



1641 posts

Uber Geek
+1 received by user: 451


Topic # 180585 14-Sep-2015 17:33

Hi,

Apologies if this has been covered, but I couldn't find what I was after when searching.

I want to be able to access the web admin of my 7390 from the Internet. I've created a user with appropriate permissions, but I get no response on port 443 from the Internet. Is HTTPS access setup on a different port? I know it works because Snap have accessed it in the past.






98 posts

Master Geek
+1 received by user: 8


  Reply # 1387333 14-Sep-2015 17:38

Under Internet > Permit Access > FRITZ!Box Services

Make sure advanced view is on. You can configure the remote HTTPS port there.

Cheers



1641 posts

Uber Geek
+1 received by user: 451


  Reply # 1387344 14-Sep-2015 17:49

Jiriteach: Under Internet > Permit Access > FRITZ!Box Services

Make sure advanced view is on. You can configure the remote HTTPS port there.

Cheers


Thanks for that. It wasn't on 443, but even when I try the specified port it doesn't work.

Now, I do note that the "internet access to Fritz!Box via HTTPS enabled" is unticked. When I tick this it works, so that's great...

...BUT, how have Snap previously accessed it with this box unticked?

 
 
 
 


BDFL - Memuneh
58348 posts

Uber Geek
+1 received by user: 9800

Administrator
Trusted
Geekzone
Subscriber

  Reply # 1387348 14-Sep-2015 17:57
2 people support this post

I would strongly recommend you not to have any web admin access to your router from the WAN (Internet) side. Any router.

25073 posts

Uber Geek
+1 received by user: 4956

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 1387359 14-Sep-2015 18:20

Paul1977:
Jiriteach: Under Internet > Permit Access > FRITZ!Box Services

Make sure advanced view is on. You can configure the remote HTTPS port there.

Cheers


Thanks for that. It wasn't on 443, but even when I try the specified port it doesn't work.

Now, I do note that the "internet access to Fritz!Box via HTTPS enabled" is unticked. When I tick this it works, so that's great...

...BUT, how have Snap previously accessed it with this box unticked?


Snap would have never had remote access via the web interface and have no need for this.

Having this enabled opens you up to various security risks so should really only be done if you fully understand these.





1641 posts

Uber Geek
+1 received by user: 451


  Reply # 1387375 14-Sep-2015 18:38

sbiddle:
Paul1977:
Jiriteach: Under Internet > Permit Access > FRITZ!Box Services

Make sure advanced view is on. You can configure the remote HTTPS port there.

Cheers


Thanks for that. It wasn't on 443, but even when I try the specified port it doesn't work.

Now, I do note that the "internet access to Fritz!Box via HTTPS enabled" is unticked. When I tick this it works, so that's great...

...BUT, how have Snap previously accessed it with this box unticked?


Snap would have never had remote access via the web interface and have no need for this.

Having this enabled opens you up to various security risks so should really only be done if you fully understand these.




I would not leave it on a standard port, and would use a complex username and password to reduce the risk as much as possible. But your point is taken.

Out of interest then, how does Snap log in to change settings etc?

230 posts

Master Geek
+1 received by user: 44


  Reply # 1387567 14-Sep-2015 21:57

The router calls home approximately once every day, I believe.  I think it uses TR-069 protocol, and once it makes the connection, then the config can be changed.  There is probably a database that tells what settings need to be in each router, and if anything is new and needs to be pushed out to the router when it calls home.  This is from my FritzBox 7390 Event Log:

14.09.15 11:19:45 The service provider successfully transmitted settings to this device.
13.09.15 13:19:45 The service provider successfully transmitted settings to this device.
12.09.15 15:19:45 The service provider successfully transmitted settings to this device.
11.09.15 17:19:45 The service provider successfully transmitted settings to this device.
10.09.15 19:19:45 The service provider successfully transmitted settings to this device.
09.09.15 21:19:45 The service provider successfully transmitted settings to this device.
08.09.15 23:19:45 The service provider successfully transmitted settings to this device.
08.09.15 01:19:45 The service provider successfully transmitted settings to this device.
07.09.15 03:19:45 The service provider successfully transmitted settings to this device.
06.09.15 05:19:45 The service provider successfully transmitted settings to this device.
05.09.15 07:19:45 The service provider successfully transmitted settings to this device.

Since I have my 7390 behind my Ubiquiti EdgeRouter Lite, when I first set it up I used the ERLite to see what traffic the 7390 generated, and when those messages were logged (if I am remembering correctly), I saw a TR-069 connection initiated by the 7390 connecting to a Snap server.  So the process is pretty secure, as it can not be initiated from the outside, and the traffic goes only to a Snap internal IP address over their network (plus Chorus or your local physical network provider).  TR-069 seems to be a reasonably well designed system for remotely configuring devices.  It uses port 8089, so I had to allow traffic to the 7390 on that port.

If you want to see your FritzBox doing this, use this URL to get the FritzBox's support page:

http://fritz.box/support.lua

(Change fritz.box to the correct address if your FritzBox is configured differently).

On that page, click on the "Packet traces" link to get a page where you can capture the packets from the FritzBox.  Use that to capture all the packets from the Internet connection at around the time the TR-069 connection is expected to happen.  Save the packet file, then use Wireshark (freeware):

https://www.wireshark.org

to display the results.  Filter for port 8089 to see the TR-069 traffic.
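
Added example (not part of the original posts): a short Python script that parses the event-log lines quoted above, works out the actual call-home interval, and predicts the next window in which to run the packet capture. The function names, the 10-minute capture margin and the 5-minute tolerance are assumptions made for this example; the log lines are copied from the post.

```python
from collections import Counter
from datetime import datetime, timedelta

# Event-log lines copied from the post above (newest first, DD.MM.YY HH:MM:SS).
EVENT_LOG = """\
14.09.15 11:19:45 The service provider successfully transmitted settings to this device.
13.09.15 13:19:45 The service provider successfully transmitted settings to this device.
12.09.15 15:19:45 The service provider successfully transmitted settings to this device.
11.09.15 17:19:45 The service provider successfully transmitted settings to this device.
10.09.15 19:19:45 The service provider successfully transmitted settings to this device.
09.09.15 21:19:45 The service provider successfully transmitted settings to this device.
08.09.15 23:19:45 The service provider successfully transmitted settings to this device.
08.09.15 01:19:45 The service provider successfully transmitted settings to this device.
07.09.15 03:19:45 The service provider successfully transmitted settings to this device.
06.09.15 05:19:45 The service provider successfully transmitted settings to this device.
05.09.15 07:19:45 The service provider successfully transmitted settings to this device.
"""
PROVISION_MSG = "The service provider successfully transmitted settings to this device."

def parse_provisioning_events(log_text):
    """Return the timestamps of provider settings pushes, oldest first."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.endswith(PROVISION_MSG):
            continue  # ignore unrelated event-log entries
        try:
            events.append(datetime.strptime(line[:17], "%d.%m.%y %H:%M:%S"))
        except ValueError:
            continue  # skip lines whose timestamp is damaged
    return sorted(events)

def call_home_interval(events):
    """Most common gap between consecutive pushes, or None with fewer than two."""
    gaps = Counter(b - a for a, b in zip(events, events[1:]))
    return gaps.most_common(1)[0][0] if gaps else None

def next_capture_window(events, margin=timedelta(minutes=10)):
    """(start, end) around the next expected call-home; margin is an assumption."""
    interval = call_home_interval(events)
    if interval is None:
        return None
    expected = events[-1] + interval
    return expected - margin, expected + margin

def off_schedule(events, tolerance=timedelta(minutes=5)):
    """Pushes that did not arrive on the usual interval (worth a closer look)."""
    interval = call_home_interval(events)
    return [] if interval is None else [
        b for a, b in zip(events, events[1:]) if abs((b - a) - interval) > tolerance]
```

On the quoted log the gap is a steady 22 hours rather than 24, so the call-home time drifts two hours earlier each day; a settings push that falls outside that rhythm is the kind of entry `off_schedule` surfaces for review.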

25073 posts

Uber Geek
+1 received by user: 4956

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 1387601 15-Sep-2015 07:10

TR-069 is the normal way an ISP provisions and controls a device.




1641 posts

Uber Geek
+1 received by user: 451


  Reply # 1387643 15-Sep-2015 09:01

fe31nz: The router calls home approximately once every day, I believe.  I think it uses TR-069 protocol, and once it makes the connection, then the config can be changed.  There is probably a database that tells what settings need to be in each router, and if anything is new and needs to be pushed out to the router when it calls home.


But for tech support can't Snap get into it whenever they need, not just when it calls home? I see it is listening on 8089, can they initiate a session from their end via port 8089? I assume they then still need user credentials - every Fritz!Box on Snap has a user account with a seemingly random string of characters for the name, I assume this is Snap's user for tech support?

230 posts

Master Geek
+1 received by user: 44


  Reply # 1387888 15-Sep-2015 14:18

There is normally a "TR069-" followed by random characters on the username for Snap.  It is set up for external access, and external access is normally enabled, but on a non-standard port for HTTPS.  So yes, Snap can log in at any time and make a change or if you call for support.  Every login is logged, so you would know if that happened.  You can turn this off if you want to, by disabling external access on whatever port is enabled.  They could then turn it on again as part of the daily TR-069 updates - it is possible they have it configured to do that automatically.  I have left access on, but if I want to block it, I would block both the HTTPS port and the TR-069 port at my ERLite.

230 posts

Master Geek
+1 received by user: 44


  Reply # 1387890 15-Sep-2015 14:22

And I believe that you can trigger TR-069 to call home by sending it a message with the right keys on port 8089.  But you can not tell it where to connect to - it will always call home to the configured address.
