Port 80 open externally with config page on TL-R605
The TL-R605, which is being managed by my Omada software controller, is serving up a config page on port 80. Not only is this a huge security flaw, but it's likely interfering with authentication for LetsEncrypt. I see no setting to turn off the external accessibility of the config page in the Omada controller.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
I am unable to recreate this
Hitting both DDNS and IP (with and without :80) from an foreign network does not resolve for me. It appears to be blocked
Shields up test reports the port as CLOSED, ideally it shouldn't respond at all (stealth) but closed is good
Granted when I hit the external address from internal, NAT resolves this and does prompt the "managed page" but that is to be expected from internal
@aloychan - Are you definitely using an external / foreign connection for the DDNS connection? The fact that you are seeing the 192.168.0.211 address listed makes me think you are connected to the TL-R605 and trying to go OUT then back IN. NAT wont allow you to do this and will just forward you to the LAN interface.
- Copy Link
- Report Inappropriate Content
Dear @BFH,
The TL-R605, which is being managed by my Omada software controller, is serving up a config page on port 80. Not only is this a huge security flaw, but it's likely interfering with authentication for LetsEncrypt. I see no setting to turn off the external accessibility of the config page in the Omada controller.
Where do you find it's serving up on port 80? Are you really able to access the config page of the controller from the external network?
The TL-R605 works as a NAT device, if the Omada software controller is connected behind NAT, I don't think it can be accessed from an external network unless you access it via cloud access (https://omada.tplinkcloud.com/).
Besides, Omada software controller serves the config page on port 8043 (for HTTPS connection) and port 8088 (for HTTP connection).
- Copy Link
- Report Inappropriate Content
I completely disconnected my whole TP-Link network and hooked up an old router to get access to port 80 for LetsEncrypt validation. The WAN assigned new DHCP addresses and when I hooked things back up, the issue was gone. Now, port 80 is properly forwarded to my proxy server and only serves to upgrade to SSL.
I believe the issue was real, but since it has disappeared with the new lease, there's no way for me to know if it was just NAT loopback.
- Copy Link
- Report Inappropriate Content
My TL-R605 is facing the exact issue as what BFH reported in this thread. When my DDNS name was used with :80, this page of the TL-R605 showed up.
Btw, I have a Omada controller managing the R506. I need to know to disable port 80 in Controller or R605.
- Copy Link
- Report Inappropriate Content
I am unable to recreate this
Hitting both DDNS and IP (with and without :80) from an foreign network does not resolve for me. It appears to be blocked
Shields up test reports the port as CLOSED, ideally it shouldn't respond at all (stealth) but closed is good
Granted when I hit the external address from internal, NAT resolves this and does prompt the "managed page" but that is to be expected from internal
@aloychan - Are you definitely using an external / foreign connection for the DDNS connection? The fact that you are seeing the 192.168.0.211 address listed makes me think you are connected to the TL-R605 and trying to go OUT then back IN. NAT wont allow you to do this and will just forward you to the LAN interface.
- Copy Link
- Report Inappropriate Content
Philbert wrote
I am unable to recreate this
Hitting both DDNS and IP (with and without :80) from an foreign network does not resolve for me. It appears to be blocked
Shields up test reports the port as CLOSED, ideally it shouldn't respond at all (stealth) but closed is good
Granted when I hit the external address from internal, NAT resolves this and does prompt the "managed page" but that is to be expected from internal
@aloychan - Are you definitely using an external / foreign connection for the DDNS connection? The fact that you are seeing the 192.168.0.211 address listed makes me think you are connected to the TL-R605 and trying to go OUT then back IN. NAT wont allow you to do this and will just forward you to the LAN interface.
@Philbert - Yes, you are fight I am trying to go OUT and then goes back INto my network. I just tried accessing my DDNS IP with :80 from OUTside my network and its not accessible already. Silly mistakes from my end. Tyvm for the support. Appreciate it.
- Copy Link
- Report Inappropriate Content
@BFH haha, I made a similar post about this issue a month ago. I'm not used to a built in NATed loopback on enterprise equipment so it was a shock when I found what I though was an open management portal. Go figure, right?
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 2994
Replies: 6
Voters 0
No one has voted for it yet.