Description:

Remote access to our routers should preferably be implemented by means of a VPN client dial-in, for example using the LANCOM Advanced VPN Client. If this is not possible, it is often necessary to enable access via the WAN connection.

This article explains the different ways of securing the remote access to a LANCOM router from the WAN.


Requirements:


Section 1: Restricting specific management protocols for WAN access

1) Open the router configuration in LANconfig and go to the menu Management → Admin → Access settings.

Screenshot: the Management → Admin → Access settings dialog in LANconfig.

2) Click on Access rights and select the option From a WAN interface.

Screenshot: the Access rights dialog with the LAN and WAN interface options.

3) You can allow or restrict access to the management protocols in this menu.

  • If access to a specific protocol from the WAN is to be enabled, then select allowed in the drop-down menu.
  • If access from the WAN is not allowed, then select denied.
  • If the router should only be accessible via VPN, then select only via VPN.
  • By default, access to all of the management protocols from the WAN is denied.

In general, LANCOM Systems recommends prohibiting access to the management protocols from the WAN (setting denied) or allowing access only via VPN (setting only via VPN).

If access from the WAN is necessary, make absolutely sure that only encrypted protocols are used (HTTPS, SSH, Telnet over SSL, SNMPv3). Otherwise the password can be read in plain text! Additionally, access should be restricted to specific IP addresses and/or networks (see Section 2).

Screenshot: Access rights from a WAN interface, showing the allowed/denied setting per management protocol (SSH, Telnet, Telnet over SSL, TFTP, SNMP).



Section 2: Restricting access to the router from specific IP addresses and/or IP networks only

1) Open the router configuration in LANconfig and go to the menu Management → Admin → Access settings.

2) Go to the menu Access stations.

Screenshot: the Access settings dialog with the Access stations button.

3) Enter the networks and IP addresses that should have access to the router. For a network, enter the associated subnet mask. For a single IP address, enter the subnet mask 255.255.255.255.

As the Access stations table works as a whitelist, it must contain all of the IP networks or IP addresses from which access to the router should be allowed. Consequently, the internal networks must also be entered here. Otherwise access to the router will no longer be possible from the internal network!
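The whitelist semantics described above, as an added example that is not LANCOM's code: the entries model the Access stations table (IP address plus netmask, 255.255.255.255 for a single host), is_allowed() checks whether a source address matches any entry, and missing_internal_networks() is a pre-flight check for the lockout pitfall, reporting every internal network that the table would not cover. All addresses and networks below are constructed for this example.

```python
# Added example (not LANCOM's code): model the "Access stations" whitelist and
# check that the internal networks are included before the table is applied,
# so the router stays reachable from the LAN.
import ipaddress

# Entries as they would be typed into the Access stations table:
# (IP address, netmask). 255.255.255.255 means a single host.
# Values are constructed for this example.
ACCESS_STATIONS = [
    ("192.168.1.0", "255.255.255.0"),     # internal LAN (must be present!)
    ("203.0.113.10", "255.255.255.255"),  # single external admin host
]

# Internal networks the router must remain manageable from (constructed).
INTERNAL_NETWORKS = ["192.168.1.0/24", "192.168.2.0/24"]


def to_network(ip, mask):
    """Turn an (address, dotted netmask) table entry into an IPv4Network."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def is_allowed(source_ip, stations=ACCESS_STATIONS):
    """True if source_ip falls inside any whitelist entry (default deny otherwise)."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in to_network(ip, mask) for ip, mask in stations)


def missing_internal_networks(stations=ACCESS_STATIONS, internal=INTERNAL_NETWORKS):
    """Internal networks not fully covered by the whitelist.

    A non-empty result means the configuration would lock administrators
    out of the router from those networks once the table takes effect.
    """
    nets = [to_network(ip, mask) for ip, mask in stations]
    missing = []
    for cidr in internal:
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(n) for n in nets):
            missing.append(cidr)
    return missing


if __name__ == "__main__":
    for src in ("192.168.1.50", "203.0.113.10", "203.0.113.11"):
        print(f"{src}: {'allowed' if is_allowed(src) else 'denied'}")
    gaps = missing_internal_networks()
    print("internal networks missing from the whitelist:", gaps or "none")
```

Run the check before writing the table to the device: with the sample table, 192.168.2.0/24 is reported as missing, which is exactly the case in which access from that internal network would be lost.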

Screenshot: the Access stations table with the columns IP address and Netmask.



Section 3: Deactivating the web server services from the WAN interface

1) Open the router configuration in LANconfig and go to the menu Management → Admin → Access settings.

Screenshot: the Management → Admin → Access settings dialog in LANconfig.

2) Click on HTTP access and select the option From a WAN interface.

Screenshot: the HTTP access dialog with the LAN and WAN interface options.

3) For the HTTP port, select the option Disabled. This closes the web server for all services. It is only practical in scenarios where no access to the router via HTTP/HTTPS should be possible from the WAN (not even via VPN) and no services that require the web server (e.g. the OCSP server/responder) need to be available on the WAN interface.

An exception is IPSec-over-HTTPS. If the option Accept IPSec-over-HTTPS is active, the router still answers with the message "403 Access Forbidden" when WEBconfig is accessed from the WAN, even though the web server is deactivated.

Screenshot: the HTTP access from a WAN interface dialog with the HTTP port set to Disabled.



Section 4: Configuration login lock

When management protocols are accessible from the WAN, you should expect frequent Internet-based brute-force attacks attempting to gain access to the router. This is where the brute-force protection comes into effect.

The relevant setting can be found under Management → Admin → Configuration login lock. With default settings, 5 failed logins cause the management protocol to be locked globally for 5 minutes.

Because the lock is global, a locked management protocol is also unavailable from the internal network for the duration of the lock.

Screenshot: the Management → Admin → Configuration login lock settings in LANconfig.

The Event Log shows whether a management protocol is locked. It can be read out via the CLI command ls Status/Config/Event-Log. The following figure shows that too many failed login attempts were made via SSH, and that this protocol was locked as a consequence (LoginBlocked).

As an alternative, you can also open the Event Log in WEBconfig under (Extras →) LCOS menu tree → Status → Config → Event Log.

Screenshot: the Event Log with multiple failed SSH login attempts for user 'root'.
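The lock behaviour described in this section, as an added example that is not LANCOM's code: the script replays a set of login events using the default values (5 failed logins lock the protocol globally for 5 minutes) and reports when a lock engages and which later attempts, including a correct login from the internal network, hit the lock. The log line format and all addresses below are invented for this example and are not the LCOS Event Log format; the counter is modelled per protocol and is reset when a lock is imposed, which is a simplification.

```python
# Added example (not LANCOM's code): replay constructed login events against
# the default configuration login lock (5 failures -> global 5-minute lock)
# and show that a LAN login during the lock is rejected as well.
from datetime import datetime, timedelta

# Constructed sample events in an invented format (not the LCOS Event Log):
# "<timestamp> <protocol> login <failed|ok> user=<name> src=<address>"
SAMPLE_EVENTS = """\
2024-05-01 10:00:01 SSH login failed user=root src=198.51.100.7
2024-05-01 10:00:02 SSH login failed user=root src=198.51.100.7
2024-05-01 10:00:03 SSH login failed user=root src=198.51.100.7
2024-05-01 10:00:04 SSH login failed user=root src=198.51.100.7
2024-05-01 10:00:05 SSH login failed user=root src=198.51.100.7
2024-05-01 10:01:00 SSH login ok user=admin src=192.168.1.20
2024-05-01 10:02:00 HTTPS login failed user=root src=198.51.100.7
2024-05-01 10:06:00 SSH login ok user=admin src=192.168.1.20
"""


def parse_event(line):
    """Split one constructed log line into (timestamp, protocol, result, fields)."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    proto, _login, result, *kv = line[20:].split()
    fields = dict(item.split("=", 1) for item in kv)
    return ts, proto, result, fields


def simulate_login_lock(text, threshold=5, lock_minutes=5):
    """Replay events in order and apply the lock per protocol.

    Returns (locks, rejected): locks is a list of (protocol, time the lock
    engaged); rejected lists (time, protocol, user, source) for attempts made
    while the protocol was locked, regardless of where they came from.
    """
    failures = {}      # protocol -> failed logins since the last lock
    locked_until = {}  # protocol -> time the current lock expires
    locks, rejected = [], []
    for line in text.strip().splitlines():
        ts, proto, result, f = parse_event(line)
        until = locked_until.get(proto)
        if until is not None and ts < until:
            # Global lock: even a valid login from the LAN is turned away.
            rejected.append((ts, proto, f["user"], f["src"]))
            continue
        if result != "failed":
            continue
        failures[proto] = failures.get(proto, 0) + 1
        if failures[proto] >= threshold:
            locked_until[proto] = ts + timedelta(minutes=lock_minutes)
            locks.append((proto, ts))
            failures[proto] = 0  # assumption: counter restarts after a lock
    return locks, rejected


if __name__ == "__main__":
    locks, rejected = simulate_login_lock(SAMPLE_EVENTS)
    for proto, ts in locks:
        print(f"{ts} {proto} locked for 5 minutes (LoginBlocked)")
    for ts, proto, user, src in rejected:
        print(f"{ts} {proto} login by {user} from {src} rejected: protocol locked")
```

With the sample events, SSH is locked at 10:00:05 after the fifth failure, the administrator's login from 192.168.1.20 at 10:01:00 is rejected although the credentials are valid, HTTPS stays open because it has only one failure, and the SSH login at 10:06:00 succeeds once the lock has expired. This is the reason Section 5 recommends moving WAN-reachable protocols off their default ports: fewer automated attempts reach the service in the first place.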



Section 5: Change the default port

Since brute-force attacks usually target the default ports, we recommend changing the ports used by any management protocols that are accessible from the WAN.

1) Open the router configuration in LANconfig and go to the menu Management → Admin → Settings.

Screenshot: the Management → Admin → Settings dialog in LANconfig.

2) You can modify the default ports in this menu (in this example the HTTPS port was modified).

The port settings are global: after the change, these management protocols can be reached only on the new port, from both the WAN and the LAN.

Screenshot: the port settings for the management protocols (HTTPS, SSH, Telnet, FTP) with the option to activate each protocol.