D-Link Forums

D-Link VPN Router => DSR-250 => Topic started by: kezzism on November 12, 2019, 08:21:14 PM

Title: Web interface accessible from outside network!
Post by: kezzism on November 12, 2019, 08:21:14 PM
Greetings, I quite like my D-Link DSR-250, although the custom services and firewall rules were a little verbose to configure. I've had it set up to pass through SSH and MOSH connections to a computer on the other side of the thing for a while now and that has worked great!

The computer communicates with a nameserver to route a custom domain there as well, dynamically. This makes an easy point to SSH into, and I thought that when I configured that I was only going to pass through the ports and services I specified in the router interface. Well, apparently I was wrong.

Tried today to pass through port 80 so I could host a regular website there on the PC here intermittently... but when I went to the site, I SAW THE ADMIN INTERFACE OF MY ROUTER EXPOSED ON THE INTERNET. What the hell? Sure enough, port 80 is occupied by the DSR router like a sitting duck waiting to get pwned! Apparently it's been like this the whole time.

I just removed the rule I wrote passing port 80 through and I CAN STILL GET TO MY ROUTER'S ADMIN INTERFACE. Thankfully, yes, I've changed my password, but we're all only one vendor sploit away from things going south. How can I turn this off? There doesn't seem to be an option for it ANYWHERE.

(https://i.imgur.com/Etj28vE.png)
LOOK, nowhere in these images is there a 192.168.1.1 or anything describing forwarding the admin interface outwards.
(https://i.imgur.com/c9P0SUU.png)

Even if I didn't make a cron job on my PC to update my ISP-assigned IP address to a site, even before I touched any configuration on this router, apparently if someone would have hit up that IP they would have gotten right into the login screen for my router. This is a HUGE problem. How can I fix this?
Title: Re: Web interface accessible from outside network!
Post by: kezzism on November 12, 2019, 08:28:52 PM
And yes, before anyone asks, all the stuff you'd think would be responsible for this kinda thing happening is turned off.

(https://i.imgur.com/8edv7pQ.png)

Here's an example of accessing the router's admin interface from the site:
(https://i.imgur.com/vZ70mcO.png)

EVEN IF I GOOGLE "WHAT IS MY IP ADDRESS" AND PASTE THAT INTO THE URL BAR IT TAKES ME TO THE DSR-250 ADMIN INTERFACE.
In my opinion, not cool.
Title: Re: Web interface accessible from outside network!
Post by: FurryNutz on November 12, 2019, 08:54:14 PM
Are you still connected to the same network as the DSR, or are you doing this from a remote location from outside the DSR's network on the WAN side?
Title: Re: Web interface accessible from outside network!
Post by: kezzism on November 13, 2019, 10:35:55 AM
I'm in the US.

And now that I'm out and about (on cellular), sure enough, I can't reach my router's configuration page :P

Oof, I can't reach my services either, but that's probably because I haven't fully configured the firewall on the PC yet.

We'll see how this progresses. I'm still surprised that on the local network it's accessible, but I guess that's because it does some DNS stuff too.
Title: Re: Web interface accessible from outside network!
Post by: FurryNutz on November 13, 2019, 11:38:27 AM
The router management page will always be accessible from the LAN side. If it was disabled, you could not configure it.
Title: Re: Web interface accessible from outside network!
Post by: kezzism on November 17, 2019, 09:29:51 AM
On a similar note though, I tried to forward port 80 so I could access a webserver inside my network remotely. Every other port works except for that one when I make services for them. Should I be using the address translation? Like, if I want to run that service on port 8000 on the machine inside my network but have that route to port 80 outside, so when the IP address gets hit by a browser they're brought to port 8000 inside, what should I put in the options for the service?
(https://i.imgur.com/H7UJGbo.png)

Is that where the Source Port Range options come in in the service menu?
Title: Re: Web interface accessible from outside network!
Post by: kezzism on January 13, 2021, 09:52:09 AM
This is still a HUGE problem that was never solved.
I have to make the router itself the thing that is available at the IP address that my ISP gives me, and I in turn put my own domain there with dynamic DNS; the result is, going to my custom domain at kezz.io (http://kezz.io) will still take you right to my router's configuration login page (unless you specify the port of one of my other services running on it)! I DO NOT WANT THIS. I want it to forward port 80 from the outside internet to my computer serving content on port 80. Instead the router is occupying that port, which on the local network makes perfect sense (so I can administer it without having to use the management port) but from the WAN side MAKES NO SENSE AT ALL. This is an insane design oversight.

I don't care anymore that I'm posting the url here, I just need this answered because it's preventing me from getting a certificate (certbot can only work with port 80 which means I would have to install certbot on the router somehow). If you want to pwn my router be my guest! D-Link has made that incredibly easy.
Title: Re: Web interface accessible from outside network!
Post by: FurryNutz on January 13, 2021, 08:00:40 PM
I recommend that you contact your regional D-Link support office by phone and ask for help and information regarding this.
Link> Tech Support Contact Information (http://forums.dlink.com/index.php?board=635.0)
We find that chat/phone contact has better immediate results over using email.
Title: Re: Web interface accessible from outside network!
Post by: kezzism on January 13, 2021, 08:31:37 PM
Alright, sure.
I'll be contacting them first thing tomorrow.

Thanks