Geekzone: technology news, blogs, forums




1931 posts

Uber Geek
+1 received by user: 541


Topic # 180585 14-Sep-2015 17:33

Hi,

Apologies if this has been covered, but I couldn't find what I was after when searching.

I want to be able to access the web admin of my 7390 from the Internet. I've created a user with appropriate permissions, but I get no response on port 443 from the Internet. Is HTTPS access set up on a different port? I know it works because Snap have accessed it in the past.






98 posts

Master Geek
+1 received by user: 8


  Reply # 1387333 14-Sep-2015 17:38

Under Internet > Permit Access > FRITZ!Box Services

Make sure advanced view is on. You can configure the remote HTTPS port there.

Cheers



1931 posts

Uber Geek
+1 received by user: 541


  Reply # 1387344 14-Sep-2015 17:49

Jiriteach: Under Internet > Permit Access > FRITZ!Box Services

Make sure advanced view is on. You can configure the remote HTTPS port there.

Cheers


Thanks for that. It wasn't on 443, but even when I try the specified port it doesn't work.

Now, I do note that the "internet access to Fritz!Box via HTTPS enabled" is unticked. When I tick this it works, so that's great...

...BUT, how have Snap previously accessed it with this box unticked?

 
 
 
 


BDFL - Memuneh
59420 posts

Uber Geek
+1 received by user: 10629

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1387348 14-Sep-2015 17:57
2 people support this post

I would strongly recommend you not to have any web admin access to your router from the WAN (Internet) side. Any router.




25827 posts

Uber Geek
+1 received by user: 5555

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1387359 14-Sep-2015 18:20

Paul1977:
Jiriteach: Under Internet > Permit Access > FRITZ!Box Services

Make sure advanced view is on. You can configure the remote HTTPS port there.

Cheers


Thanks for that. It wasn't on 443, but even when I try the specified port it doesn't work.

Now, I do note that the "internet access to Fritz!Box via HTTPS enabled" is unticked. When I tick this it works, so that's great...

...BUT, how have Snap previously accessed it with this box unticked?


Snap would have never had remote access via the web interface and have no need for this.

Having this enabled opens you up to various security risks so should really only be done if you fully understand these.





1931 posts

Uber Geek
+1 received by user: 541


  Reply # 1387375 14-Sep-2015 18:38

sbiddle:
Paul1977:
Jiriteach: Under Internet > Permit Access > FRITZ!Box Services

Make sure advanced view is on. You can configure the remote HTTPS port there.

Cheers


Thanks for that. It wasn't on 443, but even when I try the specified port it doesn't work.

Now, I do note that the "internet access to Fritz!Box via HTTPS enabled" is unticked. When I tick this it works, so that's great...

...BUT, how have Snap previously accessed it with this box unticked?


Snap would have never had remote access via the web interface and have no need for this.

Having this enabled opens you up to various security risks so should really only be done if you fully understand these.




I would not leave it on a standard port, and would use a complex username and password to reduce the risk as much as possible. But your point is taken.

Out of interest then, how does Snap log in to change settings etc.?

275 posts

Ultimate Geek
+1 received by user: 51


  Reply # 1387567 14-Sep-2015 21:57

The router calls home approximately once every day, I believe.  I think it uses TR-069 protocol, and once it makes the connection, then the config can be changed.  There is probably a database that tells what settings need to be in each router, and if anything is new and needs to be pushed out to the router when it calls home.  This is from my FritzBox 7390 Event Log:

14.09.15 11:19:45 The service provider successfully transmitted settings to this device.
13.09.15 13:19:45 The service provider successfully transmitted settings to this device.
12.09.15 15:19:45 The service provider successfully transmitted settings to this device.
11.09.15 17:19:45 The service provider successfully transmitted settings to this device.
10.09.15 19:19:45 The service provider successfully transmitted settings to this device.
09.09.15 21:19:45 The service provider successfully transmitted settings to this device.
08.09.15 23:19:45 The service provider successfully transmitted settings to this device.
08.09.15 01:19:45 The service provider successfully transmitted settings to this device.
07.09.15 03:19:45 The service provider successfully transmitted settings to this device.
06.09.15 05:19:45 The service provider successfully transmitted settings to this device.
05.09.15 07:19:45 The service provider successfully transmitted settings to this device.

Since I have my 7390 behind my Ubiquiti EdgeRouter Lite, when I first set it up I used the ERLite to see what traffic the 7390 generated, and when those messages were logged (if I am remembering correctly), I saw a TR-069 connection initiated by the 7390 connecting to a Snap server.  So the process is pretty secure, as it can not be initiated from the outside, and the traffic goes only to a Snap internal IP address over their network (plus Chorus or your local physical network provider).  TR-069 seems to be a reasonably well designed system for remotely configuring devices.  It uses port 8089, so I had to allow traffic to the 7390 on that port.

If you want to see your FritzBox doing this, use this URL to get the FritzBox's support page:

http://fritz.box/support.lua

(Change fritz.box to the correct address if your FritzBox is configured differently).

On that page, click on the "Packet traces" link to get a page where you can capture the packets from the FritzBox.  Use that to capture all the packets from the Internet connection at around the time the TR-069 connection is expected to happen.  Save the packet file, then use Wireshark (freeware):

https://www.wireshark.org

to display the results.  Filter for port 8089 to see the TR-069 traffic.
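
The event log quoted in the post above can be checked for provisioning runs that fall outside the router's usual schedule. This is an added example, not part of the original post or of any Fritz!Box tooling; the function names, the 10-minute tolerance and the one log line marked as constructed are assumptions.

```python
from datetime import datetime, timedelta

# Message text and timestamps exactly as in the event log posted above.
MSG = "The service provider successfully transmitted settings to this device."
STAMPS = [
    "14.09.15 11:19:45", "13.09.15 13:19:45", "12.09.15 15:19:45",
    "11.09.15 17:19:45", "10.09.15 19:19:45", "09.09.15 21:19:45",
    "08.09.15 23:19:45", "08.09.15 01:19:45", "07.09.15 03:19:45",
    "06.09.15 05:19:45", "05.09.15 07:19:45",
]
EVENT_LOG = "".join(f"{s} {MSG}\n" for s in STAMPS)
# Constructed line (not from the post): a push that is off the usual schedule.
CONSTRUCTED_EXTRA = f"12.09.15 09:02:11 {MSG}\n"

def provisioning_times(log_text):
    """Timestamps of provider-pushed settings, oldest first, de-duplicated."""
    times = set()
    for line in log_text.splitlines():
        if MSG in line:
            stamp = " ".join(line.split()[:2])
            times.add(datetime.strptime(stamp, "%d.%m.%y %H:%M:%S"))
    return sorted(times)

def off_schedule(times, tolerance=timedelta(minutes=10)):
    """Return (usual_interval, events off that interval's grid).

    Assumes the oldest event in the log is itself on schedule.
    """
    gaps = [b - a for a, b in zip(times, times[1:])]
    if not gaps:
        return None, []
    usual = max(set(gaps), key=gaps.count)   # most common gap between pushes
    anchor, odd = times[0], []
    for t in times[1:]:
        drift = (t - anchor) % usual          # distance past the last grid point
        if min(drift, usual - drift) <= tolerance:
            anchor = t                        # on schedule: new reference point
        else:
            odd.append(t)                     # settings pushed at an unexpected time
    return usual, odd

if __name__ == "__main__":
    usual, odd = off_schedule(provisioning_times(EVENT_LOG))
    print("usual interval:", usual, "off-schedule:", odd)
    usual, odd = off_schedule(provisioning_times(EVENT_LOG + CONSTRUCTED_EXTRA))
    print("with constructed line:", [t.isoformat() for t in odd])
```

On the posted log the interval comes out at 22 hours rather than 24, with nothing off schedule; only the constructed 09:02:11 entry is flagged.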

25827 posts

Uber Geek
+1 received by user: 5555

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1387601 15-Sep-2015 07:10

TR-069 is the normal way an ISP provisions and controls a device.




1931 posts

Uber Geek
+1 received by user: 541


  Reply # 1387643 15-Sep-2015 09:01

fe31nz: The router calls home approximately once every day, I believe.  I think it uses TR-069 protocol, and once it makes the connection, then the config can be changed.  There is probably a database that tells what settings need to be in each router, and if anything is new and needs to be pushed out to the router when it calls home.


But for tech support can't Snap get into it whenever they need, not just when it calls home? I see it is listening on 8089, can they initiate a session from their end via port 8089? I assume they then still need user credentials - every Fritz!Box on Snap has a user account with a seemingly random string of characters for the name, I assume this is Snap's user for tech support?

275 posts

Ultimate Geek
+1 received by user: 51


  Reply # 1387888 15-Sep-2015 14:18

There is normally a "TR069-" followed by random characters on the username for Snap.  It is set up for external access, and external access is normally enabled, but on a non-standard port for HTTPS.  So yes, Snap can log in at any time and make a change or if you call for support.  Every login is logged, so you would know if that happened.  You can turn this off if you want to, by disabling external access on whatever port is enabled.  They could then turn it on again as part of the daily TR-069 updates - it is possible they have it configured to do that automatically.  I have left access on, but if I want to block it, I would block both the HTTPS port and the TR-069 port at my ERLite.

275 posts

Ultimate Geek
+1 received by user: 51


  Reply # 1387890 15-Sep-2015 14:22

And I believe that you can trigger TR-069 to call home by sending it a message with the right keys on port 8089.  But you cannot tell it where to connect to - it will always call home to the configured address.
