I did a fresh flash of TOS 5.0.3 and encountered the following problem:
The web interface is exposed to WAN by default!
I would consider this as a bug, most people wouldn’t want their management interface open to the public right after (?) the initial setup.
Now I have a NAS in the LAN, for which I configured port forwarding for 80 and 443.
DDNS is set up for IPv4 and IPv6 and works.
This obviously overwrites the router web interface and worked initially.
But it seems like IPv6 is broken.
If I do a

    curl -vvv -4 https://mydomain.duckdns.org

I get the correct page and the Let’s Encrypt cert from my NAS.
If I do the curl with -6 I get this:

    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    * CAfile: none
      CApath: /etc/ssl/certs
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.3 (OUT), TLS alert, unknown CA (560):
    * SSL certificate problem: self signed certificate
    * Closing connection 0
    curl: (60) SSL certificate problem: self signed certificate
    More details here: https://curl.haxx.se/docs/sslcerts.html

    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.

This cert is issued to turris.cz.
How can I completely turn off the web interface for WAN?