2751 posts

Uber Geek


# 180585 14-Sep-2015 17:33

Hi,

Apologies if this has been covered, but I couldn't find what I was after when searching.

I want to be able to access the web admin of my 7390 from the Internet. I've created a user with appropriate permissions, but I get no response on port 443 from the Internet. Is HTTPS access set up on a different port? I know it works because Snap have accessed it in the past.






213 posts

Master Geek

Subscriber

  # 1387333 14-Sep-2015 17:38

Under Internet > Permit Access > FRITZ!Box Services

Make sure advanced view is on. You can configure the remote HTTPS port there.

Cheers



2751 posts

Uber Geek


  # 1387344 14-Sep-2015 17:49

Jiriteach: Under Internet > Permit Access > FRITZ!Box Services

Make sure advanced view is on. You can configure the remote HTTPS port there.

Cheers


Thanks for that. It wasn't on 443, but even when I try the specified port it doesn't work.

Now, I do note that the "internet access to Fritz!Box via HTTPS enabled" is unticked. When I tick this it works, so that's great...

...BUT, how have Snap previously accessed it with this box unticked?

 
 
 
 



28220 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 1387359 14-Sep-2015 18:20

Paul1977:
Jiriteach: Under Internet > Permit Access > FRITZ!Box Services

Make sure advanced view is on. You can configure the remote HTTPS port there.

Cheers


Thanks for that. It wasn't on 443, but even when I try the specified port it doesn't work.

Now, I do note that the "internet access to Fritz!Box via HTTPS enabled" is unticked. When I tick this it works, so that's great...

...BUT, how have Snap previously accessed it with this box unticked?


Snap would have never had remote access via the web interface and have no need for this.

Having this enabled opens you up to various security risks so should really only be done if you fully understand these.





2751 posts

Uber Geek


  # 1387375 14-Sep-2015 18:38

sbiddle:
Paul1977:
Jiriteach: Under Internet > Permit Access > FRITZ!Box Services

Make sure advanced view is on. You can configure the remote HTTPS port there.

Cheers


Thanks for that. It wasn't on 443, but even when I try the specified port it doesn't work.

Now, I do note that the "internet access to Fritz!Box via HTTPS enabled" is unticked. When I tick this it works, so that's great...

...BUT, how have Snap previously accessed it with this box unticked?


Snap would have never had remote access via the web interface and have no need for this.

Having this enabled opens you up to various security risks so should really only be done if you fully understand these.




I would not leave it on a standard port, and would use a complex username and password to reduce the risk as much as possible. But your point is taken.

Out of interest then, how does Snap log in to change settings etc?

472 posts

Ultimate Geek


  # 1387567 14-Sep-2015 21:57

The router calls home approximately once every day, I believe.  I think it uses TR-069 protocol, and once it makes the connection, then the config can be changed.  There is probably a database that tells what settings need to be in each router, and if anything is new and needs to be pushed out to the router when it calls home.  This is from my FritzBox 7390 Event Log:

14.09.15 11:19:45 The service provider successfully transmitted settings to this device.
13.09.15 13:19:45 The service provider successfully transmitted settings to this device.
12.09.15 15:19:45 The service provider successfully transmitted settings to this device.
11.09.15 17:19:45 The service provider successfully transmitted settings to this device.
10.09.15 19:19:45 The service provider successfully transmitted settings to this device.
09.09.15 21:19:45 The service provider successfully transmitted settings to this device.
08.09.15 23:19:45 The service provider successfully transmitted settings to this device.
08.09.15 01:19:45 The service provider successfully transmitted settings to this device.
07.09.15 03:19:45 The service provider successfully transmitted settings to this device.
06.09.15 05:19:45 The service provider successfully transmitted settings to this device.
05.09.15 07:19:45 The service provider successfully transmitted settings to this device.

Since I have my 7390 behind my Ubiquiti EdgeRouter Lite, when I first set it up I used the ERLite to see what traffic the 7390 generated, and when those messages were logged (if I am remembering correctly), I saw a TR-069 connection initiated by the 7390 connecting to a Snap server.  So the process is pretty secure, as it can not be initiated from the outside, and the traffic goes only to a Snap internal IP address over their network (plus Chorus or your local physical network provider).  TR-069 seems to be a reasonably well designed system for remotely configuring devices.  It uses port 8089, so I had to allow traffic to the 7390 on that port.

If you want to see your FritzBox doing this, use this URL to get the FritzBox's support page:

http://fritz.box/support.lua

(Change fritz.box to the correct address if your FritzBox is configured differently).

On that page, click on the "Packet traces" link to get a page where you can capture the packets from the FritzBox.  Use that to capture all the packets from the Internet connection at around the time the TR-069 connection is expected to happen.  Save the packet file, then use Wireshark (freeware):

https://www.wireshark.org

to display the results.  Filter for port 8089 to see the TR-069 traffic.
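To know when to start the packet capture described in the post above, the event log entries can be used to work out the call-home schedule. The following is an added example, not part of the original post: it parses the quoted log entries, finds the usual gap between provisioning sessions, predicts the next one, and lists any session that falls off that schedule. The function names are illustrative, and the date format is assumed to be dd.mm.yy.

```python
from collections import Counter
from datetime import datetime, timedelta

MSG = "The service provider successfully transmitted settings to this device."
# Timestamps of the entries quoted in the post above (dd.mm.yy HH:MM:SS).
STAMPS = [
    "14.09.15 11:19:45", "13.09.15 13:19:45", "12.09.15 15:19:45",
    "11.09.15 17:19:45", "10.09.15 19:19:45", "09.09.15 21:19:45",
    "08.09.15 23:19:45", "08.09.15 01:19:45", "07.09.15 03:19:45",
    "06.09.15 05:19:45", "05.09.15 07:19:45",
]
EVENT_LOG = "\n".join(f"{s} {MSG}" for s in STAMPS)

def parse_events(text):
    """Return sorted datetimes of provisioning entries, ignoring other log lines."""
    events = []
    for line in text.splitlines():
        if MSG not in line:
            continue
        date, time = line.split()[:2]
        events.append(datetime.strptime(f"{date} {time}", "%d.%m.%y %H:%M:%S"))
    return sorted(events)

def usual_interval(events):
    """Most common gap between consecutive provisioning sessions."""
    gaps = [b - a for a, b in zip(events, events[1:])]
    return Counter(gaps).most_common(1)[0][0]

def next_expected(events):
    """Predicted time of the next session: last seen plus the usual gap."""
    return events[-1] + usual_interval(events)

def off_schedule(events, tolerance=timedelta(minutes=5)):
    """Sessions not on the regular grid (assumes the first entry is on it)."""
    step = usual_interval(events)
    out = []
    for e in events:
        phase = (e - events[0]) % step
        if min(phase, step - phase) > tolerance:
            out.append(e)
    return out

if __name__ == "__main__":
    events = parse_events(EVENT_LOG)
    print("usual interval:", usual_interval(events))
    print("next session expected:", next_expected(events))
    print("off-schedule sessions:", off_schedule(events))
```

On the quoted entries the gap is a constant 22 hours, so the capture window can be centred on the predicted time; an entry reported by `off_schedule` is a session that did not follow the regular timer and is worth checking against the login entries in the same log.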

28220 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 1387601 15-Sep-2015 07:10

TR-069 is the normal way an ISP provisions and controls a device.


 
 
 
 




2751 posts

Uber Geek


  # 1387643 15-Sep-2015 09:01

fe31nz: The router calls home approximately once every day, I believe.  I think it uses TR-069 protocol, and once it makes the connection, then the config can be changed.  There is probably a database that tells what settings need to be in each router, and if anything is new and needs to be pushed out to the router when it calls home.


But for tech support can't Snap get into it whenever they need, not just when it calls home? I see it is listening on 8089, can they initiate a session from their end via port 8089? I assume they then still need user credentials - every Fritz!Box on Snap has a user account with a seemingly random string of characters for the name, I assume this is Snap's user for tech support?

472 posts

Ultimate Geek


  # 1387888 15-Sep-2015 14:18

There is normally a "TR069-" followed by random characters on the username for Snap.  It is set up for external access, and external access is normally enabled, but on a non-standard port for HTTPS.  So yes, Snap can log in at any time and make a change or if you call for support.  Every login is logged, so you would know if that happened.  You can turn this off if you want to, by disabling external access on whatever port is enabled.  They could then turn it on again as part of the daily TR-069 updates - it is possible they have it configured to do that automatically.  I have left access on, but if I want to block it, I would block both the HTTPS port and the TR-069 port at my ERLite.

472 posts

Ultimate Geek


  # 1387890 15-Sep-2015 14:22

And I believe that you can trigger TR-069 to call home by sending it a message with the right keys on port 8089.  But you can not tell it where to connect to - it will always call home to the configured address.
