There does not seem to be a definitive method to access Webfig on my RB2011 router from the internet. Is it actually possible? I have tried lots of different ways from many sites but none work (NAT, Firewall etc).
Can someone provide a working example?
Thanks
Charles
Actually you just need to uncheck “firewall router” checkbox in QuickSet and that should be all
Thanks for the response. I don’t have that setting on Quick Set. I have a new RB2011 with V6.24.
Where next?
Charles
Please post a screenshot of your Quickset page, your full model name (RB2011…) and also the firewall section screenshot (of the Filter tab)
Will do.
Please could you also point me at the wiki page that describes how to do it.
Thanks
It’s not clear why you are unsuccessful, so I can’t suggest a specific wiki page. Need to see the configuration page first.
Basically access from the internet is controlled in the “firewall → filter” menu. if you disable the rules that “drop” the traffic in the “input” chain, it should work from the public IP.
But this is dangerous and opens the router to anyone
OK.
I found the “Firewall Router” tick box. It was on the “Home AP” Quick set, not the default “WISP AP”.
As indicated by some posts, I have added a NAT rule on port 443 to get through to my Fileserver and that works whether I have the “Firewall Router” ticked or nor. However, if I create a NAT rule from port 81 back to the router itself (192.168.1.1 port 80) it only works with the “Firewall Router” unticked.
That seems to indicate the rules used for the ticked “Firewall Router” are too tight. However, your last post seems to indicate that I should not use the rules created when I untick “Firewall Router”.
So, as my router is attached to the internet (and is my firewall), it seems dangerous to untick “Firewall Router”.
How do I adjust the ticked “Firewall Router” rules to allow access to my router from the internet?
My Filter rules are:
0 ;;; default configuration
chain=forward action=accept connection-state=established,related log=no
log-prefix=""
1 ;;; default configuration
chain=forward action=drop connection-state=invalid log=yes
log-prefix=""
2 ;;; default configuration
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface=ether1-gateway log=no
log-prefix=""
3 chain=input action=accept protocol=icmp log=no log-prefix=""
4 chain=input action=accept connection-state=established log=no
log-prefix=""
5 chain=input action=accept connection-state=related log=no log-prefix=""
6 chain=input action=drop in-interface=ether1-gateway log=no
log-prefix=""
My NAT rules are (excluding some vpn rules):
2 chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix=""
3 chain=dstnat action=dst-nat to-addresses=192.168.1.2 to-ports=443 protocol=tcp
in-interface=ether1-gateway dst-port=443 log=no log-prefix=""
4 chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=81 protocol=tcp
in-interface=ether1-gateway dst-port=80 log=no log-prefix=""
Thanks
Charles
So I managed to figure this out.
To access a server within the internal network from outside, you need to set up a NAT rule.
To access the router itself from outside, you need to set up a Firewall rule to open up the port you want to use.
Perhaps that is obvious to some, but it confused me a lot when trying to figure out why I needed to use two different methods when opening up routes to the internal network.
CHarles
@howdey57
could you export your firewall and nat config, so I can see them? 
If he doesn’t, I can if you need help.
For access to the Router itself from the Internet, I use this firewall rule. For my simple mind, this works because it opens up port 80 on the first thing the internet hits.
chain=input action=accept protocol=tcp dst-port=80 log=no log-prefix=""
For access to my fileserver from the Internet, I use this NAT rule. This works because it is able to point the traffic at a different IP on the internal network (Network Address Translation).
chain=dstnat action=dst-nat to-addresses=192.168.1.2 to-ports=443 protocol=tcp in-interface=ether1-gateway dst-port=443 log=no log-prefix=""
I hope this helps.