

Uber Geek


  #1387888 15-Sep-2015 14:18

There is normally a "TR069-" followed by random characters on the username for Snap.  It is set up for external access, and external access is normally enabled, but on a non-standard port for HTTPS.  So yes, Snap can log in at any time and make a change or if you call for support.  Every login is logged, so you would know if that happened.  You can turn this off if you want to, by disabling external access on whatever port is enabled.  They could then turn it on again as part of the daily TR-069 updates - it is possible they have it configured to do that automatically.  I have left access on, but if I want to block it, I would block both the HTTPS port and the TR-069 port at my ERLite.

fe31nz
1233 posts

Uber Geek


  #1387890 15-Sep-2015 14:22

And I believe that you can trigger TR-069 to call home by sending it a message with the right keys on port 8089.  But you can not tell it where to connect to - it will always call home to the configured address.
